warzonerat | 6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740

General

Target

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe
Size

1.8MB
MD5

4b26b9948fbbcf50de765bf2f6d050a2
SHA1

997c16dbcaca77e7b9b2c07815384f71c7960689
SHA256

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740
SHA512

f963736d3ddb22bafc8af555c0e2a5eed6c2ffaf129b482798cd50163cffe723fcdc3b09d93ae4967225a4e8b673e30ce411d652e99d74fea2902589b7e4ca11

Score

10^/10

Family

warzonerat

C2

185.140.53.46:5200

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2008-55-0x00000000001B0000-0x00000000001CD000-memory.dmp	warzonerat
behavioral1/memory/2008-61-0x0000000000531000-0x0000000000552000-memory.dmp	warzonerat
behavioral1/memory/2008-66-0x0000000000531000-0x0000000000552000-memory.dmp	warzonerat
behavioral1/memory/628-70-0x0000000000350000-0x000000000036D000-memory.dmp	warzonerat
behavioral1/memory/628-76-0x0000000000431000-0x0000000000452000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

winupdates.exe

pid process

628 winupdates.exe
Loads dropped DLL 1 IoCs

Processes:

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe

pid process

2008 6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1188 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1188 powershell.exe

pid	process
628	winupdates.exe

pid	process
2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe

pid	process
1188	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1188	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe

description	pid	process	target process
PID 2008 wrote to memory of 1188	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 2008 wrote to memory of 1188	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 2008 wrote to memory of 1188	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 2008 wrote to memory of 1188	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 2008 wrote to memory of 628	2008	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe

C:\ProgramData\winupdates.exe
"C:\ProgramData\winupdates.exe"
2⤵
- Executes dropped EXE
PID:628

C:\ProgramData\winupdates.exe

Filesize
1.8MB

MD5
4b26b9948fbbcf50de765bf2f6d050a2

SHA1
997c16dbcaca77e7b9b2c07815384f71c7960689

SHA256
6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740

SHA512
f963736d3ddb22bafc8af555c0e2a5eed6c2ffaf129b482798cd50163cffe723fcdc3b09d93ae4967225a4e8b673e30ce411d652e99d74fea2902589b7e4ca11

Download Submit
\ProgramData\winupdates.exe

Filesize
1.8MB

MD5
4b26b9948fbbcf50de765bf2f6d050a2

SHA1
997c16dbcaca77e7b9b2c07815384f71c7960689

SHA256
6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740

SHA512
f963736d3ddb22bafc8af555c0e2a5eed6c2ffaf129b482798cd50163cffe723fcdc3b09d93ae4967225a4e8b673e30ce411d652e99d74fea2902589b7e4ca11

Download Submit
memory/628-64-0x0000000000000000-mapping.dmp

Download
memory/628-70-0x0000000000350000-0x000000000036D000-memory.dmp

Filesize
116KB

Download
memory/628-76-0x0000000000431000-0x0000000000452000-memory.dmp

Filesize
132KB

Download
memory/1188-62-0x0000000000000000-mapping.dmp

Download
memory/1188-68-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x00000000001B0000-0x00000000001CD000-memory.dmp

Filesize
116KB

Download
memory/2008-61-0x0000000000531000-0x0000000000552000-memory.dmp

Filesize
132KB

Download
memory/2008-66-0x0000000000531000-0x0000000000552000-memory.dmp

Filesize
132KB

Download