warzonerat | a62f162bb5c1b694e414d1da281b09e37ec87e7835ef6c72ce909bee39b29a39

Analysis

max time kernel
26s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26580b02825235c11789df19e4c989ed.exe
Size

338KB
MD5

26580b02825235c11789df19e4c989ed
SHA1

f44ed66c791c34c8b53b231050af6d0bdd75b1f8
SHA256

a62f162bb5c1b694e414d1da281b09e37ec87e7835ef6c72ce909bee39b29a39
SHA512

c3af5bae6a2e116e52401f05fac3f6de40e131543fa44aaeb6f36a87d8cb5241a92d8a0b20188b7780843cf316b44d253bb5864d8d68a6e8823e3f974f855ade
SSDEEP

6144:FIMLiqy54VEdd+bsnVEwp6AyHbgif0er3xErA8aB0i4H:FIPqyYI+b54Pif0NaB

Score

10^/10

warzonerat zgrat infostealer rat

Malware Config

Extracted

Family

warzonerat

byx.z86.ru:5200

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2508-6-0x0000000004FD0000-0x0000000005038000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-32-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-62-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-70-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-68-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-66-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-64-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-60-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-58-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-56-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-54-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-52-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-50-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-48-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-46-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-44-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-42-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-40-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-38-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-36-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-34-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-30-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-28-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-26-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-24-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-22-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-20-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-18-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-16-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-14-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-12-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-10-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-8-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1
behavioral1/memory/2508-7-0x0000000004FD0000-0x0000000005032000-memory.dmp	family_zgrat_v1

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2120-2014-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/2120-2021-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/1160-4047-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe
2508	26580b02825235c11789df19e4c989ed.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	26580b02825235c11789df19e4c989ed.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3000	2508	26580b02825235c11789df19e4c989ed.exe	34
PID 2508 wrote to memory of 3000	2508	26580b02825235c11789df19e4c989ed.exe	34
PID 2508 wrote to memory of 3000	2508	26580b02825235c11789df19e4c989ed.exe	34
PID 2508 wrote to memory of 3000	2508	26580b02825235c11789df19e4c989ed.exe	34
PID 2508 wrote to memory of 1980	2508	26580b02825235c11789df19e4c989ed.exe	33
PID 2508 wrote to memory of 1980	2508	26580b02825235c11789df19e4c989ed.exe	33
PID 2508 wrote to memory of 1980	2508	26580b02825235c11789df19e4c989ed.exe	33
PID 2508 wrote to memory of 1980	2508	26580b02825235c11789df19e4c989ed.exe	33
PID 2508 wrote to memory of 2136	2508	26580b02825235c11789df19e4c989ed.exe	32
PID 2508 wrote to memory of 2136	2508	26580b02825235c11789df19e4c989ed.exe	32
PID 2508 wrote to memory of 2136	2508	26580b02825235c11789df19e4c989ed.exe	32
PID 2508 wrote to memory of 2136	2508	26580b02825235c11789df19e4c989ed.exe	32
PID 2508 wrote to memory of 1740	2508	26580b02825235c11789df19e4c989ed.exe	31
PID 2508 wrote to memory of 1740	2508	26580b02825235c11789df19e4c989ed.exe	31
PID 2508 wrote to memory of 1740	2508	26580b02825235c11789df19e4c989ed.exe	31
PID 2508 wrote to memory of 1740	2508	26580b02825235c11789df19e4c989ed.exe	31
PID 2508 wrote to memory of 1720	2508	26580b02825235c11789df19e4c989ed.exe	30
PID 2508 wrote to memory of 1720	2508	26580b02825235c11789df19e4c989ed.exe	30
PID 2508 wrote to memory of 1720	2508	26580b02825235c11789df19e4c989ed.exe	30
PID 2508 wrote to memory of 1720	2508	26580b02825235c11789df19e4c989ed.exe	30
PID 2508 wrote to memory of 1984	2508	26580b02825235c11789df19e4c989ed.exe	29
PID 2508 wrote to memory of 1984	2508	26580b02825235c11789df19e4c989ed.exe	29
PID 2508 wrote to memory of 1984	2508	26580b02825235c11789df19e4c989ed.exe	29
PID 2508 wrote to memory of 1984	2508	26580b02825235c11789df19e4c989ed.exe	29
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28
PID 2508 wrote to memory of 2120	2508	26580b02825235c11789df19e4c989ed.exe	28

C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
"C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:2120
- - C:\ProgramData\svchost.exe
    "C:\ProgramData\svchost.exe"
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
    3⤵
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  C:\Users\Admin\AppData\Local\Temp\26580b02825235c11789df19e4c989ed.exe
  2⤵
  PID:3000

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
1⤵
PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
77KB

MD5
1110f625f84d74a41b9908d59cb2c57f

SHA1
85e459e6e46ba9e721d7387a38b31894e71f1f60

SHA256
7c9d27ae7c9ebf71a799441e1a022eaa0975c24f894f0c53c0c8c8d1b1371450

SHA512
9d3f11de7a93311e11f2de6277b8fcbd740c84fce285eb9f83ea18bb63a0c9105b944064a2038f74706672b290eda468b04b35e34ecee2206b73ba31036a0cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
136KB

MD5
1ef60e2aaa612ab33d9b98ec3f07240c

SHA1
12a0027d6b7d18b9d4cc99c813eec773bedea17d

SHA256
944104794b4bd6230b3578a8ef55f07f49f64b8245bbca53c9ac495d6836f4f1

SHA512
8fd94899007ce04c73056f5e881d0f72e5eab287baef19c332df748d044b8d911357e0754fb4feefe03a3bf7eace480eac731a0b833a39bb3a329017736caeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
67KB

MD5
4721863849b1482621b64157b68322f5

SHA1
753f310f0ac22a2e1cac257f322b9d799b2c3221

SHA256
562c5e1662d3044285acea238dc85141ef595be0497e00ab086dd9111d1f770e

SHA512
1cbff215efa57655ddc598c3ac2cb716bc5b8ec2867772e3adfa9980206c709c2fd4fddb3cd479c6cf6a279764e7607d6399619cbce30cee8905ab67afca7e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
45KB

MD5
d173b5fed9f861c846d8f2189f9cacc0

SHA1
ce2084b6526241231328ad9485f42bdc6bbca22f

SHA256
879ac84914fc7fbc22a20172d6b33bb10a5e99c71809e56e818ae1dc690eeac9

SHA512
3be7076a95f36351bcd76517a8c5e2e31c33c8be6a33f7a211bf9732e1054739cee57ba9e22cb128e992370cb89807c2716b823d1528435e48378701d5fff783

Download Submit
\ProgramData\svchost.exe

Filesize
26KB

MD5
6c8fa3d67a6b33e8b25ccb8fb8abc0a3

SHA1
3f2382102d7f082229432bb0212d757fe8e4a625

SHA256
2c326c5513eaf4811b3b5eb7c613327027afe5439e2e91fe83abb1ada731c5ac

SHA512
4735acaec37e850e9c45f9f4a374a9463a4e5b472f44b30598c5c39c104c9384909513142e1e8402a180a8954076f1eb562f0b542b23eea26179b2f0d6bd4022

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
7KB

MD5
7a61e768c7e800c3e2e88c8804bfdc9c

SHA1
5fade9c1a32c9267c7c473bcdfaa2d01c73536c4

SHA256
2570e6e72625958e9227b552a2778046d44d65138f2e8ec34587ff1de516ef3c

SHA512
87c9f3ba7667d6dfde42709da8dd101ca40ae583027b08dd22e5aa020e100a1727cb98525b5fa517b4012b2bb63908cb8c3a4eafa808e375bd7edd078fbeff37

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
24KB

MD5
83b99e9ab74a5376cd51ceb52e9e97a9

SHA1
863d9ce65a15bebd10af551934b5a6ebfd87f2b5

SHA256
7bfb2bf401072049cd52cfbaaeee872db65b93f21e511791a858eac2a92e45b1

SHA512
029e3bb69ece0d9a968eae8a7221bd6f0bee0ab65b35303689cd7ed2bc1b9a2535298109cdb651b4b130dece29ef0f0da101c268bf1288e15e46393991597a7d

Download Submit
memory/1160-4054-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1160-4047-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2120-2014-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2120-2021-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2508-24-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-14-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-56-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-54-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-52-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-50-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-48-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-46-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-44-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-42-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-40-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-38-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-36-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-34-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-30-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-28-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-26-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-766-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/2508-0-0x0000000000270000-0x00000000002CA000-memory.dmp

Filesize
360KB

Download
memory/2508-22-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-20-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-18-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-16-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-58-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-12-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-10-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-8-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-7-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-5-0x0000000004BF0000-0x0000000004C42000-memory.dmp

Filesize
328KB

Download
memory/2508-60-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-2013-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-2-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/2508-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-64-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-66-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-68-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-4-0x0000000001ED0000-0x0000000001F22000-memory.dmp

Filesize
328KB

Download
memory/2508-6-0x0000000004FD0000-0x0000000005038000-memory.dmp

Filesize
416KB

Download
memory/2508-70-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-62-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2508-32-0x0000000004FD0000-0x0000000005032000-memory.dmp

Filesize
392KB

Download
memory/2884-4045-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-2026-0x00000000041F0000-0x0000000004242000-memory.dmp

Filesize
328KB

Download
memory/2884-2025-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-2022-0x0000000000D90000-0x0000000000DEA000-memory.dmp

Filesize
360KB

Download
memory/2884-2023-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-2024-0x0000000004240000-0x0000000004280000-memory.dmp

Filesize
256KB

Download