WarZoneRAT Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (83)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en58
zh16
de10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us24
cn18
de8
it6
ru2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Remcos2
Ave Maria2
Nanocore RAT2
BitRAT2
AsyncRAT2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined26
Operating System8
Spreadsheet Software4
Content Management System4
Programming Language Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined30
Microsoft14
Cisco4
B&R2
Basti2web2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows8
Microsoft Excel4
MongoDB4
B&R SiteManager2
Jenkins2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Apache HTTP Server mod_proxy server-side request forgery7.37.3$25k-$100k$5k-$25kNot DefinedNot Defined0.040.97406CVE-2021-40438
2Microsoft Excel memory corruption7.06.9$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.01492CVE-2020-0650
3VMware Spring Boot HTTP Request denial of service5.75.6$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.00043CVE-2023-34055
4bouncycastle Self-Signed Certificate X509LDAPCertStoreSpi.java ldap injection3.93.9$0-$5k$0-$5kNot DefinedOfficial Fix0.040.00051CVE-2023-33201
5Nagios XI POST Request banner_message-ajaxhelper.php sql injection6.06.0$0-$5k$0-$5kNot DefinedNot Defined0.030.00085CVE-2023-40931
6Taokeyun HTTP POST Request Drs.php index sql injection8.17.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.030.00063CVE-2024-0480
7Apache ShardingSphere ElasticJob-UI information disclosure3.53.5$0-$5k$0-$5kNot DefinedNot Defined0.000.12656CVE-2022-22733
8phpMyAdmin SQL File cross site scripting4.44.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.00053CVE-2023-25727
9ZoneMinder HostController.php daemonControl os command injection7.47.3$0-$5k$0-$5kNot DefinedOfficial Fix0.050.00119CVE-2023-26039
10Zoho ManageEngine Recovery Manager Plus Proxy Setting Privilege Escalation5.75.6$0-$5k$0-$5kNot DefinedOfficial Fix0.040.00668CVE-2023-48646
11jeecgboot JimuReport image path traversal7.57.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.030.00062CVE-2023-6307
12WP Shortcodes Plugin resource injection4.34.2$0-$5k$0-$5kNot DefinedNot Defined0.040.00050CVE-2023-6226
13QDocs Smart School HTTP POST Request sql injection7.57.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.080.00077CVE-2023-5495
14MongoDB improper authorization6.66.5$0-$5k$0-$5kNot DefinedOfficial Fix0.040.00109CVE-2019-2386
15MongoDB Message Decompressor denial of service5.35.1$0-$5k$0-$5kNot DefinedOfficial Fix0.020.00087CVE-2019-20925
16MongoDB SysV Init Script Kill input validation4.24.2$0-$5k$0-$5kNot DefinedOfficial Fix0.040.00044CVE-2019-2389
17Job Configuration History Plugin path traversal3.93.9$0-$5k$0-$5kNot DefinedNot Defined0.050.00046CVE-2023-41930
18TEL-STER TelWin SCADA WebInterface information disclosure6.46.4$0-$5k$0-$5kNot DefinedNot Defined0.000.00076CVE-2023-0956
19Tongda OA delete_seal.php sql injection6.96.8$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.030.00066CVE-2023-4165
20Autodesk AutoCAD STP File Parser null pointer dereference4.34.2$0-$5k$0-$5kNot DefinedNot Defined0.000.00045CVE-2023-41139

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
1185.19.85.163WarZoneRAT07/12/2022verifiedHigh
2XXX.XXX.XX.XXXXxxxxxxxxx07/12/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (13)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22, CWE-23Path TraversalpredictiveHigh
2T1055CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCWE-XXXXxxx Xxx Xxxxxxxxx Xxxxxxxxxxx XxxxxxxxpredictiveHigh
7TXXXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
9TXXXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
10TXXXX.XXXCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
11TXXXXCWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
12TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
13TXXXXCWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (37)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/syslogpredictiveHigh
2File/course/filterRecords/predictiveHigh
3File/download/imagepredictiveHigh
4File/nagiosxi/admin/banner_message-ajaxhelper.phppredictiveHigh
5File/see_more_details.phppredictiveHigh
6File/xxx/xxx/xxx/xxxxxxxxxx/xxxxxxxxxxxxxx.xxxpredictiveHigh
7Filexxxxx/xxxxx_xxxxx.xxxpredictiveHigh
8Filexxxxx/xxxxxxxxxxxxx.xxxpredictiveHigh
9Filexxxxxxxxxxx/xxxxx/xxxxxxxxxx/x/xxx.xxxpredictiveHigh
10Filexxxxx.xxxpredictiveMedium
11Filexxx.xxxpredictiveLow
12Filexxxxxx/xxx.xpredictiveMedium
13Filexxxxxxx.xxxpredictiveMedium
14Filexxxxxxx/xxxxxx/xxxx_xxxxxx/xxxxxxxxxx/xxxxxx_xxxx.xxxpredictiveHigh
15Filexxxxx.xxx/xxxx/xxxxx/xxxx/xxxx.xxxpredictiveHigh
16Filexxxx_xxxxxxx.xxxpredictiveHigh
17Filexxxxx_xxx.xxxpredictiveHigh
18Filexxxxxxxx.xxxpredictiveMedium
19Filexxxx.xxxpredictiveMedium
20Filexxxx-xxxxxx.xpredictiveHigh
21Filexxxxx.xxxpredictiveMedium
22Filexxxxxxxxxxxxxxxxxxxx.xxxxpredictiveHigh
23Libraryxxxxxx.xxxpredictiveMedium
24ArgumentxxxxxxpredictiveLow
25ArgumentxxxpredictiveLow
26ArgumentxxxpredictiveLow
27Argumentxxxxxx_xxxpredictiveMedium
28ArgumentxxxxxpredictiveLow
29ArgumentxxpredictiveLow
30ArgumentxxpredictiveLow
31ArgumentxxxxxxxxpredictiveMedium
32ArgumentxxxxpredictiveLow
33Argumentxxxxxxxxxx[x][xxxxx]/xxxxxxxxxx[x][xxxxxxxxxxx]/xxxxxxxxxx[x][xxxxxxxxxxx]predictiveHigh
34ArgumentxxxxxxxxpredictiveMedium
35ArgumentxxxpredictiveLow
36ArgumentxxxxpredictiveLow
37Pattern|xx xx xx|predictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!