warzonerat | 6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740

General

Target

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe
Size

1.8MB
MD5

4b26b9948fbbcf50de765bf2f6d050a2
SHA1

997c16dbcaca77e7b9b2c07815384f71c7960689
SHA256

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740
SHA512

f963736d3ddb22bafc8af555c0e2a5eed6c2ffaf129b482798cd50163cffe723fcdc3b09d93ae4967225a4e8b673e30ce411d652e99d74fea2902589b7e4ca11

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.46:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/680-130-0x0000000001400000-0x000000000141D000-memory.dmp	warzonerat
behavioral2/memory/680-136-0x0000000000E56000-0x0000000000E77000-memory.dmp	warzonerat
behavioral2/memory/680-141-0x0000000000E56000-0x0000000000E77000-memory.dmp	warzonerat
behavioral2/memory/4396-158-0x0000000002F70000-0x0000000002F8D000-memory.dmp	warzonerat
behavioral2/memory/4396-164-0x0000000000786000-0x00000000007A7000-memory.dmp	warzonerat
behavioral2/memory/4396-169-0x0000000000786000-0x00000000007A7000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

winupdates.exe

pid process

4396 winupdates.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4408 powershell.exe
4408 powershell.exe
1664 powershell.exe
1664 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4408 powershell.exe
Token: SeDebugPrivilege 1664 powershell.exe

pid	process
4396	winupdates.exe

pid	process
4408	powershell.exe
4408	powershell.exe
1664	powershell.exe
1664	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exewinupdates.exe

description	pid	process	target process
PID 680 wrote to memory of 4408	680	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 680 wrote to memory of 4408	680	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 680 wrote to memory of 4408	680	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	powershell.exe
PID 680 wrote to memory of 4396	680	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 680 wrote to memory of 4396	680	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 680 wrote to memory of 4396	680	6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe	winupdates.exe
PID 4396 wrote to memory of 1664	4396	winupdates.exe	powershell.exe
PID 4396 wrote to memory of 1664	4396	winupdates.exe	powershell.exe
PID 4396 wrote to memory of 1664	4396	winupdates.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe
"C:\Users\Admin\AppData\Local\Temp\6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\ProgramData\winupdates.exe
"C:\ProgramData\winupdates.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winupdates.exe

Filesize
1.8MB

MD5
4b26b9948fbbcf50de765bf2f6d050a2

SHA1
997c16dbcaca77e7b9b2c07815384f71c7960689

SHA256
6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740

SHA512
f963736d3ddb22bafc8af555c0e2a5eed6c2ffaf129b482798cd50163cffe723fcdc3b09d93ae4967225a4e8b673e30ce411d652e99d74fea2902589b7e4ca11

Download Submit
C:\ProgramData\winupdates.exe

Filesize
1.8MB

MD5
4b26b9948fbbcf50de765bf2f6d050a2

SHA1
997c16dbcaca77e7b9b2c07815384f71c7960689

SHA256
6db5403ea553ff7f6bcf709d828d00e8b64b94608b9fbc366097562c9a3a1740

SHA512
f963736d3ddb22bafc8af555c0e2a5eed6c2ffaf129b482798cd50163cffe723fcdc3b09d93ae4967225a4e8b673e30ce411d652e99d74fea2902589b7e4ca11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
104c25e9e99f7ef45ac072c469b2a4a1

SHA1
af3663b814d0be3d19c7913579023b22224a4add

SHA256
400639de89525c99ac72a813b8713394b411ab65cfa4c2f852c6faaa66731a1e

SHA512
51b8f926ddaa78bfb42fd3dddbe7984c83cffbee5bdbf8b55df65ccd2e3d607d212a4072448d47d665fd7eafac50fa72a96acdbb86d024f3bd76e676433c4362

Download Submit
memory/680-141-0x0000000000E56000-0x0000000000E77000-memory.dmp

Filesize
132KB

Download
memory/680-130-0x0000000001400000-0x000000000141D000-memory.dmp

Filesize
116KB

Download
memory/680-136-0x0000000000E56000-0x0000000000E77000-memory.dmp

Filesize
132KB

Download
memory/1664-168-0x000000006FB50000-0x000000006FB9C000-memory.dmp

Filesize
304KB

Download
memory/1664-165-0x0000000000000000-mapping.dmp

Download
memory/4396-138-0x0000000000000000-mapping.dmp

Download
memory/4396-169-0x0000000000786000-0x00000000007A7000-memory.dmp

Filesize
132KB

Download
memory/4396-164-0x0000000000786000-0x00000000007A7000-memory.dmp

Filesize
132KB

Download
memory/4396-158-0x0000000002F70000-0x0000000002F8D000-memory.dmp

Filesize
116KB

Download
memory/4408-149-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

Filesize
304KB

Download
memory/4408-157-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/4408-150-0x00000000075E0000-0x00000000075FE000-memory.dmp

Filesize
120KB

Download
memory/4408-151-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/4408-152-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/4408-153-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/4408-154-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/4408-155-0x00000000079D0000-0x00000000079DE000-memory.dmp

Filesize
56KB

Download
memory/4408-156-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/4408-148-0x0000000007620000-0x0000000007652000-memory.dmp

Filesize
200KB

Download
memory/4408-147-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/4408-146-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/4408-145-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/4408-144-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/4408-143-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/4408-142-0x0000000002B60000-0x0000000002B96000-memory.dmp

Filesize
216KB

Download
memory/4408-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing