General

  • Target

    Kavipsz.exe

  • Size

    10KB

  • Sample

    240128-p9p74sbcc4

  • MD5

    c2962aaa2e45754c27cfd561af655a64

  • SHA1

    738bd61ccaad6cdba0e0c73241c57e936096fdc1

  • SHA256

    29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908

  • SHA512

    e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03

  • SSDEEP

    192:xd5UZeTU9CIji4dcgh8V2PnHujraKj9Q:xdyZeUXj35SV2vHuraKj9

Malware Config

Extracted

Family

warzonerat

C2

bossnew.ddns.net:1001

Targets

    • Target

      Kavipsz.exe

    • Size

      10KB

    • MD5

      c2962aaa2e45754c27cfd561af655a64

    • SHA1

      738bd61ccaad6cdba0e0c73241c57e936096fdc1

    • SHA256

      29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908

    • SHA512

      e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03

    • SSDEEP

      192:xd5UZeTU9CIji4dcgh8V2PnHujraKj9Q:xdyZeUXj35SV2vHuraKj9

    • Detect ZGRat V1

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Warzone RAT payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
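The behaviors listed above (Run key persistence, a dropped file in the Startup folder, execution of the known sample, and the beacon to bossnew.ddns.net:1001) are what a host-based detection would look for. The script below is an added example, not Triage's own signature code: it runs simple Sysmon-style rules over a handful of constructed events and reports which of the report's behaviors they trigger. The hashes and C2 host are taken from this report; the dropped filename, user profile path and SID in the events are made up. The SetThreadContext indicator is an API-level observation from the sandbox with no direct Sysmon event, so it is not covered here.

```python
"""Map Sysmon-style events to the WarzoneRAT behaviors in the Triage report.

Added example, not Triage's signature code. Event field names follow
Sysmon's schema (EventID 1 process create, 3 network connect,
11 file create, 13 registry value set); the event values are constructed.
"""
import re
from typing import Dict, Iterable, List

# Indicators taken from the report above.
SAMPLE_SHA256 = "29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908"
SAMPLE_MD5 = "c2962aaa2e45754c27cfd561af655a64"
C2_HOST = "bossnew.ddns.net"
C2_PORT = 1001

# Persistence locations behind "Adds Run key" and "Drops startup file".
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed events: the dropped file name, profile path and SID are invented.
DROPPED = r"C:\Users\victim\AppData\Roaming\dropped_payload.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\Kavipsz.exe",
     "Hashes": f"MD5={SAMPLE_MD5},SHA256={SAMPLE_SHA256}"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\Kavipsz.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\dropped_payload.exe"},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\dropped_payload"},
    {"EventID": 3, "Image": DROPPED,
     "DestinationHostname": "bossnew.ddns.net", "DestinationPort": "1001"},
    # Benign noise that must not match.
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": "80"},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'MD5=..,SHA256=..' string into {ALGO: lowercase_hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(event: dict) -> List[str]:
    """Return the report behaviors a single event is evidence for."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == 1:
        hashes = parse_hashes(event.get("Hashes", ""))
        if hashes.get("SHA256") == SAMPLE_SHA256 or hashes.get("MD5") == SAMPLE_MD5:
            hits.append("Known WarzoneRAT sample executed")
    elif eid == 11 and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        hits.append("Drops startup file (T1547.001)")
    elif eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        hits.append("Adds Run key to start application (T1547.001)")
    elif eid == 3:
        host = str(event.get("DestinationHostname", "")).lower()
        port = int(event.get("DestinationPort", 0))
        # Exact C2 host match, widened to any ddns.net host on the report's
        # C2 port (a heuristic beyond the report's own indicator).
        if host == C2_HOST or (host.endswith(".ddns.net") and port == C2_PORT):
            hits.append(f"C2 connection to {host}:{port}")
    return hits


def scan(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each detected behavior to the process images that exhibited it."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(hit, []).append(ev.get("Image", "?"))
    return findings


if __name__ == "__main__":
    for behavior, images in scan(SAMPLE_EVENTS).items():
        print(f"{behavior}: {', '.join(images)}")
```

Hash matching only catches this exact build; the Run key and Startup folder rules are the ones that generalize to re-packed samples, at the cost of needing an allowlist for legitimate installers that write the same locations.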

MITRE ATT&CK Enterprise v15

Tasks