{
	"id": "c5cbb288-6b34-487d-b729-bfa9d6465a34",
	"created_at": "2026-04-06T00:11:31.53625Z",
	"updated_at": "2026-04-10T03:20:26.356481Z",
	"deleted_at": null,
	"sha1_hash": "ac0e4cdbe845663d4c463956acaf055f0db7cbb6",
	"title": "[QuickNote] Phishing email distributes WarZone RAT via DBatLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1051300,
	"plain_text": "[QuickNote] Phishing email distributes WarZone RAT via DBatLoader\r\nPublished: 2024-04-09 · Archived: 2026-04-05 21:07:44 UTC\r\nI. Execution Flow Summary:\r\nBelow is an illustrated summary of how the WarZone RAT sample infects the victim system via DBatLoader:\r\nII. Technical Analysis\r\nThe attacker’s email sent to the user includes an attached .html file as follows:\r\nObserving the file PO-2200934-KINQTE.html in Hex mode, it appears to contain scripts and a large blob of base64-encoded data.\r\nhttps://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/\r\nThe main task of the script is shown below:\r\nA quick analysis of the script's content shows that it simulates downloading the file PO-2200934-KINQTE.rar rather than a file with the .exe extension. This can be verified by opening the .html file in popular browsers such as Edge or Chrome.\r\nDecoding the base64Data yields the RAR file. This RAR file contains an executable named PO-2200934-KINQTE.exe.\r\nThe file PO-2200934-KINQTE.exe (bdb74765f6e99f2af997bb1916e373390aafa21100f8638c4d4dc89553fbba35) is DBatLoader:\r\nDBatLoader typically downloads obfuscated later-stage payloads from public cloud services such as OneDrive or Google Drive. In the sample I’m analyzing, it loads the payload from OneDrive:\r\nhxxps://onedrive[.]live[.]com/download?resid=FDB0512DE793B32E%21180\u0026authkey=!AHbZUypgd3P08kc\r\nAt the time of analysis, the encrypted payload is still downloadable via the link above.\r\nDecrypting the encrypted payload:\r\nThe decrypted payload (4c014a78f07a12a659b780d0da285a897a7ff56234796da909dc7a172e9282fc) is indeed the Warzone RAT, based on the following strings:\r\nReusing the script from the article I analyzed here, I extracted the C2 information that the WarZone RAT payload will connect to.\r\nIII. References\r\nDbatLoader Triage\r\n[QuickNote] Decrypting the C2 configuration of Warzone RAT\r\nIV. Indicators Of Compromise (IOCs)\r\nEnd.\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/"
	],
	"report_names": [
		"quicknote-phishing-email-distributes-warzone-rat-via-dbatloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac0e4cdbe845663d4c463956acaf055f0db7cbb6.pdf",
		"text": "https://archive.orkl.eu/ac0e4cdbe845663d4c463956acaf055f0db7cbb6.txt",
		"img": "https://archive.orkl.eu/ac0e4cdbe845663d4c463956acaf055f0db7cbb6.jpg"
	}
}