[QuickNote] Phishing email distributes WarZone RAT via
DBatLoader
Published: 2024-04-09 · Archived: 2026-04-05 21:07:44 UTC
3 Votes
I. Execution Flow Summary:
Below is an illustrated and summarized way of how WarZone RAT sample infects the victim system via
DBatLoader:
II. Technical Analysis
The attacker’s email sent to the user includes an attached .html file as follows:
Observing the file PO-2200934-KINQTE.html in Hex mode, it appears to contain scripts and a large blob of
base64-encoded data.
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 1 of 9

The main task of the script as shown below:
By quick analyzing the content of the script, it will simulate downloading the file PO-2200934-KINQTE.rar rather
than a file with the .exe extension. This can be verified by opening the .html file through popular browsers such
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 2 of 9

as Edge or Chrome.
Decode the base64Data to obtain the RAR file. This RAR file contains an executable file named PO-2200934-
KINQTE.exe .
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 3 of 9

File PO-2200934-KINQTE.exe (bdb74765f6e99f2af997bb1916e373390aafa21100f8638c4d4dc89553fbba35) is
DBatLoader :
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 4 of 9

DBatLoader typically performs download obfuscated later stage payloads from public cloud services such as
OneDrive or Google Drive. In the sample I’m analyzing, it will load the payload from OneDrive.
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 5 of 9

hxxps://onedrive[.]live[.]com/download?resid=FDB0512DE793B32E%21180&authkey=!AHbZUypgd3P08kc
At the time of analysis, the encrypted payload is still downloadable via the link above.
Decrypting the encrypted payload:
The decrypted payload (4c014a78f07a12a659b780d0da285a897a7ff56234796da909dc7a172e9282fc) is indeed
the Warzone RAT, based on the following strings:
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 6 of 9

https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 7 of 9

https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 8 of 9

Reuse the script in the article I analyzed here, extracting the C2 information that the WarZone RAT payload will
connect to.
III. References
DbatLoader Triage
[QuickNote] Decrypting the C2 configuration of Warzone RAT
IV. Indicators Of Compromise (IOCs)
End.
m4n0w4r
Source: https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
Page 9 of 9