General

  • Target

    WARZONE RAT 3.03 Cracked.rar

  • Size

    23.9MB

  • Sample

    230228-hs2q9aaa78

  • MD5

    9391aac09c459fc82b6a9cbd37471ee3

  • SHA1

    5e05eda013340b68420948e5281ddedfd36e4a26

  • SHA256

    1656d6d761b098d9d47da71bd5da77c3c9dac1b67705725fcce33d0bd67f6ae7

  • SHA512

    b8245708fddef00ab8de2a5ffbc42b72bfb9ed4afecd0b516664bb97205e9d79a716983dd38be0590b67460b30740ecfe2b9cfbd2c5868009819520da2d7b0f4

  • SSDEEP

    393216:UPLyQtrQFTLdNsv5FUkqFpQjgxxCng8fZYRpXC6tROYVwmQXTPuVI4MfCl1vBq7E:evWFnduUkOCcjsZYXSWXMTP2fwDT1no

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs

Targets

    • Target

      WARZONE RAT 3.03 Cracked/WARZONE RAT 3.03 Cracked.exe

    • Size

      23.3MB

    • MD5

      ea63f1e98314ce9d9bc3a1d67ea58322

    • SHA1

      ac01a21d9df82567f3c3b9b4b57141a40e2b7b39

    • SHA256

      d1e0afc0d61645c545b8d365078107970600aa156fe6889f8ebbf014d77d833c

    • SHA512

      f18af943e8be60e3a58a6968e41872703449554170645587ce9b06b582bb69e0918cb13dca9ff90a31d1b7d77f1c10dcd370266340c354fd6d495bf3f4588eb1

    • SSDEEP

      393216:JBUWmQbAIEXvJ1yL1xcavOF/DLhkK2D7CHVOw2exeHUQ64kL0iFqG0xqoXqDgYke:3UV0A121Suo/5kK2DeVOGwDGuqoik8Vt

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
