warzonerat | 3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

Analysis

max time kernel
138s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 19:25

Target

58f983d8647b0ea9e6f71bd1736a983d.exe
Size

98KB
MD5

58f983d8647b0ea9e6f71bd1736a983d
SHA1

6e6285384012ae45de920c7156731f2a1ff63545
SHA256

3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105
SHA512

4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e
SSDEEP

1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG

Score

10^/10

Family

warzonerat

4.tcp.eu.ngrok.io:18570

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000022e69-134.dat	warzonerat
behavioral2/files/0x0006000000022e69-133.dat	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
3672	images.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3672	4804	58f983d8647b0ea9e6f71bd1736a983d.exe	82
PID 4804 wrote to memory of 3672	4804	58f983d8647b0ea9e6f71bd1736a983d.exe	82
PID 4804 wrote to memory of 3672	4804	58f983d8647b0ea9e6f71bd1736a983d.exe	82
PID 3672 wrote to memory of 3748	3672	images.exe	83
PID 3672 wrote to memory of 3748	3672	images.exe	83
PID 3672 wrote to memory of 3748	3672	images.exe	83
PID 3672 wrote to memory of 3748	3672	images.exe	83
PID 3672 wrote to memory of 3748	3672	images.exe	83

C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe
"C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3748

C:\ProgramData\images.exe

Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
C:\ProgramData\images.exe

Filesize
98KB

MD5
58f983d8647b0ea9e6f71bd1736a983d

SHA1
6e6285384012ae45de920c7156731f2a1ff63545

SHA256
3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105

SHA512
4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e

Download Submit
memory/3748-136-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download