warzonerat | 5bc9f5fd6836473b7e1d9fd66cde0f1e03fec54dfebec3f54a0d3cc9a342fa1e

General

Target

743744c130f46095b187c8793f53c126.exe
Size

761KB
MD5

743744c130f46095b187c8793f53c126
SHA1

218a25fea52fb236aedb6afc32c377028c4d8fe5
SHA256

5bc9f5fd6836473b7e1d9fd66cde0f1e03fec54dfebec3f54a0d3cc9a342fa1e
SHA512

2f1b63645d97e0bb98133318c07c974cf1f5773af896a2368fad9020705d89390920dc627bf54c18fe32043aec86691f1d642c35e3bd36d9b2952b4b85f55321
SSDEEP

12288:nRpzc3VfVeg3HCEHL72C9mIzUewRTCFMKQ26BdTxbWig1GO4l0tC2+6hMvCO2Ps9:nErHLyC9mIzUewRTCFvQ26TlWig1w2tl

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

162.216.47.148:59226

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2720-9-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-14-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-11-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-10-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-8-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-18-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2720-19-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 2720	1776	743744c130f46095b187c8793f53c126.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1776	743744c130f46095b187c8793f53c126.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	743744c130f46095b187c8793f53c126.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2800	1776	743744c130f46095b187c8793f53c126.exe	28
PID 1776 wrote to memory of 2800	1776	743744c130f46095b187c8793f53c126.exe	28
PID 1776 wrote to memory of 2800	1776	743744c130f46095b187c8793f53c126.exe	28
PID 1776 wrote to memory of 2800	1776	743744c130f46095b187c8793f53c126.exe	28
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29
PID 1776 wrote to memory of 2720	1776	743744c130f46095b187c8793f53c126.exe	29

C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe
"C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe
  "C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe"
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe
  "C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe"
  2⤵
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-0-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-1-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1776-2-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-4-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1776-3-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-17-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-9-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-6-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-11-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-5-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-7-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2720-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing