Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Order Spec...ns.exe

windows7-x64

10

Order Spec...ns.exe

windows10-2004-x64

10

Order Spec...64.dll

windows7-x64

1

Order Spec...64.dll

windows10-2004-x64

1

Order Spec...10.dll

windows7-x64

1

Order Spec...10.dll

windows10-2004-x64

1

Order Spec...64.dll

windows7-x64

10

Order Spec...64.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1f95f49c2fed61770d92876d95d05657b1bc678f077dff34dbbcba910e068af2

  • Size

    2.5MB

  • Sample

    250307-sr1gxasshz

  • MD5

    62f7340e7bd02c9666c8e1d126ba916a

  • SHA1

    ea112ba1a3c4e3740fbc62d2aa45df96d297f1bf

  • SHA256

    1f95f49c2fed61770d92876d95d05657b1bc678f077dff34dbbcba910e068af2

  • SHA512

    81d7b2c216f2b1300ec3aec1760935bf12f0193553df4b811c4d2888187106db2bf348f4b56821de5ec7f541178240efd09f78a320ee8a8738b2d8df2febeaeb

  • SSDEEP

    49152:CG7cNV+H5rmxWLR+LW/9ebeBHD2C9le3nqussZREW1CERlomd7pSVIzigfT+8NUC:CUIgH5rmUN2q9eaBHD2UA6usgR5J74I7

Score
10/10
warzoneratcollectiondiscoveryexecutioninfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

198.46.177.153:4532

Targets

    • Target

      Order Specifications/Order Specifications.exe

    • Size

      633KB

    • MD5

      573c3aa20cab92c93663f0e475323557

    • SHA1

      647598a3a90b23787b83f0c23ba26a8b4b779592

    • SHA256

      9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a

    • SHA512

      06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694

    • SSDEEP

      6144:WTTzzJeyp1RnC7HJnIApeX9vLSaXmWFiB3WOk6f7h9WgFER0u+GIIIIIIIhIIIIw:GTzNeypHnC7HdeXZEWFTOk6fmBm5GV

    Score
    10/10
    warzoneratcollectiondiscoveryexecutioninfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Order Specifications/tier0_s64.dll

    • Size

      412KB

    • MD5

      de738f87b7a558476d73d590ea20a3b9

    • SHA1

      ea2da2c8b5c811ea798805d3e77250f12cf6da76

    • SHA256

      87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850

    • SHA512

      934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b

    • SSDEEP

      6144:xgK7Z8Fd7IQx/XYn7z504xbPnTfMrqS63qqp5WEoXWGhYcRo4gFYRu7oJzBV9:hZ8Fd7IM/Xwnz2qS63nYEe6uo4gxyB

    Score
    1/10
    behavioral3behavioral4

    • Target

      Order Specifications/vcruntime210.dll

    • Size

      5KB

    • MD5

      716c8ff1ff396c3b485c3f944e4172af

    • SHA1

      2b019e0c5b869365eda6c09580f914a2a2253c8b

    • SHA256

      f2e60cddcda8d50da0b0604a2ab84e0cd3e72f2b9b4e8fa5f90c5ddad2053a1a

    • SHA512

      28d65a6fb6b301597aae00ea67dceb78e1de0fb50e66068f697b237894e7e05890710e712c70a72a33168c91370e7a7366dac901941d501d5efe32055bb44b5f

    • SSDEEP

      96:dEtLkTUc0CXpVdLXUPMJdiIri93Hs5EbjTlAOPm/xS1yK3MClk4:dCYgcxL7UPyGc2bjRAZ5S1Pjlk4

    Score
    1/10
    behavioral5behavioral6

    • Target

      Order Specifications/vstdlib_s64.dll

    • Size

      5.7MB

    • MD5

      260d5a4caab870d0a8140ac8efcf66a7

    • SHA1

      4ce9ffb86c30e38dc7ebab8c9f9ffe6f6f6ab2d3

    • SHA256

      09c4402940f3d49c8d75c080750846b85346265838e3445597eb9be868a64f59

    • SHA512

      f1f87c7ea7badc731e041cd34a8997639502086e0e08d63222a6009fb39bf76da340be7b3709426f7c46fa55bad850aeae0ee7388acde48d201de0f8ac075c25

    • SSDEEP

      49152:Muiq6njaT/SBGaNxllA65w3z3zodJJY7UjaQoMDBd3hkdF4sk/IRUnunYVs19c3W:wamG+2oajMDnD3unYW+inWvLVh

    Score
    10/10
    warzoneratcollectiondiscoveryexecutioninfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks