Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

RFQ-ELITE ...CT.exe

windows7-x64

10

RFQ-ELITE ...CT.exe

windows10-2004-x64

10

RFQ-ELITE ...64.dll

windows7-x64

1

RFQ-ELITE ...64.dll

windows10-2004-x64

1

RFQ-ELITE ...64.dll

windows7-x64

10

RFQ-ELITE ...64.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0effd7596713b75d23e412b42eef23055f0e44bba7e2b283e6c053d90c75e1fa

  • Size

    2.4MB

  • Sample

    250304-bffvpavvc1

  • MD5

    4879c8d246f35579f9ff063afb81d969

  • SHA1

    6d46c565e11279a3b592685887bfa6b92c3b2d90

  • SHA256

    0effd7596713b75d23e412b42eef23055f0e44bba7e2b283e6c053d90c75e1fa

  • SHA512

    904d4d06b85f9c67f6df2fea9f7baf357e8ac67a25987ee7385ce980d5cb147d1670eadeacbc977baeb75f1222763740b38337e18fec318cbfdf8b65aefd04af

  • SSDEEP

    49152:vG7HNV+gSf7BQL8C0yLQvx3kNnbexIgFd1B0Xx73BeMvRxZso7YspmpRW:vUtggSf7BQgC0DvJQYeLBegfxmW

Score
10/10
warzoneratcollectiondiscoveryinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

198.46.177.153:4532

Targets

    • Target

      RFQ-ELITE INDUSTRIAL MARINE PROJECT/RFQ-ELITE INDUSTRIAL MARINE PROJECT.exe

    • Size

      633KB

    • MD5

      573c3aa20cab92c93663f0e475323557

    • SHA1

      647598a3a90b23787b83f0c23ba26a8b4b779592

    • SHA256

      9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a

    • SHA512

      06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694

    • SSDEEP

      6144:WTTzzJeyp1RnC7HJnIApeX9vLSaXmWFiB3WOk6f7h9WgFER0u+GIIIIIIIhIIIIw:GTzNeypHnC7HdeXZEWFTOk6fmBm5GV

    Score
    10/10
    warzoneratcollectiondiscoveryinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      RFQ-ELITE INDUSTRIAL MARINE PROJECT/tier0_s64.dll

    • Size

      412KB

    • MD5

      de738f87b7a558476d73d590ea20a3b9

    • SHA1

      ea2da2c8b5c811ea798805d3e77250f12cf6da76

    • SHA256

      87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850

    • SHA512

      934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b

    • SSDEEP

      6144:xgK7Z8Fd7IQx/XYn7z504xbPnTfMrqS63qqp5WEoXWGhYcRo4gFYRu7oJzBV9:hZ8Fd7IM/Xwnz2qS63nYEe6uo4gxyB

    Score
    1/10
    behavioral3behavioral4

    • Target

      RFQ-ELITE INDUSTRIAL MARINE PROJECT/vstdlib_s64.dll

    • Size

      5.4MB

    • MD5

      9f2a2fa3476321eb5943480d441106e0

    • SHA1

      36027da2845264c407d0b0d109643a8c1f8b61ff

    • SHA256

      2b6676336d45baf336906ff7144d33a4c5a3127e313bcc66c4eebdb6a760dfe7

    • SHA512

      316eec64a4601773c8b23037796ecc5c843e39513b0c29d7b638db122ff38e9a7ea40cf76ee3544aee0af0194d5ac71deeeb38bb821c71b4fab82949a7b947f6

    • SSDEEP

      49152:5uDsWlAQvkWnf89a3vQppqWMlrGkPNAnagnTfhODqPKvw+VjZ++T93G0aOMmKAWw:MDlrAzoOPAw+VjEjty1ED+W4Hl

    Score
    10/10
    warzoneratcollectiondiscoveryinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks