warzonerat | 3acce18fa1327b1e89c47997fe1da62a86a1211d893f5128b4c59fa44d57b335

Sharing

Copy URL

Twitter E-mail

General

Target

WARZONERAT3.03.7z
Size

14.8MB
Sample

250128-am1b8szrc1
MD5

baa48b7b4f818eac1961077a5a8dec7b
SHA1

dfb920f433043fc37c52c41beef84a7c3f5fea51
SHA256

3acce18fa1327b1e89c47997fe1da62a86a1211d893f5128b4c59fa44d57b335
SHA512

e4f70569979e7113b457f01540da15c1117db4ad11ad7ec0bc80e8728919388238169939d3d8e4bfb16ff462600a2f79eff705ada7188c05b9fe93369498d6d7
SSDEEP

393216:tDM8XTc0COEg55W4DufHxGtAopJ/Q4k3mJghKo3pasJthjqXOrLr:BBjc0q4Sb4JI4FJUasJthjq+nr

Score

10^/10

Malware Config

Targets

- Target
  
  WARZONE RAT 3.03/Datas/ServerManager.dll
- Size
  
  96KB
- MD5
  
  ccc5bd0d95f504fce814e6758d4953d6
- SHA1
  
  531755eb609b6740a5117e0e7a84547ae66061e0
- SHA256
  
  2b658436167826d3a1e44919a1113c6f1717515bd7ef0064d7152d7c3e050fc1
- SHA512
  
  da7c581c84d9236d0c728bb947d212d76ba59af79ee3d8966a6fe42276543a0db40eecd1792a6f6c0db507f8b5e2267370ae46866d8b03dc4e2e9f1e1dfee954
- SSDEEP
  
  1536:XLKZtKu0SvWj0DhgyQWnOS+jKcMfjR2CJ0psWQcd7kiW4L2er:XLOtKdSvNgyQWnOSKBVCOAiHL2er
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  WARZONE RAT 3.03/Datas/SocksManager.exe
- Size
  
  8KB
- MD5
  
  e659818d6efe1953e14c9ece3b24a14c
- SHA1
  
  771ee6fa69d72d337e108305a609d4b96b9db5d4
- SHA256
  
  28195831f7e09ddf9bbe28ec957c1f380d27cf9cc3ebf538beaada0e4e74886a
- SHA512
  
  49acf7e0341707f1094da620660aac7af2b5ced92ff4a1f82fb274091666cb9d5c70bf5532020d08a0088f490a887fa734915243a36f2e69bcabacf0caf38333
- SSDEEP
  
  96:OFkBFvEm0IBRNHUPs+EsZRkCMJe0+5JGS4fVfaFDF8IEt0mGu4RzNt:OonHUEhWPH0iGS4flaL8IEKmEz
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  WARZONE RAT 3.03/Datas/firefox.dlls
- Size
  
  2.3MB
- MD5
  
  a26861558315278d5960fe1bf58b1950
- SHA1
  
  4b71194940c91fdd44909b8cf262000b10a3f7a8
- SHA256
  
  b52720863ec78e0f7bff98e6c809fdf50ab2d0ea361e95eb5341e870aafb0354
- SHA512
  
  63a7376abe6907d9d25202c8611b2dc15386b287e23aa8755fe0b7ffc5b5cb40ef03716bab3968440f0eca2689fa195809bad48cd1ef3718bcdb9081538cfb83
- SSDEEP
  
  49152:f7Pi205SP4PJ+LzW5ygDwnEZIYkjgWjblMSRpMqxsFYrt:f7P705mAF5zD6sILTjblMS3Ft
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  WARZONE RAT 3.03/Datas/rdpwrap32.dll
- Size
  
  107KB
- MD5
  
  f5c6a32ee3bd88ae44c0c0dfae950cf0
- SHA1
  
  ccf368347092d2fdbbe53448378133a1adb7e762
- SHA256
  
  b9828995474f7e6a6b5c160e5160c5ff49495654a5b89654b6a0f9b8664f82fc
- SHA512
  
  c9ceb02a6f9235c9d26856987c18a66cc0abf6c3a1d580fef078cd98cade3fc54d5b76de9cb0ab4e3c048722dd258c2718b617b6efa35ae2fe7dfb4ecfa71c8e
- SSDEEP
  
  1536:rU2oADiIgmzJEHxstEua3iDFurHEYpQa5CaU/cIxpi4rHdvSFDEX7p9:rU2oADmsTayDERzCaKcaQadvEA9
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  WARZONE RAT 3.03/Datas/rdpwrap64.dll
- Size
  
  150KB
- MD5
  
  c4063372afe486d5e9a11c5b68e0524f
- SHA1
  
  9f9da8d10f3a2f6f17dffdf45b5b90e094ad30f6
- SHA256
  
  fc1f3fc182cef9bcef5192e4fa4569697e27852cbffb7a55ea6118c603ddc420
- SHA512
  
  6286914126dd16600797f5741bfa6a56e0ade32913385beed822bf6186f74c53fa607597a30a31868d0e5493524bd4cdea41c54e3fa2fa2cbb9d23366b5661e3
- SSDEEP
  
  3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVsXDPtD05aw:oMjTiVw2ve9LBMMpJsT+lCa
Score

1^/10
behavioral10 behavioral9
- Target
  
  WARZONE RAT 3.03/Datas/rvncviewer.exe
- Size
  
  1.4MB
- MD5
  
  27561e722c736ab5a77110790402999b
- SHA1
  
  94899eba768a3b53dd45891ac482c354d7c1f48b
- SHA256
  
  5e49a7fec8c9f81b191e5fa69bdb1a627814631813fedfc4136c71e55cd57c0f
- SHA512
  
  fe92715c24df8d5d3027a6a9c782a87f2d5e13d5b3c18f3dc4d4f076e8d707268fdadb036ffa746a3e735596a5ab805961383c1515f36023d13493c166ef422d
- SSDEEP
  
  24576:fgOkIyp31kIO30I8nF/RN2VdIOMIC4ITr4hhxselM5lcgaK:fuIyp3XO30ZnF/RgVCOMiITUhhxRM5l7
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  WARZONE RAT 3.03/Datas/upnp.exe
- Size
  
  70KB
- MD5
  
  ca96229390a0e6a53e8f2125f2c01114
- SHA1
  
  a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
- SHA256
  
  0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
- SHA512
  
  e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
- SSDEEP
  
  1536:tjL6b1xoQ66K+jLMqPHULq87qdGN2B30GfDQ+1FIRXWHH0:t0BVbjQaNpd82xpLQ+126H0
Score

8^/10

defense_evasion discovery persistence privilege_escalation upx
- Modifies Windows Firewall
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral13 behavioral14
- Target
  
  WARZONE RAT 3.03/Datas/vncviewer.exe
- Size
  
  17.1MB
- MD5
  
  17ae77c95c824bd71e9e3da66068b1df
- SHA1
  
  1ab8b85559c81dce515d9e1e9d80ba0609cdb17a
- SHA256
  
  54b1e999d48059651e15685a860f655c37b70e241433335d01048ce65d237856
- SHA512
  
  5e3158f7f329e0c7802791542585fd662076f4355cc24fc7be1dc2878a6d5eaa4b40729997c8bdd2b848fdf7e145c1fbf752d5933bba9e01ec0cf571fc5c7a7d
- SSDEEP
  
  196608:lDlkblYbL1z/p+mjLXLBzepAjEVhuD+T/MY09Eoq9H5uoxU:lD+kimBzIuuUY0SomG
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  WARZONE RAT 3.03/License.dll
- Size
  
  959KB
- MD5
  
  cb63d02b2189eeef93f7abdd88450095
- SHA1
  
  f8230932af46537195f9f266e7fd657622fe297d
- SHA256
  
  8e680c2074e5e701174f801125cb438c55a4a65649b4c7307e10de61879cbe65
- SHA512
  
  c40efb00279f9e2bf4fe81a6dd14785e4d66a50b9955cb80ddb545b5142a293013ff6ea9cbf817e48f6a2e393baf169106f5663e1defddc524c8574374477780
- SSDEEP
  
  24576:x8ePkxtGwCxgwKE+OqBIqg04hennliOETs:PwE+UIQUIj
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  WARZONE RAT 3.03/MaterialSkin.dll
- Size
  
  571KB
- MD5
  
  ed99fa9fdde37b7bacce5fb11b61dfdd
- SHA1
  
  b7f562ba4fb1c40e1ff979f2ba0843619c38a9df
- SHA256
  
  50d82fc44a5ee228ffacc36f5babc51985ed229b0e0c88dfa806e08a56ec989a
- SHA512
  
  42a6c5775cec20b26cc5c19140b5495bd3527f09b6f6138179fcfc4361a83a83c0fe7fc7c7ab418a9e1f02eceae1c781a6568f3638de1e60c737fcfb88288872
- SSDEEP
  
  12288:mbd0kxswcXKC2zNWfm2YRm5sm2YRm5hkxswcXKC2zNW:mbd0ZX9uWfm2Yysm2YyhZX9uW
Score

1^/10
behavioral19 behavioral20
- Target
  
  WARZONE RAT 3.03/PETools.dll
- Size
  
  19KB
- MD5
  
  db7101a0e92cd476b587afb9c55586d0
- SHA1
  
  2439c91a6f6ce5a684e56d825155e5101c35070b
- SHA256
  
  b39bbd6d8ee84743834741aae0a39159f62db829678e5bb0d915b09edc27b41e
- SHA512
  
  c194b789346f2dc9f10d4bba787a0edb585de0a5fa4ee3c507b7df9bf2086027cff82c810c0100a09253776b0986bcf7d9eac1c488a2322fef726282f157c3ad
- SSDEEP
  
  384:u6/gKCNh7RZ/XyBJvoQXxiJiIWaYvJN71wfPXY7:7/SNh7RZPy4QXpoYRNJwY7
Score

1^/10
behavioral21 behavioral22
- Target
  
  WARZONE RAT 3.03/TyWarzone.dll
- Size
  
  132KB
- MD5
  
  8972fbd74954fb223bd1f8000afefbed
- SHA1
  
  56912e4371bfeb65b2d53a845e65a0252fdf0f20
- SHA256
  
  20b6d6c9e4c611beb2394539b90ce3b904b28d296b08da9d07d19a0ffc2971a1
- SHA512
  
  12c0a61e031cae5f1557d0685deae0e87f997dcefd556c94d04bb34c6f5c90cf7c4188e04ee298e850b5f11c960fc8e3635cd8976a0a820446bc88349216b367
- SSDEEP
  
  3072:Z3wSeEN8bsEe0wwT+KKpiTxWOCz4PLT85:ZAEN8bFwIcIfCzILT8
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  WARZONE RAT 3.03/WARZONE Password Viewer 1.0.exe
- Size
  
  615KB
- MD5
  
  9437e1958c0ac30e29f23673a8363dca
- SHA1
  
  d5dde71d0da6910018a78b023779eb0a960b01e5
- SHA256
  
  33f697aeab386599e11efc14a336d131dceb4efe397614b06ad1c592f89d3212
- SHA512
  
  0197288326d68d96d91e5f58514dcf0ab6e76dd69b889424d62ca540670c7fd945240f457a244cc49f48ac8b86b335be80812f94cd7b6008aa7f01813cfd36ec
- SSDEEP
  
  1536:1gg2zBS5D6aZuAQomeq6Y2mlJ5Tv8gzWNX5D6vZDAQomeK6Y2m9J5Tv8gzW:1gpBMrZuAQrZKgyNRGZDAQXRygC
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  WARZONE RAT 3.03/WARZONE RAT 3.03 Cracked.exe
- Size
  
  7.5MB
- MD5
  
  03977a4fc47100f00650d65b1088f391
- SHA1
  
  2517557e6bdb3e2268143f4690a4cc44426ac481
- SHA256
  
  2325745d8b078385be3a995640b2cee98e85c8ac1c111fde5fcb1c257d9efe7d
- SHA512
  
  2ad09d2e14ea3f83a950b76444b49d49b53a5735f1256f6c59f97bf380bd89e59f97f157ba7a75416e154e9142e33a609eb10c4c5f59963487d4d2ec6adb4a3c
- SSDEEP
  
  196608:fWjyOLFVG2tUpi7tPRopU2Pa3uAdvCgoYEttoTBoWY/:fR6FVJUpi7tJoDAdvbEttoev/
Score

9^/10

defense_evasion discovery themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  WARZONE RAT 3.03/cratclient.bin
- Size
  
  131KB
- MD5
  
  aedb2e69d91d2c8aff792e5c0b2396a0
- SHA1
  
  28425bd65bef2ba27b7ac372ba9bab189a27a4e7
- SHA256
  
  e76b0d04117daa58544d87b69427aaa6a78d90461470a2a55c80616842180451
- SHA512
  
  c5216fccb6b42904f220c098da91c47ab57f6f0d4cd785b09edeeb343aa226a07f139b0c446c636bd035e1584a0b38b6b3ec7030b3cc005e7b34832cbf45630f
- SSDEEP
  
  3072:U7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:UwpsERzGKurEXCzeLT7a
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  WARZONE RAT 3.03/cratclientd.bin
- Size
  
  132KB
- MD5
  
  f6dbe80a1b68a734c92375fbbcf4be88
- SHA1
  
  cd6a7b57812c891f75e3a40c8f925ef5be48bade
- SHA256
  
  d364fe03510f34c22e8b5d25784ba80decae568bd939db66e4cd8b90538d60be
- SHA512
  
  59abbb522f6a4f442601190f901846ff7b57e041a25773ea0b7ec03011c2d207bb8e609443dd1a74ad0a13a4e5bef043c584b0da882a5d6619d05871015230e8
- SSDEEP
  
  3072:Z3wSeEN8bsEe0wwT+KKpiTxW7Cz4PLT85:ZAEN8bFwIcIqCzILT8
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Modifies Windows Firewall

UPX packed file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32