warzonerat | ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b

Analysis

max time kernel
72s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
Size

193KB
MD5

53622e61772d39cd6868b89aaabb8249
SHA1

97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b
SHA256

ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b
SHA512

1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95
SSDEEP

6144:QkdnyRSXGwbtZt2hP4hY9eII6cuH58KCNRJynB:Q3SXt5E4hoeEdmV+

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

46.183.222.62:5353

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3572-137-0x0000000000500000-0x000000000065C000-memory.dmp	warzonerat
behavioral1/memory/3572-143-0x0000000000500000-0x000000000065C000-memory.dmp	warzonerat
behavioral1/memory/3572-148-0x0000000000500000-0x000000000065C000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

description	pid	process	target process
PID 3812 set thread context of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2996 3572 WerFault.exe ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

pid	pid_target	process	target process
2996	3572	WerFault.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

description	pid	process	target process
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
PID 3812 wrote to memory of 3572	3812	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe	ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

C:\Users\Admin\AppData\Local\Temp\ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
"C:\Users\Admin\AppData\Local\Temp\ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe
"C:\Users\Admin\AppData\Local\Temp\ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe"
2⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 544
3⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3572 -ip 3572
1⤵
PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3572-137-0x0000000000500000-0x000000000065C000-memory.dmp

Filesize
1.4MB

Download
memory/3572-143-0x0000000000500000-0x000000000065C000-memory.dmp

Filesize
1.4MB

Download
memory/3572-148-0x0000000000500000-0x000000000065C000-memory.dmp

Filesize
1.4MB

Download
memory/3812-133-0x0000000000910000-0x0000000000946000-memory.dmp

Filesize
216KB

Download
memory/3812-134-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/3812-135-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download