Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ea2b9ce0bf...e8.exe

windows7-x64

10

ea2b9ce0bf...e8.exe

windows10-2004-x64

10

ea412d4c42...1c.exe

windows7-x64

10

ea412d4c42...1c.exe

windows10-2004-x64

10

ea5b328e16...cd.exe

windows7-x64

10

ea5b328e16...cd.exe

windows10-2004-x64

10

ea6fec7b9d...1b.exe

windows7-x64

1

ea6fec7b9d...1b.exe

windows10-2004-x64

1

ea78193c0a...a1.exe

windows7-x64

10

ea78193c0a...a1.exe

windows10-2004-x64

10

ea89c0c553...a2.exe

windows7-x64

1

ea89c0c553...a2.exe

windows10-2004-x64

1

eac98ebb34...f5.exe

windows7-x64

10

eac98ebb34...f5.exe

windows10-2004-x64

10

ead0a43ebb...05.exe

windows7-x64

10

ead0a43ebb...05.exe

windows10-2004-x64

10

eb00f484dd...2a.exe

windows7-x64

10

eb00f484dd...2a.exe

windows10-2004-x64

10

eb0d447842...57.exe

windows7-x64

7

eb0d447842...57.exe

windows10-2004-x64

7

eb3cc89ac8...b9.exe

windows7-x64

1

eb3cc89ac8...b9.exe

windows10-2004-x64

1

eb5a48e4b7...a2.exe

windows7-x64

10

eb5a48e4b7...a2.exe

windows10-2004-x64

10

eb5b067a2c...c7.exe

windows7-x64

7

eb5b067a2c...c7.exe

windows10-2004-x64

7

eb7e5b2843...5a.exe

windows7-x64

10

eb7e5b2843...5a.exe

windows10-2004-x64

10

eb8ab40a3b...5e.exe

windows7-x64

10

eb8ab40a3b...5e.exe

windows10-2004-x64

10

ebe2e28a80...2e.exe

windows7-x64

10

ebe2e28a80...2e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_58.zip

  • Size

    52.3MB

  • Sample

    250322-g2nqbay1fv

  • MD5

    de939d9ca55e5d0b60a0fe6573ee24c6

  • SHA1

    12193c227db039f7ba8ce506808490686239040b

  • SHA256

    8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

  • SHA512

    2cfc10d1296ebe95d3b45b92acfa69dcecdc51690bbcab9dcd5c9c319bd1b23238092a43dd4943410b866e7440630a8a5ecbb3a87b6d70b65bba5d78737dca52

  • SSDEEP

    1572864:KLQnusF+q3v2bude8OuVf8s723966Xl+48KW5MXy:WQue++MuvOQ8ZlW/MXy

Score
10/10
dcratnjratquasarstormkittyumbralhackedmicrosoft wordneufoffice04collectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojanvmprotect

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.ngrok.io:16515

Mutex

8d4f5337-a7b5-4237-9349-d9bede1e2337

Attributes
  • encryption_key

    CC1E18558E65763D4940C1C87A6788F6761FFA4D

  • install_name

    svchostt.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win64launcher

  • subdirectory

    SubDirr

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

10.10.1.11:5552

hakim32.ddns.net:2000

127.0.0.1:7777
Mutex

7657c14284185fbd3fb108b43c7467ba

Attributes
  • reg_key

    7657c14284185fbd3fb108b43c7467ba

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Microsoft Word

C2

192.168.0.180:4782

Mutex

e0e6ccfc-aefe-43bf-9a5e-a99f8921c935

Attributes
  • encryption_key

    CBC9CA489516D0B612EF726C60A4EB635F0C1650

  • install_name

    Word.exe

  • log_directory

    logs

  • reconnect_delay

    1000

  • startup_key

    Microsoft Word

  • subdirectory

    Microsoft

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352316633804312686/nbzRvq0xatwDQRdzQCR3IGUXCZOGkrwHGzTKb1BSarOnM-81DTbCsnfJEdphckSwY49P

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8.exe

    • Size

      3.1MB

    • MD5

      59cced923e3a96704b1e7b5549559aa7

    • SHA1

      2a463e2d878673c2041d0064b5185193efbd3113

    • SHA256

      ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8

    • SHA512

      6f232972332a860120c663462b836124575ef9208eb1e0e9c7e75b9720f1a22ff09c264e8339f7fb75bb04bafed79bd282bf3d65837f7beec09642cf0dc80d61

    • SSDEEP

      49152:mvBt62XlaSFNWPjljiFa2RoUYIxpxNESE2k/iNLoGdXTHHB72eh2NT:mvr62XlaSFNWPjljiFXRoUYIrxJF

    Score
    10/10
    quasaroffice04spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

    • Target

      ea412d4c422e5c43fa4cd8547ef5a41c.exe

    • Size

      23KB

    • MD5

      ea412d4c422e5c43fa4cd8547ef5a41c

    • SHA1

      bcf0bc385596039ad6677ec5836147189c074ece

    • SHA256

      80d5dc010b47f1fcfa209a514a47728635cebe108da7e6fd7c670a74a5d1e846

    • SHA512

      2bf18956fe28301c964b6e6c2c5b69aefef6b3d5c056f5d8b36c04824572aca94534ce487d9ada3f001348eb24b44f182e958176cd1f27b94652dbd492de2939

    • SSDEEP

      384:uoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZIl:h7O89p2rRpcnu/

    Score
    10/10
    njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

    • Target

      ea5b328e16846035adbbb9b261ee4ae28a27ef84788fbf339ed55c110672d2cd.exe

    • Size

      115KB

    • MD5

      6fbcb0aec527717a65e2daf76136918a

    • SHA1

      b386242c0e7cd39bca902bf6c2bba251c57eeb3e

    • SHA256

      ea5b328e16846035adbbb9b261ee4ae28a27ef84788fbf339ed55c110672d2cd

    • SHA512

      4577b1388edc609beb91c001eedec5d68b72963b5d5a2481e7d54d326626233aa6ca30a5b5c0bfe07e736c397b6d71e4f1b3d526f35ce118b1f336e8c716e069

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat61/:P5eznsjsguGDFqGZ2ri1/

    Score
    10/10
    njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      ea6fec7b9d9d1396f76bcc7a8ebb811b.exe

    • Size

      6KB

    • MD5

      ea6fec7b9d9d1396f76bcc7a8ebb811b

    • SHA1

      db4b8a980c6414dd6d87e910b08f1733592ddab2

    • SHA256

      60c3037f1c05f3dc0414fee76f88e66c97c8a20c9546e9744e22b335209bd00e

    • SHA512

      27473a25174c9a2ac1a5e3bc8989f0c47b2d166fb2f12a9efc54ba5e495631f302a4c54db03e777b6514d854048bf074f7b7600eff745b80b008bfea77633e99

    • SSDEEP

      48:6v/eCg5N62TaZIgmaSVS1VNMKyQPA2gXncKiaB0sYJqj1LGo1Jk54tdflLP3LFCY:W3gv620PLhicKxasJcypuzNt

    Score
    1/10
    behavioral7behavioral8

    • Target

      ea78193c0a312343dc3d6ecf4c9709a1.exe

    • Size

      1.9MB

    • MD5

      ea78193c0a312343dc3d6ecf4c9709a1

    • SHA1

      a0ef53ffbda9e058034c460dcf924971da8dedcb

    • SHA256

      af910cca03f917e9f66f2928480d463c358ae42246e32b0900e5572a09920cb2

    • SHA512

      835efc748beddcdf0ca2a8203d9f461e5a6f831dec65a6f0fa56f158b947ce53228ed0c89a688bd0fcd2883cae89bb86a88ab3f9b8a9d98d5f96a46759fc913a

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    Score
    10/10
    defense_evasionexecutiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral10behavioral9

    • Target

      ea89c0c553183fa2daf996e5f36472a2.exe

    • Size

      283KB

    • MD5

      ea89c0c553183fa2daf996e5f36472a2

    • SHA1

      70d4c75410bfd7bd3816639d08c83a6b9109e409

    • SHA256

      c9ad4ef654c1dfdd0a52d72773283f41b16502e0839c379bf0e59aaa516a16a4

    • SHA512

      1afefda2dad4323ce664cecdf503c35743aa44c9ee6998d2209a66ea8dfba175a097cf3ebccb7b48035341b30a8b72aa50cf6b988b31a505e632f5a48813356d

    • SSDEEP

      6144:+OznCQ0AW6JQR/QfI+fZfIZRyqtxiMiXHUGxPuSX:Nzn3kX+fZfYRyqtxifXHUGJ

    Score
    1/10
    behavioral11behavioral12

    • Target

      eac98ebb342782d2e8ef453b3d4006f5.exe

    • Size

      885KB

    • MD5

      eac98ebb342782d2e8ef453b3d4006f5

    • SHA1

      b8bfb2496a72d101e9c8f0a86c6a838615b99b72

    • SHA256

      554055083c7aee5ed747c7fad8cd8232365485281f84a05ffb757732b0f323f4

    • SHA512

      f4778728326651083824f1e0023b04959077a722ef333d981e614c8cd45824c357a341d757e0a6427ebd6ac00f7c2b8204f6706f4a047e775ff70269d1112dc2

    • SSDEEP

      12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral13behavioral14

    • Target

      ead0a43ebb6b12f8ad99cd38ad40ce05.exe

    • Size

      2.0MB

    • MD5

      ead0a43ebb6b12f8ad99cd38ad40ce05

    • SHA1

      f6591b5073130237d13d8c405d202f67cca5bfa4

    • SHA256

      546efa76997c0f290b3617c3933e3ec1d7c0759c9a7cfa5878cb41f05ea1f7e5

    • SHA512

      80f36f71785153002fba3a4437ccf89405fa3c9f3c7216303dc0975252c8e4da130b540a9a91d5528e3037863394bd5ae70a0ada9fe9bdc62a6a26b59302313e

    • SSDEEP

      49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral15behavioral16

    • Target

      eb00f484dd8074177d1c4ad20203982a.exe

    • Size

      1.6MB

    • MD5

      eb00f484dd8074177d1c4ad20203982a

    • SHA1

      9f3ac964a1c915cf7b2954dca26acb17baa73586

    • SHA256

      64cf79a4ca419db52372e76dea60756bd9b17e62c3c416145b37e88d1fe17def

    • SHA512

      20664145ca390fe8bd9028e772e9263a83063ee2ff460d44fa2653f38879c00d9311ff0c7dc4a84735d952761fb1e5f9da95ec39070e459371b4675fd52a4551

    • SSDEEP

      24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral17behavioral18

    • Target

      eb0d44784227459b3966965eeef8fcd82fd68514b4ca1f1609985001348b9357.exe

    • Size

      921KB

    • MD5

      461c6571e39013140e06e9446a028b37

    • SHA1

      992bec278f375a4cee0d3c130e9363a3955da59a

    • SHA256

      eb0d44784227459b3966965eeef8fcd82fd68514b4ca1f1609985001348b9357

    • SHA512

      57105bfac84e19fc451f75359199938d7465f7a64dc3e10e6c694d1d53a41eccb3f8ca1f91e8509bcc462b914067fee8056eaa09250bd489ae7488432ad61d4f

    • SSDEEP

      12288:Ewb/OjHHZYKOQnGaGQk8DOwoZ9JDiuMSd/fDmO3q9xK12vh:zbOHH+KJnGqiwG9Jbfd/fDm994gvh

    Score
    7/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect
    behavioral19behavioral20

    • Target

      eb3cc89ac84272f4025e31b7c92adf1ab793e3ab44bf0c65e7271287f77d28b9.exe

    • Size

      38KB

    • MD5

      814c4a9eba9ce6298b3d6c272350bbda

    • SHA1

      969c48cbe0b57baaccf00993e11c6912b7d12370

    • SHA256

      eb3cc89ac84272f4025e31b7c92adf1ab793e3ab44bf0c65e7271287f77d28b9

    • SHA512

      550ac2bc2a858e6d3a400e3b87d6f7dec2e49a3b5bcbbd14983cb51cf29be87f7593ae3ccd621437a127533144aa8561604d849338f38562eb508918a5ad14bc

    • SSDEEP

      768:8EcbpTifp+nLXVzW8xeVD0Xrj6xEZK2yWYlDbD8KhCdM:8rbpWfsLXVzW8xtOx2ebCdM

    Score
    1/10
    behavioral21behavioral22

    • Target

      eb5a48e4b722c2f4c9ca3f9fb9ce8d8e67c8f7163e2c68aeb52a3578fc55e2a2.exe

    • Size

      213KB

    • MD5

      50acae57ba1ab9318cedb111b39d1e55

    • SHA1

      d71f6240e36c4c91c7c649025bbb866932485472

    • SHA256

      eb5a48e4b722c2f4c9ca3f9fb9ce8d8e67c8f7163e2c68aeb52a3578fc55e2a2

    • SHA512

      f098f5e1045a31c24898d82fd7abe2c84bc389c533e62f1b1fdd6745a61561753271e1fa9c98c56567c8b2958ae347c3eaabb94ada02d0aafdc39ecdd4f65877

    • SSDEEP

      6144:zgu0c4uUfX8fpVV+ZRH8rq9JrKbRG1EK1:zr0tPPT8rq9Jr1

    Score
    10/10
    stormkittydiscoverystealercollectionpersistenceprivilege_escalationspyware

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral23behavioral24

    • Target

      eb5b067a2ccdc246fb4ea5202566c9c7.exe

    • Size

      1.5MB

    • MD5

      eb5b067a2ccdc246fb4ea5202566c9c7

    • SHA1

      1831f474a47c7b928ba09d1a81f5ffedec4454df

    • SHA256

      b9a37cdc14dc5d2be8d0062698d0ee0ff7753b10284bd1549872d4f0e6fa0c0a

    • SHA512

      0dd54dc60cc9180fed262a90b41fd1ade8ab20c48ec271d4761cd202b3d0b3d2a3335b79104550fd04476ff826e19faf34cf1b9d48ee53d4dac39539c572a878

    • SSDEEP

      24576:01RcNgDzLolZghqVf3A1qZoJIBlbtSwSu+BKDCIKAn0xHGVk2dkwbMy56yleaix0:7qzLbqBDWIpskZqGDRMMl2xn3iS

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral25behavioral26

    • Target

      eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe

    • Size

      2.5MB

    • MD5

      1e5801255eb014a44c56370d9c7e5019

    • SHA1

      9000eacf24a374e6e8512dce6deaae28454ea422

    • SHA256

      eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a

    • SHA512

      d2ba4e8022ba845a124c676b928358b99365691a3b6c4cdc0b488c184325e0cc29bd43ef54833b5c7c527beceab407d96d4d89050bcb6f19fdbc65f7456f8ddd

    • SSDEEP

      49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

    Score
    10/10
    dcratexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral27behavioral28

    • Target

      eb8ab40a3b8c5f7ef38f0720ce0b796ab7369b62db21fc43d9c46dd71dbbf75e.exe

    • Size

      988KB

    • MD5

      1e47165a3c289d818e0992d627d492ba

    • SHA1

      1a76c728e6fa8b57a1f2a277af2c7f851089cd2f

    • SHA256

      eb8ab40a3b8c5f7ef38f0720ce0b796ab7369b62db21fc43d9c46dd71dbbf75e

    • SHA512

      571dfd29b1d6be82eed1786e64e070457e6c78cf6d1098e22154fdc208fd0aba5ddeaba7a68dfa71a7ab515f1c6f46827074e0c70b0933a1ce796379875ad860

    • SSDEEP

      6144:9WusAIFB++velibxPyp/64wjOjn6cB3rZtT/Yq3v9Auky+4N1vbMM/c51k:9z7IFjvelQypyfy7z6u7+4DvbMM/c51k

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      ebe2e28a80ef59e70bca6e005782732e.exe

    • Size

      885KB

    • MD5

      ebe2e28a80ef59e70bca6e005782732e

    • SHA1

      fd22205faabb86821db5c7f5d626ea8784d39731

    • SHA256

      53b4ab4625fc60780e7ef00317080ded6f6ec02dcdbb6d681f8665918abd6b91

    • SHA512

      6e5331f768f709e4f9b5a3a2d85d381e3c6d8b0e04fe3237bae6ade2a3ad4b4831cf93518705119226f70b735d90c44abf4c38ea2eb44d2a8d8c58b7da085aec

    • SSDEEP

      12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

office04hackedratvmprotectmicrosoft wordquasarnjratdcratstormkittyumbral
Score
10/10

behavioral1

quasaroffice04spywaretrojan
Score
10/10

behavioral2

quasaroffice04spywaretrojan
Score
10/10

behavioral3

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral4

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral5

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral6

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

defense_evasionexecutiontrojan
Score
10/10

behavioral10

defense_evasionexecutiontrojan
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

dcratinfostealerrat
Score
10/10

behavioral14

dcratinfostealerrat
Score
10/10

behavioral15

dcratinfostealerrat
Score
10/10

behavioral16

dcratinfostealerrat
Score
10/10

behavioral17

dcratexecutioninfostealerrat
Score
10/10

behavioral18

dcratexecutioninfostealerrat
Score
10/10

behavioral19

vmprotect
Score
7/10

behavioral20

vmprotect
Score
7/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

stormkittydiscoverystealer
Score
10/10

behavioral24

stormkittycollectiondiscoverypersistenceprivilege_escalationspywarestealer
Score
10/10

behavioral25

Score
7/10

behavioral26

discovery
Score
7/10

behavioral27

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral28

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral29

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral30

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral31

dcratinfostealerrat
Score
10/10

behavioral32

dcratinfostealerrat
Score
10/10