warzonerat | 7c4f34556d1064cbe1889b7d6567b6f8baccaa9d33c18b18f7a2dfb0458484d1

Sharing

Copy URL

Twitter E-mail

General

Target

WARZONE_RAT_3.03.zip
Size

21.5MB
Sample

230326-27byxsad85
MD5

71087ea8e5e0c8c7f7449e212da6f8f1
SHA1

14c9d49bf4ef5b582565e7778b9c7a2904d59288
SHA256

7c4f34556d1064cbe1889b7d6567b6f8baccaa9d33c18b18f7a2dfb0458484d1
SHA512

f58e9abfda86ae1e3f29d86934a9b7e8dcf838849cf8f5fee76384dd974b7bbc82377214c7d17955e8bb8841ab68bc09481fe9a732aa8db65dadc6df3f9d9145
SSDEEP

393216:kc2N//I0YrDNmGBI2frbPCOVcfxMOqJggcL3a7JFIPaEHRl:d2O0Yr0GBI2frbPhVYxruggGO8T

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs

Targets

- Target
  
  WARZONE RAT 3.03/Datas/ServerManager.dll
- Size
  
  96KB
- MD5
  
  ccc5bd0d95f504fce814e6758d4953d6
- SHA1
  
  531755eb609b6740a5117e0e7a84547ae66061e0
- SHA256
  
  2b658436167826d3a1e44919a1113c6f1717515bd7ef0064d7152d7c3e050fc1
- SHA512
  
  da7c581c84d9236d0c728bb947d212d76ba59af79ee3d8966a6fe42276543a0db40eecd1792a6f6c0db507f8b5e2267370ae46866d8b03dc4e2e9f1e1dfee954
- SSDEEP
  
  1536:XLKZtKu0SvWj0DhgyQWnOS+jKcMfjR2CJ0psWQcd7kiW4L2er:XLOtKdSvNgyQWnOSKBVCOAiHL2er
Score

1^/10
behavioral1
- Target
  
  WARZONE RAT 3.03/Datas/SocksManager.exe
- Size
  
  8KB
- MD5
  
  e659818d6efe1953e14c9ece3b24a14c
- SHA1
  
  771ee6fa69d72d337e108305a609d4b96b9db5d4
- SHA256
  
  28195831f7e09ddf9bbe28ec957c1f380d27cf9cc3ebf538beaada0e4e74886a
- SHA512
  
  49acf7e0341707f1094da620660aac7af2b5ced92ff4a1f82fb274091666cb9d5c70bf5532020d08a0088f490a887fa734915243a36f2e69bcabacf0caf38333
- SSDEEP
  
  96:OFkBFvEm0IBRNHUPs+EsZRkCMJe0+5JGS4fVfaFDF8IEt0mGu4RzNt:OonHUEhWPH0iGS4flaL8IEKmEz
Score

1^/10
behavioral2
- Target
  
  WARZONE RAT 3.03/Datas/firefox.dlls
- Size
  
  2.3MB
- MD5
  
  a26861558315278d5960fe1bf58b1950
- SHA1
  
  4b71194940c91fdd44909b8cf262000b10a3f7a8
- SHA256
  
  b52720863ec78e0f7bff98e6c809fdf50ab2d0ea361e95eb5341e870aafb0354
- SHA512
  
  63a7376abe6907d9d25202c8611b2dc15386b287e23aa8755fe0b7ffc5b5cb40ef03716bab3968440f0eca2689fa195809bad48cd1ef3718bcdb9081538cfb83
- SSDEEP
  
  49152:f7Pi205SP4PJ+LzW5ygDwnEZIYkjgWjblMSRpMqxsFYrt:f7P705mAF5zD6sILTjblMS3Ft
Score

1^/10
behavioral3
- Target
  
  WARZONE RAT 3.03/Datas/rdpwrap32.dll
- Size
  
  107KB
- MD5
  
  f5c6a32ee3bd88ae44c0c0dfae950cf0
- SHA1
  
  ccf368347092d2fdbbe53448378133a1adb7e762
- SHA256
  
  b9828995474f7e6a6b5c160e5160c5ff49495654a5b89654b6a0f9b8664f82fc
- SHA512
  
  c9ceb02a6f9235c9d26856987c18a66cc0abf6c3a1d580fef078cd98cade3fc54d5b76de9cb0ab4e3c048722dd258c2718b617b6efa35ae2fe7dfb4ecfa71c8e
- SSDEEP
  
  1536:rU2oADiIgmzJEHxstEua3iDFurHEYpQa5CaU/cIxpi4rHdvSFDEX7p9:rU2oADmsTayDERzCaKcaQadvEA9
Score

1^/10
behavioral4
- Target
  
  WARZONE RAT 3.03/Datas/rdpwrap64.dll
- Size
  
  150KB
- MD5
  
  c4063372afe486d5e9a11c5b68e0524f
- SHA1
  
  9f9da8d10f3a2f6f17dffdf45b5b90e094ad30f6
- SHA256
  
  fc1f3fc182cef9bcef5192e4fa4569697e27852cbffb7a55ea6118c603ddc420
- SHA512
  
  6286914126dd16600797f5741bfa6a56e0ade32913385beed822bf6186f74c53fa607597a30a31868d0e5493524bd4cdea41c54e3fa2fa2cbb9d23366b5661e3
- SSDEEP
  
  3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVsXDPtD05aw:oMjTiVw2ve9LBMMpJsT+lCa
Score

1^/10
behavioral5
- Target
  
  WARZONE RAT 3.03/Datas/rvncviewer.exe
- Size
  
  1.4MB
- MD5
  
  27561e722c736ab5a77110790402999b
- SHA1
  
  94899eba768a3b53dd45891ac482c354d7c1f48b
- SHA256
  
  5e49a7fec8c9f81b191e5fa69bdb1a627814631813fedfc4136c71e55cd57c0f
- SHA512
  
  fe92715c24df8d5d3027a6a9c782a87f2d5e13d5b3c18f3dc4d4f076e8d707268fdadb036ffa746a3e735596a5ab805961383c1515f36023d13493c166ef422d
- SSDEEP
  
  24576:fgOkIyp31kIO30I8nF/RN2VdIOMIC4ITr4hhxselM5lcgaK:fuIyp3XO30ZnF/RgVCOMiITUhhxRM5l7
Score

1^/10
behavioral6
- Target
  
  WARZONE RAT 3.03/Datas/upnp.exe
- Size
  
  70KB
- MD5
  
  ca96229390a0e6a53e8f2125f2c01114
- SHA1
  
  a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
- SHA256
  
  0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
- SHA512
  
  e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
- SSDEEP
  
  1536:tjL6b1xoQ66K+jLMqPHULq87qdGN2B30GfDQ+1FIRXWHH0:t0BVbjQaNpd82xpLQ+126H0
Score

8^/10

evasion upx
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7
- Target
  
  WARZONE RAT 3.03/Datas/vncviewer.exe
- Size
  
  17.1MB
- MD5
  
  17ae77c95c824bd71e9e3da66068b1df
- SHA1
  
  1ab8b85559c81dce515d9e1e9d80ba0609cdb17a
- SHA256
  
  54b1e999d48059651e15685a860f655c37b70e241433335d01048ce65d237856
- SHA512
  
  5e3158f7f329e0c7802791542585fd662076f4355cc24fc7be1dc2878a6d5eaa4b40729997c8bdd2b848fdf7e145c1fbf752d5933bba9e01ec0cf571fc5c7a7d
- SSDEEP
  
  196608:lDlkblYbL1z/p+mjLXLBzepAjEVhuD+T/MY09Eoq9H5uoxU:lD+kimBzIuuUY0SomG
Score

1^/10
behavioral8
- Target
  
  WARZONE RAT 3.03/License.dll
- Size
  
  959KB
- MD5
  
  cb63d02b2189eeef93f7abdd88450095
- SHA1
  
  f8230932af46537195f9f266e7fd657622fe297d
- SHA256
  
  8e680c2074e5e701174f801125cb438c55a4a65649b4c7307e10de61879cbe65
- SHA512
  
  c40efb00279f9e2bf4fe81a6dd14785e4d66a50b9955cb80ddb545b5142a293013ff6ea9cbf817e48f6a2e393baf169106f5663e1defddc524c8574374477780
- SSDEEP
  
  24576:x8ePkxtGwCxgwKE+OqBIqg04hennliOETs:PwE+UIQUIj
Score

1^/10
behavioral9
- Target
  
  WARZONE RAT 3.03/MaterialSkin.dll
- Size
  
  571KB
- MD5
  
  ed99fa9fdde37b7bacce5fb11b61dfdd
- SHA1
  
  b7f562ba4fb1c40e1ff979f2ba0843619c38a9df
- SHA256
  
  50d82fc44a5ee228ffacc36f5babc51985ed229b0e0c88dfa806e08a56ec989a
- SHA512
  
  42a6c5775cec20b26cc5c19140b5495bd3527f09b6f6138179fcfc4361a83a83c0fe7fc7c7ab418a9e1f02eceae1c781a6568f3638de1e60c737fcfb88288872
- SSDEEP
  
  12288:mbd0kxswcXKC2zNWfm2YRm5sm2YRm5hkxswcXKC2zNW:mbd0ZX9uWfm2Yysm2YyhZX9uW
Score

1^/10
behavioral10
- Target
  
  WARZONE RAT 3.03/PETools.dll
- Size
  
  19KB
- MD5
  
  db7101a0e92cd476b587afb9c55586d0
- SHA1
  
  2439c91a6f6ce5a684e56d825155e5101c35070b
- SHA256
  
  b39bbd6d8ee84743834741aae0a39159f62db829678e5bb0d915b09edc27b41e
- SHA512
  
  c194b789346f2dc9f10d4bba787a0edb585de0a5fa4ee3c507b7df9bf2086027cff82c810c0100a09253776b0986bcf7d9eac1c488a2322fef726282f157c3ad
- SSDEEP
  
  384:u6/gKCNh7RZ/XyBJvoQXxiJiIWaYvJN71wfPXY7:7/SNh7RZPy4QXpoYRNJwY7
Score

1^/10
behavioral11
- Target
  
  WARZONE RAT 3.03/TyWarzone.dll
- Size
  
  132KB
- MD5
  
  8972fbd74954fb223bd1f8000afefbed
- SHA1
  
  56912e4371bfeb65b2d53a845e65a0252fdf0f20
- SHA256
  
  20b6d6c9e4c611beb2394539b90ce3b904b28d296b08da9d07d19a0ffc2971a1
- SHA512
  
  12c0a61e031cae5f1557d0685deae0e87f997dcefd556c94d04bb34c6f5c90cf7c4188e04ee298e850b5f11c960fc8e3635cd8976a0a820446bc88349216b367
- SSDEEP
  
  3072:Z3wSeEN8bsEe0wwT+KKpiTxWOCz4PLT85:ZAEN8bFwIcIfCzILT8
Score

1^/10
behavioral12
- Target
  
  WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe
- Size
  
  615KB
- MD5
  
  9437e1958c0ac30e29f23673a8363dca
- SHA1
  
  d5dde71d0da6910018a78b023779eb0a960b01e5
- SHA256
  
  33f697aeab386599e11efc14a336d131dceb4efe397614b06ad1c592f89d3212
- SHA512
  
  0197288326d68d96d91e5f58514dcf0ab6e76dd69b889424d62ca540670c7fd945240f457a244cc49f48ac8b86b335be80812f94cd7b6008aa7f01813cfd36ec
- SSDEEP
  
  1536:1gg2zBS5D6aZuAQomeq6Y2mlJ5Tv8gzWNX5D6vZDAQomeK6Y2m9J5Tv8gzW:1gpBMrZuAQrZKgyNRGZDAQXRygC
Score

1^/10
behavioral13
- Target
  
  WARZONE RAT 3.03/WARZONE-RAT 3.03 Cracked.exe
- Size
  
  14.1MB
- MD5
  
  6d150d36b56cdc5bbd815f89735c7f87
- SHA1
  
  ad0dd5834bdaf8552e0c2a16fca8894786f7f299
- SHA256
  
  8a165d8c914a2c64273ddb5ea961e8d7f4e42f3a803af96886ebfd0ff576be1d
- SHA512
  
  3ad90ab0dc0af13d6aff72699e4398aeb404340b212ae9e82627603c028e4b6c24f0aec82eaa867cfc2c2129441352fce79b3978d5a6fcac20622f3e20e283f2
- SSDEEP
  
  196608:M7ua82jskVEUbKBsY6+jLD07YMT7DKSilI/xaU71ItNSyF6apyMWv1aQWipiZh7b:MKxPUtMD07YeKAZaUQh6apGttQb2m
Score

10^/10

evasion themida trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  WARZONE RAT 3.03/cratclient.bin
- Size
  
  131KB
- MD5
  
  aedb2e69d91d2c8aff792e5c0b2396a0
- SHA1
  
  28425bd65bef2ba27b7ac372ba9bab189a27a4e7
- SHA256
  
  e76b0d04117daa58544d87b69427aaa6a78d90461470a2a55c80616842180451
- SHA512
  
  c5216fccb6b42904f220c098da91c47ab57f6f0d4cd785b09edeeb343aa226a07f139b0c446c636bd035e1584a0b38b6b3ec7030b3cc005e7b34832cbf45630f
- SSDEEP
  
  3072:U7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:UwpsERzGKurEXCzeLT7a
Score

3^/10
behavioral15
- Target
  
  WARZONE RAT 3.03/cratclientd.bin
- Size
  
  132KB
- MD5
  
  f6dbe80a1b68a734c92375fbbcf4be88
- SHA1
  
  cd6a7b57812c891f75e3a40c8f925ef5be48bade
- SHA256
  
  d364fe03510f34c22e8b5d25784ba80decae568bd939db66e4cd8b90538d60be
- SHA512
  
  59abbb522f6a4f442601190f901846ff7b57e041a25773ea0b7ec03011c2d207bb8e609443dd1a74ad0a13a4e5bef043c584b0da882a5d6619d05871015230e8
- SSDEEP
  
  3072:Z3wSeEN8bsEe0wwT+KKpiTxW7Cz4PLT85:ZAEN8bFwIcIqCzILT8
Score

3^/10
behavioral16

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies Windows Firewall

UPX packed file

Suspicious use of NtCreateUserProcessOtherParentProcess

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16