Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
e8b24f1b5c30ecbce61d6f9ae17c3f84b45a14cb2f97399b581656d5a63cdc93
-
Size
454KB
-
Sample
230920-j94slsfa6s
-
MD5
300a570d6a63d96ee97ff8d87032d888
-
SHA1
b90d4f984728dcac268f9a4482b8ecff31997519
-
SHA256
e8b24f1b5c30ecbce61d6f9ae17c3f84b45a14cb2f97399b581656d5a63cdc93
-
SHA512
7c963dc5fd65a65ff5bfbeed78865d40198c9a1e16507d58a85bbb7dcc2f41d7f328c76366e5104af0c837eada112e7b20d33f15c64b6b732bf6c0ae6db9fdbf
-
SSDEEP
12288:IQCijCpR1T3GYZPsSfm7oy0tDuQr5Til28+Yy:IQCiGt3LsSO7MtDuQr5Til11y
Static task
static1
Behavioral task
behavioral1
Sample
GN9RraXeXEBgOFw.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
GN9RraXeXEBgOFw.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
warzonerat
191.101.130.113:8907
Targets
-
-
Target
GN9RraXeXEBgOFw.exe
-
Size
502KB
-
MD5
a1e4735b4aaecb5d1e7b2b14c9f10b9f
-
SHA1
3345d8e116ddef9ca6ae902d427902299b54cce3
-
SHA256
e829d7199bc4b9903390779d67bc19fd7ecf51f5f9d449903e5baad0109e59a8
-
SHA512
ea04af1c3fdf7caf771384e9f5f710e850f0c1e8d5e00c03ec4fd8fee3c56f03d784c0db0ca9ca702a2650d6bba1b45971b6fd3a524dc7ec72db4625a05ad091
-
SSDEEP
12288:TBi0blTWLxWzw2LRYYDLieFAh+Zf5tT0/:ljlTWLxU7HieFECh+
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Sets DLL path for service in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1