General

  • Target: babbb.exe
  • Size: 764KB
  • Sample: 240128-p9qtmsdafn
  • MD5: 5040eb019a579d7d5b583ccc285c2732
  • SHA1: 9a689878c6aee62a6f5f6634d05d999f543365bb
  • SHA256: 0bf6ae6361d96420e17922aca4af1f02ab2f3f01d67cd14148f187fd2de4f51b
  • SHA512: c4efdb54a752e309a574b9a769f5b2365f65ee1690e322bb6364e288c5f8f3196eb4b5122979af517706d463c6f2291d05ca664b8a1d22c2abc6feed5b6c223f
  • SSDEEP: 6144:F1NBdGYC2Ri6+GpplN8HTy4KV/ftexpq01Tek9TaASdJW6Di:F1N7GYtRi6Hczy4KJl+ekdaBJWF

Malware Config

Extracted

  • Family: warzonerat
  • C2: bossnew.ddns.net:1001

Targets

    • Target: babbb.exe (hashes as listed under General above)

    • WarzoneRat (also known as AveMaria)

      WarzoneRat is a native RAT written in C++, with multiple plugins, that is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks