warzonerat | acc8d7fcd58098b4baabe139fc928b4845e1ceedad4bb646be8062549d545f58

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:42

Target

SOA72736467388453latest.exe
Size

261KB
MD5

676cf08fb03d8a9ffcf5ab5d36447c15
SHA1

d5affa18c7ec3b13bc91f103d08e9b779ccd5560
SHA256

5b3b7ebe915f592364c520775e220965c95bdb9dee6160de07993866645c0dea
SHA512

05c458b547d715ae0ca5d9d4a7c55b699b35b087a28584deb9f7720f8ed70b464690749c6e60a6f64f4d348f7c5f36837baac29ee7c1c76543972ff155d1e5e1
SSDEEP

6144:NBHhJHDyzWdMSHDPUEPFWjlxUTm7LcTbTeEZFH0pviB9jV5QR:NJhNdMS1Ajlaq7LcHT9qsB

Score

10^/10

Family

warzonerat

charlesdnsoh.duckdns.org:77

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA72736467388453latest.exe

description pid process target process

PID 4972 set thread context of 816 4972 SOA72736467388453latest.exe vbc.exe

description	pid	process	target process
PID 4972 set thread context of 816	4972	SOA72736467388453latest.exe	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SOA72736467388453latest.exe

description	pid	process	target process
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe
PID 4972 wrote to memory of 816	4972	SOA72736467388453latest.exe	vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:816

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/816-134-0x0000000000000000-mapping.dmp

Download
memory/816-135-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/816-137-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/816-138-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/816-139-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4972-132-0x0000000000560000-0x00000000005A8000-memory.dmp

Filesize
288KB

Download
memory/4972-133-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download