warzonerat | fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8

Analysis

max time kernel
179s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 09:01

Target

b858a1f896ba459493486676e59af5ad.exe
Size

152KB
MD5

b858a1f896ba459493486676e59af5ad
SHA1

c8a0ba42f8076b5c2b0d4cd2e0e6225b509b9f0c
SHA256

fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8
SHA512

cab1bf9703921eba97b4686c03583ec8d27b6d8ba6b869e8be7983071d513c9ce1347a345f931365db214de3918e417f0c0c1fa35e5ec681b3a0ee7c59fd87c1
SSDEEP

3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF

Score

10^/10

Family

warzonerat

sdafsdffssffs.ydns.eu:6703

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

resource	yara_rule
behavioral2/files/0x000700000002320c-2.dat	BazaLoader

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002320c-2.dat	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
932	images.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 5004	2792	b858a1f896ba459493486676e59af5ad.exe	93
PID 2792 wrote to memory of 5004	2792	b858a1f896ba459493486676e59af5ad.exe	93
PID 2792 wrote to memory of 5004	2792	b858a1f896ba459493486676e59af5ad.exe	93
PID 2792 wrote to memory of 932	2792	b858a1f896ba459493486676e59af5ad.exe	95
PID 2792 wrote to memory of 932	2792	b858a1f896ba459493486676e59af5ad.exe	95
PID 2792 wrote to memory of 932	2792	b858a1f896ba459493486676e59af5ad.exe	95
PID 5004 wrote to memory of 2508	5004	cmd.exe	96
PID 5004 wrote to memory of 2508	5004	cmd.exe	96
PID 5004 wrote to memory of 2508	5004	cmd.exe	96
PID 932 wrote to memory of 5016	932	images.exe	97
PID 932 wrote to memory of 5016	932	images.exe	97
PID 932 wrote to memory of 5016	932	images.exe	97
PID 932 wrote to memory of 5016	932	images.exe	97
PID 932 wrote to memory of 5016	932	images.exe	97

C:\Users\Admin\AppData\Local\Temp\b858a1f896ba459493486676e59af5ad.exe
"C:\Users\Admin\AppData\Local\Temp\b858a1f896ba459493486676e59af5ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    3⤵
    PID:2508
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5016

C:\ProgramData\images.exe

Filesize
152KB

MD5
b858a1f896ba459493486676e59af5ad

SHA1
c8a0ba42f8076b5c2b0d4cd2e0e6225b509b9f0c

SHA256
fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8

SHA512
cab1bf9703921eba97b4686c03583ec8d27b6d8ba6b869e8be7983071d513c9ce1347a345f931365db214de3918e417f0c0c1fa35e5ec681b3a0ee7c59fd87c1

Download Submit
memory/5016-4-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download