Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
archive_62.zip
-
Size
68.8MB
-
Sample
250322-g22beay1f1
-
MD5
2f214aaae98b8aed199299298e7fe7ab
-
SHA1
221a0795b2a49fdf7b68a17c7c86fd5ffaac3c2c
-
SHA256
35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7
-
SHA512
65b5c02702a42746f7aceb4e1a8429a265de8946c1100df2d88d93a469ed74ed15140476ee4f198098fcad06c9a52f40f6a4e9b1978f52c3250925d3068f1536
-
SSDEEP
1572864:OtL73jpYsjZix3e5jkf5KcUlqW/xTy6xjrHHaMS:OtLbWiZiYL9Tfjrni
Malware Config
Extracted
xworm
5.0
147.185.221.27:9999
Xb1ZZPuPdjP7zT1W
-
Install_directory
%Temp%
-
install_file
smhost.exe
Extracted
nanocore
1.2.2.0
hmm.serveirc.com:2012
91.236.116.142:5888
03ec6394-477c-40ab-8714-c4a0b6b5b06e
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-07-24T22:11:33.573107136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2012
-
default_group
Porteeeee
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
03ec6394-477c-40ab-8714-c4a0b6b5b06e
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
hmm.serveirc.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
xworm
girls-res.gl.at.ply.gg:28072
-
Install_directory
%AppData%
-
install_file
BlueStaks.exe
Extracted
njrat
0.7d
dwm
sniper30.ddns.net:5552
724edd0c3bf5845562ab6fe5833d6399
-
reg_key
724edd0c3bf5845562ab6fe5833d6399
-
splitter
|'|'|
Extracted
umbral
https://discord.com/api/webhooks/1351374291261718571/m5LIIWlqorXnzT48pitTuxfMUMetQJ52rJhbTqyDfIywVmJ3ZnM3iUIHTa3R0uTiMSFB
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Boy12345#
Targets
-
-
Target
fa9684b8aa290d6ff1b647323a6d35f5.exe
-
Size
885KB
-
MD5
fa9684b8aa290d6ff1b647323a6d35f5
-
SHA1
eaa2e4dec8b464bb28620701b1be6e43c213e353
-
SHA256
c9fe3fb036b54f47621312aa2237e9b9038c52f1b089c3c5fa047d4d7e5d7eca
-
SHA512
7f47d4b4b51fdf860ed53cd9710a72898fe14200904542d7a7ec8e0c6c2b617ee094307b061d8cb951c0966a66779e5bfda9a60d9782055b17e2005adcadf1ca
-
SSDEEP
12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
fab34117f7b728cbe6b6a07d7ff129aa.exe
-
Size
43KB
-
MD5
fab34117f7b728cbe6b6a07d7ff129aa
-
SHA1
3178382ca5e4939a5f57d981eeaec6ed23764af6
-
SHA256
23affea66ac01cca328934667b06c301d50de4e626ab6a157c312b9846556768
-
SHA512
08da868977244b4b4dde7e17e6b265b9f073fbd25ac6d82b942e5d76311792730c0576d4fee907a1ee0f2c86a0942fca5ef17357ef1befb27d57ed2ac5a9c416
-
SSDEEP
768:8Ty91r8Osg+lxS4YKzMrw99GT92sv5M136HbvjHnEqvtW13GVIL16Ycxgjd8NgsW:tKGgNObz7iNpuRHCCrk
Score8/10-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
fab48bce3470fcdc7b77131b73cd9db4.exe
-
Size
916KB
-
MD5
fab48bce3470fcdc7b77131b73cd9db4
-
SHA1
621d0c5b4e3268a57578ed32dccd75228fe3fe57
-
SHA256
fff49706e34b96eb43f5511abebc81549f6c387f5bd40f38e9dedb6da7a5ed80
-
SHA512
28c983347875ca864a16206206563a8d0da370d387df7abb0cff75834664b432f3d4dfcc1eeb2fe0013ec9942b628a4be2bf8fd47ba779766352bddfdfe52448
-
SSDEEP
24576:xdtP2cbksTpugRNJI5kFMJF9OWjwjLOjZA:CgqC
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
fab98623ff825ef3c56bf150ac25d34d.exe
-
Size
78KB
-
MD5
fab98623ff825ef3c56bf150ac25d34d
-
SHA1
0aacdb9038e7cc75c3ab5f1e372443fd14169034
-
SHA256
b390dbd5fb779b5cd769c4ff27bcb90b10b4516578ef184f0030008ad4413610
-
SHA512
203052dfd4463b61374e0c7407fc3399198ed1a33ef89a22f85be41435a10b670128038ab16822eafc212841685eee27d7cf12c7bedea4948f01be021c5d6bff
-
SSDEEP
1536:4V5jS9dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6r9/615A:4V5jSon7N041QqhgE9/l
Score10/10-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
-
-
Target
fac2d1b39cd0231d245b4d4271a32dae40a51d5ac6091f83cf645af3d83e571b.exe
-
Size
2.2MB
-
MD5
c2a095de1f7f245e7f058eb5c2face93
-
SHA1
fb1e5340b65b8a3dad1895356a76d823901d2d9f
-
SHA256
fac2d1b39cd0231d245b4d4271a32dae40a51d5ac6091f83cf645af3d83e571b
-
SHA512
ca19159b474a90834e07b6f43529dce92d0d3987f371c154896fb8fe90c7525568acd5447e29204195ecc70acb2c8b592f0c09ab4d7e034f0a90400edb2cda92
-
SSDEEP
49152:uNqeHDuVqAuGODITYbNbNWo4kSH3OqtwIrkqXfd+/9AqhMa:u6VqA30IT4bNJFY3Oqt3kqXf0FnhM
Score1/10 -
-
-
Target
fafdd4e18554dbe82fc6f522d5bbd4a32162ce3e9dc0a11ccc5b91d6767a841c.exe
-
Size
920KB
-
MD5
b914cbb2752c2f58ab475961ab6a272e
-
SHA1
29f668f21b83d694718a47d0b1656b53285a4951
-
SHA256
fafdd4e18554dbe82fc6f522d5bbd4a32162ce3e9dc0a11ccc5b91d6767a841c
-
SHA512
cba115906d84794020fe16213421d1221036b675444eab95002a10a331138bc5c77f568b4f29eea3a11c75a1df5b85b36461cba1a81fae4afb992048dd056bbc
-
SSDEEP
24576:7dtP2cbksTpugRNJI5kFMJF9OWjwjLOjZ8:4gqK
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
fb29a0de0487b94558425bddaebcd35bc23178df4dfd02764d210ac340aecbad.exe
-
Size
4.2MB
-
MD5
b142c22a4b730698066a9b01dd1cd332
-
SHA1
1db27bccc26eeef4ea2892f833c6363c239a3b0c
-
SHA256
fb29a0de0487b94558425bddaebcd35bc23178df4dfd02764d210ac340aecbad
-
SHA512
6294776bc8d7d16502be660819e2e3dfb11ce59724d4eb925244f1b06ca7a2129a57fa7cefceeb42e016c2b7b7880e0fa47f9c13691d00b414d501e1f859d7ca
-
SSDEEP
98304:5BBBYSBFyRfZBBBBBBBBBBBRZFIF2C0Ucwti78OqJ7TPB66K:AIGUcwti7TQl6
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
-
-
Target
fba3c6ae202184e540a331393c5f16e7.exe
-
Size
1.0MB
-
MD5
fba3c6ae202184e540a331393c5f16e7
-
SHA1
3a62fab7a75b9f09618973d3fd02baef3d3eddd6
-
SHA256
e739161dae14c84de4d442a5bb824831c682ecaab8620d01f4123d4609053864
-
SHA512
9b60e1993ab64f1c69aedbbf6f94bbdd2f310fe12b91d9adc92de035e6bb14d229cb93e0db1f8b05fa20b91f30a28dcc4b2d5726ed1392939a4f5bee562bdd86
-
SSDEEP
12288:lz7IFjvelQypyfy7z6u7+4DvbMUsIGoHut2W:lz0FfMz6TEbMUskH0
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
fba6f3a4d4330513edec704de64fa9b5.exe
-
Size
12KB
-
MD5
fba6f3a4d4330513edec704de64fa9b5
-
SHA1
19de35a13c98834019e75efc26ba4055d153633a
-
SHA256
56e5a7de1ecff4ac94a3c8efb0a1592b8df057062996e20bab3312cf32d352ca
-
SHA512
4b7ab16c957b634da29fc9db68588f6e2ff3824e82a5e154e751e58e2d590b53988464d4a05df8e4e4335dc4a658591446e04eb910caf38c917370a0810ecccd
-
SSDEEP
384:0L7li/2z5q2DcEQvdacJKLTp/NK9xaZz:iZMIQ9cZz
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
-
-
Target
fbcf00ed27bac15c981d237c31af77c6.exe
-
Size
722KB
-
MD5
fbcf00ed27bac15c981d237c31af77c6
-
SHA1
d22710a8d38fa7e326e050ef413f287eeb8dc990
-
SHA256
c82c8f715142e8bb457caeef673c059332a6bbcc4dbb9c5648b5af9228fffda7
-
SHA512
486afdcd21c13c4c3ad39028c32e699eb8bcbff36828a2d7cb2e1fe58cb05012993067f54d06f065a9b58f2c58e7495cb727244957cf214199bd27c5e0cf42ed
-
SSDEEP
12288:FCxlloF+e4yELhDwd+svQihT7p05NIlRvbz8wIc4CvnlOrmJDSdyxCyASoVbc4z:FClQELhkag7p0D2vbbIc4CNy6SdyxySK
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe
-
Size
3.3MB
-
MD5
931086827557928414c989f9fe3e8026
-
SHA1
e2f7b5eaf7690965351425775bce2ac1dcff2991
-
SHA256
fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc
-
SHA512
a9397a2a8a09c4f7075cac8179291c745f9ef71e9ea0c11912ff26267acf17a9ec9f0867d561c790ef78de8fccb93fd8588a5b3b7cae94a7edc7efa9ac76f27e
-
SSDEEP
98304:mRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/vWd:mkj8NBFwxpNOuk24Wd
Score8/10-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
fc0103e816984d1e97626e76a8d18d3d.exe
-
Size
35KB
-
MD5
fc0103e816984d1e97626e76a8d18d3d
-
SHA1
2dc01271ff1b12d7371b9b00814b352ec7fec649
-
SHA256
26dcef17d03bf49ee2800449e47fe58e65a1850463f5bee3ce8d8db47db97ab1
-
SHA512
88b9d200a949bf8b12ecc41d3020ed8c3f7bfafcf1175203ed5691eabba6c546b204f1f6f2148da168e3849be2312a295a8d118fd269c6b6855b67e7bc87e68d
-
SSDEEP
768:zDS4bdiN/IGd6fm5Fyw9P+6RO/hIS/g9:S4bdwBAIFP9P+6RO/yIW
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
-
Size
17.1MB
-
MD5
fa0e322603aaf81e5fa0a87eb1c09709
-
SHA1
06c4419a8d992ca2c5e0b082cb7b8884aedc7135
-
SHA256
fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7
-
SHA512
258082e619cb8ea13f97de4438eb2bbd98ab04bb744e7b3ae40eaa311feceba80d9110ec9f42c1867bc7d3c2d7baf296fac1b03cf9d38db17c4a83d753cc62c1
-
SSDEEP
393216:8YGbY6iHonlQCe88BGAOvDPuyyjIIn98BP7ZrsBSrOi83t:87Y2CCeSupnQsBFt
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
fc6ef4e0d5a7d150903c47cf60fa3ea21d7f0cdf7d0eeadff0cd910bdced0e7d.exe
-
Size
2.0MB
-
MD5
ce0ba340321e441f21e744b474940350
-
SHA1
e145ecc8a3aec3c78f3779cf0f88b01eb24632f4
-
SHA256
fc6ef4e0d5a7d150903c47cf60fa3ea21d7f0cdf7d0eeadff0cd910bdced0e7d
-
SHA512
a6010e53230f8e6c006205c54adc50a2485813e0dd4c0f3b83fd9e928e74366a123e478b3536af8656d87f08a777aa02797c05dcf99c917b80ffb365077408d7
-
SSDEEP
49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
-
-
Target
fc79307cdb028b94519033c54ade814fe381ebb17c66a81aa6624a7c6db9a5f3.exe
-
Size
202KB
-
MD5
a92a42330d077b5bc8837f9465ac619b
-
SHA1
b264154a3291b413bfa88032f71f8eb632ce1340
-
SHA256
fc79307cdb028b94519033c54ade814fe381ebb17c66a81aa6624a7c6db9a5f3
-
SHA512
e57255a267263d4c70d74b5bd9a99996326ea0450e9fab9c8d5bbe2d2f4dddbb402bb0254b89737280031f7fa7dce4cefa261f68fb2d7f46e08cc6efe8065b6a
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI0VblAoZefM9cUpHtFQuIXnUUW:QLV6Bta6dtJmakIM5jZefMDCBij
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
-
-
Target
fc89267e95fb4313863bc6e01cb80dad.exe
-
Size
610KB
-
MD5
fc89267e95fb4313863bc6e01cb80dad
-
SHA1
d81543b40e2de4788777c6fdc916cb8fa713531f
-
SHA256
a73964de2bac548d66d8e4cc2d0375bdbd62542ac01bc39a80ae58b06ee44661
-
SHA512
04149a8353c1898c683e72ffda8180884499a10974d157743d7aa2c43dc526946ab953bd59c72566c8809e43eb93e7d4b684d6470145d31dd5f179724d639181
-
SSDEEP
6144:RCZFtPj9clDVCnKfBzU7l0df6WzfMaWH+1fbp7l8U4Ooi:RCZFpjKlDVDppPsxBi
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1