General

  • Target

    archive_55.zip

  • Size

    44.1MB

  • Sample

    250322-g2a48ay1ex

  • MD5

    b1f632a38dad46fe3f75167e16e6900f

  • SHA1

    706f9baaab570f335dcae020910295b2f60ca8f6

  • SHA256

    249f9bd035685660ae45fc4138334e744c30ce7e1038c140a98529b90c4270c5

  • SHA512

    b548ad298a6dbc0db0a08afe2d332e3b2422067f8806571ea262843449727d46fce3af9aae1024c6a15aa333db2891346cceb4be2acca3592f85a92b87a64339

  • SSDEEP

    786432:p6uPzXvgbxWVZ/LQGcsjaOAU4f8DCb+RS8kPaRN5Q//yxNw:hPnjoU4Qv48k+N5Ea0

Malware Config

Extracted

Family

xworm

C2

registered-marilyn.gl.at.ply.gg:38151

127.0.0.1:8080

127.0.0.1:7000

adult-acquired.gl.at.ply.gg:30471

Attributes
  • Install_directory

    %AppData%

  • install_file

    NursultanCrack.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

we404.ddns.net:1515

192.168.1.3:1177

Mutex

7c8399d75b895f7dcec5e6e26c45acdd

Attributes
  • reg_key

    7c8399d75b895f7dcec5e6e26c45acdd

  • splitter

    |'|'|
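
The njRAT config above exposes the wire-level field separator (the "splitter" attribute) and the botnet name. The parser below is an added example written for this report, not code from the report or from njRAT. It assumes the framing that public njRAT write-ups describe (a decimal payload length, a NUL byte, then the payload, with fields joined by the splitter), which the page itself does not state, and runs on a constructed byte stream that ends in a truncated frame to show how a detector must hold back partial data instead of misparsing it.

```python
"""Carve njRAT C2 frames from a raw TCP byte stream and split their fields.

Added example for this report, not code from it or from njRAT. Framing
is taken from public njRAT analyses (assumed here, not stated on the page):

    <decimal payload length><NUL><payload>

Fields inside the payload are joined with the splitter string the
extracted config reports.
"""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = "|'|'|"    # extracted "splitter" attribute
BOTNET_ID = "HacKed"  # extracted "Botnet" value


@dataclass
class Frame:
    command: str       # first field, e.g. "ll" (registration) or "inf"
    fields: List[str]  # remaining fields
    raw: bytes


def carve_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Return (complete frames, leftover bytes).

    Leftover bytes are trailing data that does not yet form a whole frame;
    a socket reader keeps them and prepends the next read. A non-numeric
    length prefix raises instead of resynchronising on garbage.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > 7:
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        start = nul + 1
        end = start + int(prefix)
        if end > len(buf):
            break                                   # payload incomplete
        payload = buf[start:end]
        parts = payload.decode("utf-8", errors="replace").split(SPLITTER)
        frames.append(Frame(command=parts[0], fields=parts[1:], raw=payload))
        pos = end
    return frames, buf[pos:]


def victim_id(frame: Frame) -> str:
    """Victim ID from a registration ('ll') frame, or '' for other frames."""
    if frame.command != "ll" or not frame.fields:
        return ""
    return frame.fields[0]


def matches_botnet(frame: Frame) -> bool:
    """True when a registration frame's victim ID carries the extracted botnet name."""
    return victim_id(frame).startswith(BOTNET_ID + "_")


def _frame(text: str) -> bytes:
    payload = text.encode()
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream: a registration frame, an 'inf' frame, then a
# truncated frame. Host, user, date, OS and ID values are made up.
SAMPLE_STREAM = (
    _frame(SPLITTER.join(["ll", "HacKed_7C8399D7", "DESKTOP-1", "alice",
                          "25/03/22", "", "Win 7 Ultimate SP1 x86", "No", "0.7d"]))
    + _frame(SPLITTER.join(["inf", "HacKed_7C8399D7"]))
    + b"42\x00partial"
)

if __name__ == "__main__":
    frames, leftover = carve_frames(SAMPLE_STREAM)
    for f in frames:
        print(f.command, victim_id(f) or "-", len(f.fields), "fields")
    print("held back:", leftover)
```

The same carve-and-split loop applies to captured PCAP payloads or a proxy tap; the length check is what keeps a network sensor from declaring a match on half a frame, and the splitter and botnet prefix are what tie a frame back to this specific config rather than to njRAT in general.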

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:1488

face-projected.gl.at.ply.gg:1488

Mutex

C50p0CtjGvq1oBFB

Attributes
  • Install_directory

    %Temp%

  • install_file

    tmp123456323423423463234131.exe

aes.plain

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

103.125.217.116:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
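
Not every C2 entry above is worth blocking: 127.0.0.1 and 192.168.1.3 are loopback and private addresses (builder defaults or a test build), the *.gl.at.ply.gg hosts are playit.gg tunnel endpoints on infrastructure shared with legitimate users, and we404.ddns.net and xred.mooo.com are dynamic-DNS names whose address can change. The script below is an added example, not part of the report: it takes the endpoints exactly as extracted above and classifies each one, keeping only those worth acting on. The provider suffix tables are my own assumption and should be extended for your environment.

```python
"""Triage the C2 endpoints from the extracted configs into action classes.

Added example, not from the report. Endpoint strings are copied from the
Malware Config section; the suffix tables are assumptions about which
providers are dynamic DNS or shared tunnels.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# From the Malware Config section (family -> C2 entries).
EXTRACTED_C2: Dict[str, List[str]] = {
    "xworm": [
        "registered-marilyn.gl.at.ply.gg:38151", "127.0.0.1:8080",
        "127.0.0.1:7000", "adult-acquired.gl.at.ply.gg:30471",
        "127.0.0.1:1488", "face-projected.gl.at.ply.gg:1488",
    ],
    "njrat": ["we404.ddns.net:1515", "192.168.1.3:1177"],
    "xred": ["xred.mooo.com"],
    "asyncrat": ["103.125.217.116:4449"],
}

# Assumed provider suffixes (not from the report).
TUNNEL_SUFFIXES = (".ply.gg",)                                   # playit.gg tunnels
DYNDNS_SUFFIXES = (".ddns.net", ".mooo.com", ".no-ip.org", ".duckdns.org")


class Endpoint(NamedTuple):
    family: str
    host: str
    port: Optional[int]
    kind: str          # loopback | private | public_ip | tunnel | dyndns | domain
    actionable: bool


def parse_endpoint(entry: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port'; the port is optional. IPv6 literals are not expected here."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        return entry, None
    if not port.isdigit():
        raise ValueError(f"bad port in {entry!r}")
    return host, int(port)


def classify(family: str, entry: str) -> Endpoint:
    host, port = parse_endpoint(entry)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback:
            kind, actionable = "loopback", False     # never leaves the host
        elif ip.is_private:
            kind, actionable = "private", False      # test build / builder default
        else:
            kind, actionable = "public_ip", True
    else:
        h = host.lower()
        if h.endswith(TUNNEL_SUFFIXES):
            kind, actionable = "tunnel", True        # block the full name only; the suffix is shared
        elif h.endswith(DYNDNS_SUFFIXES):
            kind, actionable = "dyndns", True        # block the name; the IP behind it moves
        else:
            kind, actionable = "domain", True
    return Endpoint(family, host, port, kind, actionable)


def triage(configs: Dict[str, List[str]] = EXTRACTED_C2) -> List[Endpoint]:
    """Classify every endpoint, de-duplicated on (host, port)."""
    seen = set()
    out: List[Endpoint] = []
    for family, entries in configs.items():
        for entry in entries:
            ep = classify(family, entry)
            if (ep.host, ep.port) in seen:
                continue
            seen.add((ep.host, ep.port))
            out.append(ep)
    return out


def blocklist(configs: Dict[str, List[str]] = EXTRACTED_C2) -> List[str]:
    """Actionable endpoints as 'host:port', or bare host when no port was extracted."""
    return [f"{e.host}:{e.port}" if e.port is not None else e.host
            for e in triage(configs) if e.actionable]


if __name__ == "__main__":
    for e in triage():
        label = f"{e.host}:{e.port}" if e.port is not None else e.host
        print(f"{e.family:9} {e.kind:10} {'BLOCK' if e.actionable else 'skip':5} {label}")
```

The tunnel class deserves a note: a playit.gg hostname identifies one operator's tunnel, so blocking or alerting on the full hostname is sound, while a wildcard on ply.gg would also catch unrelated users of the service. The same applies to the dynamic-DNS names, and the public IP is the one entry where an address-level block is appropriate.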

Targets

    • Target

      de1299d65e55eeb63ddc8320cafe3f07.exe

    • Size

      78KB

    • MD5

      de1299d65e55eeb63ddc8320cafe3f07

    • SHA1

      7a129ef919232a00a650bd6ac1747f693e1bce28

    • SHA256

      7548e1cfe2b627de637b2b91f493b408869a283f04151b182e2c74b20f7932e1

    • SHA512

      2b171c392a84a42e2f83e20a00a14998758dba76c814de8b28814bf2b84a8b9843a262effc74ec3a67167443083a8be2e0972d85874ed2ab68b5e99fe65d223d

    • SSDEEP

      1536:URWV5gdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6i9/u1e9:URWV5vn7N041Qqhg69/Z

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been in circulation since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      de3206bd1391c2d6e3dda6c031db8f8298a2a97ecad547adb06ebe31d2d00c8d.exe

    • Size

      3.4MB

    • MD5

      d48b635ca68d1da2a705d15c9fea449a

    • SHA1

      d5fe49c9ce895281d315e27086c0f80890c31b6c

    • SHA256

      de3206bd1391c2d6e3dda6c031db8f8298a2a97ecad547adb06ebe31d2d00c8d

    • SHA512

      259f28179f138d946c1fa52bfac7f276d14a78060fcd33adc67968f3287e8fbb94e93dfb8a560ac9ba472ecf49ef5bf745a1ceb9fcfd3ed8ae279cfc2dc28ed5

    • SSDEEP

      98304:XRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/tk69Rx:Xkj8NBFwxpNOuk2qx

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      de41dac906b1f4218d2cf3e93d994af2.exe

    • Size

      211KB

    • MD5

      de41dac906b1f4218d2cf3e93d994af2

    • SHA1

      f7f121a5c283da23bd6038119cefb56ffe956074

    • SHA256

      4725aee3b6b9b01f81a1288d83f24a061adeea4a18a61e9255063900041ffa46

    • SHA512

      1c165685801c23fd45f7ae28b4c3ea48fa9a354a47edf417d345573219ede67663174cbdf18fb202d0ba2b2495016f1c8be7d66be92337e1f0324cf56205998b

    • SSDEEP

      6144:ShOGf/c6q4gHtLu3faUzPFzzGy2jt45JrzrnKpUsD4l:mf/c6rSK3faGX1r3lsD4l

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Executes a command via powershell.exe.

    • Suspicious use of SetThreadContext

    • Target

      de55ad6fba2d168ad7a56c2c2f71d119b5912b6c1653e3b77f8a9773626d11fe.exe

    • Size

      2.0MB

    • MD5

      c74d91bd0c11cdb431426f71820a6cc6

    • SHA1

      c691c3b6518858e97f534837bb0081a420e60f38

    • SHA256

      de55ad6fba2d168ad7a56c2c2f71d119b5912b6c1653e3b77f8a9773626d11fe

    • SHA512

      ef6cb74de718a43862a43c09f2b89d30ea5db4935946a16f6a59e364b86f5fadc9a2b8fd501d94697c8576ec9a357d075ca322c9d1f21aeec62c4c3efb8a320f

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      de7c6ded508e6b46e7f6b385572c426f.exe

    • Size

      885KB

    • MD5

      de7c6ded508e6b46e7f6b385572c426f

    • SHA1

      13cb214fcfaca4c85c59c002ea2769d8db3fccc0

    • SHA256

      aa8cbabea544c7e766f4a2096cf7aa8ebc23e4677812b23910524d0a089d2502

    • SHA512

      c98b77f486f1d0c607eab5b9776dbbd1fc97581e313302d03cc9b18cf5af53196cc280503acdb8c91cd7a44906001bb24fa423cb8eb8a732562fffdb18dc7b0c

    • SSDEEP

      12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyxT:8lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      de85b03bebfb919df53912cb0ca84af7.exe

    • Size

      1.6MB

    • MD5

      de85b03bebfb919df53912cb0ca84af7

    • SHA1

      336bd7b1faf7e3cddb45c071ff5f5d6d64f94fb9

    • SHA256

      5c7f27a1cc7422a66ac2e509f12015bff8fe6db6c09bbd293944fd5b736270da

    • SHA512

      ed2c9fbc59c21d07d1894b189569b8539a4a05e94df4a9af1608a4580c90247b011792334a9b08040eefd71d7130ae76019e0ef55a85c56dde12642dcc1564ef

    • SSDEEP

      24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      de8984199cea928c5ce0773ce065a545.exe

    • Size

      71KB

    • MD5

      de8984199cea928c5ce0773ce065a545

    • SHA1

      1f85e446829d06841869eda7cc0a9767ee4b7c1e

    • SHA256

      a3b73fded2b9faa31303d7dc5905781ddfed85b17beff7042b212554fb25acac

    • SHA512

      677c58836e563dc708bc89ca2f70b675783762dbdd28b070dece97c66f7aacc969dfe575ab4b68c0dd93b809746373eb61d63253ce2d7ecea170fe3c52747d60

    • SSDEEP

      1536:N0/NWyFYaOmsMFvStuG5IR+e1ywgpDQYbUckDP6dTrOAGH:N0FW2MkR+eAw+bUHgrOAGH

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      deb9b3528e54334bf14621892e130791.exe

    • Size

      23KB

    • MD5

      deb9b3528e54334bf14621892e130791

    • SHA1

      d8f57df629888b00a305d5bc366006c0ea16fddb

    • SHA256

      42fe0ff2703f14ea1053a3807a6ea6f91756e092acf684092c7f87c1f3077f79

    • SHA512

      7a0e095b4ba47d0174ece98aa3c9fbefa2ba74b860a70684695aec4709b336006f499b6458badab27ca2fa8644e7eb0fd6404936c4d40fbe76f667ec53a15934

    • SSDEEP

      384:kQ+ILgIbOprgPsUOSU0kB1kd6dg7GYh/JomRvR6JZlbw8hqIusZzZ2KL:3LL6MVU0NRpcnuqL

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      dec0fc30b53f55787ffb4b054bd59fb796c9f2d43dc8d56ab749215f05957fd0.exe

    • Size

      339KB

    • MD5

      4a77a1c9a249763cebfea7733858a6f3

    • SHA1

      3416b157b51163da10d80ae29acae257c09739bb

    • SHA256

      dec0fc30b53f55787ffb4b054bd59fb796c9f2d43dc8d56ab749215f05957fd0

    • SHA512

      0945e656966c6cfefa99a7862f19ab41850ffccecd384aac3353d1bc566352435cdb9a413501151a7c6a8283a06662ddcdfce30b646c32f7b3608b55f4691304

    • SSDEEP

      6144:MQiHCKbkkB2+GIIIIIIIhIIIIIIIIIIIIIIIU:MQiifkBh

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ded424937a30c22016f9766e627fccb5.exe

    • Size

      13.8MB

    • MD5

      ded424937a30c22016f9766e627fccb5

    • SHA1

      c073e74f656a7c5c0a74cc1cae3d059ae6715204

    • SHA256

      81694e7be43cf7bbe907aa1a152951ae3d0e665782485fb0915a6c146b63dde6

    • SHA512

      2a387db31c91bc6b212a99323f47f4ae37d37570bc2ea497a5d01f4ac99ed397d669c66ff01ed8f100b4b3f0d0a113de68f102b0e59a8aa569fd050b3502ef27

    • SSDEEP

      393216:hGg4aNGg4aeGg4aMGg4avGg4a5Gg4aFGg4aYGg4aWGg4aEGg4an:plcKvRt2kyn

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      defcdae3dc9e03410d78ef0ab357f764.exe

    • Size

      1.9MB

    • MD5

      defcdae3dc9e03410d78ef0ab357f764

    • SHA1

      d9e1223e947b96d32607b66ec3bdb41608ae58cd

    • SHA256

      479e4d08f33e904dadbf2af464d24e42eec66a2301a85fc2ef3552cf037c0bd5

    • SHA512

      7d958b544df58fd1444b06c48ccdf79eadddbffbe729a7fd696b5dfd025b08fa7ddfa22a19f3bf1d79836587832d5c3b4a8d1959c83798b0a3239f9b1021443f

    • SSDEEP

      24576:5cIqg3pZ9Lbp1x5mMnbJ4ANfUAlkDd/2uUpET57RLGKETv/cyUM6MniOlsxvZBSg:XrhDbJ4dAlkpuuUpY57cKEr0a7iOyKc

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      df04d21f8f4edc307cb444b18e8f201c.exe

    • Size

      999KB

    • MD5

      df04d21f8f4edc307cb444b18e8f201c

    • SHA1

      9008920285ae41fe099cbfd11baa15e3909d140f

    • SHA256

      51ef466bd86c5e96bff1611da1f13ec2691923618e9db5c490f6104cb95cd6d1

    • SHA512

      a8e76e398d3de32aef34e3d424d52dd33a073a261958ddc8b6dff62941288aaf359e1d3604de025f021789f2eb70b932cb69f09e4b6aa79e5ff3528d4315c52c

    • SSDEEP

      12288:P9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:P9pP5WS3lrMNyC9TJPCXBi

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      df0e554958405ce1e7b15ab03585cce9.exe

    • Size

      581KB

    • MD5

      df0e554958405ce1e7b15ab03585cce9

    • SHA1

      ada1b7bc267f49080f8b63c67263f9ff0f46959b

    • SHA256

      1f04b463cd46e0057347ecfbfbe6e8722cd10bc5bc5069d119ff517f736481c1

    • SHA512

      859bb7281a6aa84f308f5e2108deeeef2b35c5263a0f8fd4bb6695accd0212da0aafdd93803ff6cbafa87648a2f900805da2f8305134aaa048ea0c617cbcf484

    • SSDEEP

      12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7q:rBJwdhMJ6ZzHrfcsMGTfZ5Pq

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      df35e63228a07a080a53b1bd5b62de3a09337c7d3c2eeef01adf41de434da82e.exe

    • Size

      124KB

    • MD5

      d5a3fae6444d05b7a6d0b306f0c4d17a

    • SHA1

      ddc5ef9d851844b56af587f31acc24067f2aec98

    • SHA256

      df35e63228a07a080a53b1bd5b62de3a09337c7d3c2eeef01adf41de434da82e

    • SHA512

      8c72e1640a195696682bc235c6e8c261681dc72880264d136799e9e3476cc31975ddccc174295011d83fdaafcbc80bbe27809761c9530a9aa021feb0d25462e2

    • SSDEEP

      3072:/HI+yH9c7p51N/HmSsVzFoAjuQHQMXNEhuWL7HM:fVCoj1N/mDHjuMQkShV7

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      df43aaf53cf823766f98d138827f3931.exe

    • Size

      8KB

    • MD5

      df43aaf53cf823766f98d138827f3931

    • SHA1

      371d4384bcf0098c3decca695268d4255f3b87bf

    • SHA256

      b851b7e9300924a6af5e9030c320a442cf65cd5276d216aadf114ae1737d8b38

    • SHA512

      4b187c397a23fd1c8395b27620ebd30ac8336bf0b75a400bfb718a8c1368654f83c84e6564d0b4f8661c8f01529b5935bfee6a2d0a9bf4a29b4283be99a0892d

    • SSDEEP

      96:E2YjX/R8Dn4qwuK/ncVqZ790AvKn6riLNQ+e3q5dNtosZ2Y843TWVWe16GRlLtfW:GjmDn+nAK9/vkvWHqzL3aVPDR9Nin

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      df9cc0d83fdf3053b95b91afe74fa035.exe

    • Size

      7.9MB

    • MD5

      df9cc0d83fdf3053b95b91afe74fa035

    • SHA1

      daba73ed9762fa5acf66855971b751aaf31da78b

    • SHA256

      d859e26169204f7ac64c0fa11e7b32d23c22d92992f7778d825fe7cf0095ce4c

    • SHA512

      c8cd7b4bdfc9fe337e26c13e3373b492d20d8e91ff1daeb375037d79ae04b4c7fe632395c328c3e097a43c3177a448c372edc9b7bc5cf9f74cf4724dd6589c87

    • SSDEEP

      196608:z9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZBb:zmqbhrEbn87eZsFmq+H

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL
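
Several targets above persist through Run keys ("Adds Run key to start application") and the Winlogon key ("Modifies WinLogon for persistence"), and the extracted configs name the artefacts to look for: the xworm install_file names, the njrat reg_key used as the Run value name, and the %AppData% / %Temp% install directories. The script below is an added example, not from the report or from the malware: it parses a "reg export" text dump (REGEDIT5 format) and flags Run entries that match those artefacts or start from the user-writable locations those configs use, plus Winlogon Userinit/Shell values that differ from the stock Windows values. The registry sample is constructed; the user name, the OneDrive/Updater entries and server.exe are assumptions.

```python
"""Hunt Run-key and Winlogon persistence in a 'reg export' text dump.

Added example for this report, not code from it. Input is REGEDIT5 text:
keys in [brackets], string values as "name"="data" with backslashes and
quotes escaped; dword/hex values and @ defaults are ignored here.
"""
import re
from typing import Dict, List, Tuple

# From the extracted configs above (page data).
KNOWN_INSTALL_FILES = {"nursultancrack.exe", "tmp123456323423423463234131.exe"}  # xworm install_file
KNOWN_RUN_NAMES = {"7c8399d75b895f7dcec5e6e26c45acdd"}                           # njrat reg_key

RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_BASELINE = {              # stock values; anything appended is a hook
    "Userinit": r"c:\windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}
# Lower-case path markers for the install directories the configs use (%AppData%, %Temp%).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT5 text into {key_path: {value_name: data}} (string values only)."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            tree[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return tree


def command_image(cmd: str) -> str:
    """Return the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)  # unquoted path may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, location, detail) findings for Run and Winlogon persistence."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg(text).items():
        if key in RUN_KEYS:
            for name, cmd in values.items():
                image = command_image(cmd)
                base = image.lower().rsplit("\\", 1)[-1]
                where = f"{key}\\{name}"
                if name.lower() in KNOWN_RUN_NAMES:
                    findings.append(("high", where, f"value name is an extracted njrat reg_key: {cmd}"))
                elif base in KNOWN_INSTALL_FILES:
                    findings.append(("high", where, f"extracted xworm install_file {base}: {cmd}"))
                elif any(marker in image.lower() for marker in USER_WRITABLE):
                    findings.append(("review", where, f"autostart from user-writable path: {image}"))
        elif key == WINLOGON_KEY:
            for name, baseline in WINLOGON_BASELINE.items():
                data = values.get(name)
                if data is not None and data.strip().lower() != baseline:
                    findings.append(("high", f"{key}\\{name}", f"modified from stock value: {data}"))
    return findings


# Constructed sample dump (user name, OneDrive/Updater entries and server.exe are assumptions).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"NursultanCrack"="C:\\Users\\alice\\AppData\\Roaming\\NursultanCrack.exe"
"7c8399d75b895f7dcec5e6e26c45acdd"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\server.exe\" .."
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc host.exe -q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\NursultanCrack.exe,"
"Shell"="explorer.exe"
'''

if __name__ == "__main__":
    for severity, where, detail in hunt(SAMPLE_REG):
        print(f"[{severity}] {where}: {detail}")
```

On a live host the dump comes from "reg export" of the three Run keys and the Winlogon key; the "review" class is deliberately narrow (only the two directories these configs install to) because plenty of legitimate software autostarts from AppData, whereas a Run value named after the extracted reg_key or a Userinit value with anything appended after userinit.exe is a direct match for the behaviour the report records.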

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, hacked, dcrat, xworm, njrat
Score
10/10

behavioral1

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral2

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral3

defense_evasion, execution, spyware, stealer
Score
8/10

behavioral4

defense_evasion, execution, spyware, stealer
Score
8/10

behavioral5

asyncrat, venom clients, discovery, execution, persistence, rat
Score
10/10

behavioral6

asyncrat, venom clients, discovery, execution, persistence, rat
Score
10/10

behavioral7

dcrat, infostealer, rat
Score
10/10

behavioral8

dcrat, infostealer, rat
Score
10/10

behavioral9

dcrat, infostealer, rat
Score
10/10

behavioral10

dcrat, infostealer, rat
Score
10/10

behavioral11

dcrat, execution, infostealer, rat
Score
10/10

behavioral12

dcrat, execution, infostealer, rat
Score
10/10

behavioral13

xworm, rat, trojan
Score
10/10

behavioral14

xworm, rat, trojan
Score
10/10

behavioral15

njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral16

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral17

xworm, rat, trojan
Score
10/10

behavioral18

xworm, rat, trojan
Score
10/10

behavioral19

xred, backdoor, collection, discovery, execution, macro, persistence, spyware, stealer
Score
10/10

behavioral20

xred, backdoor, collection, discovery, execution, persistence, spyware, stealer
Score
10/10

behavioral21

dcrat, execution, infostealer, persistence, rat
Score
10/10

behavioral22

dcrat, execution, infostealer, persistence, rat
Score
10/10

behavioral23

dcrat, infostealer, persistence, rat
Score
10/10

behavioral24

dcrat, infostealer, persistence, rat
Score
10/10

behavioral25

discovery, persistence
Score
7/10

behavioral26

discovery, persistence
Score
7/10

behavioral27

njrat, hacked, defense_evasion, persistence, privilege_escalation, trojan
Score
10/10

behavioral28

njrat, hacked, defense_evasion, persistence, privilege_escalation, trojan
Score
10/10

behavioral29

Score
8/10

behavioral30

Score
8/10

behavioral31

Score
7/10

behavioral32

Score
7/10