Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

099355d506...eb.exe

windows7-x64

10

099355d506...eb.exe

windows10-2004-x64

10

23d6f9a120...1e.exe

windows7-x64

8

23d6f9a120...1e.exe

windows10-2004-x64

8

3a9efda763...8a.exe

windows7-x64

10

3a9efda763...8a.exe

windows10-2004-x64

10

3b49b6c1cc...86.exe

windows7-x64

10

3b49b6c1cc...86.exe

windows10-2004-x64

10

4f8799e544...b7.exe

windows7-x64

10

4f8799e544...b7.exe

windows10-2004-x64

10

51bd8c50dd...09.exe

windows7-x64

10

51bd8c50dd...09.exe

windows10-2004-x64

10

56b7b7798a...0e.exe

windows7-x64

10

56b7b7798a...0e.exe

windows10-2004-x64

10

57fb495954...9d.exe

windows7-x64

10

57fb495954...9d.exe

windows10-2004-x64

10

5f278f8bde...cb.exe

windows7-x64

10

5f278f8bde...cb.exe

windows10-2004-x64

10

66b157a3d4...e6.exe

windows7-x64

10

66b157a3d4...e6.exe

windows10-2004-x64

10

6ec9f82a79...36.exe

windows7-x64

10

6ec9f82a79...36.exe

windows10-2004-x64

10

8d469fed80...33.exe

windows7-x64

10

8d469fed80...33.exe

windows10-2004-x64

10

977e5ce44a...f1.exe

windows7-x64

10

977e5ce44a...f1.exe

windows10-2004-x64

10

a4865b2ed7...c6.exe

windows7-x64

10

a4865b2ed7...c6.exe

windows10-2004-x64

10

cbee3a2ab9...7f.exe

windows7-x64

10

cbee3a2ab9...7f.exe

windows10-2004-x64

10

cd3b81fbf9...1c.exe

windows7-x64

10

cd3b81fbf9...1c.exe

windows10-2004-x64

10

Resubmissions

12/03/2025, 21:32

250312-1dmynatxey 10

11/03/2025, 16:10

250311-tmgdxaxnx4 10

06/03/2025, 02:30

250306-cze8yav1az 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bluestealer.rar

  • Size

    5.6MB

  • Sample

    250311-tmgdxaxnx4

  • MD5

    a90f4f14fd13ca22cfeb32127493bb3c

  • SHA1

    680a9f3b7d74575cdd91f461e9e2b47c10e5c79c

  • SHA256

    ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b

  • SHA512

    69fee2468fdb90e4dfebe18dd90f040be372a8d7c35f049d1f594c4f6ec37a7bb9fb8f2c847114e315b214e823d3921d4260b3770628903a875a8b9fbb270a66

  • SSDEEP

    98304:xIb3rOEojkouUyLJ/IIDwOMTwKoD+ORWkt78cZfHKDDFaWI5Sz3ptM9b3Pd4g6wx:izaEJvD0WD+OP8QfqmSz3pt2zV4g6SmC

Score
10/10
agentteslaasyncratazorultformbooklokibotredlinerevengeratsectopratsnakekeyloggerxloader@baobabss@bbakoch@l_like_a_sir_l@tupa187defaultnyancatrevengemjyvo4mscollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerkeyloggerloaderpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.boydsteamships.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    co*tNjEBt4

Extracted

Family

formbook

Version

4.1

Campaign

o4ms

Decoy

fishingboatpub.com

trebor72.com

qualitycleanaustralia.com

amphilykenyx.com

jayte90.net

alveegrace.com

le-fleursoleil.com

volumoffer.com

businessbookwriters.com

alpin-art.com

firsttastetogo.com

catofc.com

ref-290.com

sbo2008.com

fortlauderdaleelevators.com

shanghaiyalian.com

majestybags.com

afcerd.com

myceliated.com

ls0a.com

Extracted

Family

xloader

Version

2.5

Campaign

mjyv

Decoy

wenyuexuan.com

tropicaldepression.info

healthylifefit.com

reemletenleafy.com

jmrrve.com

mabduh.com

esomvw.com

selfcaresereneneness.com

murdabudz.com

meinemail.online

brandqrcodes.com

live-in-pflege.com

nickrecovery.com

ziototoristorante.com

chatcure.com

corlora.com

localagentlab.com

yogo7.net

krveop.com

heianswer.xyz

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

iphy.strangled.net:1604

gpmaw.duckdns.org:3040

gpmaw.duckdns.org:2020

gpmaw.duckdns.org:4040

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:4040
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Extracted

Family

redline

Botnet

@l_Like_a_Sir_l

C2

185.230.143.48:14462

Extracted

Family

redline

Botnet

@bbakoch

C2

185.230.143.48:14462

Extracted

Family

azorult

C2

https://guifenergy.co.ke/bin/32/index.php

Extracted

Family

redline

Botnet

@Baobabss

C2

185.230.143.48:14462

Extracted

Family

redline

Botnet

@tupa187

C2

185.230.143.48:14462

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=19622864628953696

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      099355d506f15966ba946cd6f58a72f6c02c73232349cf7f2d6af5641eed0ceb.bin

    • Size

      296KB

    • MD5

      d88fc1f23009d945ef6096b14a2b52ff

    • SHA1

      c1a7e896034692aa6ae337d9034aa09baedac9d8

    • SHA256

      099355d506f15966ba946cd6f58a72f6c02c73232349cf7f2d6af5641eed0ceb

    • SHA512

      359d8d15130582112dcff3a5ec596f23d9ce5cfec60b011d1d5623919e5f9581f49ae1b9fc47a177d16002baa8b8dbced2413740664ffaa0fcf61bfbc9a321ea

    • SSDEEP

      6144:/thH4bzgXvWApfRS55SR7KFdWSuzW2oQyI6PHC5D6XGC:l+cXvxpZY4WDuzWCY2C

    Score
    10/10
    agenttesladiscoverykeyloggerspywarestealertrojancollectioncredential_access

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • AgentTesla payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.bin

    • Size

      324KB

    • MD5

      638264dabfa294ec7b31dfb89a85edbc

    • SHA1

      2029e54083f1900349c89cc49a72f914c0db943f

    • SHA256

      23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e

    • SHA512

      2bc06a4789bcdecc338a53410ffdbf4c4f7914884db9a2ab05940296824aaae5c94a33cce61f82c32d83164efbec9c53ffc4a2ba76e27f6c417d78a9a15e3d0f

    • SSDEEP

      6144:HSP8tg4knZXvKh8528ZE/PqOl4LF8SbbAkIlerfDUSwR8t:yPC5jw28ZEl4LF1bUk86bmWt

    Score
    8/10
    defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      3a9efda763f017e1ca8237aa27f8659b081f62f42e11aa36b6e122f65caca48a.bin

    • Size

      429KB

    • MD5

      3aa19b791cd0ec8d9bc25a631bbad827

    • SHA1

      d807bc8785423b59ce08fa1a89205eb95f0e57fc

    • SHA256

      3a9efda763f017e1ca8237aa27f8659b081f62f42e11aa36b6e122f65caca48a

    • SHA512

      a9a4a3e8603d28c7df254507f668052c722b742e937fefd5c9c687e48e502f147f22deacfad8510d09faac59a928a536061c5a1865247fcc6bebb9abdcffc489

    • SSDEEP

      12288:/ExB4fX6MoVf8A7ND6J40rFrKmwgKfVKPzgG+ivaZX5qlhCCkqyR+NFNf9rdUrp7:6lUr7aphdST1c

    Score
    10/10
    redlinesectoprat@tupa187discoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      3b49b6c1cc92bed7fb10ec3399c1f03449c5ab983a7d03f22bd83392b7a2dc86.bin

    • Size

      1.6MB

    • MD5

      7ea2249f22066a4dafa98d3a054d8dfb

    • SHA1

      fc7582154e909a4ffae91f7e672be8c084a999d1

    • SHA256

      3b49b6c1cc92bed7fb10ec3399c1f03449c5ab983a7d03f22bd83392b7a2dc86

    • SHA512

      351abe96e14a2872a6e3e087c645b0547fdd61e2e64092ab76e29412f22196151deb27d3f79a53182ae235601e5e8757a13d38beedbd22c8cdbfab4c3846aba7

    • SSDEEP

      49152:Pl6VQ6lnFvFU325uLtrBXyxJf9g9uQidA:sflFvFUmuLtrBXyxJfNQkA

    Score
    10/10
    lokibotdiscoveryspywarestealertrojancollection

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.bin

    • Size

      436KB

    • MD5

      9284392fd96b31b3de8d8f664de3f0e4

    • SHA1

      9b2e8d834a7e50ec7e674433d019dbd19996036c

    • SHA256

      4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7

    • SHA512

      61efcc329ba8f50c32de43ba0bfc66e6591158c12fcb095dfa3652e54fc799255a49e44c62f2022b807d51b432050f85d94a172dc0e186af40a21e3848c7c922

    • SSDEEP

      6144:qrX0zvg3rjIxvuJMQzp5dVw4JAUvxWgFdgqwixiak3IfMRfkHYgV:iEDg33IpqU4JA61dgq2G74

    Score
    10/10
    formbooko4msdiscoveryratspywarestealertrojanpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • Formbook payload

      rat

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.bin

    • Size

      482KB

    • MD5

      d5c6afc24d4fff226ae1190fde23e514

    • SHA1

      e342136d49082c798e5da37f27a0bad894e3e4ce

    • SHA256

      51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209

    • SHA512

      4cfa0f5bacd1521792bc3278bd0b25871da1b86afc7e7a243b89cd2a7ccd7119ab013422c1cccad06790e2d5b3885180047684d5a3504d6a1f86ad42aba0a575

    • SSDEEP

      12288:iCMnvQcYyer7in58R3wgG56gtIRQA/wpS:WvgyKG5c45ptIiA/wpS

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • AgentTesla payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      56b7b7798a01e1bad522a375b7b096efeba0e118885b353b525b44471cdec90e.bin

    • Size

      296KB

    • MD5

      31a70c300f7286f3621ae7836616190c

    • SHA1

      094b64bbd18840512fc9e044d79bb32cf4dc9ca3

    • SHA256

      56b7b7798a01e1bad522a375b7b096efeba0e118885b353b525b44471cdec90e

    • SHA512

      37c420cb69669ed5aad32131fc78a8e6f3cdd90d156151fe6c928c407fb13654d37b99cdfd0a78ab9c396e917168ac8f8d977a1c054cd9903a442e3aa5614be3

    • SSDEEP

      6144:RJe+FBq9MaeSDWKKZM0sExVyGuczaN1vTLpe+5H:RQkRaeSMM0sEvlu+Mv/0+p

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • AgentTesla payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      57fb4959548b3597ea3689167e496cdbb83d07afa9f0f3acb6a56987cd50099d.bin

    • Size

      402KB

    • MD5

      f4d5ddad31a703040adf721a9f9378c1

    • SHA1

      21475642eb3561ba5d34a1a7f02899bb1ca61432

    • SHA256

      57fb4959548b3597ea3689167e496cdbb83d07afa9f0f3acb6a56987cd50099d

    • SHA512

      d595b167f88f3e5fe2329e2423914dd32a79a38dda9197d6d87517cf1cdd2322cac9ac42f1e02e934e310d9e5a3a431217983888bb293f617ca88528a075a776

    • SSDEEP

      3072:EWrIy8kmoEBZBB2lrEtC1JZdDFs3sb5fkaLZ2sf2h8yezeci6x46xXX07/Bg9s9L:N/ZzLfkuS8yADi6vxU7/w8+PsFT8lw

    Score
    10/10
    xloadermjyvdiscoveryloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader family

      xloader

    • Xloader payload

      rat

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      5f278f8bdee6e51c769320f10506c28a4e84a56ee3ff44f63eec9a189236b1cb.bin

    • Size

      659KB

    • MD5

      183ebe37f8f5b5b3e324577327363c3f

    • SHA1

      8ae40a52e750efa0f8c7014583770f9ff2343291

    • SHA256

      5f278f8bdee6e51c769320f10506c28a4e84a56ee3ff44f63eec9a189236b1cb

    • SHA512

      0b2600468a1977e14f592ca5ddda8ec5c0ab8bcab15a3cce9107360e3fdc95b00f55f424ba42ab9ba6624586e5e9f27d00270adf12e5f651ef5c46030b186034

    • SSDEEP

      12288:X6jPyvD3aKx7bqyLZY7NsNAVSW/4zwHJeJ7zzwHJe:6sK4/qyLZoQAVSW/uwpeJDwpe

    Score
    10/10
    snakekeyloggerdiscoverykeyloggerpersistencestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      66b157a3d414b913b1a436edc71e8fc733c1f5457302fe9ca950a8b16d86b9e6.bin

    • Size

      363KB

    • MD5

      ddbbbb0895f1997339c1c388f853f65d

    • SHA1

      d79b5cab17509a0aaeef232947a3992a20a706be

    • SHA256

      66b157a3d414b913b1a436edc71e8fc733c1f5457302fe9ca950a8b16d86b9e6

    • SHA512

      a3912b39b1efe5e56b970ba4e2a64bc76a36c1edfc1774ac3dc987e9f89fa6468ff26db69e58854a1b11e58bcaa64789a223fadc9f599649cb5cc08db936307a

    • SSDEEP

      6144:/dua0sl91E4sxEMu7PyV+xEv7C8825EbpU5:/dua0slPEZyMujyV2Op8O4U5

    Score
    10/10
    asyncratdefaultdiscoveryrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral19behavioral20

    • Target

      6ec9f82a79152492b6a50a55dee43665e5205d607206573ce3729f824a05db36.bin

    • Size

      376KB

    • MD5

      9ceb9d87e88e9183841d70781b4dbf2f

    • SHA1

      1d6c5ec438aa3d6e79487a1ec0340c34128d2c85

    • SHA256

      6ec9f82a79152492b6a50a55dee43665e5205d607206573ce3729f824a05db36

    • SHA512

      5abea7da457d239799555b8263c7f7b945ba1b327f88fecc2bee8faea7731634fd99f7e99d1b08b38a406e297de638306e45079ec78d7e970be01ee37124bc16

    • SSDEEP

      6144:nqEVr2/qK1pyQh6taaDBZ5/jsJVNA/yrg2Nz7Dw6qXaWB7dybpFr1b:qEVr2/q08Qh2akBZdjsJVNA/92NjuaWw

    Score
    10/10
    asyncratrevengeratdefaultnyancatrevengediscoveryrattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • Revengerat family

      revengerat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      8d469fed80fcd597d17e15df98cd15a4646abb69cd7f81795af94c2c46ed2a33.bin

    • Size

      401KB

    • MD5

      4e0d7de9ab90eae3d73e82c516746b1d

    • SHA1

      319c1b1ebcb538f0b74b56e5087b2cf960b33ce9

    • SHA256

      8d469fed80fcd597d17e15df98cd15a4646abb69cd7f81795af94c2c46ed2a33

    • SHA512

      2d9abc62b8033ef874d09d274efd1e1546c5a51790d990a5c8dffed70d0cca0c6f76868b745322e1638e1b79970e42c277327052f6024275b864cae3eae65936

    • SSDEEP

      12288:lLNBxE00SO00rps9VsCZTJyskD5IXjBPiValeuxYWajIs+sSDosZY3XsR5KeM08h:9NAwBiR3HD

    Score
    10/10
    redlinesectoprat@l_like_a_sir_ldiscoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.bin

    • Size

      376KB

    • MD5

      5022069109525eccc6b1f9aea5310c30

    • SHA1

      07427c696897bbe46a384aed624c4fd0b55d155c

    • SHA256

      977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1

    • SHA512

      d2c6b6175bf776d61efdeaf522ff5b73da883d84dfa10804d4bab2e0c8e83b82af839a0328e4ef1493dddf323edc2c496df55f13e99912b27a6b61d4cd363600

    • SSDEEP

      6144:nqEVr2/qK1pyQh6taaDBZ5/jsJVNA/yrg2Nz7Dw6qXaWB7dybpFr1:qEVr2/q08Qh2akBZdjsJVNA/92NjuaWE

    Score
    10/10
    asyncratrevengeratdefaultnyancatrevengediscoveryrattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • Revengerat family

      revengerat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      a4865b2ed7dce154e50357674e8f15052a532609af0026dc4c8ea69b8a2f77c6.bin

    • Size

      397KB

    • MD5

      399d700b5b33aaa71dfd3663d3f726ca

    • SHA1

      e19122ffc9ac23b15cda09c01d949e938e533f9e

    • SHA256

      a4865b2ed7dce154e50357674e8f15052a532609af0026dc4c8ea69b8a2f77c6

    • SHA512

      58e337a1fec459c6124a45e6eb9298fe0743987dd279f5f0c350e78c2b189d635c661a2e7696456262f0da4a61a0e3755e436278ad337905dd888e15fee81108

    • SSDEEP

      12288:CfJ5BKNLz4L57YpZh5CSLJbjEGvmCUAtIU/eXHjWU3gqYNd3DuzDfeHJXOtDGzPm:ibRkAGK

    Score
    10/10
    redlinesectoprat@bbakochdiscoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      cbee3a2ab943816de40704ed266962b9d84d1a9b58a4a79f0200eb2a7258197f.bin

    • Size

      471KB

    • MD5

      ab1a54b9bc677256e1757897de53211e

    • SHA1

      d8dff0fc44fb65c2ec1f4d43fb69f979b78c8c29

    • SHA256

      cbee3a2ab943816de40704ed266962b9d84d1a9b58a4a79f0200eb2a7258197f

    • SHA512

      d434d9ba2ccef628e4e8288557e22578ddfe7128daf3b626e480cbae887ef81278f9a6b9824b7e67b392a982f116e84f6b73f36fa976f23cc6869f4643854615

    • SSDEEP

      3072:Pkk8u4dv5/Jml3CKACe7HQreetoSII52wAtdGl4QrIM4T9QTWQc7iXRURKx4onSM:PZUJ7sZXIM4TTQc7ZxCSIp0byrDukk

    Score
    10/10
    azorultdiscoveryinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Azorult family

      azorult

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.bin

    • Size

      397KB

    • MD5

      03a32b8f44708e43ba5655d735eaebc0

    • SHA1

      1d5aa010a79241fb75eab2cab75acd4a449338b5

    • SHA256

      cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c

    • SHA512

      9a93097bd0a5a57103c3099c6c0738c56c38cfb6fabb9036326d06c1761cf03dd78802f357380949c3f0d507ca0f8f13e0a0b5158d7148b3db077c80065036df

    • SSDEEP

      12288:7mdt5PueXy5k7X369OrN49Fzu75XJ+VdRlOQl9QwhteKAUHwEBz6+4uBkcQ6fcih:MwNRL/ud0a9m

    Score
    10/10
    redlinesectoprat@baobabssdiscoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

agenttesladiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral2

agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral3

defense_evasiondiscoveryexecutionpersistenceprivilege_escalation
Score
8/10

behavioral4

defense_evasiondiscoveryexecutionpersistenceprivilege_escalation
Score
8/10

behavioral5

redlinesectoprat@tupa187discoveryinfostealerrattrojan
Score
10/10

behavioral6

redlinesectoprat@tupa187discoveryinfostealerrattrojan
Score
10/10

behavioral7

lokibotdiscoveryspywarestealertrojan
Score
10/10

behavioral8

lokibotcollectiondiscoveryspywarestealertrojan
Score
10/10

behavioral9

formbooko4msdiscoverypersistenceratspywarestealertrojan
Score
10/10

behavioral10

formbooko4msdiscoveryratspywarestealertrojan
Score
10/10

behavioral11

agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral12

agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral13

agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral14

agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral15

xloadermjyvdiscoveryloaderrat
Score
10/10

behavioral16

xloadermjyvdiscoveryloaderrat
Score
10/10

behavioral17

snakekeyloggerdiscoverykeyloggerpersistencestealer
Score
10/10

behavioral18

snakekeyloggerdiscoverykeyloggerpersistencestealer
Score
10/10

behavioral19

asyncratdefaultdiscoveryrat
Score
10/10

behavioral20

asyncratdefaultdiscoveryrat
Score
10/10

behavioral21

asyncratrevengeratdefaultnyancatrevengediscoveryrattrojan
Score
10/10

behavioral22

asyncratrevengeratdefaultnyancatrevengediscoveryrattrojan
Score
10/10

behavioral23

redlinesectoprat@l_like_a_sir_ldiscoveryinfostealerrattrojan
Score
10/10

behavioral24

redlinesectoprat@l_like_a_sir_ldiscoveryinfostealerrattrojan
Score
10/10

behavioral25

asyncratrevengeratdefaultnyancatrevengediscoveryrattrojan
Score
10/10

behavioral26

asyncratrevengeratdefaultnyancatrevengediscoveryrattrojan
Score
10/10

behavioral27

redlinesectoprat@bbakochdiscoveryinfostealerrattrojan
Score
10/10

behavioral28

redlinesectoprat@bbakochdiscoveryinfostealerrattrojan
Score
10/10

behavioral29

azorultdiscoveryinfostealertrojan
Score
10/10

behavioral30

azorultdiscoveryinfostealertrojan
Score
10/10

behavioral31

redlinesectoprat@baobabssdiscoveryinfostealerrattrojan
Score
10/10

behavioral32

redlinesectoprat@baobabssdiscoveryinfostealerrattrojan
Score
10/10