Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

MACHINE SP...ON.exe

windows7-x64

10

MACHINE SP...ON.exe

windows10-2004-x64

10

MACHINE SP...64.dll

windows7-x64

1

MACHINE SP...64.dll

windows10-2004-x64

1

MACHINE SP...64.dll

windows7-x64

10

MACHINE SP...64.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3c12c79486f13c973e550baa52dfdc8fd94d34e68dcfd388b19f2ebbae431017

  • Size

    1.4MB

  • Sample

    250305-wmhcbavwaz

  • MD5

    3f80f160bf6e4aa59c0b8a99261250aa

  • SHA1

    8aefccd8a63d73ab857131a7a4eb9ef365d6b81b

  • SHA256

    3c12c79486f13c973e550baa52dfdc8fd94d34e68dcfd388b19f2ebbae431017

  • SHA512

    c1cc4256347df905ce8ac33b57d3866df6d5540b0be403fb3e8c51ab9400df3c786393732e69433cd3085535d2c57d089c6845220ba9b98bdf942592af1aef4a

  • SSDEEP

    24576:9JUfRbN7a4vRrP4GVIZkqfejou+fsMjf2L99qd/KnjotymgEmeUky0EE4C2bqezM:PG7pNV+PfuoU9cxKCRFUEEEdCqezhsQA

Score
10/10
warzoneratdiscoveryinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

198.46.177.153:4532

Targets

    • Target

      MACHINE SPECIFICATION/MACHINE SPECIFICATION.exe

    • Size

      633KB

    • MD5

      573c3aa20cab92c93663f0e475323557

    • SHA1

      647598a3a90b23787b83f0c23ba26a8b4b779592

    • SHA256

      9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a

    • SHA512

      06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694

    • SSDEEP

      6144:WTTzzJeyp1RnC7HJnIApeX9vLSaXmWFiB3WOk6f7h9WgFER0u+GIIIIIIIhIIIIw:GTzNeypHnC7HdeXZEWFTOk6fmBm5GV

    Score
    10/10
    warzoneratdiscoveryinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      MACHINE SPECIFICATION/tier0_s64.dll

    • Size

      412KB

    • MD5

      de738f87b7a558476d73d590ea20a3b9

    • SHA1

      ea2da2c8b5c811ea798805d3e77250f12cf6da76

    • SHA256

      87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850

    • SHA512

      934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b

    • SSDEEP

      6144:xgK7Z8Fd7IQx/XYn7z504xbPnTfMrqS63qqp5WEoXWGhYcRo4gFYRu7oJzBV9:hZ8Fd7IM/Xwnz2qS63nYEe6uo4gxyB

    Score
    1/10
    behavioral3behavioral4

    • Target

      MACHINE SPECIFICATION/vstdlib_s64.dll

    • Size

      2.6MB

    • MD5

      ba33ebe145dae57fac22d5cc3888c9a0

    • SHA1

      1b926c38671e5aa4749c59dc1df0f2c697961a7a

    • SHA256

      87659f72a7421b8ed6e2a3d4547ace704fb915d4b2853282677090eb7f664eb7

    • SHA512

      f356e033c212730e2c175b95293a38eb2e8ba10c4a94f8b883ee16771cd3b63742b1a6d6f1c4372b75d666e4add5d5ef7ae7afd19d8eb8e8ebbbfc40bdb2859e

    • SSDEEP

      24576:y1DLJPcRzGh+FrWTCZqnsTbR1UEMPMvtns7bHf1H26JiyftbIqfX6yXFlY2rXXEK:y1DLJh+RWTCZ7SJZYqfiAqYy21l1nDd

    Score
    10/10
    warzoneratdiscoveryinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks