General
-
Target
ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb.exe
-
Size
2.2MB
-
Sample
240223-f9zl4sce75
-
MD5
cdd45a122734f4f14ae8c4741cd79eab
-
SHA1
97c84316d2a17e3deae6c134076f873d60cd8ce4
-
SHA256
ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb
-
SHA512
bed5c5d5916e49c0de6fd33a395f583ef72d40c91079ad1de349d68c20a1e6ab6403633b5efdeb02a454a59ebf7558e63a5d809d963c37d3230387524fb282fa
-
SSDEEP
49152:US8kak8/G2ejlDcpoaPGum5Z8MwtE5d8qdoFZ:UUak88cpogPmUCsJZ
Static task
static1
Behavioral task
behavioral1
Sample
ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb.exe
Resource
win10v2004-20240221-en
Malware Config
Extracted
warzonerat
zakriexports.com:2017
Targets
-
Target
ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb.exe
-
Size
2.2MB
-
MD5
cdd45a122734f4f14ae8c4741cd79eab
-
SHA1
97c84316d2a17e3deae6c134076f873d60cd8ce4
-
SHA256
ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb
-
SHA512
bed5c5d5916e49c0de6fd33a395f583ef72d40c91079ad1de349d68c20a1e6ab6403633b5efdeb02a454a59ebf7558e63a5d809d963c37d3230387524fb282fa
-
SSDEEP
49152:US8kak8/G2ejlDcpoaPGum5Z8MwtE5d8qdoFZ:UUak88cpogPmUCsJZ
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers.
-
Detects executables embedding command execution via IExecuteCommand COM object
-
ModiLoader Second Stage
-
Warzone RAT payload
-
Creates new service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1