General

  • Target

    e8b24f1b5c30ecbce61d6f9ae17c3f84b45a14cb2f97399b581656d5a63cdc93

  • Size

    454KB

  • Sample

    230920-j94slsfa6s

  • MD5

    300a570d6a63d96ee97ff8d87032d888

  • SHA1

    b90d4f984728dcac268f9a4482b8ecff31997519

  • SHA256

    e8b24f1b5c30ecbce61d6f9ae17c3f84b45a14cb2f97399b581656d5a63cdc93

  • SHA512

    7c963dc5fd65a65ff5bfbeed78865d40198c9a1e16507d58a85bbb7dcc2f41d7f328c76366e5104af0c837eada112e7b20d33f15c64b6b732bf6c0ae6db9fdbf

  • SSDEEP

    12288:IQCijCpR1T3GYZPsSfm7oy0tDuQr5Til28+Yy:IQCiGt3LsSO7MtDuQr5Til11y

Malware Config

Extracted

Family

warzonerat

C2

191.101.130.113:8907

Targets

    • Target

      GN9RraXeXEBgOFw.exe

    • Size

      502KB

    • MD5

      a1e4735b4aaecb5d1e7b2b14c9f10b9f

    • SHA1

      3345d8e116ddef9ca6ae902d427902299b54cce3

    • SHA256

      e829d7199bc4b9903390779d67bc19fd7ecf51f5f9d449903e5baad0109e59a8

    • SHA512

      ea04af1c3fdf7caf771384e9f5f710e850f0c1e8d5e00c03ec4fd8fee3c56f03d784c0db0ca9ca702a2650d6bba1b45971b6fd3a524dc7ec72db4625a05ad091

    • SSDEEP

      12288:TBi0blTWLxWzw2LRYYDLieFAh+Zf5tT0/:ljlTWLxU7HieFECh+

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks