warzonerat | bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716

General

Target

svchost.exe
Size

3.0MB
MD5

91f690acfa88c901361ceeb29193b957
SHA1

f65a8c9860f424598f6fe3e93ae8a05b182087f5
SHA256

bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716
SHA512

9015d3e8e60f24e71fec3fcc37151d600adc7ac4503370efd0cba6033598cde59aecac6b9e7ba27150259ef18bd0e9bd95c625bd771130f39508880532294f96

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

111.90.149.108:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3492 images.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3296 powershell.exe
3296 powershell.exe
3296 powershell.exe
3820 powershell.exe
3820 powershell.exe
3820 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3296 powershell.exe
Token: SeDebugPrivilege 3820 powershell.exe

pid	process
3492	images.exe

pid	process
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
3820	powershell.exe
3820	powershell.exe
3820	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

svchost.execmd.exeimages.exe

description	pid	process	target process
PID 632 wrote to memory of 3296	632	svchost.exe	powershell.exe
PID 632 wrote to memory of 3296	632	svchost.exe	powershell.exe
PID 632 wrote to memory of 3296	632	svchost.exe	powershell.exe
PID 632 wrote to memory of 2124	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 2124	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 2124	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 3492	632	svchost.exe	images.exe
PID 632 wrote to memory of 3492	632	svchost.exe	images.exe
PID 632 wrote to memory of 3492	632	svchost.exe	images.exe
PID 2124 wrote to memory of 3188	2124	cmd.exe	reg.exe
PID 2124 wrote to memory of 3188	2124	cmd.exe	reg.exe
PID 2124 wrote to memory of 3188	2124	cmd.exe	reg.exe
PID 3492 wrote to memory of 3820	3492	images.exe	powershell.exe
PID 3492 wrote to memory of 3820	3492	images.exe	powershell.exe
PID 3492 wrote to memory of 3820	3492	images.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
PID:3188

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
91f690acfa88c901361ceeb29193b957

SHA1
f65a8c9860f424598f6fe3e93ae8a05b182087f5

SHA256
bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716

SHA512
9015d3e8e60f24e71fec3fcc37151d600adc7ac4503370efd0cba6033598cde59aecac6b9e7ba27150259ef18bd0e9bd95c625bd771130f39508880532294f96

Download Submit
C:\ProgramData\images.exe
MD5
91f690acfa88c901361ceeb29193b957

SHA1
f65a8c9860f424598f6fe3e93ae8a05b182087f5

SHA256
bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716

SHA512
9015d3e8e60f24e71fec3fcc37151d600adc7ac4503370efd0cba6033598cde59aecac6b9e7ba27150259ef18bd0e9bd95c625bd771130f39508880532294f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
35eda25651e46928a51c083f0bebe1de

SHA1
a4c8a9c9a854e163ff0d8651c5b9baf73604383a

SHA256
ea3c284032ed3974a75eb1c68b635c8f47787c7760bd1206cae75516cae60f17

SHA512
6c28f3b8f7b362cfb9db80c6022352d8e963ef587da559928a4986c17c44ea959aa100cab37735f0b861cfac0f20005332310c3163d987ffca9757e392af3dd4

Download Submit
memory/632-114-0x0000000003300000-0x000000000345D000-memory.dmp

Filesize
1.4MB

Download
memory/632-118-0x0000000003690000-0x0000000004190000-memory.dmp

Filesize
11.0MB

Download
memory/2124-120-0x0000000000000000-mapping.dmp

Download
memory/3188-124-0x0000000000000000-mapping.dmp

Download
memory/3296-137-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3296-159-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/3296-129-0x00000000004D2000-0x00000000004D3000-memory.dmp

Filesize
4KB

Download
memory/3296-130-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/3296-131-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/3296-132-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3296-133-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/3296-134-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3296-135-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/3296-136-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/3296-127-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3296-145-0x00000000089C0000-0x00000000089F3000-memory.dmp

Filesize
204KB

Download
memory/3296-152-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/3296-157-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/3296-158-0x000000007EDB0000-0x000000007EDB1000-memory.dmp

Filesize
4KB

Download
memory/3296-128-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3296-169-0x00000000004D3000-0x00000000004D4000-memory.dmp

Filesize
4KB

Download
memory/3296-353-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3296-359-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/3296-119-0x0000000000000000-mapping.dmp

Download
memory/3492-121-0x0000000000000000-mapping.dmp

Download
memory/3492-374-0x0000000004110000-0x000000000426D000-memory.dmp

Filesize
1.4MB

Download
memory/3820-378-0x0000000000000000-mapping.dmp

Download
memory/3820-387-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/3820-389-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/3820-390-0x0000000004472000-0x0000000004473000-memory.dmp

Filesize
4KB

Download
memory/3820-392-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/3820-413-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

Filesize
4KB

Download
memory/3820-429-0x0000000004473000-0x0000000004474000-memory.dmp

Filesize
4KB

Download
memory/3820-427-0x000000007EB50000-0x000000007EB51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads