warzonerat | 0e56b689196e7f1ddef9fad8cc6db33ba3bcc529b1ddb9cd5940ae206289d667

Analysis

max time kernel
148s
max time network
162s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 14:09

Target

SSexeexeexe.exe
Size

174KB
MD5

b682e3dc1f18c1131f75ff8582aa5703
SHA1

3469dd3c70a3ee99ece17b22b4ffe01ed806404a
SHA256

0e56b689196e7f1ddef9fad8cc6db33ba3bcc529b1ddb9cd5940ae206289d667
SHA512

7d279f652bd1817d5d5a0330865c1ab04b11c7597515120756d2db7ef97e37c2628d9790ed843d94744b602dba73346bea8542ab384209b4e93a172c2b206465
SSDEEP

3072:68MvVo31JZfOQtO9PD6vl7fIkWEffn9ne2+6TKXeB5AlckP+tL/uZwfkR:68MvqIL6vl7fIkWK9eXC5AakP+tL/uZf

Score

10^/10

Family

warzonerat

193.42.32.191:8282

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/1708-60-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1708-61-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1708-62-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1708-63-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1708-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1708-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1708-69-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 1708	1116	SSexeexeexe.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28
PID 1116 wrote to memory of 1708	1116	SSexeexeexe.exe	28

C:\Users\Admin\AppData\Local\Temp\SSexeexeexe.exe
"C:\Users\Admin\AppData\Local\Temp\SSexeexeexe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1708

memory/1116-54-0x0000000001050000-0x0000000001080000-memory.dmp

Filesize
192KB

Download
memory/1116-55-0x0000000000670000-0x0000000000692000-memory.dmp

Filesize
136KB

Download
memory/1116-56-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/1116-64-0x000000001BD00000-0x000000001BD80000-memory.dmp

Filesize
512KB

Download
memory/1708-60-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-59-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-58-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-61-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-62-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-63-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-57-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1708-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-69-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download