General

  • Target

    010b1992555965e82a43f5642aaf8ba1.exe

  • Size

    556KB

  • Sample

    240122-g16jqsabdj

  • MD5

    010b1992555965e82a43f5642aaf8ba1

  • SHA1

    ae665f4148618c9f48332ed3795cf91326311bb2

  • SHA256

    2eefb5dc5aae0ca14290ded3490ec8ae44c88fafdac0b062bacd8b9bd1497eb3

  • SHA512

    fb5ec0de2fe64114ee78d7578baebdfe23bc0978a4e35917d3039c057393c8a6eecf1adc82a25e92558ade18fabd205599e4039b16ac2fb0c0ec52e319c3c917

  • SSDEEP

    12288:sPf6X60ET/3W+pLzJWN0sMeG5n4Ps6lrjV7qIAxe4I/3YMa2URX:sPHvW+rKGJ4PplDX4OTalRX

Malware Config

Extracted

Family

warzonerat

C2

23.106.121.172:2026

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
