Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

fe25de503f...5a.exe

windows7-x64

10

fe25de503f...5a.exe

windows10-2004-x64

10

fe282eaa90...45.exe

windows7-x64

10

fe282eaa90...45.exe

windows10-2004-x64

10

fe402f76d3...4d.exe

windows7-x64

10

fe402f76d3...4d.exe

windows10-2004-x64

10

fe55574c53...c0.exe

windows7-x64

1

fe55574c53...c0.exe

windows10-2004-x64

5

fe8a65a43d...3f.exe

windows7-x64

7

fe8a65a43d...3f.exe

windows10-2004-x64

7

fe99ddfdfc...6c.exe

windows7-x64

10

fe99ddfdfc...6c.exe

windows10-2004-x64

10

feb2c82a66...50.exe

windows7-x64

10

feb2c82a66...50.exe

windows10-2004-x64

10

fef2b831e5...91.exe

windows7-x64

8

fef2b831e5...91.exe

windows10-2004-x64

8

ff03c0c01a...cd.exe

windows7-x64

7

ff03c0c01a...cd.exe

windows10-2004-x64

10

ff1699c2d9...5a.exe

windows7-x64

10

ff1699c2d9...5a.exe

windows10-2004-x64

10

ff573ccb26...dd.exe

windows7-x64

10

ff573ccb26...dd.exe

windows10-2004-x64

10

ff5eef1816...3f.exe

windows7-x64

10

ff5eef1816...3f.exe

windows10-2004-x64

10

ff9b69031d...c2.exe

windows7-x64

10

ff9b69031d...c2.exe

windows10-2004-x64

10

ffc0421dee...0b.exe

windows7-x64

10

ffc0421dee...0b.exe

windows10-2004-x64

7

ffc45f2c58...73.exe

windows7-x64

10

ffc45f2c58...73.exe

windows10-2004-x64

10

fffa7ee6ec...91.exe

windows7-x64

10

fffa7ee6ec...91.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_63.zip

  • Size

    16.6MB

  • Sample

    250322-g243asy1gs

  • MD5

    da56157918045aef5a930af0d866cba2

  • SHA1

    ea37d14d38da6c3ee30ad7ec3f9625e83d49ee2a

  • SHA256

    ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

  • SHA512

    018823503967b49b6021a737a5671045aef62fb89b35c33c412e57d19689c8196ec2bed8a380f9fa26bb44364d9ac9dced1cfd025de672b464c6f02f35e3ae68

  • SSDEEP

    393216:H77W5szE6LLPsj7cbOZm3cKU54N6RsBq2xgWNfsNpnqkSC:H7aslsjaOAU54N6uwcPaf

Score
10/10
dcratmetamorpherratremcosumbralxwormhostdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351005466335121518/twCTnfzoSiI-aCcNO4qPr6FH-T4gOkPWQV2wxS9C01GGw7XemgcLtgFXaMAxuEVtAD2v

Extracted

Family

xworm

C2

xkpog9yml.localto.net:5392

:5392
Attributes
  • Install_directory

    %Temp%

  • install_file

    windowsservice.exe

Extracted

Family

xworm

Version

5.0

C2

192.168.31.83:7000

Mutex

YenTYj55WBldZrhk

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000
Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    OfficeUpgrade.exe

  • copy_folder

    OfficeUpgrade

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    Upgrader.dat

  • keylog_flag

    false

  • keylog_folder

    Upgrader

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    req_khauflaoyr

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    OfficeUpgrade

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      fe25de503f5fa57842d11d2180a935855b8f89b23fd6fa95ff10272cee5f305a.exe

    • Size

      246KB

    • MD5

      34498c04705f269e79dd09c555ffd2a4

    • SHA1

      744d9cdaaf4033b944563fb79800c8ddeffffeab

    • SHA256

      fe25de503f5fa57842d11d2180a935855b8f89b23fd6fa95ff10272cee5f305a

    • SHA512

      fd3f4f296d62376f08a1ce9dc8b4baefe03334edc2d55633fe8016cf0e90e067a7b6949e73605e102aa22f389da96ef8e8c1589f521583173d28fdd195e0a3a2

    • SSDEEP

      6144:2loZMKrIkd8g+EtXHkv/iD44Uysn9GuBD0dP6aPahb8e1mJchi3:AoZRL+EP84Uysn9GuBD0dP6aPW+c43

    Score
    10/10
    umbralstealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      fe282eaa9036b889aafc6db602127b45.exe

    • Size

      885KB

    • MD5

      fe282eaa9036b889aafc6db602127b45

    • SHA1

      65e037b4c6a892801ac475c201219167f89d1f48

    • SHA256

      1a55e2bcf26895655a7da6acda6ecbdbef033d60bf805aaf4ef88c0cf6348cb6

    • SHA512

      c3a913f2ba698ec5d387cb394b7b6fb600271dcb7d2db8c8162d2f6c90c9dd123d4f9dcbd482d6ee8e76c83cacb566faf4f7bd92fea981e2c49fee8817854d39

    • SSDEEP

      12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral3behavioral4

    • Target

      fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

    • Size

      1.6MB

    • MD5

      82d57ff1bfcade0c2a515e8f860739eb

    • SHA1

      01c4325519c55f650dd5fb98e9c41422c987f982

    • SHA256

      fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d

    • SHA512

      7c0477a2289ff1c1c943f3938166cd8c00c898d212329c84de27140942918b028afa2186fff12694bc914fec8cf1141813f0e3024a5d653ebb4dbc6c6d2fe519

    • SSDEEP

      24576:xU5rv4BImFXHPqAv21Y9odIq+gnEJWoOyrHDBEPkyFzN3AAkzvL+x:hpftpodIq+sEJWArjBEPk4z61vL+

    Score
    10/10
    dcratexecutioninfostealerpersistenceratdiscovery

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      fe55574c53882722b864ad5f07d521c0.exe

    • Size

      474KB

    • MD5

      fe55574c53882722b864ad5f07d521c0

    • SHA1

      b899eadaab87554aa3b7703fcd1f222df4984661

    • SHA256

      3a56e488aafbe5ed4cab6c23d375afdc8a3e5d65a049644505fb11e0ca893361

    • SHA512

      6929e791a0267372e0da0fd646d8f623b6927545680114845b1471824c78aa534cceed82782ad44acb6c7680c53b93b2d642b7a8a3780fd7f2f979d2ad1056ab

    • SSDEEP

      12288:FkQLJR6x0yHmwzyEjEgqaCanpEowh20Y:OQX6x0yG0yEw8OrY

    Score
    5/10
    discoveryexecution

    • Enumerates processes with tasklist

      discovery
    behavioral7behavioral8

    • Target

      fe8a65a43dcdd12c0341ab7e5cc56c3f.exe

    • Size

      7.9MB

    • MD5

      fe8a65a43dcdd12c0341ab7e5cc56c3f

    • SHA1

      237ef3713a9ac7680f4f8ffc8c91c75b23f44b70

    • SHA256

      ffb47a00036b3d8580bd9cb61aed80d3658598bf0fc8a96dc8d81f04980a8f65

    • SHA512

      9032a4015ff5d172e26be7f91e6d11f33032784f48fd5f8d51a4d2a8b2a79c634f2efd081ea448728e14dad338f2f76a57a87bb35e22de5fdc04b9ad0eb01c3e

    • SSDEEP

      196608:J9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZB9:JmqbhrEbn87eZsFmq+J

    Score
    7/10

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral10behavioral9

    • Target

      fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c.exe

    • Size

      144KB

    • MD5

      2c55bdee9b3ac74ea1c16c0c86deb93c

    • SHA1

      f74a12160819d97888e93e5b56067d4b24413791

    • SHA256

      fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c

    • SHA512

      aebb19b54103f9aa2efda1da908fd08bd9e426610e7c6bccda92ceb0dd8116795b5ed54e6d05c2eb8588eb63fb2916970e443fc6639451e330e093d39f7ce3ae

    • SSDEEP

      3072:3IJrjowkba1TOi1M+lmsolAIrRuw+mqv9j1MWLQI:3IdAbT+lDAA

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral11behavioral12

    • Target

      feb2c82a6695709d9304734b55a6a350.exe

    • Size

      1.1MB

    • MD5

      feb2c82a6695709d9304734b55a6a350

    • SHA1

      3554b395961de66e5d84c1fc0ba527a0c205d965

    • SHA256

      56d979b2ce2e20c7cb13c3cf49ec8c462f311fe38f2b75e80a4e90dee425c844

    • SHA512

      952f21c0c48c66e5a17c4cd757d107de6d45fff4b2e0e8506e29910287b9888e8f8f5344edda596393d23d300c3048a60b6ae94386daf1acbf4c8032612ac2db

    • SSDEEP

      12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral13behavioral14

    • Target

      fef2b831e5d7a921a1fce11bc1827b87250bbca7552946a14444c35dbc4e1591.exe

    • Size

      3.2MB

    • MD5

      7494010a358747ff81d28f600257398c

    • SHA1

      2e23901e568bc0c51f9c8da9a193c52c0b9b6be8

    • SHA256

      fef2b831e5d7a921a1fce11bc1827b87250bbca7552946a14444c35dbc4e1591

    • SHA512

      be92074b60041dd130f13f548cf5d004605efd9aae0a4f362b5c40060b740ff97b5f531d0648e73e30a63cc611ff007d6a091fed301092485d886ad67eaddcfb

    • SSDEEP

      98304:nRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/d:nkj8NBFwxpNOuk2I

    Score
    8/10
    defense_evasionexecutionspywarestealer

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral15behavioral16

    • Target

      ff03c0c01a5acef84aa5acdf32b445cd.exe

    • Size

      135KB

    • MD5

      ff03c0c01a5acef84aa5acdf32b445cd

    • SHA1

      77af93279f4ae2982295644f6ce973a3ebb7ff9b

    • SHA256

      0b6f9ec209f440c66c54faa378f8208e8aa8d996156161f52d580dcdcaeb3e08

    • SHA512

      b1ea91b7dfe6a3ce52ffd351324c5f623a3dd33788ff0973240b498b0da167121b142bb8642f70692e6f5ff321a5fe6cf647231a520880d7f48b14e46b4cd61f

    • SSDEEP

      1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK4:xPd4n/M+WLcilrpgGH/GwY87mVmIXI

    Score
    10/10
    discoverypersistenceremcoshostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      ff1699c2d9f4f22e51e270417a93a15a.exe

    • Size

      849KB

    • MD5

      ff1699c2d9f4f22e51e270417a93a15a

    • SHA1

      9f17a9e3c2d549d24fa993c723a3ad50b7f60ba6

    • SHA256

      5569d2a749ae8057fb0b05849ad9bf5cef65f28c081cae2a2ddc8ae1e7c76528

    • SHA512

      dc7fac70d397ad94321b1b81c2d53cfe4bc6d444e4f7a5a5f6804ab1529ca6ed41cd1a16675738ce2f083e291bdd4f7efe3053cff61ce4287a5fc719a90c910d

    • SSDEEP

      12288:o6NE5ig5Fttrh5PxjUm5SvDdLILaBFkjKuAMx6A5gtbGk84Ca04jtiPBgGKYTx:o6N297PxbsKtC5AHgk

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral19behavioral20

    • Target

      ff573ccb268f734e737c764bc60f0ddd.exe

    • Size

      78KB

    • MD5

      ff573ccb268f734e737c764bc60f0ddd

    • SHA1

      f6307bb87f39aff19b50aa309ad56ea22eb69f65

    • SHA256

      42e0a790c9bbab15940b9e180973a701e2cc10b1bbfe1e2bd7cb2fca96033fed

    • SHA512

      cc143a391b8793609d22fba916ed5ee12719bfd169f31c43cffe926c7bed1c10da17ed7e98ef4cce4709f1000f2b77b558cac1d33be5d72e4e229b688cbf99d9

    • SSDEEP

      1536:SRWV586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6p9/I16D:SRWV581n7N041Qqhgx9/5

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral21behavioral22

    • Target

      ff5eef1816b5037715c6da38464a8a3f.exe

    • Size

      1.1MB

    • MD5

      ff5eef1816b5037715c6da38464a8a3f

    • SHA1

      ba123a98299528f73ad8cbfa234d3fd9a78c47f5

    • SHA256

      66495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104

    • SHA512

      daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c

    • SSDEEP

      12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral23behavioral24

    • Target

      ff9b69031d761a8641f29c72ab6db843864620d9db1b867995e370840a891cc2.exe

    • Size

      2.0MB

    • MD5

      75bd3c5ea13295c7d85a7fea4a272f07

    • SHA1

      aafcc739ed77771c81c04c51ce9245659f6534cc

    • SHA256

      ff9b69031d761a8641f29c72ab6db843864620d9db1b867995e370840a891cc2

    • SHA512

      9adf5a8ccf294070d01fb19c2bbe784a33cfed2ca87bd31f9ebd1f774d566631c1866b8d66ae80b9c6d9c38f1e498120ac9f738698fa4274f2bc6a79424b1842

    • SSDEEP

      49152:zrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:zdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral25behavioral26

    • Target

      ffc0421deeff7949183a7fbc2e55850b.exe

    • Size

      78KB

    • MD5

      ffc0421deeff7949183a7fbc2e55850b

    • SHA1

      5b888b2bf9e78a7c4c1eababc2446b748278c72c

    • SHA256

      55d9d11da5706ae89bb9891ea49eb9c86b1bc7e253d7bd3cd5d4ce6c28a91a4c

    • SHA512

      c2bb1eb1353ec4903555dac8371ac1740739f5a56976e81c5d6c904047f38c039bd6e302b889278663ddd66f63407f54601ea261919e3155fb8849dc6c35712c

    • SSDEEP

      1536:dHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtM9/Q1GI:dHY53Ln7N041QqhgM9/m

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral27behavioral28

    • Target

      ffc45f2c5865480a76df2d8f64009673.exe

    • Size

      885KB

    • MD5

      ffc45f2c5865480a76df2d8f64009673

    • SHA1

      ed4d772472682c390f3adcbab5f34758e34255a2

    • SHA256

      2301d9d871089a3d47d66f630934afd65d4be33e3650a14e016275635c2b736b

    • SHA512

      44907f4b8add6cbf4534ef39180c054ac80f47e94e730afb4b5ee53207476bea980fcda1be66283f4fd20ff9d6923e89e74c375fda74068249b2fbe27b8e158a

    • SSDEEP

      12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral29behavioral30

    • Target

      fffa7ee6ec076412930605bd55bbc491.exe

    • Size

      45KB

    • MD5

      fffa7ee6ec076412930605bd55bbc491

    • SHA1

      a9a19e0a8e7ab2b0770b6507315b764571ba60f6

    • SHA256

      7c4a0a8ba7e030ee3797fd56d465a4261e7a5eb4a57e703485cc702b5c73a35f

    • SHA512

      4fa60f50aa71e65d71595eda3ff4c7dea3d3ae52414714c3fa25d3b666e16968cdc0b24dab3cb4d2b58aad681d55397a9899f7ba3226372dffc037bd782b3293

    • SSDEEP

      768:81jGUOC1hHJ90bUWGdBEcNcJhlVvD4xeVhKfkHLbFEPa9pvN6iOChjzjuf4j:8pL51hp9XRajlZrOM/FJ9NN6iOCBagj

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks

static1

ratumbraldcratxworm
Score
10/10

behavioral1

umbralstealer
Score
10/10

behavioral2

umbralstealer
Score
10/10

behavioral3

dcratinfostealerrat
Score
10/10

behavioral4

dcratinfostealerrat
Score
10/10

behavioral5

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral6

dcratdiscoveryexecutioninfostealerpersistencerat
Score
10/10

behavioral7

Score
1/10

behavioral8

discoveryexecution
Score
5/10

behavioral9

Score
7/10

behavioral10

Score
7/10

behavioral11

xwormpersistencerattrojan
Score
10/10

behavioral12

xwormpersistencerattrojan
Score
10/10

behavioral13

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral14

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral15

defense_evasionexecutionspywarestealer
Score
8/10

behavioral16

defense_evasionexecutionspywarestealer
Score
8/10

behavioral17

discoverypersistence
Score
7/10

behavioral18

remcoshostdiscoverypersistencerat
Score
10/10

behavioral19

dcratinfostealerrat
Score
10/10

behavioral20

dcratinfostealerrat
Score
10/10

behavioral21

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral22

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral23

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral24

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral25

dcratinfostealerrat
Score
10/10

behavioral26

dcratinfostealerrat
Score
10/10

behavioral27

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral28

discoverypersistence
Score
7/10

behavioral29

dcratinfostealerrat
Score
10/10

behavioral30

dcratinfostealerrat
Score
10/10

behavioral31

xwormrattrojan
Score
10/10

behavioral32

xwormrattrojan
Score
10/10