warzonerat | 366d56c69b0267ee6ac2a27cc199911123ed7f511d3e54ac1c69f52236644e84

Resubmissions

22-03-2023 20:25

230322-y69l1sdb4s 10

Analysis

max time kernel
129s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KR22190.xlsx.exe
Size

1.3MB
MD5

edc4d988e087a9a91f13d19df5dc7b00
SHA1

716697f5e6e8c3b453ef06feea4aadf581f1929e
SHA256

366d56c69b0267ee6ac2a27cc199911123ed7f511d3e54ac1c69f52236644e84
SHA512

eb0cf37543a8370e33ef76a9fb45f4143a90d841178b4a23cf16d65831f69b37e54e165b62afdbde61727ce66f0bc9b57e1e4138fd1c218ae6866458ba3fedc2
SSDEEP

12288:Uw7JF3ADz1KGRbItXhuWw3L/2TN3SBP8WYXhuFvpmeFM8jdfA3zpWSzOgj:UqaIM72BiBUWFg0Mihm4Szr

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

45.137.116.170:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1472-65-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1472-66-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1472-67-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1472-68-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1472-70-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1472-72-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1472-73-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

KR22190.xlsx.exe

description pid process target process

PID 1376 set thread context of 1472 1376 KR22190.xlsx.exe KR22190.xlsx.exe

description	pid	process	target process
PID 1376 set thread context of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

KR22190.xlsx.exe

description	pid	process	target process
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe
PID 1376 wrote to memory of 1472	1376	KR22190.xlsx.exe	KR22190.xlsx.exe

C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe"
2⤵
PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-54-0x0000000000DF0000-0x0000000000F48000-memory.dmp

Filesize
1.3MB

Download
memory/1376-55-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/1376-56-0x0000000000530000-0x000000000054A000-memory.dmp

Filesize
104KB

Download
memory/1376-57-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/1376-58-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1376-59-0x0000000007E40000-0x0000000007EF0000-memory.dmp

Filesize
704KB

Download
memory/1376-60-0x0000000000D10000-0x0000000000D16000-memory.dmp

Filesize
24KB

Download
memory/1376-61-0x00000000044E0000-0x0000000004518000-memory.dmp

Filesize
224KB

Download
memory/1472-62-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-63-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-65-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-66-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-67-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-64-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-68-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1472-70-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-72-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1472-73-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download