General

  • Target

    BAC1BEEF11C340AE6632B50D2CE1FB80.exe

  • Size

    532KB

  • Sample

    240121-wfwlcsgaa5

  • MD5

    bac1beef11c340ae6632b50d2ce1fb80

  • SHA1

    eed74625db691bb0d498afec7b5b376e83bf5ff1

  • SHA256

    13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310

  • SHA512

    1486f2cf857b0f2dbd4717adebe266b86d8efd0d5554751349606d51844bb77e59d85dda5246c414902d2029ef5d6c895ac417fd7d47556978f7f3fd063ac8b6

  • SSDEEP

    12288:XePFLVoq3FMItDhVug2npXPCqCAVzDU17u+vpBze+kkNSLy5eZ870W:XePRVoMFMIt/+FxM7le+3NJi

Malware Config

Extracted

Family

warzonerat

C2

173.249.202.75:5200

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
