warzonerat | 56966c8c118c536a8d7e82b72628d20b57663671e7c984875c9e8fb1830c74c6

Analysis

max time kernel
240s
max time network
270s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0ec54c74e0a28d4535b46b144879d6.exe
Size

788KB
MD5

1b0ec54c74e0a28d4535b46b144879d6
SHA1

e181873e0abdce5c0d2c68ccd292a7ec8a852770
SHA256

56966c8c118c536a8d7e82b72628d20b57663671e7c984875c9e8fb1830c74c6
SHA512

d77a4f1235c43961fc3da307a24ede1b38a36972b5850c901c68615eeb637ddb770d7dd5cbeb96c143031303b3ac3d51f9f597562a807bb2488811c0ba01d04d
SSDEEP

12288:ieRdSG6MzldfqLi6xLpkaqCOmxi1xsfFPmwW:B6w/fqL/GCOmQ1xsfC

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

ugob.ddns.net:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/1480-17-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-14-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-20-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-13-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-23-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-24-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1480-31-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 6 IoCs

pid	Process
796	images.exe
1972	images.exe
1364	images.exe
1540	images.exe
1844	images.exe
2000	images.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	1b0ec54c74e0a28d4535b46b144879d6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2800	1b0ec54c74e0a28d4535b46b144879d6.exe
2800	1b0ec54c74e0a28d4535b46b144879d6.exe
2800	1b0ec54c74e0a28d4535b46b144879d6.exe
2800	1b0ec54c74e0a28d4535b46b144879d6.exe
2800	1b0ec54c74e0a28d4535b46b144879d6.exe
2932	powershell.exe
796	images.exe
796	images.exe
796	images.exe
796	images.exe
796	images.exe
796	images.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	1b0ec54c74e0a28d4535b46b144879d6.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	796	images.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 548	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	27
PID 2800 wrote to memory of 548	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	27
PID 2800 wrote to memory of 548	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	27
PID 2800 wrote to memory of 548	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	27
PID 2800 wrote to memory of 748	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	28
PID 2800 wrote to memory of 748	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	28
PID 2800 wrote to memory of 748	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	28
PID 2800 wrote to memory of 748	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	28
PID 2800 wrote to memory of 1464	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	29
PID 2800 wrote to memory of 1464	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	29
PID 2800 wrote to memory of 1464	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	29
PID 2800 wrote to memory of 1464	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	29
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 2800 wrote to memory of 1480	2800	1b0ec54c74e0a28d4535b46b144879d6.exe	30
PID 1480 wrote to memory of 2932	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	31
PID 1480 wrote to memory of 2932	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	31
PID 1480 wrote to memory of 2932	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	31
PID 1480 wrote to memory of 2932	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	31
PID 1480 wrote to memory of 796	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	32
PID 1480 wrote to memory of 796	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	32
PID 1480 wrote to memory of 796	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	32
PID 1480 wrote to memory of 796	1480	1b0ec54c74e0a28d4535b46b144879d6.exe	32
PID 796 wrote to memory of 1972	796	images.exe	34
PID 796 wrote to memory of 1972	796	images.exe	34
PID 796 wrote to memory of 1972	796	images.exe	34
PID 796 wrote to memory of 1972	796	images.exe	34
PID 796 wrote to memory of 1364	796	images.exe	35
PID 796 wrote to memory of 1364	796	images.exe	35
PID 796 wrote to memory of 1364	796	images.exe	35
PID 796 wrote to memory of 1364	796	images.exe	35
PID 796 wrote to memory of 1540	796	images.exe	38
PID 796 wrote to memory of 1540	796	images.exe	38
PID 796 wrote to memory of 1540	796	images.exe	38
PID 796 wrote to memory of 1540	796	images.exe	38
PID 796 wrote to memory of 1844	796	images.exe	37
PID 796 wrote to memory of 1844	796	images.exe	37
PID 796 wrote to memory of 1844	796	images.exe	37
PID 796 wrote to memory of 1844	796	images.exe	37
PID 796 wrote to memory of 2000	796	images.exe	36
PID 796 wrote to memory of 2000	796	images.exe	36
PID 796 wrote to memory of 2000	796	images.exe	36
PID 796 wrote to memory of 2000	796	images.exe	36

C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
"C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
  2⤵
  PID:548
- C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
  2⤵
  PID:748
- C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
  2⤵
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:1972
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:1364
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:1844
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:1540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
788KB

MD5
1b0ec54c74e0a28d4535b46b144879d6

SHA1
e181873e0abdce5c0d2c68ccd292a7ec8a852770

SHA256
56966c8c118c536a8d7e82b72628d20b57663671e7c984875c9e8fb1830c74c6

SHA512
d77a4f1235c43961fc3da307a24ede1b38a36972b5850c901c68615eeb637ddb770d7dd5cbeb96c143031303b3ac3d51f9f597562a807bb2488811c0ba01d04d

Download Submit
C:\ProgramData\images.exe

Filesize
475KB

MD5
59eef7e656132e1f249d41cbb550a3a3

SHA1
705c0dfa85d3658884288c5dc30052b951770bb0

SHA256
3526ff2b0fd509b780e6fc32296e4dfc88352d01235639ede406535a10add9e4

SHA512
6cd8a77bc2aa2de3050662b6e3674aca19c0672526edb3e1291cfa71043752571a0f2617264558c0cf5b2ca4052c1547c605575d999e3fe6bdfbc53bc854af0d

Download Submit
memory/796-52-0x0000000073DA0000-0x000000007448E000-memory.dmp

Filesize
6.9MB

Download
memory/796-43-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/796-42-0x0000000073DA0000-0x000000007448E000-memory.dmp

Filesize
6.9MB

Download
memory/796-34-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/796-33-0x00000000001E0000-0x00000000002AC000-memory.dmp

Filesize
816KB

Download
memory/796-32-0x0000000073DA0000-0x000000007448E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-12-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1480-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-20-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-13-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-23-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-31-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1480-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2800-22-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-0-0x00000000000A0000-0x000000000016C000-memory.dmp

Filesize
816KB

Download
memory/2800-7-0x00000000005E0000-0x0000000000604000-memory.dmp

Filesize
144KB

Download
memory/2800-6-0x00000000041D0000-0x000000000422A000-memory.dmp

Filesize
360KB

Download
memory/2800-5-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2800-1-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-2-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2800-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2800-4-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-41-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/2932-40-0x000000006F100000-0x000000006F6AB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-39-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/2932-44-0x000000006F100000-0x000000006F6AB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-45-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/2932-46-0x000000006F100000-0x000000006F6AB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-38-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/2932-37-0x000000006F100000-0x000000006F6AB000-memory.dmp

Filesize
5.7MB

Download