Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

rat.exe

windows7-x64

10

rat.exe

windows10-2004-x64

10

Resubmissions

24/10/2023, 12:00

231024-n6mgdacg4s 10

24/10/2023, 11:52

231024-n1sq7see73 10

24/10/2023, 11:33

231024-nnxjmace71 10

24/10/2023, 11:30

231024-nl9feace6y 10

24/10/2023, 11:27

231024-nkf3gace5v 10

24/10/2023, 09:15

231024-k73m7sdg27 10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    24/10/2023, 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rat.exe

  • Size

    512KB

  • MD5

    738c07f22ff7922d8fcff5ba6555dbb3

  • SHA1

    86a08e0cb6b92b08d358c75e47dd5325b4aba323

  • SHA256

    7a83115ab46ba6a3c237d78f32bd3386ff4d4d7cd7b06ad731fe8071b2246278

  • SHA512

    c49a900d0165f56cc513c6e4e6551a69f3b49c8c0a9719ac925c6004b69554540999d1f3c9d63c397564e6ec67bb65cc31fa6e0ff9c2685a325fea7c8c0868dd

  • SSDEEP

    3072:7HivS2XIxjLnBnbmOKIudTziZ3w2OAGzCZ44Lz/w:LxvnBJh+T63wZzCZ44Lzw

Score
10/10
asyncratdefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\rat.exe
    "C:\Users\Admin\AppData\Local\Temp\rat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1948
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /s
    1⤵
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2628
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\perfc007.dat
    Filesize

    145KB

    MD5

    19c7052de3b7281b4c1c6bfbb543c5dc

    SHA1

    d2e12081a14c1069c89f2cee7357a559c27786e7

    SHA256

    14ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a

    SHA512

    289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83

    Download Submit

  • C:\Windows\System32\perfc00A.dat
    Filesize

    150KB

    MD5

    540138285295c68de32a419b7d9de687

    SHA1

    1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56

    SHA256

    33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb

    SHA512

    7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

    Download Submit

  • C:\Windows\System32\perfc00C.dat
    Filesize

    141KB

    MD5

    831dbe568992299e589143ee8898e131

    SHA1

    737726173aab8b76fe1f98104d72bb91abd273bf

    SHA256

    4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405

    SHA512

    39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

    Download Submit

  • C:\Windows\System32\perfc010.dat
    Filesize

    138KB

    MD5

    cf82e7354e591c1408eb2cc0e29dd274

    SHA1

    7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9

    SHA256

    59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d

    SHA512

    98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620

    Download Submit

  • C:\Windows\System32\perfc011.dat
    Filesize

    114KB

    MD5

    1f998386566e5f9b7f11cc79254d1820

    SHA1

    e1da5fe1f305099b94de565d06bc6f36c6794481

    SHA256

    1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

    SHA512

    a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

    Download Submit

  • C:\Windows\System32\perfh007.dat
    Filesize

    680KB

    MD5

    b69ab3aeddb720d6ef8c05ff88c23b38

    SHA1

    d830c2155159656ed1806c7c66cae2a54a2441fa

    SHA256

    24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625

    SHA512

    4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

    Download Submit

  • C:\Windows\System32\perfh009.dat
    Filesize

    634KB

    MD5

    1c678ee06bd02b5d9e4d51c3a4ec2d2b

    SHA1

    90aa7fdfaaa37fb4f2edfc8efc3994871087dedb

    SHA256

    2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3

    SHA512

    ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

    Download Submit

  • C:\Windows\System32\perfh00A.dat
    Filesize

    715KB

    MD5

    340af83514a525c50ffbbf8475ed62b7

    SHA1

    e2f382ae75afe7df8a323320bbb2aafa1ff6e407

    SHA256

    fb298e9a90476b4698def395a8ee1974c1cee3959b658662c730da915caea417

    SHA512

    8236aab579456ef4614ddd5fbfe72d0b0b26617c43a9cd53c3de56d3ac052eee8ca7d70749aaca0692855ecd4fd5f1460ac0b1dd30481dee519b910755c1cc2d

    Download Submit

  • C:\Windows\System32\perfh00C.dat
    Filesize

    715KB

    MD5

    718bb9564980029a2e3341093a4bb082

    SHA1

    8953d96e47b65c2c70f2bcc3d9e2e7c55d41ee61

    SHA256

    ad7b5314ef00ce846ae2c91a32dd1c1f2b4905cf182005e251ad6d4af66cc977

    SHA512

    3f22961d108271dc098ae2c75d217991da38c18a587b44abd74da853ea26d171ca1a507c3200f3b7c2a8175bfff5a8b968a551a4804082064dc6f2ef98b5432d

    Download Submit

  • C:\Windows\System32\perfh010.dat
    Filesize

    710KB

    MD5

    66fd0e1999023d23c9f8e3cd7a92af77

    SHA1

    e0e61df319ddbc7c9d425612295f825c47888658

    SHA256

    bdbadcf6f408c6d223974d52a69413aebe1d50ac7eaeacefa2beb2f7321355d0

    SHA512

    b8924cdf53eb5589820a16890fa7abdca20dfc3ca44063d3fdaef484f506419dbf9cd660bc80e8dfe7b7eba7d9db8fe0046accc1fca8d3faf70dedfa1ee0e68f

    Download Submit

  • C:\Windows\System32\perfh011.dat
    Filesize

    394KB

    MD5

    24da30cbb5f0fe4939862880e72cc32c

    SHA1

    9132497736f52dae62b79be1677c05e32a7ba2ab

    SHA256

    a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f

    SHA512

    332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2

    Download Submit

  • C:\Windows\System32\wbem\Performance\WmiApRpl.h
    Filesize

    3KB

    MD5

    b133a676d139032a27de3d9619e70091

    SHA1

    1248aa89938a13640252a79113930ede2f26f1fa

    SHA256

    ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

    SHA512

    c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

    Download Submit

  • C:\Windows\System32\wbem\Performance\WmiApRpl.ini
    Filesize

    27KB

    MD5

    46d08e3a55f007c523ac64dce6dcf478

    SHA1

    62edf88697e98d43f32090a2197bead7e7244245

    SHA256

    5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

    SHA512

    b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

    Download Submit

  • memory/1948-0-0x000000013FDB0000-0x000000013FDFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1948-34-0x0000000077270000-0x0000000077419000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1948-33-0x0000000077270000-0x0000000077419000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1948-32-0x0000000000690000-0x00000000006A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1948-10-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1948-4-0x00000000007A0000-0x00000000007B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1948-3-0x0000000000640000-0x000000000065C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1948-2-0x000000001BCC0000-0x000000001BD40000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1948-1-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2628-31-0x0000000002680000-0x0000000002681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2628-25-0x000007FFFFF60000-0x000007FFFFF70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2628-5-0x0000000002680000-0x0000000002681000-memory.dmp

    Filesize

    4KB

    Download