General

  • Target

    WARZONE RAT 3.03.7z

  • Size

    14.8MB

  • Sample

    250127-3wr2fazmaw

  • MD5

    baa48b7b4f818eac1961077a5a8dec7b

  • SHA1

    dfb920f433043fc37c52c41beef84a7c3f5fea51

  • SHA256

    3acce18fa1327b1e89c47997fe1da62a86a1211d893f5128b4c59fa44d57b335

  • SHA512

    e4f70569979e7113b457f01540da15c1117db4ad11ad7ec0bc80e8728919388238169939d3d8e4bfb16ff462600a2f79eff705ada7188c05b9fe93369498d6d7

  • SSDEEP

    393216:tDM8XTc0COEg55W4DufHxGtAopJ/Q4k3mJghKo3pasJthjqXOrLr:BBjc0q4Sb4JI4FJUasJthjq+nr

Malware Config

Extracted

Family

warzonerat

C2

127.0.0.1:5200

Targets

    • Target

      WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe

    • Size

      615KB

    • MD5

      9437e1958c0ac30e29f23673a8363dca

    • SHA1

      d5dde71d0da6910018a78b023779eb0a960b01e5

    • SHA256

      33f697aeab386599e11efc14a336d131dceb4efe397614b06ad1c592f89d3212

    • SHA512

      0197288326d68d96d91e5f58514dcf0ab6e76dd69b889424d62ca540670c7fd945240f457a244cc49f48ac8b86b335be80812f94cd7b6008aa7f01813cfd36ec

    • SSDEEP

      1536:1gg2zBS5D6aZuAQomeq6Y2mlJ5Tv8gzWNX5D6vZDAQomeK6Y2m9J5Tv8gzW:1gpBMrZuAQrZKgyNRGZDAQXRygC

    • Score

      3/10

    • Target

      WARZONE RAT 3.03/WARZONE RAT 3.03 Cracked.exe

    • Size

      7.5MB

    • MD5

      03977a4fc47100f00650d65b1088f391

    • SHA1

      2517557e6bdb3e2268143f4690a4cc44426ac481

    • SHA256

      2325745d8b078385be3a995640b2cee98e85c8ac1c111fde5fcb1c257d9efe7d

    • SHA512

      2ad09d2e14ea3f83a950b76444b49d49b53a5735f1256f6c59f97bf380bd89e59f97f157ba7a75416e154e9142e33a609eb10c4c5f59963487d4d2ec6adb4a3c

    • SSDEEP

      196608:fWjyOLFVG2tUpi7tPRopU2Pa3uAdvCgoYEttoTBoWY/:fR6FVJUpi7tJoDAdvbEttoev/

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Warzone RAT payload

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15