warzonerat | d1ce6205e2058fc13f81a5c14ebcbe2265228be3948aa0545c974335e8561b0b

Analysis

Target

RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
Size

991KB
MD5

afecebe5a5e2394aef67af6eded00288
SHA1

446d8e6f515a82457214ea50b4f897684218fbce
SHA256

798afa1c705601611bc76eb9420d00072c5c5a7f42f410d11876b772ce71839e
SHA512

d7a59556a47efa0e1a16fb48a4d3581dbbddb35ba3ac2e950c6da8cb6292c1dc9840a1b773ab203814d0dba2009d61565a7908ffb68a97323ff99b1f5a15e7e7

Score

10^/10

Family

warzonerat

bestsuccess.ddns.net:2442

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3460-117-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/3460-116-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3460-118-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

description	pid	process	target process
PID 664 set thread context of 3460	664	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

description	pid	process	target process
PID 664 wrote to memory of 3460	664	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 664 wrote to memory of 3460	664	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 664 wrote to memory of 3460	664	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 664 wrote to memory of 3460	664	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
PID 664 wrote to memory of 3460	664	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe	RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe

C:\Users\Admin\AppData\Local\Temp\RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe
"C:\Users\Admin\AppData\Local\Temp\RE URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 MAERSK KLEVEN.exe"
2⤵
PID:3460

memory/664-114-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/664-115-0x0000000002481000-0x0000000002495000-memory.dmp

Filesize
80KB

Download
memory/3460-117-0x0000000000405CE2-mapping.dmp

Download
memory/3460-116-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3460-118-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download