warzonerat | acc8d7fcd58098b4baabe139fc928b4845e1ceedad4bb646be8062549d545f58

Analysis

max time kernel
179s
max time network
187s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:42

Target

SOA72736467388453latest.exe
Size

261KB
MD5

676cf08fb03d8a9ffcf5ab5d36447c15
SHA1

d5affa18c7ec3b13bc91f103d08e9b779ccd5560
SHA256

5b3b7ebe915f592364c520775e220965c95bdb9dee6160de07993866645c0dea
SHA512

05c458b547d715ae0ca5d9d4a7c55b699b35b087a28584deb9f7720f8ed70b464690749c6e60a6f64f4d348f7c5f36837baac29ee7c1c76543972ff155d1e5e1
SSDEEP

6144:NBHhJHDyzWdMSHDPUEPFWjlxUTm7LcTbTeEZFH0pviB9jV5QR:NJhNdMS1Ajlaq7LcHT9qsB

Score

10^/10

Family

warzonerat

charlesdnsoh.duckdns.org:77

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA72736467388453latest.exe

description pid process target process

PID 1456 set thread context of 1224 1456 SOA72736467388453latest.exe vbc.exe

description	pid	process	target process
PID 1456 set thread context of 1224	1456	SOA72736467388453latest.exe	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SOA72736467388453latest.exe

description	pid	process	target process
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe
PID 1456 wrote to memory of 1224	1456	SOA72736467388453latest.exe	vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1224

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1224-62-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-57-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-60-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-58-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-64-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-66-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-68-0x0000000000405E28-mapping.dmp

Download
memory/1224-69-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-73-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1224-78-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/1456-55-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1456-56-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download
memory/1456-54-0x0000000000D80000-0x0000000000DC8000-memory.dmp

Filesize
288KB

Download