General
Target: BAC1BEEF11C340AE6632B50D2CE1FB80.exe
Size: 532KB
Sample: 240121-wft3jafdel
MD5: bac1beef11c340ae6632b50d2ce1fb80
SHA1: eed74625db691bb0d498afec7b5b376e83bf5ff1
SHA256: 13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310
SHA512: 1486f2cf857b0f2dbd4717adebe266b86d8efd0d5554751349606d51844bb77e59d85dda5246c414902d2029ef5d6c895ac417fd7d47556978f7f3fd063ac8b6
SSDEEP: 12288:XePFLVoq3FMItDhVug2npXPCqCAVzDU17u+vpBze+kkNSLy5eZ870W:XePRVoMFMIt/+FxM7le+3NJi
Static task: static1
Behavioral task: behavioral1, sample BAC1BEEF11C340AE6632B50D2CE1FB80.exe, resource win7-20231215-en
Behavioral task: behavioral2, sample BAC1BEEF11C340AE6632B50D2CE1FB80.exe, resource win10v2004-20231215-en
Malware Config
Extracted: warzonerat
C2 (host:port): 173.249.202.75:5200
Targets
Target: BAC1BEEF11C340AE6632B50D2CE1FB80.exe (532KB)
- WarzoneRat, AveMaria: WarzoneRat is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.
- Warzone RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext (rewriting another thread's context is a common step in process injection and hollowing)
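To act on these signatures on a suspect host, the following PowerShell triage script is an added example, not code from tria.ge, from this report, or from the malware. It checks the Run keys and Winlogon values the sandbox saw modified, records the registry GeoID that a country-code geofence check typically reads, looks for live TCP connections to the extracted endpoint, and hashes files in common drop directories against the sample's SHA256. The clean-install Winlogon defaults, the use of HKCU\Control Panel\International\Geo\Nation as the country-code source, and the "user-writable path or unsigned binary" heuristic for Run values are assumptions; the report only states that the keys were modified.

```powershell
# Added triage example for this report, not tria.ge or sample code.
# Assumptions (not stated in the report): the Winlogon defaults below, and
# that the "country code configured in the registry" is Geo\Nation under HKCU.

$C2Host       = '173.249.202.75'
$C2Port       = 5200
$SampleSha256 = '13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310'

# Clean-install Winlogon values (assumption; verify against your own gold image).
$WinlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Technique, $Location, $Value, $Reason) {
    $findings.Add([pscustomobject]@{
        Technique = $Technique; Location = $Location; Value = $Value; Reason = $Reason
    })
}

# Pull the executable path out of a Run-key command line: a quoted path or the first token.
function Get-CommandExe([string]$Command) {
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

# 1. Registry Run keys (T1547.001). A value pointing into a user-writable directory,
#    at a missing file, or at a binary without a valid Authenticode signature is flagged.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $exe = Get-CommandExe ([string]$p.Value)
        $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }
        $userWritable = $exe -match '\\(AppData|Temp|Users|Public|ProgramData)\\'
        if ($status -ne 'Valid' -or $userWritable) {
            Add-Finding 'Registry Run key' "$key\$($p.Name)" $p.Value "signature=$status userWritable=$userWritable"
        }
    }
}

# 2. Winlogon helper values (T1547.004). Shell and Userinit run at every interactive logon.
$wlPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $wlPath
foreach ($name in $WinlogonDefaults.Keys) {
    $val = [string]$wl.$name
    if ($val -ne $WinlogonDefaults[$name]) {
        Add-Finding 'Winlogon helper' "$wlPath\$name" $val "expected '$($WinlogonDefaults[$name])'"
    }
}
# A per-user Shell/Userinit override is absent on a default install; any value is suspicious.
$wlUser = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $wlUser) {
    foreach ($name in 'Shell', 'Userinit') {
        $val = (Get-ItemProperty -Path $wlUser).$name
        if ($val) { Add-Finding 'Winlogon helper (HKCU)' "$wlUser\$name" $val 'per-user override present' }
    }
}

# 3. The geofence lookup is a read, not a write. Record the configured GeoID so an
#    analyst can judge whether the sample would have run on this machine.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
Write-Host "Configured GeoID (Geo\Nation): $($geo.Nation)"

# 4. Live TCP connections to the extracted C2 endpoint, with the owning process.
Get-NetTCPConnection -RemoteAddress $C2Host -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'C2 connection' "$($_.RemoteAddress):$($_.RemotePort)" `
        "$($proc.Name) (PID $($_.OwningProcess))" "state=$($_.State) expected port $C2Port"
}

# 5. Files matching the sample's SHA256 in the usual user-writable drop locations.
$dropDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $dropDirs -Recurse -Depth 3 -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $h.ToLower() -eq $SampleSha256) {
            Add-Finding 'Dropped sample' $_.FullName $h 'SHA256 matches report'
        }
    }

if ($findings.Count -eq 0) { Write-Host 'No indicators from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell so HKLM and all user profiles are readable. A hash match on disk or a connection to 173.249.202.75 is a strong indicator; the Run-key and Winlogon checks are heuristics and will also surface legitimate but unsigned software, so review those hits against the sandbox behaviour above rather than treating every row as an infection.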
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1