General

  • Target

    downloaded_files.zip

  • Size

    179.9MB

  • Sample

    250311-jvjtwsxygz

  • MD5

    65e23c3f9531b2b05779c2adb44b5721

  • SHA1

    0a9380aea748c87512974730b5fc626fcb4e470c

  • SHA256

    83fd2015a5499a8c2703d91aa047d0f099b85e8aa5ef9f2643a4eda4144a8772

  • SHA512

    cbeb9e770cccbc6b3d23fd77461a422426673d0600bd340ae71b5da9a9960315a61f90525049e2495b542f52383af4d0de3953e5ddb3ef9d42f5d9d2efaf60b6

  • SSDEEP

    3145728:vWwip5hctgQvdUBJe8Evp+560MrnTtD5+Dnzky7wip5hctgH+ZcJ3watkj6ujpf0:vMk06vp5555+DnzpkIJ3/Wj6SfcJmJ4

Malware Config

Extracted

Family

xworm

C2

culture-collect.gl.at.ply.gg:28921

compare-positioning.gl.at.ply.gg:37310

w-translations.gl.at.ply.gg:46052

127.0.0.1:5552

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.22:41812

Mutex

dlydidrgiwetibspjno

Attributes
  • delay

    1

  • install

    true

  • install_file

    hjhjhj8.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

here123.ddns.net:1177

Mutex

301b5fcf8ce2fab8868e80b6c1f912fe

Attributes
  • reg_key

    301b5fcf8ce2fab8868e80b6c1f912fe

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

29.108.204.55:4782

Mutex

25a40824-af89-44c7-904a-02df809f23ff

Attributes
  • encryption_key

    C048AC4A4021B85F60313CB2B2CD1D086A994110

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

FEB 27 LOGS

Mutex

dwjsrlleihmlidl

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/i3NzmwEg

aes.plain

Extracted

Family

xenorat

C2

172.22.88.67

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    nothingset

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7673519259:AAGUwbXxrWPJoCRg_ta-se6HtLD6EqcyAnI/sendMessage?chat_id=7560238910

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561

    • Size

      1.1MB

    • MD5

      1a6a898a0abfa818a97e0c741f62a651

    • SHA1

      e64e7fa94a829b00de8d7a9442745f1fccfd4d26

    • SHA256

      6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561

    • SHA512

      d659ce4b692548eb33283398b8065296a7fb251865734c0b6269b1618999c8da7cef528a0644e9ca83a89b5c194ca44de3b8ff34e77abc0c221756f0ce2ef9ca

    • SSDEEP

      12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Target

      6677fcb62e94c51701129d45bf8b4fe7fc3c570c60a95e67939c4c2830e9d250

    • Size

      6.1MB

    • MD5

      8184753db143e24297c9623ffbe9dd4d

    • SHA1

      81a6ba9026d1e84975abf76e5f20b39faade8d89

    • SHA256

      6677fcb62e94c51701129d45bf8b4fe7fc3c570c60a95e67939c4c2830e9d250

    • SHA512

      88c863d9e664880c40c92ceb853174d2c5850db90d2d1aa1abc0ca03b9c52ce19e002914ffec3de0932fbc7d5dcae2bc3a51869b44a3a9274df1a07e714e580a

    • SSDEEP

      98304:mOO6PB2wotr/VQMx1UsxqH0VwrekeYuo4ssJ3cu3SeAEBR3BnS6:VOW/od/SWu0VwCnYuo+JBSe7PS6

    Score
    3/10
    • Target

      691d9802facb4880b056112b035368f77f5f23a56c59a895ae5d1f5182ddbce9

    • Size

      23KB

    • MD5

      2f2be8fe5fdeb66b14be5f0265893546

    • SHA1

      62a8ee3b4d508034ca229dc08be9e91ee4fe3088

    • SHA256

      691d9802facb4880b056112b035368f77f5f23a56c59a895ae5d1f5182ddbce9

    • SHA512

      617239b3fe4fa7dccc4657e92a13eb47c3738f3d77dfd94a4b8fe461d6e747144906606905df740892173bf0f14c959318c20cc089f53cff7cd0580bb606a470

    • SSDEEP

      384:RVtLOmaPzJzRm2JCkFkauH+44XZBf7v1JF8T7:Ht2wkFjCCJfE

    Score
    1/10
    • Target

      6a150e7eee969746cc6cc4579d13d2fd6cef5bdc77223aa24e9a6c1c6bf7b036

    • Size

      3.6MB

    • MD5

      09e6f988f991b837912b66572c850ef3

    • SHA1

      156d553cdf1ceac2a73053f5a118c3ec6376227e

    • SHA256

      6a150e7eee969746cc6cc4579d13d2fd6cef5bdc77223aa24e9a6c1c6bf7b036

    • SHA512

      78d3656f8b335a116dc33ee1cf8f16f78bf297d4b4c7b88ae78a7bef69e710a5e1dd53c5b59cb36298075a3fd1a2aa448af37f8596ff1f7588916ff0a8f76654

    • SSDEEP

      98304:HRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/YQ2S1QdY:Hkj8NBFwxpNOuk2jq1Qy

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2

    • Size

      377KB

    • MD5

      c12a252c4eb0b2b8a0f58e40a61657af

    • SHA1

      5f5d1232d72e8e7e483f384e6d0190641220f840

    • SHA256

      6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2

    • SHA512

      8b2ec810876eb98f1a9ba1f6bf8a40e838e2830fbe0f4f23599461adec057676a38efbf6924a655cdb26264f9fd4e3b4c0b40dd8877c66a1ba57fe2b54493c4f

    • SSDEEP

      6144:/Ukp93F9P7YZ79m74rprzQ2Fl5lkV7nfFhvD+gnrkvF:/Uk73v7YZxm7ypDlTkV7nvdkv

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender TamperProtection settings

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      6c5bf2ea45920850b041a5a75288570d464ce6c27da4f16c5f25106089985f8f

    • Size

      189KB

    • MD5

      915cbdb3e95c7c5d9af2a6a76e99b9fa

    • SHA1

      3443a3820f0e096a107e9d4344c7fa0d63d0ad58

    • SHA256

      6c5bf2ea45920850b041a5a75288570d464ce6c27da4f16c5f25106089985f8f

    • SHA512

      10dca0da39cc7c71f6c7a7fe5f413d24039792933ceca84b38d984db46231440f05d30d188b7d4d59eab35079f54e2896459905b841f85d46b2e83d4d86fe2ff

    • SSDEEP

      1536:f9/b8dSZ65VfhJd2y+TV3p6Xr2bQd9MUZATj5Qx64wKX3aOJtGnAOnc:f9/b8dSw5VT+hrbQaTjEFKO3mAOc

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      6e40e3ab026935212a686af172ed8403d196cfaf350b91915ac31a33d81b3799

    • Size

      4.2MB

    • MD5

      3133a47cd893dd5094e471067accec72

    • SHA1

      2b7d91cd3f6d6d68491d7d10d78f61ae90202562

    • SHA256

      6e40e3ab026935212a686af172ed8403d196cfaf350b91915ac31a33d81b3799

    • SHA512

      d2c2e4aaad335b2791135690a8290eeeca24159d8c9e2555fbf4f087bd2a918faa3755d2234a82b805aa501cb4b886826f32cb31a8e71ba431212b2d803b8d12

    • SSDEEP

      98304:TLiPmSmiuQFZ83mfVzP0S3/UIS75t7uswziPPy:6P+iFFZ8mVPBMIuO2y

    Score
    1/10
    • Target

      6f2c23f7e99a6712509c9f30f9ce3dcd9ea2bfd6ea020ed3b8dcb3641bd34478

    • Size

      2.7MB

    • MD5

      b7a0695707383c13e5ead57b86252398

    • SHA1

      808ce65c31d8bd65d243d8961330068101773118

    • SHA256

      6f2c23f7e99a6712509c9f30f9ce3dcd9ea2bfd6ea020ed3b8dcb3641bd34478

    • SHA512

      b1b4e6fbdace24d8e3e44cf5199c605352dbd2eaa92af695c49132ce978f1a1052c0e2492cd7264f6e49c99797eb5414c12047f244aa7be93ba6c34e3819234a

    • SSDEEP

      49152:94yT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:1TE66yXZ02DwUHoazRofxIhELjf/IVgs

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed

    • Size

      5.5MB

    • MD5

      fed90d20541293b06aa1ca125820fbba

    • SHA1

      f6ac6edc20889f0137717751b4465a4e08756d2e

    • SHA256

      788cfdaeb7e97e9b24de3cb416d2f88a373d4813a0d362902731f54f519ad3ed

    • SHA512

      f38a821acc321d5b6beafc9b26e5cf217d70a1da87874ee8cf868fa7b78b24f2a18e9b8f3ac9fe3f3c6db015af9396420239ffcf8ca7eb87c5e3d4905d156381

    • SSDEEP

      98304:XB3nlxIFAEVkXSVzdIczGwFmChHwZE7/xy4:R3w+Sx7I4

    Score
    7/10
    • Executes dropped EXE

    • Target

      7cfc40d94f3ffc3a8c3c8824f031dcbb07d673cfa1fc7dd6ed02e3ca01c326f2

    • Size

      90KB

    • MD5

      4a5997c07d87ce407541dc7b907111cf

    • SHA1

      433a77b6aea38cdf07631d8367c53bd7cbe2b360

    • SHA256

      7cfc40d94f3ffc3a8c3c8824f031dcbb07d673cfa1fc7dd6ed02e3ca01c326f2

    • SHA512

      ae02fd00d2daa887787e4f3e7a4f4ef33bf56379fd0f696c6346d480dcb3c26786a4b262207b9c75fcf2a965cfeb252583ca07dccb5748bc11ae032bba9ccb21

    • SSDEEP

      1536:3/vWWhAcc/LZv29jSYz/xs8hNp8dXHEEkh3ntpJFRumb2O/OAFYCnvQ:PvQ/LZv2J79UH/khXtBRDbX/OAFlo

    Score
    3/10
    • Target

      7f237484f5bd1786c2c4eceb85b121443a11f98e62273da8a2b4835ab6c1971d

    • Size

      471KB

    • MD5

      a5863ea9f1b901be3f78db2e5373c9b4

    • SHA1

      32305c7986231de4bddcda16ece0e854d058c38e

    • SHA256

      7f237484f5bd1786c2c4eceb85b121443a11f98e62273da8a2b4835ab6c1971d

    • SHA512

      02e2966226cafed66bcc008eb4e76fc3eae7eeb23047d2cfecf111d2a7a832e49e9c42e0c8fbb10f05c080a26094d60d6bdf3041d52513bbe0e54bb8df2567ea

    • SSDEEP

      12288:zKwW4X8GPhBHUsf2kiRc0XwEr7e+o3eQOk:75BHxgAE+++

    Score
    1/10
    • Target

      7f8bcaf3c125b12f6b8cc4cd98bfe089b433753bed821414b1fcf6b958b1935d

    • Size

      3.1MB

    • MD5

      b4cd9c13456ab1f1a898dfad9c41e2c7

    • SHA1

      57a07384227d70739d2bbaad50ab7fa0dde6aa99

    • SHA256

      7f8bcaf3c125b12f6b8cc4cd98bfe089b433753bed821414b1fcf6b958b1935d

    • SHA512

      d8934a132f11cbab2c7f7006f52c627d19b0ad93d3621271041647f5af71028444d3199dcf08c2e9e32097662bb4871361ffeddcd62b036f44f51d4cc01d21a8

    • SSDEEP

      49152:bv+I22SsaNYfdPBldt698dBcjH9j2V1JqLoGdm3THHB72eh2NT:bvz22SsaNYfdPBldt6+dBcjH9j22W

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Target

      863385d41fea84d79d3ded4aec09ae9a6d71ce80f16ebfef20752f65e4ac5834

    • Size

      800KB

    • MD5

      affdb23019a5d784fffda0e3f2aad32a

    • SHA1

      7de6af9392899efc2c5da2a1f195389088fef9b0

    • SHA256

      863385d41fea84d79d3ded4aec09ae9a6d71ce80f16ebfef20752f65e4ac5834

    • SHA512

      3e9f531a83d21fdd3bed9c5ecc6e8b11f82441d9a52e8a169adfc8328d4885090caf25d4f739074c6dc8f807dca978cacd5d6ade05ef02acd9f61329db5d2685

    • SSDEEP

      24576:RFIjcvitx65rubaywV1Fg5mOPF65yxq5:RFIjcvitx65rubyFg5fPE4q5

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      89c11885c24f281671cc737a808764a62e128a0dad890ae6d444d14d682e2631

    • Size

      211KB

    • MD5

      54792e2c895391481463427bc6b5264a

    • SHA1

      ce31eb8fe60022d2389f9268813f20ae683b2894

    • SHA256

      89c11885c24f281671cc737a808764a62e128a0dad890ae6d444d14d682e2631

    • SHA512

      f2173d58010305f9c37cf17432db1d15e7d5a4a58eb1bf226c94a0e371b16bd606f19e41e5d7549b4e1eb272365fafb2add8f73b5ff206c551286368ca752aaa

    • SSDEEP

      3072:Fp8Lc70UkL/JHt6VpkBzEhE0faKQAc7LGZPHb/5FVuBJ+U53TXbYwEKXFJ:sLTr5t6Vpk8E0CfSb1gpEKX

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      8abccfea539da5a03d784ff60d88d128a3f901e9a9ae51ddb3caf0e05e192341

    • Size

      525KB

    • MD5

      5090c8e8ca4d269478ec2b9d82ba29db

    • SHA1

      08f7f460f5d3d1e70a0226ed74a806046b77f7b1

    • SHA256

      8abccfea539da5a03d784ff60d88d128a3f901e9a9ae51ddb3caf0e05e192341

    • SHA512

      be1832c6e6c42a9a9dc0dbd3fc61272d5823437e65da332ef582b04c261878c110aa05bec80f430eaad6d4731d573d649681394885177875ebe862973eea2647

    • SSDEEP

      6144:+DxylACMDSiKlZjYzERe6VlWT8b9bZX4jrpz8OPoUgbvVsHHkCtIauoWX:6ylumLjYmPVle8vXYBPbhHuauo6

    Score
    1/10
    • Target

      8ea7566ef322ea6fec4ec75f7aed5fd8dad6adceab78f6ea5b557ef925b6a644

    • Size

      832KB

    • MD5

      e1ae78d967df9902bb2ff77d2ae57244

    • SHA1

      4b1e9efc238ead290b8762e9fc26c919da34d23b

    • SHA256

      8ea7566ef322ea6fec4ec75f7aed5fd8dad6adceab78f6ea5b557ef925b6a644

    • SHA512

      1e0638fabb6e56c5f3253eea21a5bc63e10c0a5a9883bac0cbee69ea86782c73237db99891aa3dd6e8a1926047d702800c59d1985667c62e841720eab17366e5

    • SSDEEP

      12288:Qp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9n4r:QpugRNJI1D39dlfGQrFUx9n6

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, default, hacked, office04, feb 27 logs, xworm, asyncrat, njrat, quasar, stormkitty, dcrat, xenorat, sectoprat
Score
10/10

behavioral1

dcrat, defense_evasion, execution, infostealer, persistence, rat, trojan
Score
10/10

behavioral2

dcrat, defense_evasion, execution, infostealer, persistence, rat, trojan
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

defense_evasion, execution, spyware, stealer
Score
8/10

behavioral8

defense_evasion, execution, spyware, stealer
Score
8/10

behavioral9

defense_evasion, evasion, persistence, trojan
Score
10/10

behavioral10

defense_evasion, evasion, persistence, trojan
Score
10/10

behavioral11

xworm, rat, trojan
Score
10/10

behavioral12

xworm, rat, trojan
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

discovery
Score
7/10

behavioral16

discovery
Score
7/10

behavioral17

Score
7/10

behavioral18

Score
7/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

quasar, office04, spyware, trojan
Score
10/10

behavioral24

quasar, office04, spyware, trojan
Score
10/10

behavioral25

vipkeylogger, collection, discovery, keylogger, spyware, stealer
Score
10/10

behavioral26

vipkeylogger, collection, discovery, keylogger, spyware, stealer
Score
10/10

behavioral27

stormkitty, discovery, stealer
Score
10/10

behavioral28

stormkitty, collection, discovery, persistence, privilege_escalation, spyware, stealer
Score
10/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral32

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10