warzonerat | 56966c8c118c536a8d7e82b72628d20b57663671e7c984875c9e8fb1830c74c6

Analysis

max time kernel
211s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0ec54c74e0a28d4535b46b144879d6.exe
Size

788KB
MD5

1b0ec54c74e0a28d4535b46b144879d6
SHA1

e181873e0abdce5c0d2c68ccd292a7ec8a852770
SHA256

56966c8c118c536a8d7e82b72628d20b57663671e7c984875c9e8fb1830c74c6
SHA512

d77a4f1235c43961fc3da307a24ede1b38a36972b5850c901c68615eeb637ddb770d7dd5cbeb96c143031303b3ac3d51f9f597562a807bb2488811c0ba01d04d
SSDEEP

12288:ieRdSG6MzldfqLi6xLpkaqCOmxi1xsfFPmwW:B6w/fqL/GCOmQ1xsfC

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

ugob.ddns.net:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3572-12-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3572-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3572-17-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3572-18-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4744 set thread context of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4744	1b0ec54c74e0a28d4535b46b144879d6.exe
4744	1b0ec54c74e0a28d4535b46b144879d6.exe
4744	1b0ec54c74e0a28d4535b46b144879d6.exe
4744	1b0ec54c74e0a28d4535b46b144879d6.exe
4744	1b0ec54c74e0a28d4535b46b144879d6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	1b0ec54c74e0a28d4535b46b144879d6.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4944	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	100
PID 4744 wrote to memory of 4944	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	100
PID 4744 wrote to memory of 4944	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	100
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101
PID 4744 wrote to memory of 3572	4744	1b0ec54c74e0a28d4535b46b144879d6.exe	101

C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
"C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
  2⤵
  PID:4944
- C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1b0ec54c74e0a28d4535b46b144879d6.exe"
  2⤵
  PID:3572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3572-12-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3572-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3572-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3572-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4744-4-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4744-5-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/4744-6-0x0000000005050000-0x000000000506C000-memory.dmp

Filesize
112KB

Download
memory/4744-7-0x00000000062A0000-0x000000000633C000-memory.dmp

Filesize
624KB

Download
memory/4744-8-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4744-9-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4744-10-0x0000000000CB0000-0x0000000000D0A000-memory.dmp

Filesize
360KB

Download
memory/4744-11-0x0000000000D50000-0x0000000000D74000-memory.dmp

Filesize
144KB

Download
memory/4744-1-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4744-15-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4744-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/4744-2-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/4744-0-0x00000000003C0000-0x000000000048C000-memory.dmp

Filesize
816KB

Download