warzonerat | 864b531c5f5a397b3fd2a8aa91c83f956d93300db9c986bfa7ae4744d7cb732f

Analysis

Target

Documento de envio.exe
Size

982KB
MD5

0fcc784f9400be0d78104a0043ee4479
SHA1

65cac3bdb71487d6e14480ade6397347289e047b
SHA256

864b531c5f5a397b3fd2a8aa91c83f956d93300db9c986bfa7ae4744d7cb732f
SHA512

b32a5475f7ec76dc88201383616e712d867757de39525ac5cda21536c5144e82fb3fe4b08f5024678823e8e1ca7bd8ffea0cbbeab8845636adb6e11e1fd1c975

Score

10^/10

Family

warzonerat

juner234.ddns.net:6397

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Documento de envio.exe

description	pid	process	target process
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe
PID 1640 wrote to memory of 1592	1640	Documento de envio.exe	mobsync.exe

C:\Users\Admin\AppData\Local\Temp\Documento de envio.exe
"C:\Users\Admin\AppData\Local\Temp\Documento de envio.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\mobsync.exe
  C:\Windows\System32\mobsync.exe
  2⤵
  PID:1592

memory/1592-65-0x0000000000000000-mapping.dmp

Download
memory/1592-68-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1592-67-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1592-69-0x0000000010670000-0x00000000107D0000-memory.dmp

Filesize
1.4MB

Download
memory/1592-70-0x0000000001F50000-0x00000000020AE000-memory.dmp

Filesize
1.4MB

Download
memory/1592-71-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1640-59-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1640-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1640-62-0x0000000004B40000-0x0000000004B84000-memory.dmp

Filesize
272KB

Download