General

  • Target

    archive_45.zip

  • Size

    25.5MB

  • Sample

    250322-g1cawstj12

  • MD5

    5aa318b9e872569f1b741eed8a01d21e

  • SHA1

    ccd259d58d33196df18dd0d2cecae7b72957706f

  • SHA256

    f8eb9b286a0d33e287568961f883aa9d1be6e9ec8cf5eee3a3a1a6b106d02f74

  • SHA512

    94714812baffde39a20dc703070852ca33430e7843f528ab1336cb2ebfc2a25f9d77002f94431024e896e8c8b8d89fda7ce473d98534aa43d6d5e0e79dac8d46

  • SSDEEP

    786432:A7EAw/pjqkUGM0il8dThb/RFF6u2XJIlm+iF1OyQ37G:FAwxjqkUGM0il8d1b/p2XalmQ6

Malware Config

Extracted

Family

xworm

C2

markl.ddns.net:3703

45.139.104.175:3703

vanechkin-51361.portmap.host:51361

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

Extracted

Family

njrat

Version

im523

Botnet

System

C2

37.46.211.91:80

Mutex

36c4941fa82e16073ca1c25f489b4f47

Attributes
  • reg_key

    36c4941fa82e16073ca1c25f489b4f47

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

stealc

Botnet

default

C2

http://176.65.142.161

Attributes
  • url_path

    /f698bbaeef359c28.php

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      b8b78dcf13364a7f2dc9097d204efbfc8157ca213933396b9c408467e74b1dd2.exe

    • Size

      115KB

    • MD5

      cbb4496a4c6c4c6d08079f060b3f8e14

    • SHA1

      ef6e16c2084be9b0c591707e1aff307ecf62ba71

    • SHA256

      b8b78dcf13364a7f2dc9097d204efbfc8157ca213933396b9c408467e74b1dd2

    • SHA512

      48e0692c88b937574d29b5ef76d85957f776013f2bf6a07683995fe46d9fc1402a4e67f975016dd9de96f7afde784b5fd1511ef647e8b464d4f90c53cf8ee120

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDQgh:P5eznsjsguGDFqGZ2rDth

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b8d253be839cc683e7c8c056a7272d33.exe

    • Size

      256KB

    • MD5

      b8d253be839cc683e7c8c056a7272d33

    • SHA1

      0596e3072db7d22fe4097e06528fbd5bf00e1a6d

    • SHA256

      94c7aadd66bbfe116da0524fb80d36e4fd64238aeef7524cbfe0d8bf1ef73953

    • SHA512

      f72c52993cb70c1d7cea24b97f8bd0477c63c310469999cbc594cb7ea4a47dc19d878377b2835a04937220787cc3d2f342da300a938f0a6a27fdfff982db9445

    • SSDEEP

      6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ+S:EeGUA5YZazpXUmZhlS

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      b8ed4395ab30b9516f18506071099c95993b70ed8001935c83f64abd866f82f9.exe

    • Size

      369KB

    • MD5

      35bcba5f7eec3979a033bc1c99d56e43

    • SHA1

      d3d58d2454e9be4cd6ce40945fa18f4e4163d128

    • SHA256

      b8ed4395ab30b9516f18506071099c95993b70ed8001935c83f64abd866f82f9

    • SHA512

      d290a81903daabadff0201042a29b6bd6c9f15d81bb68159ccc484d3f32130fced3a385718b4b0229023efc566a26884f6c7eb67fa1b892de7980d5400cc7588

    • SSDEEP

      6144:fn6zJ4mHcCLCYTnWz79nWz7NYp6hYp6rvDLuimKkBREsVf+3Kgd:y6m2QiQrfqRExd

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      b93347150f9a9e8853d714859da79289.exe

    • Size

      47KB

    • MD5

      b93347150f9a9e8853d714859da79289

    • SHA1

      de9a1b3a9ec39376f53d4ece84aac9a78dd2d0bb

    • SHA256

      d528ea0e2ecfd9ccdba4de1e3dcc093a3b817ce70e8a73a8ef73c050fab8256b

    • SHA512

      d500a5f3605b8c93c9308a59dde5419cdb2e4c641b5d038254205d6c00cb11feae895b7362482cb3707c3ca16b2d555d53a3ec5aea5d5bda20b779d2673a1dae

    • SSDEEP

      768:IiyLoD5SDW+mEqZlxwxhinhkKViE9b/fplJrhzx/rA:ZyU9N/lxzRz9bHHdhFs

    Score
    1/10
    • Target

      b936c3a84619de80572b95a1ff1518c9af5821e5ec6e32220ed12169a571f859.exe

    • Size

      532KB

    • MD5

      767f73b8365f7957c25b65a6a0d0d25e

    • SHA1

      af06ba14b05de9d518a55172441b490d0c01670b

    • SHA256

      b936c3a84619de80572b95a1ff1518c9af5821e5ec6e32220ed12169a571f859

    • SHA512

      4defe0a9e8d3d2224646d2173fa28757ea2e9b89ffd4f2bcf6c711acd07143e867489db5881cc479ebde34a137520e6a0f16f5b65e4932d1387d494a7f30c250

    • SSDEEP

      6144:WaDZtugqU86pAu/MWsIwEEZ4F6KWdXKnrn7bOHix0jGCAcIAJ:hVMX6uuELZ45WdXKSHix0jGZZA

    Score
    1/10
    • Target

      b985e2e2a066a11c89dd5559cb9cdbef.exe

    • Size

      1.2MB

    • MD5

      b985e2e2a066a11c89dd5559cb9cdbef

    • SHA1

      87af6a1a91f709b045b05e28fd3e8cb7e662e80b

    • SHA256

      766ab23a314977156bd7b40904d72a755f2df9426144aa1d8ca54e941cd973ca

    • SHA512

      e7d181ff075c8e296da373ff50089a8d4441b49ab6b7d5feca23c19bbbf52273b8e8be522fc56aef504ed73d56b2ab178f4f901c12bf5d21567d5d42c4bc2ee1

    • SSDEEP

      24576:5yh5xU9XB5Q0w4h5eh3e3y/b9tqvrpTUomJxc:5yhXUdBS0noM3RvqoMK

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

    • Target

      b99adb733f5130e17033aa18a6ef1363fa8e45b4de8bfb82d16749d0ad825040.exe

    • Size

      594KB

    • MD5

      80e94253e23b7f2207ec4bdb253324c9

    • SHA1

      c1f19905eb43c59c23ebd32ee6eef99326587228

    • SHA256

      b99adb733f5130e17033aa18a6ef1363fa8e45b4de8bfb82d16749d0ad825040

    • SHA512

      a5931493526e7904c6d6759ff178b533c23c1717c01e51189d30d2dbf0758c5bca48d0e261c8975418c7633b5ba986e381de59cc7cefd43d46ccdc23970f0c9a

    • SSDEEP

      6144:CtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rL7:e6u7+487IFjvelQypyfy7L7

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      b9cfd0a072e3e0386a247f51c2191a65.exe

    • Size

      78KB

    • MD5

      b9cfd0a072e3e0386a247f51c2191a65

    • SHA1

      88dac9c88aab956be038e06aaf7388605657c868

    • SHA256

      6d6b0f0a08acaef445833b1a9347a17ef59928295dfdb5f20c9e6f629ac5dba0

    • SHA512

      a7a12d2843fefa387b2e11466336360bf8fc02bdc86b38724a87ef42a6ad60c7e66ed227d56e8feb13314705a8ae35eab59e8d1608a37ba03a7b02ee3e10563a

    • SSDEEP

      1536:EsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQts9/Z1ik:EsHY53Ln7N041Qqhgs9/r

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      b9d4ce458330a463e0bbea9c825699bc.exe

    • Size

      78KB

    • MD5

      b9d4ce458330a463e0bbea9c825699bc

    • SHA1

      5c290ad3db5b0d28582215169eab4cd2effa9bdc

    • SHA256

      d70b6fb644a5c04cfe2cf77146444b2e35caaa7d2e24ccdf90db816c13370de6

    • SHA512

      7ad319239ef8d1a0ecff1ef5b6db64a4cdd9d084eda697433aa6edabc1f93ff5eb3b10c1159919e678f11fcc88e4490620de1b983ee2d0921602acb647574015

    • SSDEEP

      1536:BsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtR9/Z81kh:BsHY53Ln7N041QqhgR9/D

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      b9eb72c6666c879fe3b7532bbf050b72.exe

    • Size

      78KB

    • MD5

      b9eb72c6666c879fe3b7532bbf050b72

    • SHA1

      8d35f944aa44bfd898c51b9645ba98f33298d458

    • SHA256

      989b61ad0d18110a3b953a90885bc9a1f4dadec6a5958d43890e9189506719bc

    • SHA512

      8b8665064c587332405648d578865d63e6edcc504045ef71f2e9cdfed9bb626053cbb543d2fd0bdb037f99b22c49c9c9fe0eae46c65d5154b896567dd3f22f71

    • SSDEEP

      1536:LHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRb9/o1bM:LHFo53Ln7N041QqhgRb9/9

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      b9f7b13b1d4a5686a42d38aaefabcaef.exe

    • Size

      1.6MB

    • MD5

      b9f7b13b1d4a5686a42d38aaefabcaef

    • SHA1

      baef9eecc475391823826ba526c718bb37000265

    • SHA256

      bbb979cf25c1acc089ab5d96f2a2a4f7d0276ad7d28f111f8f7d3b23226d07c9

    • SHA512

      3905dc8820531d1c395c497ead44b034622b6277272cb64b0ed8c3906f4bd4dda396676db6cd8a520ad9c3a6420c67887ca2e5bbfc5388ea5e2b5caf8a9a7834

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      ba0566e43d769a982fa83229aa91c19d9b96ebeb16abb8be188836e40b79b323.exe

    • Size

      1.4MB

    • MD5

      9f853d4ffc6f6c8ab578082820da8601

    • SHA1

      b3a6ce539d4a87b986e89841623ebd0b91da4cde

    • SHA256

      ba0566e43d769a982fa83229aa91c19d9b96ebeb16abb8be188836e40b79b323

    • SHA512

      6b1dcd801a05c503d7e7513116d5e684612cef6ec041e93d103f8481d223fa20dca79334bc42ceb22c7d90bee7dc81968becf6fbe7cf9f7e678d30deca0d2cab

    • SSDEEP

      24576:ouwVlXkX8XOvCCK9B18gvPxXf/73UaubFYv0erEZQpgIWTfs90HXWt:ouwVxo8XOvg9kCpXr3MbwzpDWg9MW

    Score
    1/10
    • Target

      ba21b0abda333b699668dfd7b15c9317f61073e34166f91688550a34a2aa9dc0.exe

    • Size

      5.3MB

    • MD5

      425a912db46f4bf3769b198b7efbe9e6

    • SHA1

      b0f9bb4764c62e6e0a1a30388762ad5ea47eda44

    • SHA256

      ba21b0abda333b699668dfd7b15c9317f61073e34166f91688550a34a2aa9dc0

    • SHA512

      a1ed554f9b606de3dc16b3e28ec65e9967d6f48eb67992660657cf3ea34b6a8b19a0b1c69a40db5e34fd31134976c30a9f3cb4e066775845df58497b6881b06c

    • SSDEEP

      98304:LHwNvrWmlErFkv6rtHjlb7Z3KydH0GwYQCxu:LHwwNrrtHx/lK6HVnE

    Score
    9/10
    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85.exe

    • Size

      1.6MB

    • MD5

      7ea9ab2735abf3ed79269a0b44ddd447

    • SHA1

      92e8b7c97db955d908a108764cb570926d2fa2ed

    • SHA256

      ba4d84a77a0cf661df6c88fd41e6d9688f0d2a98ccbdc0555941206969c2df85

    • SHA512

      b6bd25318dbab31b4e56ecb35a1a11efff6fcfa3c92a16432f55acf8082fb5f90f0a9a8b1774a11711ffa832fef639edfbf58dbbb4213b356619a2c799433254

    • SSDEEP

      49152:94FdetMVCK1LVXXQezP3+Wgm18VeWoAVvqPDe:OdkCCK3XXQO18VeWTVvqPDe

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ba598ceed60e345cfd3e69c2a9a847980011290c2fccfadb294f8872954c9e17.exe

    • Size

      697KB

    • MD5

      dd7746850cddf656d1078369b4341b37

    • SHA1

      557b7b69d48989a66912b119b7b31329269bbc56

    • SHA256

      ba598ceed60e345cfd3e69c2a9a847980011290c2fccfadb294f8872954c9e17

    • SHA512

      28d7cb0ca2ee917d83d4dff29b3d8b5ba54ba7f7559a8a291e7eaf038d4426dbdecfaa01f3e2be01fb7506d787be2ab7e95f26ea1f08c104eb00a1312545cd40

    • SSDEEP

      6144:LtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rC0:96u7+487IFjvelQypyfy7C0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      ba6c7a8dc76a63c70a2e018c2bd2a059.exe

    • Size

      984KB

    • MD5

      ba6c7a8dc76a63c70a2e018c2bd2a059

    • SHA1

      180970254354af46194e8ff74362230c6b667cd6

    • SHA256

      89333332d2bf50e37c6df1a85b3d03d7f6bdd1b16fae842656dab89ba42252ec

    • SHA512

      cfc904608b4af9b6be68c3750fb3b134e88c387c5521e4d4e9a4dd2a26cfc17774096d78e5c50bdffa7d0e12c941c850f72de46e639d441b511f193dc5d7ce6e

    • SSDEEP

      12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, system, dcrat, xworm, njrat
Score
10/10

behavioral1

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral2

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral3

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral4

discovery, persistence
Score
7/10

behavioral5

discovery
Score
7/10

behavioral6

discovery
Score
7/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

discovery
Score
3/10

behavioral12

stealc, default, credential_access, discovery, spyware, stealer
Score
10/10

behavioral13

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral14

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral15

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral16

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral17

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral18

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral19

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral20

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral21

dcrat, execution, infostealer, rat
Score
10/10

behavioral22

dcrat, execution, infostealer, rat
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

defense_evasion
Score
9/10

behavioral26

defense_evasion
Score
9/10

behavioral27

xworm, rat, trojan
Score
10/10

behavioral28

xworm, rat, trojan
Score
10/10

behavioral29

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral30

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral31

dcrat, infostealer, persistence, rat
Score
10/10

behavioral32

dcrat, infostealer, persistence, rat
Score
10/10