warzonerat | 3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f983d8647b0ea9e6f71bd1736a983d.exe
Size

98KB
MD5

58f983d8647b0ea9e6f71bd1736a983d
SHA1

6e6285384012ae45de920c7156731f2a1ff63545
SHA256

3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105
SHA512

4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e
SSDEEP

1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

4.tcp.eu.ngrok.io:18570

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000014930-55.dat	warzonerat
behavioral1/files/0x0007000000014930-56.dat	warzonerat
behavioral1/files/0x0007000000014930-58.dat	warzonerat
behavioral1/files/0x0007000000014930-62.dat	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
1116	images.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	58f983d8647b0ea9e6f71bd1736a983d.exe
1480	58f983d8647b0ea9e6f71bd1736a983d.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	27
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	27
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	27
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	27
PID 1116 wrote to memory of 320	1116	images.exe	28
PID 1116 wrote to memory of 320	1116	images.exe	28
PID 1116 wrote to memory of 320	1116	images.exe	28
PID 1116 wrote to memory of 320	1116	images.exe	28
PID 1116 wrote to memory of 320	1116	images.exe	28
PID 1116 wrote to memory of 320	1116	images.exe	28

C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe
"C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
C:\ProgramData\images.exe

Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
\ProgramData\images.exe

Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
\ProgramData\images.exe

Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
memory/320-61-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1480-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads