Analysis
- max time kernel: 135s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/03/2023, 23:12
Behavioral tasks
- behavioral1: WARZONE RAT 3.03/Datas/ServerManager.dll (resource: win10v2004-20230220-en)
- behavioral2: WARZONE RAT 3.03/Datas/SocksManager.exe (resource: win10v2004-20230220-en)
- behavioral3: WARZONE RAT 3.03/Datas/firefox.dll (resource: win10v2004-20230220-en)
- behavioral4: WARZONE RAT 3.03/Datas/rdpwrap32.dll (resource: win10v2004-20230221-en)
- behavioral5: WARZONE RAT 3.03/Datas/rdpwrap64.dll (resource: win10v2004-20230220-en)
- behavioral6: WARZONE RAT 3.03/Datas/rvncviewer.exe (resource: win10v2004-20230220-en)
- behavioral7: WARZONE RAT 3.03/Datas/upnp.exe (resource: win10v2004-20230220-en)
- behavioral8: WARZONE RAT 3.03/Datas/vncviewer.exe (resource: win10v2004-20230220-en)
- behavioral9: WARZONE RAT 3.03/License.dll (resource: win10v2004-20230220-en)
- behavioral10: WARZONE RAT 3.03/MaterialSkin.dll (resource: win10v2004-20230221-en)
- behavioral11: WARZONE RAT 3.03/PETools.dll (resource: win10v2004-20230220-en)
- behavioral12: WARZONE RAT 3.03/TyWarzone.dll (resource: win10v2004-20230220-en)
- behavioral13: WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe (resource: win10v2004-20230220-en)
- behavioral14: WARZONE RAT 3.03/WARZONE-RAT 3.03 Cracked.exe (resource: win10v2004-20230220-en)
- behavioral15: WARZONE RAT 3.03/cratclient.exe (resource: win10v2004-20230221-en)
- behavioral16: WARZONE RAT 3.03/cratclientd.dll (resource: win10v2004-20230220-en)
General
- Target: WARZONE RAT 3.03/Datas/upnp.exe
- Size: 70KB
- MD5: ca96229390a0e6a53e8f2125f2c01114
- SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
- SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
- SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
- SSDEEP: 1536:tjL6b1xoQ66K+jLMqPHULq87qdGN2B30GfDQ+1FIRXWHH0:t0BVbjQaNpd82xpLQ+126H0
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid: 3668, Process: netsh.exe
- resource: behavioral7/memory/4716-133-0x0000000000610000-0x000000000063D000-memory.dmp, yara_rule: upx
  resource: behavioral7/memory/4716-135-0x0000000000610000-0x000000000063D000-memory.dmp, yara_rule: upx
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4716 wrote to memory of 3668, pid: 4716, Process: upnp.exe, procid_target: 85
  description: PID 4716 wrote to memory of 3668, pid: 4716, Process: upnp.exe, procid_target: 85
  description: PID 4716 wrote to memory of 3668, pid: 4716, Process: upnp.exe, procid_target: 85
Processes
- C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\Datas\upnp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\Datas\upnp.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4716
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall
    PID: 3668