Extracted

Extracted

Extracted

Extracted

• • Target

    http://web.archive.org

  Score

  10^/10

  asyncratazorultdiscordratquasarrmswarzoneratdefaultdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratrezer0rootkitspywarestealertrojanupx

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms

  • UAC bypass

    evasiontrojan

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Windows security bypass

    evasiontrojan

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Warzone RAT payload

    rat

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

    evasion

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Server Software Component: Terminal Services DLL

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Hide Artifacts: Hidden Users

    defense_evasion

  • Suspicious use of SetThreadContext

  behavioral1