warzonerat | 5bc9f5fd6836473b7e1d9fd66cde0f1e03fec54dfebec3f54a0d3cc9a342fa1e

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 08:31

Target

743744c130f46095b187c8793f53c126.exe
Size

761KB
MD5

743744c130f46095b187c8793f53c126
SHA1

218a25fea52fb236aedb6afc32c377028c4d8fe5
SHA256

5bc9f5fd6836473b7e1d9fd66cde0f1e03fec54dfebec3f54a0d3cc9a342fa1e
SHA512

2f1b63645d97e0bb98133318c07c974cf1f5773af896a2368fad9020705d89390920dc627bf54c18fe32043aec86691f1d642c35e3bd36d9b2952b4b85f55321
SSDEEP

12288:nRpzc3VfVeg3HCEHL72C9mIzUewRTCFMKQ26BdTxbWig1GO4l0tC2+6hMvCO2Ps9:nErHLyC9mIzUewRTCFvQ26TlWig1w2tl

Score

10^/10

Family

warzonerat

162.216.47.148:59226

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2300-5-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2300-8-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2300-10-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2300-11-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 2300	228	743744c130f46095b187c8793f53c126.exe	91

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91
PID 228 wrote to memory of 2300	228	743744c130f46095b187c8793f53c126.exe	91

C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe
"C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe
  "C:\Users\Admin\AppData\Local\Temp\743744c130f46095b187c8793f53c126.exe"
  2⤵
  PID:2300

memory/228-0-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/228-1-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/228-2-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/228-3-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/228-4-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/228-9-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/2300-5-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2300-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2300-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2300-11-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download