General

  • Target

    downloaded_files.zip

  • Size

    179.9MB

  • Sample

    250311-js4fhsxyey

  • MD5

    65e23c3f9531b2b05779c2adb44b5721

  • SHA1

    0a9380aea748c87512974730b5fc626fcb4e470c

  • SHA256

    83fd2015a5499a8c2703d91aa047d0f099b85e8aa5ef9f2643a4eda4144a8772

  • SHA512

    cbeb9e770cccbc6b3d23fd77461a422426673d0600bd340ae71b5da9a9960315a61f90525049e2495b542f52383af4d0de3953e5ddb3ef9d42f5d9d2efaf60b6

  • SSDEEP

    3145728:vWwip5hctgQvdUBJe8Evp+560MrnTtD5+Dnzky7wip5hctgH+ZcJ3watkj6ujpf0:vMk06vp5555+DnzpkIJ3/Wj6SfcJmJ4

Malware Config

Extracted

Family

xworm

C2

culture-collect.gl.at.ply.gg:28921

compare-positioning.gl.at.ply.gg:37310

w-translations.gl.at.ply.gg:46052

127.0.0.1:5552

super-crisis.gl.at.ply.gg:9245

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.22:41812

Mutex

dlydidrgiwetibspjno

Attributes
  • delay

    1

  • install

    true

  • install_file

    hjhjhj8.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

here123.ddns.net:1177

Mutex

301b5fcf8ce2fab8868e80b6c1f912fe

Attributes
  • reg_key

    301b5fcf8ce2fab8868e80b6c1f912fe

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

29.108.204.55:4782

Mutex

25a40824-af89-44c7-904a-02df809f23ff

Attributes
  • encryption_key

    C048AC4A4021B85F60313CB2B2CD1D086A994110

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

FEB 27 LOGS

Mutex

dwjsrlleihmlidl

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/i3NzmwEg

aes.plain

Extracted

Family

xenorat

C2

172.22.88.67

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    nothingset

Extracted

Family

agenttesla

Credentials

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

46.183.220.52:6200

sirbanty.ddnsgeek.com:6200

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    SolidAudio.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7101591191:AAEvaCwZQ7Q5Bv2eHB84xOK0gWoBH9EAAtI/sendMessage?chat_id=7055219760

Targets

    • Target

      0033f75804f1bdff0d0bd5153a6114c3757da40fa823dd18a5742373a905a3e5

    • Size

      897KB

    • MD5

      c04e4f1333266020596775751ba8e035

    • SHA1

      85b265f799ef3d195df6021c280e63376f4b6a90

    • SHA256

      0033f75804f1bdff0d0bd5153a6114c3757da40fa823dd18a5742373a905a3e5

    • SHA512

      47257b2d4483dd1f5c993d49ab19e8a022fb5e08229519d37ce04c2d8a0cb6c2842e866a459d286dcdd4755e2c7a532c3c6ec9bc87a50602c12c57e76e855a98

    • SSDEEP

      12288:5fsW4YtltC18U/Fk6K+ORnO6r+PKlWPT9KoLQmx9YnFcPRmcZjwkNBJN3LwY:5fsWHtltYk9+ORnO6rkTYofx9sSjhp

    Score: 1/10
    • Target

      00ecd8a50bb6f18b13df817d36962dd625cc98b05a90ef9f539c8506226790ab

    • Size

      232KB

    • MD5

      2e47b289811837b11f473a8f0d7e859e

    • SHA1

      e392c29c11baf327eac766b9809ad6c4ce901972

    • SHA256

      00ecd8a50bb6f18b13df817d36962dd625cc98b05a90ef9f539c8506226790ab

    • SHA512

      db8a94aca45bca5c1d61d1ea5b0679f23f3452c4b13db28f533b5f796dbd1cf366cd2b1189903b1189409be33dbf52f8b1edf2e384e03929669f849e270a4ad4

    • SSDEEP

      6144:ASwlzgU6EHTpFP3nWhvhbxGCbVZ9lBhqa:KWUzpFPmhnGSBhqa

    Score: 10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      07f66695f4dde786aabfdcb965764f4cc785308308a7d5b3d871373557b4e121

    • Size

      808KB

    • MD5

      90986fdc6ec4c4007910f09341ce4838

    • SHA1

      545c6c849ffe650a64f9d2c994ce3e63d9257cca

    • SHA256

      07f66695f4dde786aabfdcb965764f4cc785308308a7d5b3d871373557b4e121

    • SHA512

      ae9194181ca59da2174d96f879ff6175addeeb24371ef683398b7bf9977c781639d6c9297a44a00c98fe4ca648d2a644fe3fb23970253490e74d824b68dc39f7

    • SSDEEP

      12288:qP11vYHfuc154pdJwmxZ5mfWMOWBJzAIf4RPi4HMk4ZM9SN1Qhf5qqfR3Oi1l36E:q91Efub31ZiMWvEm4pgC6g5vZ+i1U

    Score: 8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

    • Target

      09e259cbe7adb2947fdbf6b556ab82948a320042b2d4738988ac756d5539bfee

    • Size

      70KB

    • MD5

      ea3647c26bd4540f2f3833ec891ba95c

    • SHA1

      8f45570afbedfa335bafd8cad3cd7afff9fd1c71

    • SHA256

      09e259cbe7adb2947fdbf6b556ab82948a320042b2d4738988ac756d5539bfee

    • SHA512

      6145d2557662291668ab4e1ea825e02ff22773ad6f6b3fd012f17cb2da76df854f915a25b02d070afde998622a53f491eec6ec9e494dd27d8d7d330a59e0f959

    • SSDEEP

      1536:GyA617B2By2OD0snaTKEmZswbvb/tRm6YiOqmh9sd84:Gn6BB2zOZnarmZVbvZqiOqmJ4

    Score: 10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0c41a305e80960e4c7c2c890fd707429091d3bb87d5726ed7c13373d626e85cd

    • Size

      689KB

    • MD5

      83f46a8de55661333b9a0fbb0cba1be4

    • SHA1

      2ce0edccc93a8595c70c2dd3829b26611dccb718

    • SHA256

      0c41a305e80960e4c7c2c890fd707429091d3bb87d5726ed7c13373d626e85cd

    • SHA512

      d2b056f3a80ce7b99f826b3f3507231e0c94300a28a870b7b9c9a035e2fe01db11bd06f7228955995410b79eadf78dfaecc364d4ca3ef453d72291f583d9b355

    • SSDEEP

      12288:aAjoKfqTrzP4mBZ8uc154ppPojfKuBtF/lgTM5hEIVXt0A/4OHZs4H4444CikR:aWoKfqXzP4mBZ8ubpO7BtwM5+8d0AJSL

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      0ca149e59a526c1811fcac3c14943acdbc43a3261af653670bc9e71436b1fc32

    • Size

      1.1MB

    • MD5

      94c16379efe1d3a7c600b2f83f8c50f0

    • SHA1

      c6ccf2056134a3376eb89f2507d17bae14da2f30

    • SHA256

      0ca149e59a526c1811fcac3c14943acdbc43a3261af653670bc9e71436b1fc32

    • SHA512

      ce80b8904cb29d5f8bec537bdcd1563a6ee45cb2d79b7d69b3820d17def2442f916b13c968a86c121fff72f1ee04534ff260a0311722db6e4184a248cf1f7686

    • SSDEEP

      24576:D8pWRfv/akLPItzMxj09JLKttNC4m0ykiIT:DgeHiksgxj0zmM6ykp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • SMTP Tesla TEST

      SMTP_Tesla_TEST_triage_description.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Test family

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409

    • Size

      21.8MB

    • MD5

      53d77e893eadb542ec6ed0205edb0426

    • SHA1

      9f64ea0034fb697f2e79bbc765744dc94d56f363

    • SHA256

      10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409

    • SHA512

      25e6c899034b2cb7c2e58025c88136e1f13e336dd6083031664687666bb64489c0309c26e1e0ebd86f1ffa3202d81ad3fb134be07074752bb05640201ca34cdc

    • SSDEEP

      393216:8YGbY6iHonlQCe88BYdY3SHFPJXFODKSbT3DIfpTwmZf0of12Wmv2ZyX+vVAAc:87Y2CCe4dAmFOmSPMhpfTf15mv2ZyURc

    Score: 7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      170b3d1749618a0f84e58913c4d799660fe29ca3b7f421b9eb42f54c54fba85a

    • Size

      822KB

    • MD5

      deb100f4fae0ac07a714e0a53f0a7b87

    • SHA1

      946118fdd1037608d14e8c024a1bc0c808344134

    • SHA256

      170b3d1749618a0f84e58913c4d799660fe29ca3b7f421b9eb42f54c54fba85a

    • SHA512

      7229f572665114b552aa54f59347e651f9f7f6a6b255111159cbc33bd6c2faba2e957e471ceb5ac1b05929dc625de05ba5a1728abca21a13e4ceda40b86259cb

    • SSDEEP

      12288:kbNZuc154p9YU2a32rDINzek4/I5Zjq4EXxK/Cgc+aJBjisrIkEyAZsoqkR:0NZubxcIhR1dEXxACe4Bji/kE

    Score: 8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

    • Target

      1b812937c39179ae1fbd25f82d70d98d3d718ded40c08357e4ec36a372cfba1a

    • Size

      347KB

    • MD5

      5bffb8d7b5c57858b0e815d4b8de8af0

    • SHA1

      9024405039522915bba1139bbbddbb396e167393

    • SHA256

      1b812937c39179ae1fbd25f82d70d98d3d718ded40c08357e4ec36a372cfba1a

    • SHA512

      d2137bdd45e62705d09086c399013b71a5761ea8e3c8aacb556cca6471a27431a53b36f377109e44473724137114a068d59a136f4ad8b1e35ac3d5b92eea327c

    • SSDEEP

      6144:YGTo8tqR6SuFSO86L/3NvZ12PbkOXJ/1v3D3Rl/ojdVhjAdHf:Rhq4FM6DvmVt1vz3Rl/ojdVhjAp

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      1c7facff8b5db7f2186d2574b32b72d5f00467e85f56189d461cec22b9b3b144

    • Size

      799KB

    • MD5

      536e106569cc9470b6ec09cdad62ca7c

    • SHA1

      f16b531ada06c5fe192ac08d9d7fc071e6060250

    • SHA256

      1c7facff8b5db7f2186d2574b32b72d5f00467e85f56189d461cec22b9b3b144

    • SHA512

      f4270519cf1c3a0d4f262231ca48ce03c72d7d076fa890a18d223c2c1019e44dc6ffd1aec5c510736a63958230ec92229262c7c44e021440aed87bff297439cc

    • SSDEEP

      12288:P6uZuc154pOVhoxSqqcVHduU2TbAQ74XkrNKFV5TQyBXiU/Hvz9UCVJa9GNb7r:P6uZubAhWHdcXUUrsxiiPzGCC

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1d5d209fb69f3a9b4cb8799fb7be62b22df0fecee3a7ddd45d4504d5c2d311fc

    • Size

      1.1MB

    • MD5

      5ba064a8aa92326665d18ace2968a5b9

    • SHA1

      6f8feac2ea86377973a3c09189b49bfbfe954a43

    • SHA256

      1d5d209fb69f3a9b4cb8799fb7be62b22df0fecee3a7ddd45d4504d5c2d311fc

    • SHA512

      ea9b7c0cc3ff6648c7f5030dbb08d377ad9faab07b606a531569bd6faf74cfb0d5a89d6c423b683df33af321b5dca6501e87f34157d686c2b1fed92e0b087cca

    • SSDEEP

      24576:7ICnsMWkPJDOKPnWQon3EBYAvhen6L4pjwm+o43d5c69ene1Lugv92T:/nsFkRD1PWZngnvhen6cpsUMTc0DFv9

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      20b9ae8a5ac2fee80a07e504d2a6be09d2be39055b349baf7c38813e26d13fad

    • Size

      625KB

    • MD5

      57fc0b7300b50389e8a82dd2ffccec9a

    • SHA1

      17db2aa58e09aac86ce056ad45bb6c387b257992

    • SHA256

      20b9ae8a5ac2fee80a07e504d2a6be09d2be39055b349baf7c38813e26d13fad

    • SHA512

      c7055d33516df2a3aa5df99819fea01c57a43b6a685b2f3358d04ad136045356d8f1b46294a18834f356f78300be1835d6cb93201d5042fc899e33d0dd437ec6

    • SSDEEP

      12288:GlPuc154pAgQO8D0sRKl8fnEKOErYsrfecrqEjCw8izuCFN15kR:MPubAFObsBfJOpweytyCO

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      21aaf28e05a6224b2a5b338a738ff9321a56ebc2babe6b194709f9a00fb97af4

    • Size

      74KB

    • MD5

      7eb39790605fb73d938bb1b9df6f092e

    • SHA1

      ad1fe923091467c48114ed09e09f284c470a4d3d

    • SHA256

      21aaf28e05a6224b2a5b338a738ff9321a56ebc2babe6b194709f9a00fb97af4

    • SHA512

      f63105cb5eb14fe84ea650804b33900a11f4a2ba5b5fc879471ca5b236ece8028a6578afa9ed1b21e83b370ed3b6235fdff97ad05589adb3d1542bd401477e6f

    • SSDEEP

      1536:6UKUcxoyR1CriPMVOdyievvI0/1bk/dhdIC6/7QzcWLVclN:6UzcxoyXkiPMVsyzd/1bkPCC6zQvBY

    Score: 10/10
    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Target

      22ea24b9b0535d9687352b4a6208e299c4a64f79290c939f553b1eb9ec60706c

    • Size

      1.0MB

    • MD5

      ec7b9685796f6018c0e197e4d2b5c4da

    • SHA1

      1073cf8c7a93ed7e37722503c5ac0705c61615fb

    • SHA256

      22ea24b9b0535d9687352b4a6208e299c4a64f79290c939f553b1eb9ec60706c

    • SHA512

      d441e8f0ed86e5a4948a042c20d01fe20bd00fb338f4fbc2f6a62d7879c2a668a4b07b7ab0e40ef64609ddab812a7b9106c68adea0d682e18ee085b068e70878

    • SSDEEP

      12288:XvfNnnlghpqsUlZ5bAtgHx12PgHx12ngHx12kiX3ukkkkkkkkk:XNnnlg2AQx8Sx86x8J

    Score: 3/10
    • Target

      2646ec6c76057d721a872ba333ac65cd7d962fa27338923b8a2d18099ba0f00a

    • Size

      29KB

    • MD5

      e8889b6c7d9cb25fb2788016a7b287c3

    • SHA1

      e99980baeebaeb9efdf8ec737937d777ce420635

    • SHA256

      2646ec6c76057d721a872ba333ac65cd7d962fa27338923b8a2d18099ba0f00a

    • SHA512

      66b9aa4bec8d0e023c4203f855ecfc84323cf7a3c960c90dbfa00e3f41040e299bbebf14d26803f4263f0411730b5fa57a362435f3f86230c097e2e997be4d9f

    • SSDEEP

      768:UA7LeNXwlhgDZKUHZa93ooq5neXBKh0p29SgREp:H7LPbI+KhG29jEp

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      2963197f5419c180c099f042b013a53a3ebe97928717a199872f73667f488471

    • Size

      11.1MB

    • MD5

      e8d87522a8d9fde86d76c5e778fd921f

    • SHA1

      b18fad7c0a4f43f4eeee03f9589433611341b909

    • SHA256

      2963197f5419c180c099f042b013a53a3ebe97928717a199872f73667f488471

    • SHA512

      f84cbdaa241e3209bf18ce1e40b622e5d9335070c74770cf15371d7f90de71b702f9f8c4e03bca12227c7a3acc4cb12f87f16521a5a1435fe4968633f42f9e4b

    • SSDEEP

      196608:X5vKjtcrItOBF+5/4iU/QnbU8ifQO6S8hHOV6guNYfyBNWZjpGqnLyXmEoT4:XtqtMItOBF+5/FQn6S8huVResZjUqLy6

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, default, hacked, office04, feb 27 logs, xworm, asyncrat, njrat, quasar, stormkitty, dcrat, xenorat, sectoprat
Score: 10/10

behavioral1

Score: 1/10

behavioral2

Score: 1/10

behavioral3

xworm, rat, trojan
Score: 10/10

behavioral4

xworm, rat, trojan
Score: 10/10

behavioral5

discovery, execution
Score: 8/10

behavioral6

discovery, execution
Score: 8/10

behavioral7

xworm, rat, trojan
Score: 10/10

behavioral8

xworm, rat, trojan
Score: 10/10

behavioral9

collection, discovery, execution, spyware, stealer
Score: 8/10

behavioral10

collection, discovery, execution, spyware, stealer
Score: 8/10

behavioral11

discovery
Score: 7/10

behavioral12

agenttesla, test, SMTP, discovery, infostealer, keylogger, spyware, stealer, trojan
Score: 10/10

behavioral13

persistence
Score: 7/10

behavioral14

persistence
Score: 7/10

behavioral15

discovery, execution
Score: 8/10

behavioral16

discovery, execution
Score: 8/10

behavioral17

asyncrat, default, discovery, rat
Score: 10/10

behavioral18

asyncrat, default, discovery, rat
Score: 10/10

behavioral19

vipkeylogger, collection, discovery, keylogger, spyware, stealer
Score: 10/10

behavioral20

vipkeylogger, collection, discovery, keylogger, spyware, stealer
Score: 10/10

behavioral21

discovery
Score: 7/10

behavioral22

collection, discovery, spyware, stealer
Score: 10/10

behavioral23

collection, discovery, execution, spyware, stealer
Score: 8/10

behavioral24

collection, discovery, execution, spyware, stealer
Score: 8/10

behavioral25

asyncrat, default, rat
Score: 10/10

behavioral26

asyncrat, default, rat
Score: 10/10

behavioral27

discovery
Score: 3/10

behavioral28

discovery
Score: 3/10

behavioral29

njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score: 10/10

behavioral30

defense_evasion, discovery, persistence, privilege_escalation
Score: 8/10

behavioral31

xworm, persistence, pyinstaller, rat, trojan
Score: 10/10

behavioral32

xworm, persistence, pyinstaller, rat, trojan
Score: 10/10