warzonerat | d1ce6205e2058fc13f81a5c14ebcbe2265228be3948aa0545c974335e8561b0b

General

Target

RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
Size

991KB
MD5

afecebe5a5e2394aef67af6eded00288
SHA1

446d8e6f515a82457214ea50b4f897684218fbce
SHA256

798afa1c705601611bc76eb9420d00072c5c5a7f42f410d11876b772ce71839e
SHA512

d7a59556a47efa0e1a16fb48a4d3581dbbddb35ba3ac2e950c6da8cb6292c1dc9840a1b773ab203814d0dba2009d61565a7908ffb68a97323ff99b1f5a15e7e7

Score

10^/10

Family

warzonerat

C2

bestsuccess.ddns.net:2442

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1824-57-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1824-58-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1824-60-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

description	pid	process	target process
PID 1740 set thread context of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

description	pid	process	target process
PID 1740 wrote to memory of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 1740 wrote to memory of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 1740 wrote to memory of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 1740 wrote to memory of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 1740 wrote to memory of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 1740 wrote to memory of 1824	1740	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

C:\Users\Admin\AppData\Local\Temp\RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
"C:\Users\Admin\AppData\Local\Temp\RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe"
2⤵
PID:1824

memory/1740-53-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1740-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-55-0x0000000000301000-0x0000000000315000-memory.dmp

Filesize
80KB

Download
memory/1824-56-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1824-57-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1824-58-0x0000000000405CE2-mapping.dmp

Download
memory/1824-60-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download