General

  • Target

    P.O 4700009314.exe

  • Size

    588KB

  • Sample

    240129-d5wzbaadgr

  • MD5

    e9c78cc0569b16b1e332cd86285620a2

  • SHA1

    f7c0db3e8139345ab87fb624a1a86274b7bcbc9e

  • SHA256

    decfb2acfa48419eb5c32541e8b99aa142ed856a2969012374c2a30f8bd7db70

  • SHA512

    780345ad09f734e5b889814f8fc3a082831dc39c06e5b0080d5a72f3adaef2957ea1a92b37063f3fb8c5ea2fc64ad9366d608f3934c861bef7ef1feb79c13816

  • SSDEEP

    12288:7a1rIoIFFHgeg/cNyyffsZAulwt34bmctED1BrCtWZQVRA4Uo9nuLwW:CIXFxN8eUsobtEZFZyVRA4b1u

Malware Config

Extracted

Family

warzonerat

C2

43.230.202.77:4568

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks