General

Target: WARZONE_RAT_3.03.zip
Size: 21.5MB
Sample: 230326-27byxsad85
MD5: 71087ea8e5e0c8c7f7449e212da6f8f1
SHA1: 14c9d49bf4ef5b582565e7778b9c7a2904d59288
SHA256: 7c4f34556d1064cbe1889b7d6567b6f8baccaa9d33c18b18f7a2dfb0458484d1
SHA512: f58e9abfda86ae1e3f29d86934a9b7e8dcf838849cf8f5fee76384dd974b7bbc82377214c7d17955e8bb8841ab68bc09481fe9a732aa8db65dadc6df3f9d9145
SSDEEP: 393216:kc2N//I0YrDNmGBI2frbPCOVcfxMOqJggcL3a7JFIPaEHRl:d2O0Yr0GBI2frbPhVYxruggGO8T
Behavioral tasks (sample, analysis resource)

- behavioral1: WARZONE RAT 3.03/Datas/ServerManager.dll (win10v2004-20230220-en)
- behavioral2: WARZONE RAT 3.03/Datas/SocksManager.exe (win10v2004-20230220-en)
- behavioral3: WARZONE RAT 3.03/Datas/firefox.dll (win10v2004-20230220-en)
- behavioral4: WARZONE RAT 3.03/Datas/rdpwrap32.dll (win10v2004-20230221-en)
- behavioral5: WARZONE RAT 3.03/Datas/rdpwrap64.dll (win10v2004-20230220-en)
- behavioral6: WARZONE RAT 3.03/Datas/rvncviewer.exe (win10v2004-20230220-en)
- behavioral7: WARZONE RAT 3.03/Datas/upnp.exe (win10v2004-20230220-en)
- behavioral8: WARZONE RAT 3.03/Datas/vncviewer.exe (win10v2004-20230220-en)
- behavioral9: WARZONE RAT 3.03/License.dll (win10v2004-20230220-en)
- behavioral10: WARZONE RAT 3.03/MaterialSkin.dll (win10v2004-20230221-en)
- behavioral11: WARZONE RAT 3.03/PETools.dll (win10v2004-20230220-en)
- behavioral12: WARZONE RAT 3.03/TyWarzone.dll (win10v2004-20230220-en)
- behavioral13: WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe (win10v2004-20230220-en)
- behavioral14: WARZONE RAT 3.03/WARZONE-RAT 3.03 Cracked.exe (win10v2004-20230220-en)
- behavioral15: WARZONE RAT 3.03/cratclient.exe (win10v2004-20230221-en)
- behavioral16: WARZONE RAT 3.03/cratclientd.dll (win10v2004-20230220-en)

Malware Config (extracted)

https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs
Targets
Target: WARZONE RAT 3.03/Datas/ServerManager.dll
Size: 96KB
MD5: ccc5bd0d95f504fce814e6758d4953d6
SHA1: 531755eb609b6740a5117e0e7a84547ae66061e0
SHA256: 2b658436167826d3a1e44919a1113c6f1717515bd7ef0064d7152d7c3e050fc1
SHA512: da7c581c84d9236d0c728bb947d212d76ba59af79ee3d8966a6fe42276543a0db40eecd1792a6f6c0db507f8b5e2267370ae46866d8b03dc4e2e9f1e1dfee954
SSDEEP: 1536:XLKZtKu0SvWj0DhgyQWnOS+jKcMfjR2CJ0psWQcd7kiW4L2er:XLOtKdSvNgyQWnOSKBVCOAiHL2er
Score: 1/10
Target: WARZONE RAT 3.03/Datas/SocksManager.exe
Size: 8KB
MD5: e659818d6efe1953e14c9ece3b24a14c
SHA1: 771ee6fa69d72d337e108305a609d4b96b9db5d4
SHA256: 28195831f7e09ddf9bbe28ec957c1f380d27cf9cc3ebf538beaada0e4e74886a
SHA512: 49acf7e0341707f1094da620660aac7af2b5ced92ff4a1f82fb274091666cb9d5c70bf5532020d08a0088f490a887fa734915243a36f2e69bcabacf0caf38333
SSDEEP: 96:OFkBFvEm0IBRNHUPs+EsZRkCMJe0+5JGS4fVfaFDF8IEt0mGu4RzNt:OonHUEhWPH0iGS4flaL8IEKmEz
Score: 1/10
Target: WARZONE RAT 3.03/Datas/firefox.dlls
Size: 2.3MB
MD5: a26861558315278d5960fe1bf58b1950
SHA1: 4b71194940c91fdd44909b8cf262000b10a3f7a8
SHA256: b52720863ec78e0f7bff98e6c809fdf50ab2d0ea361e95eb5341e870aafb0354
SHA512: 63a7376abe6907d9d25202c8611b2dc15386b287e23aa8755fe0b7ffc5b5cb40ef03716bab3968440f0eca2689fa195809bad48cd1ef3718bcdb9081538cfb83
SSDEEP: 49152:f7Pi205SP4PJ+LzW5ygDwnEZIYkjgWjblMSRpMqxsFYrt:f7P705mAF5zD6sILTjblMS3Ft
Score: 1/10
Target: WARZONE RAT 3.03/Datas/rdpwrap32.dll
Size: 107KB
MD5: f5c6a32ee3bd88ae44c0c0dfae950cf0
SHA1: ccf368347092d2fdbbe53448378133a1adb7e762
SHA256: b9828995474f7e6a6b5c160e5160c5ff49495654a5b89654b6a0f9b8664f82fc
SHA512: c9ceb02a6f9235c9d26856987c18a66cc0abf6c3a1d580fef078cd98cade3fc54d5b76de9cb0ab4e3c048722dd258c2718b617b6efa35ae2fe7dfb4ecfa71c8e
SSDEEP: 1536:rU2oADiIgmzJEHxstEua3iDFurHEYpQa5CaU/cIxpi4rHdvSFDEX7p9:rU2oADmsTayDERzCaKcaQadvEA9
Score: 1/10
Target: WARZONE RAT 3.03/Datas/rdpwrap64.dll
Size: 150KB
MD5: c4063372afe486d5e9a11c5b68e0524f
SHA1: 9f9da8d10f3a2f6f17dffdf45b5b90e094ad30f6
SHA256: fc1f3fc182cef9bcef5192e4fa4569697e27852cbffb7a55ea6118c603ddc420
SHA512: 6286914126dd16600797f5741bfa6a56e0ade32913385beed822bf6186f74c53fa607597a30a31868d0e5493524bd4cdea41c54e3fa2fa2cbb9d23366b5661e3
SSDEEP: 3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVsXDPtD05aw:oMjTiVw2ve9LBMMpJsT+lCa
Score: 1/10
Target: WARZONE RAT 3.03/Datas/rvncviewer.exe
Size: 1.4MB
MD5: 27561e722c736ab5a77110790402999b
SHA1: 94899eba768a3b53dd45891ac482c354d7c1f48b
SHA256: 5e49a7fec8c9f81b191e5fa69bdb1a627814631813fedfc4136c71e55cd57c0f
SHA512: fe92715c24df8d5d3027a6a9c782a87f2d5e13d5b3c18f3dc4d4f076e8d707268fdadb036ffa746a3e735596a5ab805961383c1515f36023d13493c166ef422d
SSDEEP: 24576:fgOkIyp31kIO30I8nF/RN2VdIOMIC4ITr4hhxselM5lcgaK:fuIyp3XO30ZnF/RgVCOMiITUhhxRM5l7
Score: 1/10
Target: WARZONE RAT 3.03/Datas/upnp.exe
Size: 70KB
MD5: ca96229390a0e6a53e8f2125f2c01114
SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
SSDEEP: 1536:tjL6b1xoQ66K+jLMqPHULq87qdGN2B30GfDQ+1FIRXWHH0:t0BVbjQaNpd82xpLQ+126H0
Behaviors observed:
- Modifies Windows Firewall
Target: WARZONE RAT 3.03/Datas/vncviewer.exe
Size: 17.1MB
MD5: 17ae77c95c824bd71e9e3da66068b1df
SHA1: 1ab8b85559c81dce515d9e1e9d80ba0609cdb17a
SHA256: 54b1e999d48059651e15685a860f655c37b70e241433335d01048ce65d237856
SHA512: 5e3158f7f329e0c7802791542585fd662076f4355cc24fc7be1dc2878a6d5eaa4b40729997c8bdd2b848fdf7e145c1fbf752d5933bba9e01ec0cf571fc5c7a7d
SSDEEP: 196608:lDlkblYbL1z/p+mjLXLBzepAjEVhuD+T/MY09Eoq9H5uoxU:lD+kimBzIuuUY0SomG
Score: 1/10
Target: WARZONE RAT 3.03/License.dll
Size: 959KB
MD5: cb63d02b2189eeef93f7abdd88450095
SHA1: f8230932af46537195f9f266e7fd657622fe297d
SHA256: 8e680c2074e5e701174f801125cb438c55a4a65649b4c7307e10de61879cbe65
SHA512: c40efb00279f9e2bf4fe81a6dd14785e4d66a50b9955cb80ddb545b5142a293013ff6ea9cbf817e48f6a2e393baf169106f5663e1defddc524c8574374477780
SSDEEP: 24576:x8ePkxtGwCxgwKE+OqBIqg04hennliOETs:PwE+UIQUIj
Score: 1/10
Target: WARZONE RAT 3.03/MaterialSkin.dll
Size: 571KB
MD5: ed99fa9fdde37b7bacce5fb11b61dfdd
SHA1: b7f562ba4fb1c40e1ff979f2ba0843619c38a9df
SHA256: 50d82fc44a5ee228ffacc36f5babc51985ed229b0e0c88dfa806e08a56ec989a
SHA512: 42a6c5775cec20b26cc5c19140b5495bd3527f09b6f6138179fcfc4361a83a83c0fe7fc7c7ab418a9e1f02eceae1c781a6568f3638de1e60c737fcfb88288872
SSDEEP: 12288:mbd0kxswcXKC2zNWfm2YRm5sm2YRm5hkxswcXKC2zNW:mbd0ZX9uWfm2Yysm2YyhZX9uW
Score: 1/10
Target: WARZONE RAT 3.03/PETools.dll
Size: 19KB
MD5: db7101a0e92cd476b587afb9c55586d0
SHA1: 2439c91a6f6ce5a684e56d825155e5101c35070b
SHA256: b39bbd6d8ee84743834741aae0a39159f62db829678e5bb0d915b09edc27b41e
SHA512: c194b789346f2dc9f10d4bba787a0edb585de0a5fa4ee3c507b7df9bf2086027cff82c810c0100a09253776b0986bcf7d9eac1c488a2322fef726282f157c3ad
SSDEEP: 384:u6/gKCNh7RZ/XyBJvoQXxiJiIWaYvJN71wfPXY7:7/SNh7RZPy4QXpoYRNJwY7
Score: 1/10
Target: WARZONE RAT 3.03/TyWarzone.dll
Size: 132KB
MD5: 8972fbd74954fb223bd1f8000afefbed
SHA1: 56912e4371bfeb65b2d53a845e65a0252fdf0f20
SHA256: 20b6d6c9e4c611beb2394539b90ce3b904b28d296b08da9d07d19a0ffc2971a1
SHA512: 12c0a61e031cae5f1557d0685deae0e87f997dcefd556c94d04bb34c6f5c90cf7c4188e04ee298e850b5f11c960fc8e3635cd8976a0a820446bc88349216b367
SSDEEP: 3072:Z3wSeEN8bsEe0wwT+KKpiTxWOCz4PLT85:ZAEN8bFwIcIfCzILT8
Score: 1/10
Target: WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe
Size: 615KB
MD5: 9437e1958c0ac30e29f23673a8363dca
SHA1: d5dde71d0da6910018a78b023779eb0a960b01e5
SHA256: 33f697aeab386599e11efc14a336d131dceb4efe397614b06ad1c592f89d3212
SHA512: 0197288326d68d96d91e5f58514dcf0ab6e76dd69b889424d62ca540670c7fd945240f457a244cc49f48ac8b86b335be80812f94cd7b6008aa7f01813cfd36ec
SSDEEP: 1536:1gg2zBS5D6aZuAQomeq6Y2mlJ5Tv8gzWNX5D6vZDAQomeK6Y2m9J5Tv8gzW:1gpBMrZuAQrZKgyNRGZDAQXRygC
Score: 1/10
Target: WARZONE RAT 3.03/WARZONE-RAT 3.03 Cracked.exe
Size: 14.1MB
MD5: 6d150d36b56cdc5bbd815f89735c7f87
SHA1: ad0dd5834bdaf8552e0c2a16fca8894786f7f299
SHA256: 8a165d8c914a2c64273ddb5ea961e8d7f4e42f3a803af96886ebfd0ff576be1d
SHA512: 3ad90ab0dc0af13d6aff72699e4398aeb404340b212ae9e82627603c028e4b6c24f0aec82eaa867cfc2c2129441352fce79b3978d5a6fcac20622f3e20e283f2
SSDEEP: 196608:M7ua82jskVEUbKBsY6+jLD07YMT7DKSilI/xaU71ItNSyF6apyMWv1aQWipiZh7b:MKxPUtMD07YeKAZaUQh6apGttQb2m
Behaviors observed:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: WARZONE RAT 3.03/cratclient.bin
Size: 131KB
MD5: aedb2e69d91d2c8aff792e5c0b2396a0
SHA1: 28425bd65bef2ba27b7ac372ba9bab189a27a4e7
SHA256: e76b0d04117daa58544d87b69427aaa6a78d90461470a2a55c80616842180451
SHA512: c5216fccb6b42904f220c098da91c47ab57f6f0d4cd785b09edeeb343aa226a07f139b0c446c636bd035e1584a0b38b6b3ec7030b3cc005e7b34832cbf45630f
SSDEEP: 3072:U7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:UwpsERzGKurEXCzeLT7a
Score: 3/10
Target: WARZONE RAT 3.03/cratclientd.bin
Size: 132KB
MD5: f6dbe80a1b68a734c92375fbbcf4be88
SHA1: cd6a7b57812c891f75e3a40c8f925ef5be48bade
SHA256: d364fe03510f34c22e8b5d25784ba80decae568bd939db66e4cd8b90538d60be
SHA512: 59abbb522f6a4f442601190f901846ff7b57e041a25773ea0b7ec03011c2d207bb8e609443dd1a74ad0a13a4e5bef043c584b0da882a5d6619d05871015230e8
SSDEEP: 3072:Z3wSeEN8bsEe0wwT+KKpiTxW7Cz4PLT85:ZAEN8bFwIcIqCzILT8
Score: 3/10