Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Irfduym.exe

  • Size

    126KB

  • Sample

    240130-p662fsgbd6

  • MD5

    7bc4486e1ce4e18d7cd5421d76e49cbd

  • SHA1

    9894afb8cec46464c31f6748f6aead25e6fd12ae

  • SHA256

    6dbcd4c929ebc70a66cc5f94f5326e919457a1adbd4a390ff7ef9882a445b6f8

  • SHA512

    9e7f523cfcd940b3dbc4ae22e8ec423f23643d98283e32bd797742bd06597d2d6e0ce863c92ea8967ff1771eabdbb6c6e101fd867ff2820d6dc7fa27d1e8482a

  • SSDEEP

    1536:qp2qaP/hsoA/zw/BsnGfk7vI2sM+gDs5r21wRkPF5hp/galhJmTLaT1ktjl:nyH/zAr6vI2sM+rKQalhJmTLaT25l

Malware Config

Extracted

Family

warzonerat

C2

bossnew.ddns.net:1001

Targets

    • Detect ZGRat V1

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Warzone RAT payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks