
General

  • Target: 7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a.exe
  • Size: 11.1MB
  • Sample: 240826-bln39awfrb
  • MD5: 63316fbe9cf350587c0ba8e107b72aeb
  • SHA1: face0bdd6337c3f224dfd5a5088fcc821fd4f3eb
  • SHA256: 7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
  • SHA512: 325136919dcaf134c81818bddfe678756b18f802344023b2dad98f139d845522e6d719e1d54b33ddfd31329d5efd96ff3c83b3af7c0964fe4280b04fc02a95e3
  • SSDEEP: 196608:A+GhzkE7l+GhzkE7H+GhzkE7p+GhzkE7D+GhzkE7d+GhzkE7T+GhzkE7fKWQc0gr:AxhzkUxhzkKxhzkoxhzkWxhzk8xhzkOT

Malware Config (extracted)

  • Family: warzonerat
  • C2: victorybelng.ddns.net:13900

Targets

    • Target: 7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a.exe (hashes as listed under General above)

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
