[QuickNote] Phishing email distributes WarZone RAT via DBatLoader

April 2024
M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Posted: April 9, 2024 in My Tutorials, [QuickNote] Phishing email distributes WarZone RAT via DBatLoader
Tags: AveMariaRAT, DBatLoader, malware, Malware Analysis, ModiLoader, Warzone RAT

I. Execution Flow Summary:

Below is an illustrated and summarized way of how WarZone RAT sample infects the victim system via DBatLoader:

II. Technical Analysis

The attacker’s email sent to the user includes an attached .html file as follows:

Observing the file PO-2200934-KINQTE.html in Hex mode, it appears to contain scripts and a large blob of base64-encoded data.

The main task of the script as shown below:

By quick analyzing the content of the script, it will simulate downloading the file PO-2200934-KINQTE.rar rather than a file with the .exe extension. This can be verified by opening the .html file through popular browsers such as Edge or Chrome.

Decode the base64Data to obtain the RAR file. This RAR file contains an executable file named PO-2200934-KINQTE.exe.

File PO-2200934-KINQTE.exe (bdb74765f6e99f2af997bb1916e373390aafa21100f8638c4d4dc89553fbba35) is DBatLoader:

DBatLoader typically performs download obfuscated later stage payloads from public cloud services such as OneDrive or Google Drive. In the sample I’m analyzing, it will load the payload from OneDrive.

hxxps://onedrive[.]live[.]com/download?resid=FDB0512DE793B32E%21180&authkey=!AHbZUypgd3P08kc

At the time of analysis, the encrypted payload is still downloadable via the link above.

Decrypting the encrypted payload:

The decrypted payload (4c014a78f07a12a659b780d0da285a897a7ff56234796da909dc7a172e9282fc) is indeed the Warzone RAT, based on the following strings:

Reuse the script in the article I analyzed here, extracting the C2 information that the WarZone RAT payload will connect to.

III. References

IV. Indicators Of Compromise (IOCs)

PO-2200934-KINQTE.html	7b51aaf3071c6f0dad3865e0fa9cc19d2be45a46dbe507b9254ca6d7ba01d850
DbatLoader (PO-2200934-KINQTE.exe)	bdb74765f6e99f2af997bb1916e373390aafa21100f8638c4d4dc89553fbba35
WarZone RAT (encrypted)	hxxps://onedrive[.]live[.]com/download?resid=FDB0512DE793B32E%21180&authkey=!AHbZUypgd3P08kc
WarZone RAT	4c014a78f07a12a659b780d0da285a897a7ff56234796da909dc7a172e9282fc
WarZone RAT (C2)	halal[.]home-webserver[.]de:3109

End.

m4n0w4r

Comments

Week 15 – 2024 – This Week In 4n6 says:

April 14, 2024 at 8:11 PM

[…] 0day in {REA_TEAM}[QuickNote] Phishing email distributes WarZone RAT via DBatLoader […]

This site uses Akismet to reduce spam. Learn how your comment data is processed.

	Week 17 – 2024… on [QuickNote] Qakbot 5.0 –…
	[QuickNote] Qakbot 5… on Unveiling Qakbot: Exploring on…
	Week 15 – 2024… on [QuickNote] Phishing email dis…
	kienmanowar on REVERSING WITH IDA FROM SCRATC…
	mixue on REVERSING WITH IDA FROM SCRATC…

0day in {REA_TEAM}

Lịch

Tìm kiếm

Recent Posts – Bài mới

Bình luận gần nhất

Pages

Chuyên mục

peonimusha Bl0g

Top Posts

Các bài đã đăng

Blogroll

Statistics - Lượt truy cập