Overview

overview

10

Static

static

10

WARZONE RA...ed.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    583s
  • max time network
    444s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-01-2025 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WARZONE RAT 2.70 POISON/Warzone Cracked.exe

  • Size

    529KB

  • MD5

    fc2dabf299a9b53c9176eea0888d171c

  • SHA1

    7956711f178354c0c38f479c7e9ef4a15a7c42c2

  • SHA256

    52b24b6304c986495bf28f660d507a2bc8a618e63b61c333641f930d9c2db7b9

  • SHA512

    7d507647c1a63eb6d5cb1c1dd03e17c3cdfab4c11dc66f4a832f5ad1fe0dbb78ed4c1bf88eb60750a2d58354ec2e426873ba0e795b8ae085fd4ea63b7fbde82e

  • SSDEEP

    6144:Rgf3v7Q4h9GgpTwEbb47QVwyGkuQwTxPz8NuftbwJTw0b:RK3v7QopEaHGkTsPz8NIOEK

Score
10/10
warzoneratdiscoveryinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

127.0.0.1:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 2 IoCs
    rat
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\Warzone Cracked.exe
      "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\Warzone Cracked.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\WARZONE RAT - HIDDEN POISON 2.70.exe
        "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\WARZONE RAT - HIDDEN POISON 2.70.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1452
      • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\Injector\Inject.exe
        "Injector\Inject.exe" -m Main -i "Injector\Warzone.Loader.dll" -l Cortex.Loader -a "jebac bydgoszcz" -n "WARZONE RAT - HIDDEN POISON 2.70.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2776
      • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\Injector\Inject.exe
        "Injector\Inject.exe" -m Main -i "Injector\Warzone.Loader.dll" -l Cortex.Loader -a "jebac bydgoszcz" -n "WARZONE RAT - HIDDEN POISON 2.70.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3888
      • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\Injector\Inject.exe
        "Injector\Inject.exe" -m Main -i "Injector\Warzone.Loader.dll" -l Cortex.Loader -a "jebac bydgoszcz" -n "WARZONE RAT - HIDDEN POISON 2.70.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3256
    • C:\Users\Admin\Videos\rat.exe
      "C:\Users\Admin\Videos\rat.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:244
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3804
    • C:\Users\Admin\Videos\babad.exe
      "C:\Users\Admin\Videos\babad.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
    • C:\Users\Admin\Videos\babad.exe
      "C:\Users\Admin\Videos\babad.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1164
    • C:\Users\Admin\Videos\rat.exe
      "C:\Users\Admin\Videos\rat.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4248
    • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\WARZONE RAT - HIDDEN POISON 2.70.exe
      "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\WARZONE RAT - HIDDEN POISON 2.70.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:888
    • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\WARZONE RAT - HIDDEN POISON 2.70.exe
      "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 2.70 POISON\WARZONE RAT - HIDDEN POISON 2.70.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3560
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3936
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:380
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:2956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WARZONE RAT - HIDDEN POISON 2.70.exe.log
      Filesize

      1KB

      MD5

      6c3817f08fe9da050530e18a933b0b4c

      SHA1

      1cdce7922de0e3f80c7606910e9b74841f4f7d64

      SHA256

      4870d40f8a4c75bdc7316ce4674654e4e20c999723a4a18c75a2521edcfe0998

      SHA512

      37478726fb63f7e4a38377b26267d610418c373c93eb3c7efc7233cec487bcfc393033a1598c75fa7e0868e0f26b32702e1bbd07e7abbe56b6e78ef3c813cecf

      Download Submit

    • C:\Users\Admin\Videos\babad.exe
      Filesize

      152KB

      MD5

      385ff7073c515eef3fa2f5c6aae48d0a

      SHA1

      0a2ad277fc9e773b1a12d41186c27b95d13ee374

      SHA256

      3ceb6eabd53b972fe6346ec6a16ab2c1d2f03b09a6db5cdeac1c7b6b5d7bcaf2

      SHA512

      604ba1abcae80871d7d1717a68bd817c5cab1323ee3e15f1d94ed82a0f957e859f56f07e317499eb612b90ed27af8a6ef580b040b65632ad0997776cbe7c3adf

      Download Submit

    • C:\Users\Admin\Videos\rat.exe
      Filesize

      152KB

      MD5

      88cf1e14d8798c8f788724bd8a047d53

      SHA1

      c5b255680ceb5c604f61b0cecd9f41af9bf3efa3

      SHA256

      cea69a5d0c2d088fea8d65e6f7ba28edcaa58bbc5bf0f86b803025b03c739914

      SHA512

      1d461597d099fb2c628fee5077ce2707f8e083b062489f2c1c1e5f1ab7bcfd9fdb9019b3cd67d89067d147d8e26a789c023bf7f8bff2fc785f3742e033eb1b2f

      Download Submit

    • memory/404-3-0x00000000050D0000-0x0000000005162000-memory.dmp

      Filesize

      584KB

      Download

    • memory/404-4-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/404-5-0x00000000051D0000-0x00000000051DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/404-6-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/404-15-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/404-2-0x0000000005680000-0x0000000005C26000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/404-1-0x00000000004F0000-0x000000000057A000-memory.dmp

      Filesize

      552KB

      Download

    • memory/404-59-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/404-12-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/888-92-0x0000000008C90000-0x0000000008E08000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1452-39-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-47-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-16-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-17-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-18-0x000000000C150000-0x000000000C1B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1452-19-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-20-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-21-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-22-0x0000000008050000-0x0000000008056000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1452-23-0x0000000008C50000-0x0000000008C56000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1452-36-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-37-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-38-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-40-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-13-0x0000000007900000-0x000000000790C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1452-41-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-42-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-43-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-44-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-45-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-46-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-14-0x00000000089D0000-0x0000000008B48000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1452-48-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-49-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-50-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-51-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-52-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-53-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-54-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-55-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-56-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-57-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-11-0x0000000005520000-0x00000000055E2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/1452-10-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-9-0x0000000005310000-0x000000000534A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1452-7-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1452-8-0x00000000002E0000-0x0000000000AEA000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1452-90-0x0000000074A80000-0x0000000075231000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2104-76-0x0000000000910000-0x0000000000911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3308-79-0x00000000028F0000-0x00000000028F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3308-85-0x00000000028F0000-0x00000000028F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3308-78-0x0000000014380000-0x0000000014480000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3308-75-0x0000000014380000-0x0000000014480000-memory.dmp

      Filesize

      1024KB

      Download