warzonerat | 401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

General

Target

a4596b039ec21394b6f5a7032f9b4b50.exe
Size

383KB
MD5

a4596b039ec21394b6f5a7032f9b4b50
SHA1

15604020db19962ef579ecde885f2516a48c4b99
SHA256

401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48
SHA512

877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2056 svchost.exe
3260 svchost.exe

pid	process
2056	svchost.exe
3260	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

description	pid	process	target process
PID 4060 set thread context of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2056 set thread context of 3260	2056	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

pid process

4060 a4596b039ec21394b6f5a7032f9b4b50.exe
4060 a4596b039ec21394b6f5a7032f9b4b50.exe
2056 svchost.exe
2056 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4060 a4596b039ec21394b6f5a7032f9b4b50.exe
Token: SeDebugPrivilege 2056 svchost.exe

pid	process
4060	a4596b039ec21394b6f5a7032f9b4b50.exe
4060	a4596b039ec21394b6f5a7032f9b4b50.exe
2056	svchost.exe
2056	svchost.exe

description	pid	process
Token: SeDebugPrivilege	4060	a4596b039ec21394b6f5a7032f9b4b50.exe
Token: SeDebugPrivilege	2056	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exea4596b039ec21394b6f5a7032f9b4b50.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 4060 wrote to memory of 2268	4060	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2268 wrote to memory of 3672	2268	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 2268 wrote to memory of 3672	2268	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 2268 wrote to memory of 3672	2268	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 2268 wrote to memory of 2056	2268	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 2268 wrote to memory of 2056	2268	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 2268 wrote to memory of 2056	2268	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 3672 wrote to memory of 1320	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 1320	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 1320	3672	cmd.exe	reg.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 2056 wrote to memory of 3260	2056	svchost.exe	svchost.exe
PID 3260 wrote to memory of 1544	3260	svchost.exe	cmd.exe
PID 3260 wrote to memory of 1544	3260	svchost.exe	cmd.exe
PID 3260 wrote to memory of 1544	3260	svchost.exe	cmd.exe
PID 3260 wrote to memory of 1544	3260	svchost.exe	cmd.exe
PID 3260 wrote to memory of 1544	3260	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
"C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:1320

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
C:\ProgramData\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
memory/1320-139-0x0000000000000000-mapping.dmp

Download
memory/1544-156-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1544-155-0x0000000000000000-mapping.dmp

Download
memory/2056-132-0x0000000000000000-mapping.dmp

Download
memory/2056-141-0x0000000005400000-0x00000000058FE000-memory.dmp

Filesize
5.0MB

Download
memory/2268-128-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2268-129-0x0000000000405E28-mapping.dmp

Download
memory/2268-130-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3260-151-0x0000000000405E28-mapping.dmp

Download
memory/3260-154-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3672-131-0x0000000000000000-mapping.dmp

Download
memory/4060-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/4060-127-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/4060-126-0x0000000006DB0000-0x0000000006E0D000-memory.dmp

Filesize
372KB

Download
memory/4060-121-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/4060-120-0x0000000006450000-0x0000000006499000-memory.dmp

Filesize
292KB

Download
memory/4060-119-0x0000000002520000-0x00000000025B2000-memory.dmp

Filesize
584KB

Download
memory/4060-118-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4060-117-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4060-116-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing