warzonerat | eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tes1.exe
Size

132KB
MD5

b77ff60d464d3aa97d0432680c468bf5
SHA1

9523926751ef97005e7c87beac04ef74ba353fe2
SHA256

eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797
SHA512

699bb186b2859460d86ce1cff238665ecb3ed27291e7f8c2d85632e98596a0e31b186096e5fd1d3c77d52b3e5e029f0aa0f0f2a81e20ee8d79010d32627984ac
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat discovery infostealer rat

Malware Config

Extracted

Family

warzonerat

194.59.30.96:7771

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\Documents\images.exe	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2524 images.exe
Loads dropped DLL 2 IoCs

Processes:

tes1.exe

pid process

2504 tes1.exe
2504 tes1.exe

pid	process
2524	images.exe

pid	process
2504	tes1.exe
2504	tes1.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tes1.exeimages.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tes1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tes1.exe

description	pid	process	target process
PID 2504 wrote to memory of 2524	2504	tes1.exe	images.exe
PID 2504 wrote to memory of 2524	2504	tes1.exe	images.exe
PID 2504 wrote to memory of 2524	2504	tes1.exe	images.exe
PID 2504 wrote to memory of 2524	2504	tes1.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\tes1.exe
"C:\Users\Admin\AppData\Local\Temp\tes1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\Documents\images.exe
"C:\Users\Admin\Documents\images.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Documents\images.exe
Filesize
132KB

MD5
b77ff60d464d3aa97d0432680c468bf5

SHA1
9523926751ef97005e7c87beac04ef74ba353fe2

SHA256
eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797

SHA512
699bb186b2859460d86ce1cff238665ecb3ed27291e7f8c2d85632e98596a0e31b186096e5fd1d3c77d52b3e5e029f0aa0f0f2a81e20ee8d79010d32627984ac

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads