warzonerat | 2582050d304d67e4d56ce15ca6f7376766875fb2e0bd7d655c1e6406d5204b6e

Analysis

max time kernel
144s
max time network
174s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:49

Target

235a58c841820f0f5db279dc3295d727.exe
Size

502KB
MD5

235a58c841820f0f5db279dc3295d727
SHA1

720864edb7b23bdb2c91202a0d5b050173e6b63d
SHA256

2582050d304d67e4d56ce15ca6f7376766875fb2e0bd7d655c1e6406d5204b6e
SHA512

77bf49f4ffb3a4dd7ef71bcf6f8c0ec59f1eeee25ffd0d8dd4bd4287674827a1720ace0ac044de80351a2cfe98bf1bbe37e51b532b6a5283eeaaa47e5e7c282f
SSDEEP

6144:HU89BqrGPBcwqh3SBN9JxJRRAqAgEDQs+BKvTftCpki1szFFullxln:HPOGPOELJ73AqPeXTcCZzFFull

Score

10^/10

Family

warzonerat

185.157.161.69:9494

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1736-2-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1736-5-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1736-6-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1736-7-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 1736	2504	235a58c841820f0f5db279dc3295d727.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2504	235a58c841820f0f5db279dc3295d727.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1736	2504	235a58c841820f0f5db279dc3295d727.exe	28
PID 2504 wrote to memory of 1736	2504	235a58c841820f0f5db279dc3295d727.exe	28
PID 2504 wrote to memory of 1736	2504	235a58c841820f0f5db279dc3295d727.exe	28
PID 2504 wrote to memory of 1736	2504	235a58c841820f0f5db279dc3295d727.exe	28
PID 2504 wrote to memory of 1736	2504	235a58c841820f0f5db279dc3295d727.exe	28

C:\Users\Admin\AppData\Local\Temp\235a58c841820f0f5db279dc3295d727.exe
"C:\Users\Admin\AppData\Local\Temp\235a58c841820f0f5db279dc3295d727.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\235a58c841820f0f5db279dc3295d727.exe
  "C:\Users\Admin\AppData\Local\Temp\235a58c841820f0f5db279dc3295d727.exe"
  2⤵
  PID:1736

memory/1736-2-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1736-5-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1736-6-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1736-7-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2504-3-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2504-9-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download