warzonerat | 576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9

General

Target

576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
Size

51KB
MD5

5ceda99abca552519e012a36d2e371cb
SHA1

81c2b36ab581339d7c1f96ba53c81023830dcef5
SHA256

576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9
SHA512

4a4e9f01d86f491957edb92eefa2db3b36d37df1f20bfabd59b27b86d4e9a6f8187c58b40e0615cf7bc50bcd1aaa462d8ce1384251ec5be96834168d7fceb22b
SSDEEP

768:oS8FZ30G5Crd40w728IshC1Kjb4PLknyS2v4MqHQejfmHj:ohZ3ekCKoPLknyS84W3Hj

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

198.50.128.23:16276

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/568-63-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/568-64-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/568-65-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/568-66-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/568-68-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/568-70-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/568-71-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28
PID 1476 wrote to memory of 568	1476	576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe	28

C:\Users\Admin\AppData\Local\Temp\576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
"C:\Users\Admin\AppData\Local\Temp\576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe
  "C:\Users\Admin\AppData\Local\Temp\576c2ce07b215f9383f2935f906c523c0ac58a46239795af08d8c2eca9263ec9.exe"
  2⤵
  PID:568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/568-65-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-71-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-70-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-68-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-60-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-66-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-64-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-63-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-62-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/568-61-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1476-55-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/1476-54-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download
memory/1476-59-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1476-57-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/1476-56-0x0000000004C50000-0x0000000004CAA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing