General
Target: WARZONE RAT 3.03 Cracked.rar
Size: 23.9MB
Sample: 230228-hs2q9aaa78
MD5: 9391aac09c459fc82b6a9cbd37471ee3
SHA1: 5e05eda013340b68420948e5281ddedfd36e4a26
SHA256: 1656d6d761b098d9d47da71bd5da77c3c9dac1b67705725fcce33d0bd67f6ae7
SHA512: b8245708fddef00ab8de2a5ffbc42b72bfb9ed4afecd0b516664bb97205e9d79a716983dd38be0590b67460b30740ecfe2b9cfbd2c5868009819520da2d7b0f4
SSDEEP: 393216:UPLyQtrQFTLdNsv5FUkqFpQjgxxCng8fZYRpXC6tROYVwmQXTPuVI4MfCl1vBq7E:evWFnduUkOCcjsZYXSWXMTP2fwDT1no
Static task: static1

Behavioral task: behavioral1
  Sample: WARZONE RAT 3.03 Cracked/WARZONE RAT 3.03 Cracked.exe
  Resource: win10-20230220-en

Behavioral task: behavioral2
  Sample: WARZONE RAT 3.03 Cracked/WARZONE RAT 3.03 Cracked.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs
Targets
Target: WARZONE RAT 3.03 Cracked/WARZONE RAT 3.03 Cracked.exe
Size: 23.3MB
MD5: ea63f1e98314ce9d9bc3a1d67ea58322
SHA1: ac01a21d9df82567f3c3b9b4b57141a40e2b7b39
SHA256: d1e0afc0d61645c545b8d365078107970600aa156fe6889f8ebbf014d77d833c
SHA512: f18af943e8be60e3a58a6968e41872703449554170645587ce9b06b582bb69e0918cb13dca9ff90a31d1b7d77f1c10dcd370266340c354fd6d495bf3f4588eb1
SSDEEP: 393216:JBUWmQbAIEXvJ1yL1xcavOF/DLhkK2D7CHVOw2exeHUQ64kL0iFqG0xqoXqDgYke:3UV0A121Suo/5kK2DeVOGwDGuqoik8Vt
Score: 10/10

Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Warzone RAT payload
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext