warzonerat | 842fc15b363a849a21ce37a22bd237371576a0a92adc3718adce933dfbb16f83

Analysis

max time kernel
138s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

574e031a4747d5e6315b894f983d3001.exe
Size

2.3MB
MD5

574e031a4747d5e6315b894f983d3001
SHA1

30222efc71057a20e085b757c7eadb75ee50b155
SHA256

842fc15b363a849a21ce37a22bd237371576a0a92adc3718adce933dfbb16f83
SHA512

7a204e8f508e5e0d0f798f996d53e301d8bc330b86f26dab55ed22495c4ed09c0bc149c2e7857cc1fa68f0e118092b8c9f1ab8d321540c8277fcfd52b76226a1
SSDEEP

12288:2YSJAsjzCjawSIIgH8n7XAW76XcpjvV653IDqYheWiYWZaQKjYD:6JAsjvI

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3580-132-0x0000000002C50000-0x0000000003650000-memory.dmp	warzonerat
behavioral2/memory/3580-133-0x0000000002AD0000-0x0000000002C38000-memory.dmp	warzonerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	574e031a4747d5e6315b894f983d3001.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	574e031a4747d5e6315b894f983d3001.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	574e031a4747d5e6315b894f983d3001.exe
File opened for modification	C:\Users\Admin\Documents\Documents:ApplicationData	574e031a4747d5e6315b894f983d3001.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4012	powershell.exe
4012	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 4012	3580	574e031a4747d5e6315b894f983d3001.exe	82
PID 3580 wrote to memory of 4012	3580	574e031a4747d5e6315b894f983d3001.exe	82
PID 3580 wrote to memory of 4012	3580	574e031a4747d5e6315b894f983d3001.exe	82

C:\Users\Admin\AppData\Local\Temp\574e031a4747d5e6315b894f983d3001.exe
"C:\Users\Admin\AppData\Local\Temp\574e031a4747d5e6315b894f983d3001.exe"
1⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3580-132-0x0000000002C50000-0x0000000003650000-memory.dmp

Filesize
10.0MB

Download
memory/3580-133-0x0000000002AD0000-0x0000000002C38000-memory.dmp

Filesize
1.4MB

Download
memory/4012-140-0x0000000004990000-0x00000000049C6000-memory.dmp

Filesize
216KB

Download
memory/4012-141-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/4012-142-0x00000000050A0000-0x00000000050C2000-memory.dmp

Filesize
136KB

Download
memory/4012-143-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/4012-144-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4012-145-0x0000000005F70000-0x0000000005F8E000-memory.dmp

Filesize
120KB

Download
memory/4012-146-0x0000000006530000-0x0000000006562000-memory.dmp

Filesize
200KB

Download
memory/4012-147-0x000000006FB20000-0x000000006FB6C000-memory.dmp

Filesize
304KB

Download
memory/4012-148-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/4012-149-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/4012-150-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/4012-151-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/4012-152-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/4012-153-0x0000000007490000-0x000000000749E000-memory.dmp

Filesize
56KB

Download
memory/4012-154-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/4012-155-0x0000000007580000-0x0000000007588000-memory.dmp

Filesize
32KB

Download