warzonerat | bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716

General

Target

svchost.exe
Size

3.0MB
MD5

91f690acfa88c901361ceeb29193b957
SHA1

f65a8c9860f424598f6fe3e93ae8a05b182087f5
SHA256

bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716
SHA512

9015d3e8e60f24e71fec3fcc37151d600adc7ac4503370efd0cba6033598cde59aecac6b9e7ba27150259ef18bd0e9bd95c625bd771130f39508880532294f96

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

111.90.149.108:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2272 images.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1944 powershell.exe
1944 powershell.exe
1944 powershell.exe
3888 powershell.exe
3888 powershell.exe
3888 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1944 powershell.exe
Token: SeDebugPrivilege 3888 powershell.exe

pid	process
2272	images.exe

pid	process
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
3888	powershell.exe
3888	powershell.exe
3888	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

svchost.execmd.exeimages.exe

description	pid	process	target process
PID 632 wrote to memory of 1944	632	svchost.exe	powershell.exe
PID 632 wrote to memory of 1944	632	svchost.exe	powershell.exe
PID 632 wrote to memory of 1944	632	svchost.exe	powershell.exe
PID 632 wrote to memory of 3376	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 3376	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 3376	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 2272	632	svchost.exe	images.exe
PID 632 wrote to memory of 2272	632	svchost.exe	images.exe
PID 632 wrote to memory of 2272	632	svchost.exe	images.exe
PID 3376 wrote to memory of 2156	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 2156	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 2156	3376	cmd.exe	reg.exe
PID 2272 wrote to memory of 3888	2272	images.exe	powershell.exe
PID 2272 wrote to memory of 3888	2272	images.exe	powershell.exe
PID 2272 wrote to memory of 3888	2272	images.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
PID:2156

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
91f690acfa88c901361ceeb29193b957

SHA1
f65a8c9860f424598f6fe3e93ae8a05b182087f5

SHA256
bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716

SHA512
9015d3e8e60f24e71fec3fcc37151d600adc7ac4503370efd0cba6033598cde59aecac6b9e7ba27150259ef18bd0e9bd95c625bd771130f39508880532294f96

Download Submit
C:\ProgramData\images.exe
MD5
91f690acfa88c901361ceeb29193b957

SHA1
f65a8c9860f424598f6fe3e93ae8a05b182087f5

SHA256
bc9f7802dd7825de6574c4eed585c53ab724a975d72b88f9871f477ea23a2716

SHA512
9015d3e8e60f24e71fec3fcc37151d600adc7ac4503370efd0cba6033598cde59aecac6b9e7ba27150259ef18bd0e9bd95c625bd771130f39508880532294f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
753fc8d87263708d5918e25561a69e5d

SHA1
04b600104cd0daf1619f92715e43097283927071

SHA256
2158ed7dd5802c3b8fca26e30dc65ab9c0b68d9178da54dbe8c44e4f91ebf211

SHA512
332108ff5ed069c29e0dd480a47b5e58dd8d6f1632eb0a3ac4646d0fd3dd0a07829e863bd6bb2d26ee88ebc98fad1847d2a5ce04df10dbeb1c97fa788a0434f1

Download Submit
memory/632-118-0x0000000003300000-0x0000000003E00000-memory.dmp

Filesize
11.0MB

Download
memory/632-114-0x0000000003E00000-0x0000000003F5D000-memory.dmp

Filesize
1.4MB

Download
memory/1944-137-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/1944-158-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/1944-127-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1944-128-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/1944-129-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/1944-130-0x0000000002C82000-0x0000000002C83000-memory.dmp

Filesize
4KB

Download
memory/1944-131-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/1944-132-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/1944-133-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/1944-134-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1944-135-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/1944-136-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/1944-119-0x0000000000000000-mapping.dmp

Download
memory/1944-145-0x00000000090A0000-0x00000000090D3000-memory.dmp

Filesize
204KB

Download
memory/1944-152-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/1944-359-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/1944-157-0x000000007EDB0000-0x000000007EDB1000-memory.dmp

Filesize
4KB

Download
memory/1944-159-0x00000000093A0000-0x00000000093A1000-memory.dmp

Filesize
4KB

Download
memory/1944-162-0x0000000002C83000-0x0000000002C84000-memory.dmp

Filesize
4KB

Download
memory/1944-353-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/2156-124-0x0000000000000000-mapping.dmp

Download
memory/2272-374-0x00000000039F0000-0x0000000003B4D000-memory.dmp

Filesize
1.4MB

Download
memory/2272-121-0x0000000000000000-mapping.dmp

Download
memory/3376-120-0x0000000000000000-mapping.dmp

Download
memory/3888-378-0x0000000000000000-mapping.dmp

Download
memory/3888-387-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/3888-389-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/3888-390-0x00000000068C2000-0x00000000068C3000-memory.dmp

Filesize
4KB

Download
memory/3888-392-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3888-413-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/3888-483-0x000000007EB50000-0x000000007EB51000-memory.dmp

Filesize
4KB

Download
memory/3888-484-0x00000000068C3000-0x00000000068C4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads