General

  • Target

    0923b96551a00cf7c004115637a4e0eb9d80ea8c6ab80c6515b3f3ca28bd5eb4.doc

  • Size

    3KB

  • Sample

    240213-cnfekaah57

  • MD5

    08e4197b0f47a59e1061a1c30c445daa

  • SHA1

    a3c5eb519045be882bcc057f4df655789f542ee8

  • SHA256

    0923b96551a00cf7c004115637a4e0eb9d80ea8c6ab80c6515b3f3ca28bd5eb4

  • SHA512

    5b7a923f6cc6f1baddb728dce653b5af353cc1a2544348fd857b0ede029470307597e39a151460a79e4bd3963b8438ae55531dbb2d2f26fc55483c9c8ce8f336

Malware Config

Extracted

Family

warzonerat

C2

makatti.duckdns.org:3787

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks