Overview (score 10/10)

Task                 Platform            Score
static               -                   10/10
cb45bfa4b2...32.exe  windows7-x64        7/10
cb45bfa4b2...32.exe  windows10-2004-x64  7/10
cb48b9ffc8...ab.exe  windows7-x64        10/10
cb48b9ffc8...ab.exe  windows10-2004-x64  10/10
cb642e19ad...e6.exe  windows7-x64        7/10
cb642e19ad...e6.exe  windows10-2004-x64  7/10
cb64f92875...a6.exe  windows7-x64        7/10
cb64f92875...a6.exe  windows10-2004-x64  7/10
cb81b6d0e8...88.exe  windows7-x64        10/10
cb81b6d0e8...88.exe  windows10-2004-x64  10/10
cbaee22513...a5.exe  windows7-x64        10/10
cbaee22513...a5.exe  windows10-2004-x64  10/10
cbbf316076...27.exe  windows7-x64        1/10
cbbf316076...27.exe  windows10-2004-x64  1/10
cbc319d807...7c.exe  windows7-x64        10/10
cbc319d807...7c.exe  windows10-2004-x64  10/10
cbe09d8033...e7.exe  windows7-x64        10/10
cbe09d8033...e7.exe  windows10-2004-x64  10/10
cbf8cf5e7e...d1.exe  windows7-x64        10/10
cbf8cf5e7e...d1.exe  windows10-2004-x64  10/10
cbf9083762...57.exe  windows7-x64        10/10
cbf9083762...57.exe  windows10-2004-x64  10/10
cc027f345e...df.exe  windows7-x64        10/10
cc027f345e...df.exe  windows10-2004-x64  10/10
cc22848f9c...20.exe  windows7-x64        10/10
cc22848f9c...20.exe  windows10-2004-x64  10/10
cc25555aa2...ec.exe  windows7-x64        10/10
cc25555aa2...ec.exe  windows10-2004-x64  10/10
cc52f061bf...a0.exe  windows7-x64        6/10
cc52f061bf...a0.exe  windows10-2004-x64  6/10
cc609db84e...1e.exe  windows7-x64        7/10
cc609db84e...1e.exe  windows10-2004-x64  7/10

General
Target: archive_50.zip
Size: 34.1MB
Sample: 250322-g1rqksy1dw
MD5: f616982bc6fd335ed80be8222b04c0a5
SHA1: 6b36072e183a7615b4e8fe5622af401d28a7061a
SHA256: 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1
SHA512: 1451af74fad160d17b01bb2666e583f414f00a48ad39a2b9a1264bd8f5591fd05a34917615d9480409dc356a92dc8b869832ac13df64321666450eefcbad29f0
SSDEEP: 786432:xDRKk1QE7oQ//yxNwRKC//yxNxXnTyQ37oE7BSm9NAlHe2yQ37ayQ37I:xAmoEamVad3eQR74m9NcetQdQM
Tasks

Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: cb45bfa4b2fad0151564092bb5803d32.exe, win7-20241010-en
- behavioral2: cb45bfa4b2fad0151564092bb5803d32.exe, win10v2004-20250314-en
- behavioral3: cb48b9ffc8b360c98bee387aa32270ab.exe, win7-20240903-en
- behavioral4: cb48b9ffc8b360c98bee387aa32270ab.exe, win10v2004-20250313-en
- behavioral5: cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6.exe, win7-20240903-en
- behavioral6: cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6.exe, win10v2004-20250314-en
- behavioral7: cb64f92875fbd6c7baa1532c3cfd4a9b3a2d12dd50afe5ace3699945d37129a6.exe, win7-20240729-en
- behavioral8: cb64f92875fbd6c7baa1532c3cfd4a9b3a2d12dd50afe5ace3699945d37129a6.exe, win10v2004-20250314-en
- behavioral9: cb81b6d0e80118002af4508f2d2df288.exe, win7-20241010-en
- behavioral10: cb81b6d0e80118002af4508f2d2df288.exe, win10v2004-20250314-en
- behavioral11: cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe, win7-20241010-en
- behavioral12: cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe, win10v2004-20250314-en
- behavioral13: cbbf3160769a29314cc808de6010a005a58b7e52c12b84b90849433c8b87b427.exe, win7-20240903-en
- behavioral14: cbbf3160769a29314cc808de6010a005a58b7e52c12b84b90849433c8b87b427.exe, win10v2004-20250314-en
- behavioral15: cbc319d8078c6c134b5cc6d67a9d587c.exe, win7-20240729-en
- behavioral16: cbc319d8078c6c134b5cc6d67a9d587c.exe, win10v2004-20250314-en
- behavioral17: cbe09d8033f0210258f6f55beddd26e7.exe, win7-20250207-en
- behavioral18: cbe09d8033f0210258f6f55beddd26e7.exe, win10v2004-20250314-en
- behavioral19: cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe, win7-20250207-en
- behavioral20: cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe, win10v2004-20250314-en
- behavioral21: cbf9083762908e0056a1584ad1df9457.exe, win7-20241023-en
- behavioral22: cbf9083762908e0056a1584ad1df9457.exe, win10v2004-20250314-en
- behavioral23: cc027f345eec8bb836216b98c2a013df.exe, win7-20240729-en
- behavioral24: cc027f345eec8bb836216b98c2a013df.exe, win10v2004-20250314-en
- behavioral25: cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe, win7-20250207-en
- behavioral26: cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe, win10v2004-20250314-en
- behavioral27: cc25555aa250b4c0bc60f50d2460eeec.exe, win7-20240903-en
- behavioral28: cc25555aa250b4c0bc60f50d2460eeec.exe, win10v2004-20250314-en
- behavioral29: cc52f061bf8c4e65f978563a1467b7e7bbd9b5338d7f094f624dc03d4cc164a0.exe, win7-20240903-en
- behavioral30: cc52f061bf8c4e65f978563a1467b7e7bbd9b5338d7f094f624dc03d4cc164a0.exe, win10v2004-20250314-en
- behavioral31: cc609db84e7e0212cb56ad923b1a131e.exe, win7-20241010-en
- behavioral32: cc609db84e7e0212cb56ad923b1a131e.exe, win10v2004-20250314-en
Malware Config

Extracted: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:1177, 10.10.10.10:5552
Mutex: 212683d986fb740ad6a40184df48e604
Attributes:
- reg_key: 212683d986fb740ad6a40184df48e604
- splitter: |'|'|

Extracted: njrat
Version: 0.7d
Botnet: system
C2: cloni.ddns.net:6522
Mutex: 04c8725de2d3b9395384d4ac6906e0da
Attributes:
- reg_key: 04c8725de2d3b9395384d4ac6906e0da
- splitter: Y262SUCZ4UJJ

Extracted: asyncrat
Version: 0.5.8
Botnet: Default
C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
Mutex: jIYjCiuJEgqP
Attributes:
- delay: 3
- install: false
- install_folder: %AppData%

Extracted: discordrat
Attributes:
- discord_token: MTM1MjAwNjM4MDgwMTg4ODQxOA.GdxcwJ.5RM8a455fuQbPFGS5DN7WbaTaUvy7RPq3hqNkE
- server_id: 1352000905708306512

Extracted: njrat
Version: 0.7d
Botnet: H2cKed bY TaKsHeR
C2: z88.ddns.net:5552
Mutex: 63836c251750e788af0d3ead7ef4cada
Attributes:
- reg_key: 63836c251750e788af0d3ead7ef4cada
- splitter: |'|'|

Extracted: quasar
Version: 1.4.1
Botnet: Microsoft Edge
C2: manseurange-47473.portmap.io:47473
Mutex: 5cb0da4e-1fd9-4c04@@@@@@@@@@@@@@@@@@@@@@-b422-6fd81f82fgjfgj06eb
Attributes:
- encryption_key: 101BAE34B506EDB46E364AF887431233567B4BB1
- install_name: msedge.exe
- log_directory: system32
- reconnect_delay: 3000
- startup_key: Edge
- subdirectory: Edge
Targets

Target: cb45bfa4b2fad0151564092bb5803d32.exe
Size: 580KB
MD5: cb45bfa4b2fad0151564092bb5803d32
SHA1: 5bbc7a82b7dc61e1c73586fb3d9fec9665e22b67
SHA256: f94b5b29ce95e24cafe53955807a73c54bd82313be97aa53d1d9b3b5280e2bee
SHA512: 647065df8972dfcb51fbcd0982c07c9840fe8f67d24a20bfde2de12bcb9618e751a85bd0726a1f8b9cbed30d6007a1995c3444a22a2c495844fb069172103040
SSDEEP: 12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7L:rBJwdhMJ6ZzHrfcsMGTfZ5PL
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: cb48b9ffc8b360c98bee387aa32270ab.exe
Size: 23KB
MD5: cb48b9ffc8b360c98bee387aa32270ab
SHA1: 2e7c2476a63004bcbe35f4476b78a33de8aa9a32
SHA256: 164f6b3fceb09663e83efc87884a62472190ffbd48bc74554cbebc2481daa8d9
SHA512: 7e0c1e36e67f502629028f1636094ac8a6ff57b5f4a9bbf2601754e840a38400c8848e79eedf17273d7e2bc01d7c0ead6ffb9babddb3a2704ed621d74e29049e
SSDEEP: 384:r8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZbDlp:AXcwt3tRpcnuSv
Signatures:
- Njrat family
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6.exe
Size: 9.7MB
MD5: f7338353f580b0a71f1c73ad2477940f
SHA1: b60d7a46dab10e5157039c1921ebdaa88a839ca4
SHA256: cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6
SHA512: 949a1d5884243bdd978e160fc22f6930c87b27760bfac9a96ea4c85ad7f5f5ac6fea7c242eb12c5924725fb8b2cc9ccf3d3f043320f8abe6c8b572a0cc2b0c5e
SSDEEP: 196608:l6vZPKGVBFUcwti7TQlyVN8iNISRTRmW5QZ0:wI6HwtQQlyXOOQ
Signatures:
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: cb64f92875fbd6c7baa1532c3cfd4a9b3a2d12dd50afe5ace3699945d37129a6.exe
Size: 373KB
MD5: 981a5277b68b4e2425542fb1c82dbb6d
SHA1: 2d60d098e2997e78ecb61958de52ac7ddfccf68e
SHA256: cb64f92875fbd6c7baa1532c3cfd4a9b3a2d12dd50afe5ace3699945d37129a6
SHA512: 437e8360dfe27f29c91b911f0caa4b3bd62cf500603e4c474cc19db3ec3e6f35825c84ac1eede2f2df6f00a7bbe70c90c9902f30e4159ba575936cde70d3ca6e
SSDEEP: 6144:tyMIULPy/x3xUArN62f7GU7njrbma/3LaQURrM2TuP6zJc8:XDy/xhUAtf7tjrbma7OJxuSzH
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: cb81b6d0e80118002af4508f2d2df288.exe
Size: 5.9MB
MD5: cb81b6d0e80118002af4508f2d2df288
SHA1: d0f10e3d9df31a7528fda382bd759bb27af00920
SHA256: 24ab80aa8bf163a7fc00cb6bfa5922269eb438ca6ce02da56016f6579106bfa2
SHA512: 028e8bc13cce23c611bf8e1362dc1ceedce8b2d88af4fe8276ae1e631ccb90f3274a23a3e628bd45737a53efe1b08e6851db27823b6eb73b3105012b43083e34
SSDEEP: 98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4f:RyeU11Rvqmu8TWKnF6N/1w+
Signatures:
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Size: 1.6MB
MD5: 897ea9c4d942c8ff6dad7af9d25612b5
SHA1: 4e34616e3bc3414cb3d264575f865c4a0f9eefbc
SHA256: cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5
SHA512: 0c580b68fec12b9621a6c62b572cf9035c74fe288db14658aa8a3b04f49419ee19036213bf5c1dfa335e37f409fb816bf04d420905880321aeedb7a3fddee35b
SSDEEP: 24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score: 10/10
Signatures:
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory

Target: cbbf3160769a29314cc808de6010a005a58b7e52c12b84b90849433c8b87b427.exe
Size: 34KB
MD5: b695ad95341673f28f774e55212da972
SHA1: 216d461d5083c219fc45c42d69c984c00fbedfa9
SHA256: cbbf3160769a29314cc808de6010a005a58b7e52c12b84b90849433c8b87b427
SHA512: 0849ecbc88331565a8b92f01c9a1a39e72a8828a35044d4cde7ec449c2781eac599e23f9710af997790ee7ab431367e0edcd43aacf1b9dae0032df4ae8f22d86
SSDEEP: 768:JmQZqx1lYcJnqnaeFRIPdmbhuxfSOxfMfKHf/nXbOfC1mka18:J0lYjFWPdmbhuxXxUYf/XbOOa18
Score: 1/10
Signatures: none

Target: cbc319d8078c6c134b5cc6d67a9d587c.exe
Size: 78KB
MD5: cbc319d8078c6c134b5cc6d67a9d587c
SHA1: b5e270722fa7c5bbdd68c0e3f4f2420b6ff23740
SHA256: 087d6ff0e85c4c64aea33a0951a565a5815c9b0c04b24ab2ebc65fa704b140fe
SHA512: e34c31e6896b35913f3018274ad54a2d8f316a656a2abcc8e34849d8070490debeaca1faf651931da5c4c3505296ed1fe2520b423197440c6ccb3fbb1dd2fe1d
SSDEEP: 1536:rCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt/9/d12H:rCHFo53Ln7N041Qqhg/9/g
Signatures:
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application

Target: cbe09d8033f0210258f6f55beddd26e7.exe
Size: 218KB
MD5: cbe09d8033f0210258f6f55beddd26e7
SHA1: 7a1b2d5e64431b7ef37b5dbea647595c03bc27a7
SHA256: 55859093788d4e2057865fafb2e1dced24ef2cbd08925fd535efa609a3904eda
SHA512: 6b4bc1519659e5bddbebd83a73c885d57e69a71506ad8677d3bb5014f4e24eee0cf645fa39a1993a0f89371510cfdc14da19a0452b4c30387c4530271821e183
SSDEEP: 6144:RDozv0rgBSVCQ1fPOqtUVmXr3Uxz2Rqb:4xQfttUVigN2
Signatures:
- Detect Xworm Payload
- Xworm family

Target: cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe
Size: 18.0MB
MD5: b87558f9dafbbb8ec1101ea9cdfcd5bd
SHA1: 78fdb6b2808a8797f00f5bf41f619f2620cc7600
SHA256: cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1
SHA512: c357bcc8f29869ab00abc7ebfde5325dc1df50a7c29381b73b1009eeb7ef7decd37b16b0c65dd33c92a2d919014bbd93f9e135dabf78080e9c584d662921f00c
SSDEEP: 6144:tvcXK+rhXT2Ef5YTe6VlWT8b9qHVKIGJG3qVbgVSLh:VsFyEf5KPVle8oY1GT
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2

Target: cbf9083762908e0056a1584ad1df9457.exe
Size: 5.9MB
MD5: cbf9083762908e0056a1584ad1df9457
SHA1: 0baab27622e89f104420a8f28b43eed94b3b922d
SHA256: ecaf5a16ff5d2163193af68382c1539e94013e2965c331dcfe4c1111d2f7f4ab
SHA512: 07dae15db1ea7d296d66187ef022a64f46057f57982e3124cad47e54f408caf40a3a87a41981a6916eac50705e68c1b65a2b18b202e0c171a7ef0204403aabca
SSDEEP: 98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:RyeU11Rvqmu8TWKnF6N/1wO
Signatures:
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: cc027f345eec8bb836216b98c2a013df.exe
Size: 885KB
MD5: cc027f345eec8bb836216b98c2a013df
SHA1: f13c3e0e7c6d7938dfb97fb19a55cc47424b174e
SHA256: 00bc028b5d4f9cdadf18888944bf27281bfe3299b051f9e4f20f129f5f45b400
SHA512: 4740c0d83f273b50ccfd0a5a1b53a66782d9b811ce323b010a915ca78d6e844ed94b75e57eb8d97b06b1848679fa9ee5abc3b24e97fff8292050c1726449a2b6
SSDEEP: 12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u
Score: 10/10
Signatures:
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

Target: cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Size: 1.9MB
MD5: 2084c9d26206ec07c2dc65d1167ee1be
SHA1: ff37b5b781c17b3de200bbc1f68530370b4110a9
SHA256: cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320
SHA512: 99740d059fc3cd37fad78ddacd9c149eabb519c7e043cb01cfa92884724bbce326dc9f9d4b716d85b222a6580e1c75ae437680752bf565135a5de9ceee226f44
SSDEEP: 24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Score: 10/10
Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled

Target: cc25555aa250b4c0bc60f50d2460eeec.exe
Size: 33KB
MD5: cc25555aa250b4c0bc60f50d2460eeec
SHA1: 75eb0965522bb071b222231972d711e13271239d
SHA256: 048b76918b64f952de6a34aeceb9b6b556afe4c989bde204259a9efc15c008e2
SHA512: 922c032319ea13d975bd1a26fa6fd5781da3332429dbfa5b42a709d952fbb5683c818db6ccacc915e02289ee76555e4bfc7ecaf3657c913ff8ad64cd3658af1b
SSDEEP: 768:VXaxirnp7VJMzxn6zQJyRm3dPlvyYQmIDUu0tiMbjY:U0pKakJnQVkjjY
Signatures:
- Njrat family
- Modifies Windows Firewall
- Drops startup file
- Adds Run key to start application

Target: cc52f061bf8c4e65f978563a1467b7e7bbd9b5338d7f094f624dc03d4cc164a0.exe
Size: 6.1MB
MD5: 059782fc7d7c4d54cb2d5dd7232952a4
SHA1: 78f465f0d976b9b994b54394f4380313889ad45b
SHA256: cc52f061bf8c4e65f978563a1467b7e7bbd9b5338d7f094f624dc03d4cc164a0
SHA512: 3dc9538928da8bc42f5236858e24dbac5997260d8227dfbc14eebeab82a6f2ac8c05966915e96381bb5437a4dd56fdd729a54c1ed4ef7bd72351d7f1c977c2c9
SSDEEP: 196608:/j4g5aUoEJMY4QR2WlXpPHA4kkmib/bbx2t7q:/kUdJl4QR2WfPg4BmMZc7q
Score: 6/10
Signatures:
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: cc609db84e7e0212cb56ad923b1a131e.exe
Size: 154KB
MD5: cc609db84e7e0212cb56ad923b1a131e
SHA1: b4a8b797fd65c901c5c4fe422ea7d899ca55ed56
SHA256: 42a1f8eaa92898caece1d0127b52ee9cca2d665933262a88f71cebf77fac875a
SHA512: 01ccdfce88181885dff57bd3770688e73f99d0fa13c83b24843a2ba3ba1e0099d2e8aa9342b540de3548389710856ff32529c311ca98fa89604a2e9ed64f3a0a
SSDEEP: 1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcmL:JZmCb6ROF96zMq1yLAHtUcmKyD
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)

Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)

Discovery
- Browser Information Discovery (1)
- Network Share Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (5)
- System Information Discovery (6)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Wi-Fi Discovery (1)