General

  • Target

    archive_51.zip

  • Size

    91.0MB

  • Sample

    250322-g1vr8stj19

  • MD5

    5e0e368e7bebbcf12b87e96250168800

  • SHA1

    da38765d13e7c248cd427cee96d9509efbe00602

  • SHA256

    a23fdeddb683f716be744ef3fe9a8ce2c87b02f5e5c1f6c8bdb70881de528304

  • SHA512

    81db786cd05204ea916fa6d6dbc56a62a583fb28340b60aff7bb557d648d784b0cdd5beb44d43f64e6686dfe0f3abb117c0cf0bacf6acb60d104f978dfc6ae1b

  • SSDEEP

    1572864:rCIKPldlTLzEa2P7tQI7eQCX71Ka3thZA4RlaQMhAVnIioVFORvT2C4:rfudlTLzEa2P7tQICQCX71ZthC3QM4+X

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

karmina113.sytes.net:5555

Mutex

9b6cb0a0-83f3-4fe5-a33b-7b70d4dba20b

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    karmina113.sytes.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-04-01T21:00:52.470340736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    5555

  • default_group

    000JULIO2020

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9b6cb0a0-83f3-4fe5-a33b-7b70d4dba20b

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    karmina113.sytes.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352283939531784364/Yf948pwSApUsiLnr9MAGps0lLX8TsGtS1KEtSIr5cILOjz5FV-aq6EBAh3nvYrVp1NTc

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
vmXa0N0yJa9Jr5jww0Ewtx9T9xzAsslh

Extracted

Family

darkcomet

Botnet

AuGUST 2020

C2

chrisle79.ddns.net:3317

jacknop79.ddns.net:3317

smath79.ddns.net:3317

whatis79.ddns.net:3317

goodgt79.ddns.net:3317

bonding79.ddns.net:3317

Mutex

DC_MUTEX-GPF8HHM

Attributes
  • gencode

    PvuvMlKPjBiy

  • install

    false

  • offline_keylogger

    true

  • password

    Password20$

  • persistence

    false

rc4.plain
1
#KCMDDC51#-890

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain
1
#KCMDDC51#-890

Targets

    • Target

      cd94462486ad6fad4ab587ad00762632.exe

    • Size

      78KB

    • MD5

      cd94462486ad6fad4ab587ad00762632

    • SHA1

      600e27f9eaa5040e50513248a440af60040ac9db

    • SHA256

      9868136efa35854a43f56eec9de8c32dff7745db42922395b828f592d56cea04

    • SHA512

      5e1090a78794afcc56304197bec0e90069d02e57808e2f9ac26b0e4dec76b8b148e006ecd8374a0c91648b61a6cf3663b95cc3bc5a601c59ef48b0561487ffb6

    • SSDEEP

      1536:Ay58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6h9/2iL1k6:Ay58An7N041Qqhgp9/2id

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      cdb97c07f0cbc499f78b386b2d398952a930a2715698d9b3589a5f4bb87ae2ca.exe

    • Size

      10.8MB

    • MD5

      27f8f6293118700eb3401ff832976168

    • SHA1

      7edb17a191cd8d652004df7b198b0134cbc9fa68

    • SHA256

      cdb97c07f0cbc499f78b386b2d398952a930a2715698d9b3589a5f4bb87ae2ca

    • SHA512

      5ab92059b9a3633e2bd48117992ce81a93934622f10f9f89bcbc1b89d1ca34797c7f97335285ffc4216b70f1b126908785a9a411a9f82faad25eab42d5493bae

    • SSDEEP

      196608:U1C2DECPLgsFf7FnOgq9Iyx/SyHMoQ5+6uRvgWeMbn:U1C2DECPLgsFf7tpy9fMoLZV

    Score
    1/10
    • Target

      cdfbee96df9f657c44ea8ed17e90e025.exe

    • Size

      758KB

    • MD5

      cdfbee96df9f657c44ea8ed17e90e025

    • SHA1

      60b1c1e4acaa26b34ffb6ea396747a97ac69372c

    • SHA256

      be3703dbb2fd2edad9de7658b62281ed0c66138dd4610872cbe7303e2382b7a6

    • SHA512

      9fd633c89ac8528993c5d040531d851dd410d554d05a6628bf280c4d6dbddebb8ba478c3b9b9836edc9f92b7ee10fe444b96ff98aaadf04f7c065f3f4bea182d

    • SSDEEP

      12288:w2NBsbg9KSBcGyUubSW3Gip0VFA2dh6t18fOklER9pEm5TTT:lPdBcGyfbSW3G8cFoef3E7pEITTT

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      ce01fc8942b621016741e3fd96b711a32c6375ebea07247fab8b310c8b744ab5.exe

    • Size

      2.0MB

    • MD5

      df757d42baa03d25e763fcdb563282e9

    • SHA1

      14e77f489c862495b7ea6c31e8a5a5b84d49b755

    • SHA256

      ce01fc8942b621016741e3fd96b711a32c6375ebea07247fab8b310c8b744ab5

    • SHA512

      8861b222e7623f661b70d4cbe1cdbb218f53755c98d5b8de628b9cb68b246abfe5b0774f130eea229c81b4ac396c6bbd8dcddc384832f4c9eb5928b66067c4c9

    • SSDEEP

      49152:zrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:zdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      ce5340f77345fe52a889a5f1543f19e4764b86984973180a8fae158fa960576e.exe

    • Size

      202KB

    • MD5

      964700eb187208919c2c957d466eb775

    • SHA1

      5d241ab240f041582e6fb7ab4d4f66b11530462f

    • SHA256

      ce5340f77345fe52a889a5f1543f19e4764b86984973180a8fae158fa960576e

    • SHA512

      db68a1e7ec77d191680bee581a16756137d6ba32196f6f65b0df31aedddbc2f0c998eeafb50073c0f890393dfad61b64162373b9e05bc2eac97afc1976bce4dd

    • SSDEEP

      6144:wLV6Bta6dtJmakIM5QdbAgjDkjtgyB9bXd:wLV6Btpmk9dNjDkjtn9bt

    • Target

      ce6d4255fc2065eaebf1bb640bffbef1.exe

    • Size

      78KB

    • MD5

      ce6d4255fc2065eaebf1bb640bffbef1

    • SHA1

      c0e4b4b8e72c833a611271413af7e43b5f286f62

    • SHA256

      f9b2e7880f9fb79d57ef595c54d31d8a47f0cfbf9970b0fdef7f9e42f1c6d3c6

    • SHA512

      b41b117caa136ff17e790e6304aa8b87f1cdc18c678cdc8763117510213e4bd8a4827bfee4f48175674d0c91a6b3ef4cbde0a86b85ce97233db1193183894ac2

    • SSDEEP

      1536:zHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte29/1M1U/:zHFo53Ln7N041Qqhge29/5

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      ce8f0a3c5b1faff7d414fc5d91588fa50e2806b342d348092d545ebc0a752bfc.exe

    • Size

      3.3MB

    • MD5

      e47e4a04d3f2b833125c3abfd1ddab94

    • SHA1

      87093becae5b3532803257e25dde22bef269f733

    • SHA256

      ce8f0a3c5b1faff7d414fc5d91588fa50e2806b342d348092d545ebc0a752bfc

    • SHA512

      519c6cd04472bc47a1e81d9971d849e6d832ba421742fd812ab1dd4912770f906bea547ff73b72ea2049e32c4078bc824234d60d98d7c9c7bde213c521fee17c

    • SSDEEP

      98304:lRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/6IzL:lkj8NBFwxpNOuk2kzL

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db.exe

    • Size

      707KB

    • MD5

      96c50f871ceb7ee1a0b41dcca8da5c01

    • SHA1

      d8946f0af6156c6f69895a2808734d2696660ada

    • SHA256

      cef4f0409df2a015e20411fdf8317582dc6ed5f56993dd0122b8006cd695c1db

    • SHA512

      0ac872561e55a4c2cea0cd6aab965637b4ee6945552aee0a9b1e28ba338d065f98e782e433f7e3ccd464f18bc2ba14307b453ab2b3de8172a7f186018008802e

    • SSDEEP

      12288:9Yxg7plFfjTt/iCiUjM2CiRxNvRJdo/G20F2ilcVeaeW52VJ9GkwPhc:9YKp/jR6Cix2PnNRY+20F2jVEwkw5c

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      cf15609eaba6912ae9b6d7d424c25519f4a8ff30c550a599b00e2ec79d310681.exe

    • Size

      485KB

    • MD5

      b4df9da0440cd7c36fca6880c217b015

    • SHA1

      de8126845c5d57f2a971bc32e0448e18614dc3b1

    • SHA256

      cf15609eaba6912ae9b6d7d424c25519f4a8ff30c550a599b00e2ec79d310681

    • SHA512

      ffc18458f9fed0c3d98fbbc381fc461da7c6ca930ad0e75445988e6b24fb6e2613ee0be602c6605fc2ae6a60c273a56072e1ada533616a8006a22091ab08bea3

    • SSDEEP

      12288:++P0Rhc9iHfc1MUNheqhhRtzCUxIPeLBV9:++PLo/+rHFxCUxI6

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      cf3f6f628505c197d6909686370e5f6e.exe

    • Size

      5.9MB

    • MD5

      cf3f6f628505c197d6909686370e5f6e

    • SHA1

      98cda86393598f0aa526c80c10e377562a1cf0a2

    • SHA256

      2b323a76d3a42fa7ff85eac60489c1b6dc4347df65203ae95f524d205e9f5a15

    • SHA512

      de5ac0268bec608447260034e784a60a176fb777ec17f0583cbcc1515792ec765c013de4e696456c89ec97bc5c90245fba4104e830a764821544c08acd1b76c0

    • SSDEEP

      98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4e:xyeU11Rvqmu8TWKnF6N/1wH

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      cf450b1869e9064758b27a7df84b5117a9bdc5e448a47f5170904649fa7fefe9.exe

    • Size

      1.8MB

    • MD5

      dc3e79dfedf92a612126b15d8f7c2689

    • SHA1

      0e263e234e10b2064c7f567a8712272968ed9a59

    • SHA256

      cf450b1869e9064758b27a7df84b5117a9bdc5e448a47f5170904649fa7fefe9

    • SHA512

      b1f0d3c929e61eb10affb637b1f4740dcf058c1ac0b71059112acd9f4689c208153140fb2342d7b08a92251e3613e775d768bd1aa11238d21b66fa2d11baf673

    • SSDEEP

      24576:ID39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6Y:IF+QrFUBgq25eKu6Y

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cf56059ae5d477487f8605c5301ceca1.exe

    • Size

      896KB

    • MD5

      cf56059ae5d477487f8605c5301ceca1

    • SHA1

      7118153147b2cc536e08289ba9c2e798ad38f682

    • SHA256

      cf2fb8d689133eb34553698a3ace508c2cc87c0677df85431cbe89c97e7a1884

    • SHA512

      d6ab0987781cc98723530a8f453cd0667118b235a6ef0700e016893103968a63052e7353ec9875e551f488f2e353a0613bf80e8068e5fe076ccd6aec5d1933af

    • SSDEEP

      12288:7p+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9M9:7pugRNJI1D39dlfGQrFUx9M9

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cf79ab31cc7f483d3b8572ef14b47804.exe

    • Size

      4.3MB

    • MD5

      cf79ab31cc7f483d3b8572ef14b47804

    • SHA1

      aea4389610858f29651d64e803966aa2c73fd066

    • SHA256

      1ee95a58aee1db0ccfc2b2e9b101709f900424fc09dfb7546a05e10af585e94e

    • SHA512

      298bb3423ebc4c36f9e995c6c19062e7f690c2a25cf5ff863c1763168408cd9e79f3c8ca903be807d923e2c0f3be3adafb5ea448e96ab0799be658bb6d71d4b1

    • SSDEEP

      98304:QPisBEKH5f3TsmgXBoRapwAY5hB+MgTFDraS:QPisBEKH53TsmlRapwAY/B+xBZ

    • Detect Xworm Payload

    • Modifies security service

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clears Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      cf8d6b1a05c4369c93e7cfd13bf472ffd3ca8206e8ea41e132069d5c485a2a68.exe

    • Size

      273KB

    • MD5

      510563aeed2b9b0098bd9d7555c47e1b

    • SHA1

      98bbc55e43d466ca563aa80eb13ec1a0a822f05f

    • SHA256

      cf8d6b1a05c4369c93e7cfd13bf472ffd3ca8206e8ea41e132069d5c485a2a68

    • SHA512

      6a9740e969f54dbba54373f1ea8f987cacf6846127e888b891d5f69fd0a9ec6056703f4ae498d803c5475a919e9eba128b08300e533131fbfc5fcbc7f7663d78

    • SSDEEP

      3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdTq:WFzDqa86hV6uRRqX1evPlwAEd2

    • AsyncRat

      AsyncRAT is a tool written in C# that is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cf96c893c9bc9bb1f6bbf4d1e00c0910.exe

    • Size

      9KB

    • MD5

      cf96c893c9bc9bb1f6bbf4d1e00c0910

    • SHA1

      e11e16a46ddb5475b01b1c0daceec36dfd465f1d

    • SHA256

      7493d1c2a3fee1884014759f1de1e52f159351ac63ed4333689f0f901e0519f0

    • SHA512

      ca4cd53018b475eb5cf08776ec5e2d0b9098663071cd0b0b5dc89a795da75a8c38e81678ed758eb3fecb2914856ba2e4821fda36da7268ee064d092b9012e459

    • SSDEEP

      96:wkjzBFZHTLGxWGTRqlNzKDhFrvDgZcaNzOG8mY87QtZ9bFEAyGQxDzNt:wkjFTLGxW6g3GzLvaNCG8K7mE3DF

    Score
    1/10
    • Target

      cfd31bf82d7172bd87616d4d9310518d54d29699e851d81df254138d7e29859b.exe

    • Size

      248KB

    • MD5

      ca51d09aab3cbc9702d5ca12fb345028

    • SHA1

      53f4ce3cf684e3f623eab636cecc4db1f3046073

    • SHA256

      cfd31bf82d7172bd87616d4d9310518d54d29699e851d81df254138d7e29859b

    • SHA512

      3b3eb9bb77f9a50d21ce7eebc675530091b94216cf9a758eaa39bdbcae8738e95c79ea35da06f969d80d6ff372978fd54ae37bec74b93344d8cb0454237398cb

    • SSDEEP

      3072:EGUPXd3Y8WinC/4+tNDB0fqHx38jjqIl/587+nypZyqasY5oxl:EjXWinyJMiP7LZpaGx

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, dcrat, nanocore, umbral
Score
10/10

behavioral1

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral2

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

darkcomet, august 2020, discovery, persistence, rat, trojan
Score
10/10

behavioral6

darkcomet, august 2020, discovery, persistence, rat, trojan
Score
10/10

behavioral7

dcrat, infostealer, rat
Score
10/10

behavioral8

dcrat, infostealer, rat
Score
10/10

behavioral9

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral10

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral11

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral12

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral13

defense_evasion, execution, spyware, stealer
Score
8/10

behavioral14

defense_evasion, execution, spyware, stealer
Score
8/10

behavioral15

xworm, rat, trojan
Score
10/10

behavioral16

xworm, rat, trojan
Score
10/10

behavioral17

discovery, spyware, stealer
Score
9/10

behavioral18

discovery, spyware, stealer
Score
9/10

behavioral19

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral20

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral21

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral22

remcos, host, discovery, persistence, rat
Score
10/10

behavioral23

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral24

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral25

xworm, defense_evasion, execution, persistence, rat, trojan
Score
10/10

behavioral26

xworm, bootkit, defense_evasion, execution, persistence, rat, trojan
Score
10/10

behavioral27

asyncrat, discovery, persistence, rat
Score
10/10

behavioral28

asyncrat, discovery, persistence, rat
Score
10/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

spyware, stealer
Score
7/10

behavioral32

Score
1/10
