warzonerat | 3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f983d8647b0ea9e6f71bd1736a983d.exe
Size

98KB
MD5

58f983d8647b0ea9e6f71bd1736a983d
SHA1

6e6285384012ae45de920c7156731f2a1ff63545
SHA256

3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105
SHA512

4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e
SSDEEP

1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

4.tcp.eu.ngrok.io:18570

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\ProgramData\images.exe	warzonerat
\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1116 images.exe
Loads dropped DLL 2 IoCs

Processes:

58f983d8647b0ea9e6f71bd1736a983d.exe

pid process

1480 58f983d8647b0ea9e6f71bd1736a983d.exe
1480 58f983d8647b0ea9e6f71bd1736a983d.exe

pid	process
1116	images.exe

pid	process
1480	58f983d8647b0ea9e6f71bd1736a983d.exe
1480	58f983d8647b0ea9e6f71bd1736a983d.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

58f983d8647b0ea9e6f71bd1736a983d.exeimages.exe

description	pid	process	target process
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	images.exe
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	images.exe
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	images.exe
PID 1480 wrote to memory of 1116	1480	58f983d8647b0ea9e6f71bd1736a983d.exe	images.exe
PID 1116 wrote to memory of 320	1116	images.exe	cmd.exe
PID 1116 wrote to memory of 320	1116	images.exe	cmd.exe
PID 1116 wrote to memory of 320	1116	images.exe	cmd.exe
PID 1116 wrote to memory of 320	1116	images.exe	cmd.exe
PID 1116 wrote to memory of 320	1116	images.exe	cmd.exe
PID 1116 wrote to memory of 320	1116	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe
"C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
C:\ProgramData\images.exe
Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
\ProgramData\images.exe
Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
\ProgramData\images.exe
Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
memory/320-60-0x0000000000000000-mapping.dmp

Download
memory/320-61-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1116-57-0x0000000000000000-mapping.dmp

Download
memory/1480-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download