Technical analysis of WarZoneRAT malware
Common Information
Type Value
UUID 63d5ebf9-69a2-4b10-a637-fb7d2b1c4351
Fingerprint 8c233e73adba22f1
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 15, 2023, midnight
Added to db Nov. 9, 2023, 1:47 a.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Technical analysis of WarZoneRAT malware
Title Technical analysis of WarZoneRAT malware
Detected Hints/Tags/Attributes 60/1/26
RSS Feed
Id   Enabled  Feed title  Url                                   Added to db
176           muha2xmad   https://muha2xmad.github.io/feed.xml  2024-08-30 22:08
Attributes
Type    #Events  Value                                                                                        CTI Value
Domain  6        warzone.ws
Domain  13       archive.zip
Domain  62       stackoverflow.com
Domain  6        research.openanalysis.net
Domain  48       pefile.pe
Domain  13       section.name
File    1        %systemroot%\system32\termsrv.dll
File    17       termsrv.dll
File    32       %systemroot%\system32\svchost.exe
File    1122     svchost.exe
File    1209     powershell.exe
File    1        c:\path\to\your\directory' -destinationpath 'c:\path\to\your\archive.zip
File    30       shutdown.exe
File    533      ntdll.dll
File    2        warzone_rat_config.html
File    64       logins.json
File    29       profiles.ini
File    2127     cmd.exe
File    2        %systemroot%\\system32\\termsrv.dll
md5     13       9375CFF0413111d3B88A00104B2A6676
sha256  1        f65a8af1100b56f2ebe014caeaa5bb2fbbca2da76cb99f3142354e31fbba5c8c
IPv4    1441     127.0.0.1
IPv4    1        89.117.76.41
IPv4    79       1.2.3.4
Url     2        https://stackoverflow.com/questions/9433541/movsx-in-python
Url     2        https://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_rat_config.html