warzonerat | 035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

General

Target

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe
Size

592KB
MD5

71f641159a0b255e20d6af33d1abd416
SHA1

12d5dcb0816ef37a8b38f68e9945661b665a8953
SHA256

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f
SHA512

b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

ngray.duckdns.org:3284

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1080-55-0x0000000000190000-0x00000000001B0000-memory.dmp	warzonerat
behavioral1/memory/1080-56-0x0000000000280000-0x00000000002A3000-memory.dmp	warzonerat
behavioral1/memory/1192-69-0x0000000000890000-0x00000000008B3000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1192 images.exe
Loads dropped DLL 1 IoCs

Processes:

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe

pid process

1080 035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe

pid	process
1192	images.exe

pid	process
1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.execmd.exeimages.exe

description	pid	process	target process
PID 1080 wrote to memory of 860	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 1080 wrote to memory of 860	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 1080 wrote to memory of 860	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 1080 wrote to memory of 860	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 1080 wrote to memory of 1192	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 1080 wrote to memory of 1192	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 1080 wrote to memory of 1192	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 1080 wrote to memory of 1192	1080	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 860 wrote to memory of 980	860	cmd.exe	reg.exe
PID 860 wrote to memory of 980	860	cmd.exe	reg.exe
PID 860 wrote to memory of 980	860	cmd.exe	reg.exe
PID 860 wrote to memory of 980	860	cmd.exe	reg.exe
PID 1192 wrote to memory of 1340	1192	images.exe	cmd.exe
PID 1192 wrote to memory of 1340	1192	images.exe	cmd.exe
PID 1192 wrote to memory of 1340	1192	images.exe	cmd.exe
PID 1192 wrote to memory of 1340	1192	images.exe	cmd.exe
PID 1192 wrote to memory of 1340	1192	images.exe	cmd.exe
PID 1192 wrote to memory of 1340	1192	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe
"C:\Users\Admin\AppData\Local\Temp\035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    3⤵
    PID:980
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
592KB

MD5
71f641159a0b255e20d6af33d1abd416

SHA1
12d5dcb0816ef37a8b38f68e9945661b665a8953

SHA256
035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

SHA512
b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Download Submit
C:\ProgramData\images.exe

Filesize
592KB

MD5
71f641159a0b255e20d6af33d1abd416

SHA1
12d5dcb0816ef37a8b38f68e9945661b665a8953

SHA256
035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

SHA512
b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Download Submit
\ProgramData\images.exe

Filesize
592KB

MD5
71f641159a0b255e20d6af33d1abd416

SHA1
12d5dcb0816ef37a8b38f68e9945661b665a8953

SHA256
035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

SHA512
b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Download Submit
memory/860-62-0x0000000000000000-mapping.dmp

Download
memory/980-67-0x0000000000000000-mapping.dmp

Download
memory/1080-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1080-55-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/1080-56-0x0000000000280000-0x00000000002A3000-memory.dmp

Filesize
140KB

Download
memory/1192-64-0x0000000000000000-mapping.dmp

Download
memory/1192-69-0x0000000000890000-0x00000000008B3000-memory.dmp

Filesize
140KB

Download
memory/1340-75-0x0000000000000000-mapping.dmp

Download
memory/1340-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing