warzonerat | 035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

General

Target

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe
Size

592KB
MD5

71f641159a0b255e20d6af33d1abd416
SHA1

12d5dcb0816ef37a8b38f68e9945661b665a8953
SHA256

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f
SHA512

b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Score

10^/10

Family

warzonerat

C2

ngray.duckdns.org:3284

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4660-130-0x00000000023B0000-0x00000000023D0000-memory.dmp	warzonerat
behavioral2/memory/4660-131-0x0000000002F40000-0x0000000002F63000-memory.dmp	warzonerat
behavioral2/memory/204-143-0x0000000003970000-0x0000000003993000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

204 images.exe

pid	process
204	images.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.execmd.exeimages.exe

description	pid	process	target process
PID 4660 wrote to memory of 320	4660	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 4660 wrote to memory of 320	4660	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 4660 wrote to memory of 320	4660	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	cmd.exe
PID 4660 wrote to memory of 204	4660	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 4660 wrote to memory of 204	4660	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 4660 wrote to memory of 204	4660	035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe	images.exe
PID 320 wrote to memory of 5024	320	cmd.exe	reg.exe
PID 320 wrote to memory of 5024	320	cmd.exe	reg.exe
PID 320 wrote to memory of 5024	320	cmd.exe	reg.exe
PID 204 wrote to memory of 1048	204	images.exe	cmd.exe
PID 204 wrote to memory of 1048	204	images.exe	cmd.exe
PID 204 wrote to memory of 1048	204	images.exe	cmd.exe
PID 204 wrote to memory of 1048	204	images.exe	cmd.exe
PID 204 wrote to memory of 1048	204	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe
"C:\Users\Admin\AppData\Local\Temp\035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    3⤵
    PID:5024
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1048

C:\ProgramData\images.exe

Filesize
592KB

MD5
71f641159a0b255e20d6af33d1abd416

SHA1
12d5dcb0816ef37a8b38f68e9945661b665a8953

SHA256
035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

SHA512
b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Download Submit
C:\ProgramData\images.exe

Filesize
592KB

MD5
71f641159a0b255e20d6af33d1abd416

SHA1
12d5dcb0816ef37a8b38f68e9945661b665a8953

SHA256
035ec20b83846152ff2ffb513545aa2cf2d7fb83b81ab1c623ba582c71cd2b7f

SHA512
b37303e7f823b9299c519af61cb16d03ff1157c69a9077db77344ebf185eff9a92439a1c42e03361ed037e2e8d7821c2345a89db1b37c4faae162aad1234ddff

Download Submit
memory/204-138-0x0000000000000000-mapping.dmp

Download
memory/204-143-0x0000000003970000-0x0000000003993000-memory.dmp

Filesize
140KB

Download
memory/320-137-0x0000000000000000-mapping.dmp

Download
memory/1048-149-0x0000000000000000-mapping.dmp

Download
memory/1048-150-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4660-130-0x00000000023B0000-0x00000000023D0000-memory.dmp

Filesize
128KB

Download
memory/4660-131-0x0000000002F40000-0x0000000002F63000-memory.dmp

Filesize
140KB

Download
memory/5024-141-0x0000000000000000-mapping.dmp

Download