General

  • Target: WARZONE_dddRAT_3.03.zip
  • Size: 21.5MB
  • Sample: 230327-qnq3ysdf38
  • MD5: 71087ea8e5e0c8c7f7449e212da6f8f1
  • SHA1: 14c9d49bf4ef5b582565e7778b9c7a2904d59288
  • SHA256: 7c4f34556d1064cbe1889b7d6567b6f8baccaa9d33c18b18f7a2dfb0458484d1
  • SHA512: f58e9abfda86ae1e3f29d86934a9b7e8dcf838849cf8f5fee76384dd974b7bbc82377214c7d17955e8bb8841ab68bc09481fe9a732aa8db65dadc6df3f9d9145
  • SSDEEP: 393216:kc2N//I0YrDNmGBI2frbPCOVcfxMOqJggcL3a7JFIPaEHRl:d2O0Yr0GBI2frbPhVYxruggGO8T

Malware Config

Extracted

  • Language: ps1
  • Source
  • URLs
    exe.dropper: https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs

Targets

    • Target: WARZONE RAT 3.03/Datas/ServerManager.dll
    • Size: 96KB
    • MD5: ccc5bd0d95f504fce814e6758d4953d6
    • SHA1: 531755eb609b6740a5117e0e7a84547ae66061e0
    • SHA256: 2b658436167826d3a1e44919a1113c6f1717515bd7ef0064d7152d7c3e050fc1
    • SHA512: da7c581c84d9236d0c728bb947d212d76ba59af79ee3d8966a6fe42276543a0db40eecd1792a6f6c0db507f8b5e2267370ae46866d8b03dc4e2e9f1e1dfee954
    • SSDEEP: 1536:XLKZtKu0SvWj0DhgyQWnOS+jKcMfjR2CJ0psWQcd7kiW4L2er:XLOtKdSvNgyQWnOSKBVCOAiHL2er
    Score: 3/10

    • Target: WARZONE RAT 3.03/Datas/SocksManager.exe
    • Size: 8KB
    • MD5: e659818d6efe1953e14c9ece3b24a14c
    • SHA1: 771ee6fa69d72d337e108305a609d4b96b9db5d4
    • SHA256: 28195831f7e09ddf9bbe28ec957c1f380d27cf9cc3ebf538beaada0e4e74886a
    • SHA512: 49acf7e0341707f1094da620660aac7af2b5ced92ff4a1f82fb274091666cb9d5c70bf5532020d08a0088f490a887fa734915243a36f2e69bcabacf0caf38333
    • SSDEEP: 96:OFkBFvEm0IBRNHUPs+EsZRkCMJe0+5JGS4fVfaFDF8IEt0mGu4RzNt:OonHUEhWPH0iGS4flaL8IEKmEz
    Score: 1/10

    • Target: WARZONE RAT 3.03/Datas/firefox.dlls
    • Size: 2.3MB
    • MD5: a26861558315278d5960fe1bf58b1950
    • SHA1: 4b71194940c91fdd44909b8cf262000b10a3f7a8
    • SHA256: b52720863ec78e0f7bff98e6c809fdf50ab2d0ea361e95eb5341e870aafb0354
    • SHA512: 63a7376abe6907d9d25202c8611b2dc15386b287e23aa8755fe0b7ffc5b5cb40ef03716bab3968440f0eca2689fa195809bad48cd1ef3718bcdb9081538cfb83
    • SSDEEP: 49152:f7Pi205SP4PJ+LzW5ygDwnEZIYkjgWjblMSRpMqxsFYrt:f7P705mAF5zD6sILTjblMS3Ft
    Score: 1/10

    • Target: WARZONE RAT 3.03/Datas/options.vnc
    • Size: 48B
    • MD5: 6243b2004273137cb880196f4472268b
    • SHA1: 71b9250ca202c0107460ad40ab8109502428efff
    • SHA256: 11c79026b86d78df113dd84848065175bc39efadd48df4c9768ca685e8faffc4
    • SHA512: 77a2becb3c0679e25cbfdbde8301f90ff1a9c5a75f1e4c7726bdd22c8de459835ff9f910a04dacf02c7ecd6db70886a5ddc1c00d100f3a985c0ff3e84acd2ba3
    Score: 3/10

    • Target: WARZONE RAT 3.03/Datas/rdpwrap32.dll
    • Size: 107KB
    • MD5: f5c6a32ee3bd88ae44c0c0dfae950cf0
    • SHA1: ccf368347092d2fdbbe53448378133a1adb7e762
    • SHA256: b9828995474f7e6a6b5c160e5160c5ff49495654a5b89654b6a0f9b8664f82fc
    • SHA512: c9ceb02a6f9235c9d26856987c18a66cc0abf6c3a1d580fef078cd98cade3fc54d5b76de9cb0ab4e3c048722dd258c2718b617b6efa35ae2fe7dfb4ecfa71c8e
    • SSDEEP: 1536:rU2oADiIgmzJEHxstEua3iDFurHEYpQa5CaU/cIxpi4rHdvSFDEX7p9:rU2oADmsTayDERzCaKcaQadvEA9
    Score: 1/10

    • Target: WARZONE RAT 3.03/Datas/rdpwrap64.dll
    • Size: 150KB
    • MD5: c4063372afe486d5e9a11c5b68e0524f
    • SHA1: 9f9da8d10f3a2f6f17dffdf45b5b90e094ad30f6
    • SHA256: fc1f3fc182cef9bcef5192e4fa4569697e27852cbffb7a55ea6118c603ddc420
    • SHA512: 6286914126dd16600797f5741bfa6a56e0ade32913385beed822bf6186f74c53fa607597a30a31868d0e5493524bd4cdea41c54e3fa2fa2cbb9d23366b5661e3
    • SSDEEP: 3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVsXDPtD05aw:oMjTiVw2ve9LBMMpJsT+lCa
    Score: 1/10

    • Target: WARZONE RAT 3.03/Datas/rvncviewer.exe
    • Size: 1.4MB
    • MD5: 27561e722c736ab5a77110790402999b
    • SHA1: 94899eba768a3b53dd45891ac482c354d7c1f48b
    • SHA256: 5e49a7fec8c9f81b191e5fa69bdb1a627814631813fedfc4136c71e55cd57c0f
    • SHA512: fe92715c24df8d5d3027a6a9c782a87f2d5e13d5b3c18f3dc4d4f076e8d707268fdadb036ffa746a3e735596a5ab805961383c1515f36023d13493c166ef422d
    • SSDEEP: 24576:fgOkIyp31kIO30I8nF/RN2VdIOMIC4ITr4hhxselM5lcgaK:fuIyp3XO30ZnF/RgVCOMiITUhhxRM5l7
    Score: 1/10

    • Target: WARZONE RAT 3.03/Datas/upnp.exe
    • Size: 70KB
    • MD5: ca96229390a0e6a53e8f2125f2c01114
    • SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
    • SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
    • SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
    • SSDEEP: 1536:tjL6b1xoQ66K+jLMqPHULq87qdGN2B30GfDQ+1FIRXWHH0:t0BVbjQaNpd82xpLQ+126H0
    Score: 8/10
    • Modifies Windows Firewall
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.

    • Target: WARZONE RAT 3.03/Datas/vncviewer.exe
    • Size: 17.1MB
    • MD5: 17ae77c95c824bd71e9e3da66068b1df
    • SHA1: 1ab8b85559c81dce515d9e1e9d80ba0609cdb17a
    • SHA256: 54b1e999d48059651e15685a860f655c37b70e241433335d01048ce65d237856
    • SHA512: 5e3158f7f329e0c7802791542585fd662076f4355cc24fc7be1dc2878a6d5eaa4b40729997c8bdd2b848fdf7e145c1fbf752d5933bba9e01ec0cf571fc5c7a7d
    • SSDEEP: 196608:lDlkblYbL1z/p+mjLXLBzepAjEVhuD+T/MY09Eoq9H5uoxU:lD+kimBzIuuUY0SomG
    Score: 1/10

    • Target: WARZONE RAT 3.03/License.dll
    • Size: 959KB
    • MD5: cb63d02b2189eeef93f7abdd88450095
    • SHA1: f8230932af46537195f9f266e7fd657622fe297d
    • SHA256: 8e680c2074e5e701174f801125cb438c55a4a65649b4c7307e10de61879cbe65
    • SHA512: c40efb00279f9e2bf4fe81a6dd14785e4d66a50b9955cb80ddb545b5142a293013ff6ea9cbf817e48f6a2e393baf169106f5663e1defddc524c8574374477780
    • SSDEEP: 24576:x8ePkxtGwCxgwKE+OqBIqg04hennliOETs:PwE+UIQUIj
    Score: 1/10

    • Target: WARZONE RAT 3.03/PETools.dll
    • Size: 19KB
    • MD5: db7101a0e92cd476b587afb9c55586d0
    • SHA1: 2439c91a6f6ce5a684e56d825155e5101c35070b
    • SHA256: b39bbd6d8ee84743834741aae0a39159f62db829678e5bb0d915b09edc27b41e
    • SHA512: c194b789346f2dc9f10d4bba787a0edb585de0a5fa4ee3c507b7df9bf2086027cff82c810c0100a09253776b0986bcf7d9eac1c488a2322fef726282f157c3ad
    • SSDEEP: 384:u6/gKCNh7RZ/XyBJvoQXxiJiIWaYvJN71wfPXY7:7/SNh7RZPy4QXpoYRNJwY7
    Score: 1/10

    • Target: WARZONE RAT 3.03/TyWarzone.dll
    • Size: 132KB
    • MD5: 8972fbd74954fb223bd1f8000afefbed
    • SHA1: 56912e4371bfeb65b2d53a845e65a0252fdf0f20
    • SHA256: 20b6d6c9e4c611beb2394539b90ce3b904b28d296b08da9d07d19a0ffc2971a1
    • SHA512: 12c0a61e031cae5f1557d0685deae0e87f997dcefd556c94d04bb34c6f5c90cf7c4188e04ee298e850b5f11c960fc8e3635cd8976a0a820446bc88349216b367
    • SSDEEP: 3072:Z3wSeEN8bsEe0wwT+KKpiTxWOCz4PLT85:ZAEN8bFwIcIfCzILT8
    Score: 1/10

    • Target: WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe
    • Size: 615KB
    • MD5: 9437e1958c0ac30e29f23673a8363dca
    • SHA1: d5dde71d0da6910018a78b023779eb0a960b01e5
    • SHA256: 33f697aeab386599e11efc14a336d131dceb4efe397614b06ad1c592f89d3212
    • SHA512: 0197288326d68d96d91e5f58514dcf0ab6e76dd69b889424d62ca540670c7fd945240f457a244cc49f48ac8b86b335be80812f94cd7b6008aa7f01813cfd36ec
    • SSDEEP: 1536:1gg2zBS5D6aZuAQomeq6Y2mlJ5Tv8gzWNX5D6vZDAQomeK6Y2m9J5Tv8gzW:1gpBMrZuAQrZKgyNRGZDAQXRygC
    Score: 1/10

    • Target: WARZONE RAT 3.03/WARZONE-RAT 3.03 Cracked.exe
    • Size: 14.1MB
    • MD5: 6d150d36b56cdc5bbd815f89735c7f87
    • SHA1: ad0dd5834bdaf8552e0c2a16fca8894786f7f299
    • SHA256: 8a165d8c914a2c64273ddb5ea961e8d7f4e42f3a803af96886ebfd0ff576be1d
    • SHA512: 3ad90ab0dc0af13d6aff72699e4398aeb404340b212ae9e82627603c028e4b6c24f0aec82eaa867cfc2c2129441352fce79b3978d5a6fcac20622f3e20e283f2
    • SSDEEP: 196608:M7ua82jskVEUbKBsY6+jLD07YMT7DKSilI/xaU71ItNSyF6apyMWv1aQWipiZh7b:MKxPUtMD07YeKAZaUQh6apGttQb2m
    Score: 10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Blocklisted process makes network request
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

    • Target: WARZONE RAT 3.03/cratclient.bin
    • Size: 131KB
    • MD5: aedb2e69d91d2c8aff792e5c0b2396a0
    • SHA1: 28425bd65bef2ba27b7ac372ba9bab189a27a4e7
    • SHA256: e76b0d04117daa58544d87b69427aaa6a78d90461470a2a55c80616842180451
    • SHA512: c5216fccb6b42904f220c098da91c47ab57f6f0d4cd785b09edeeb343aa226a07f139b0c446c636bd035e1584a0b38b6b3ec7030b3cc005e7b34832cbf45630f
    • SSDEEP: 3072:U7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:UwpsERzGKurEXCzeLT7a
    Score: 3/10

    • Target: WARZONE RAT 3.03/cratclientd.bin
    • Size: 132KB
    • MD5: f6dbe80a1b68a734c92375fbbcf4be88
    • SHA1: cd6a7b57812c891f75e3a40c8f925ef5be48bade
    • SHA256: d364fe03510f34c22e8b5d25784ba80decae568bd939db66e4cd8b90538d60be
    • SHA512: 59abbb522f6a4f442601190f901846ff7b57e041a25773ea0b7ec03011c2d207bb8e609443dd1a74ad0a13a4e5bef043c584b0da882a5d6619d05871015230e8
    • SSDEEP: 3072:Z3wSeEN8bsEe0wwT+KKpiTxW7Cz4PLT85:ZAEN8bFwIcIqCzILT8
    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                        Count  ID
Persistence       Modify Existing Service          1      T1031
Defense Evasion   Virtualization/Sandbox Evasion   1      T1497
Discovery         System Information Discovery     5      T1082
Discovery         Query Registry                   3      T1012
Discovery         Virtualization/Sandbox Evasion   1      T1497