Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
mod.ini
-
Size
186B
-
Sample
250307-v9x6lstyd1
-
MD5
2ec29052802b52b26b2f39e96b080207
-
SHA1
b4ab5932c296007c60b1a9c5cc14caed6f7c655d
-
SHA256
e3da68675adced383d4da3a645af72bc32456040ebda2ded9ccc5ea3469ba5f6
-
SHA512
3b1919143db7ac45a8ac7f61a08949bf94181aa50fab3473320d030c41afde92d64b14e2ef17203e0cf0e3024f6df1353f5ff0e22b49088941e57ae2e163c98c
Malware Config
Extracted
warzonerat
168.61.222.215:5400
Targets
-
-
Target
mod.ini
-
Size
186B
-
MD5
2ec29052802b52b26b2f39e96b080207
-
SHA1
b4ab5932c296007c60b1a9c5cc14caed6f7c655d
-
SHA256
e3da68675adced383d4da3a645af72bc32456040ebda2ded9ccc5ea3469ba5f6
-
SHA512
3b1919143db7ac45a8ac7f61a08949bf94181aa50fab3473320d030c41afde92d64b14e2ef17203e0cf0e3024f6df1353f5ff0e22b49088941e57ae2e163c98c
Score10/10-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Warzone RAT payload
-
Downloads MZ/PE file
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2