Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ee5fd05cf5...c3.exe

windows7-x64

7

ee5fd05cf5...c3.exe

windows10-2004-x64

7

ee69b74300...91.exe

windows7-x64

10

ee69b74300...91.exe

windows10-2004-x64

10

ee907a3b63...42.exe

windows7-x64

10

ee907a3b63...42.exe

windows10-2004-x64

10

eea4dcd11b...6f.exe

windows7-x64

10

eea4dcd11b...6f.exe

windows10-2004-x64

10

eebe0a35fa...82.exe

windows7-x64

10

eebe0a35fa...82.exe

windows10-2004-x64

10

eee37b5af1...b0.exe

windows7-x64

10

eee37b5af1...b0.exe

windows10-2004-x64

10

eeeaec4088...b4.exe

windows7-x64

eeeaec4088...b4.exe

windows10-2004-x64

eeffb35d2a...98.exe

windows7-x64

10

eeffb35d2a...98.exe

windows10-2004-x64

10

ef1a8eac84...30.exe

windows7-x64

8

ef1a8eac84...30.exe

windows10-2004-x64

8

ef5d9dc508...d4.exe

windows7-x64

10

ef5d9dc508...d4.exe

windows10-2004-x64

10

ef9c94ed2f...f4.exe

windows7-x64

10

ef9c94ed2f...f4.exe

windows10-2004-x64

10

efa0bac8ed...d4.exe

windows7-x64

5

efa0bac8ed...d4.exe

windows10-2004-x64

5

efb13a6c7f...aa.exe

windows7-x64

7

efb13a6c7f...aa.exe

windows10-2004-x64

7

efbf15e364...42.exe

windows7-x64

7

efbf15e364...42.exe

windows10-2004-x64

7

efdcbe8680...47.exe

windows7-x64

7

efdcbe8680...47.exe

windows10-2004-x64

7

eff37c0a73...c5.exe

windows7-x64

10

eff37c0a73...c5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_59.zip

  • Size

    120.1MB

  • Sample

    250322-g2sz2ay1fw

  • MD5

    e34747f9e25633d987d3b03db9d6d584

  • SHA1

    a28bdd3027aa07eea8c82a9fd2337d9d5d7a5d1d

  • SHA256

    667cb510540d8e7a6cd30007d30a8ca11110dde57bd03d2cbf87ca6b7868bdb9

  • SHA512

    d45e6669592943f748ff488200b9a8762be9ccfb4cc3b2b98a8521a3e2d8c70f7256e4429c6eff4aede49b33e8efdd9f76fbb40bde49fc506ee3b2f9f2a05113

  • SSDEEP

    3145728:ig3CN/AYN+OvOQ8ZlW/MXN2eCwx5iEM04QQiQm:i/OYgOpx0XYeX/LM16

Score
10/10
blackguarddcratmetamorpherratnjratxredxwormhackedneufbackdoorcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

Version

5.0

C2

spring-ieee.gl.at.ply.gg:5538

Mutex

uGHPZV7WLjELjoF9

Attributes
  • Install_directory

    %AppData%

  • install_file

    Startup.exe

  • pastebin_url

    https://pastebin.com/raw/7PqSDzWd

aes.plain
aes.plain

Extracted

Family

blackguard

C2

https://api.telegram.org/bot5462535347:AAHlP5VsbkJxA-_665IAnlCMhyJqJPhxRsQ/sendMessage?chat_id=5307599783

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

xworm

C2

127.0.0.1:5535

27.ip.gl.ply.gg:5535

127.0.0.1:52828

introduction-notre.gl.at.ply.gg:52828
Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe

    • Size

      13.6MB

    • MD5

      a8df11e04a5378d02af94ac361a89dec

    • SHA1

      000fe04f1a2c25029fbea090936694dfaf44ad3d

    • SHA256

      ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3

    • SHA512

      44f8dcfc741b19283db37d628658ed0f5942fed6cb35b0aae7c0e651349421200d2d53542ee38dee9f94cde03c96f3150d2886d9c1edc727a8f335fdcb085cf7

    • SSDEEP

      12288:nssssDsssssssssssssssssssssssssssssssssssssbsssssssssssssssssssP:7

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      ee69b743006be8b845c65756f0efdb91.exe

    • Size

      45KB

    • MD5

      ee69b743006be8b845c65756f0efdb91

    • SHA1

      1e7096ffd53332ad7863e1eed2ec16df74bed80a

    • SHA256

      7002c8a9a724a1ae7a3134505504fefc80f719541712ba64bec665a4f25ef277

    • SHA512

      f4e93dbf5202ab5522f909ed09ad29fe917d19e7ba5ff0b5b436e881c761de74061c074cc156ea8f03cf39c9f0f6ba4758581ce3f97ee63d73bbce1a214aba82

    • SSDEEP

      768:CJmGUxoBZyRCi0Vvxf7jCNZsorQF+t9eG86iOChUbVgjC:SmjoBQs/VwWFw9f86iOCmV/

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      ee907a3b632b8f170f358fd622afba93c929176f32b3b6db0bc806a8a3cc2e42.exe

    • Size

      956KB

    • MD5

      36bb1d6a080898a3d78ee85fc56adee2

    • SHA1

      69871e4d11ad0ea04a9946199e996e2e65d8e179

    • SHA256

      ee907a3b632b8f170f358fd622afba93c929176f32b3b6db0bc806a8a3cc2e42

    • SHA512

      cf516dfb84aa30f81a06c6307ec7ee510302976b5af34119b7fae108ae8eeba88c4bdaf76796ee6ed42aacc1a1994dd99f8bbbc654189a254c0b698c71cfdaea

    • SSDEEP

      12288:vz7IFjvelQypyfy7z6u7+4DvbMUsIvOcg7:vz0FfMz6TEbMUs8Ot7

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      eea4dcd11b7f7e40bb76cc5d43c0246f.exe

    • Size

      97KB

    • MD5

      eea4dcd11b7f7e40bb76cc5d43c0246f

    • SHA1

      91847b99e1d157c1560e7e1578c8f58bba2297be

    • SHA256

      aec2e4e9a10fca3c6c14da1931179fc80a6176986bc6ff24656a7efa367a53c5

    • SHA512

      5c22f16fe6f9c612fa2a2485c443644bb7dfbc2c601b57a8e74cc53263ea7240aaa1c3ef99aafdfb4db46467113ce31ce269e6dda0ed19b723c19c0529dc7845

    • SSDEEP

      1536:MYxlY23kGwgMBUQGum2U8aVCguHEvQEbFeDVC3woFRKpTded:DlY23kg3sguGDFaXed

    Score
    10/10
    njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      eebe0a35fa5791aae284e3ecd38c0682.exe

    • Size

      78KB

    • MD5

      eebe0a35fa5791aae284e3ecd38c0682

    • SHA1

      00a64541958a45c40879da39e74a25fb87635bdb

    • SHA256

      be7fb2fc4c7be245699e0ee777015cd584fb02dd1cbbea9d477d74307dee0f41

    • SHA512

      227fc9f348fd349b30565f196b7e79977be3995a630c723be85bfe31742a57d4a661b621e401302d422e0955f05283388487be08d2849f99651395c148e5dc5a

    • SSDEEP

      1536:8Py58/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN66t9/C1bq:8Py58en7N041Qqhgpt9/t

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral10behavioral9

    • Target

      eee37b5af157395dc54d091245c04e5be6bbd0ac63101d6016efedaab23afdb0.exe

    • Size

      2.0MB

    • MD5

      9be63a2739e4d6e0f9a0dc1df2480c59

    • SHA1

      168f3f59ac25cb24a59157755597995ec7d5a33b

    • SHA256

      eee37b5af157395dc54d091245c04e5be6bbd0ac63101d6016efedaab23afdb0

    • SHA512

      cd513da52261237bcfdeea7285638a67b08375682ad5db64880ed22991a50c34fbbb436f9e5ccf083660ae538ac2240ef3fc59dd3bcdd5e44e8b7ff4f41e00e0

    • SSDEEP

      49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral11behavioral12

    • Target

      eeeaec4088574f6dede1eb2751e9a793293ea19c5e2f8a8dd4f470cc593febb4.exe

    • Size

      228KB

    • MD5

      12271a8e545f63b540fd07f42f533372

    • SHA1

      94f3f1729aa7d243f3ba1629fd9e34bea103e454

    • SHA256

      eeeaec4088574f6dede1eb2751e9a793293ea19c5e2f8a8dd4f470cc593febb4

    • SHA512

      902ef0095d96b9f158c6700710f1af1362943cc7a350a5ff17df9d509bea7c315b0c2d9ebf077c600257113f1825a0d038da3a2f9f539ccb174ddefc929a016e

    • SSDEEP

      3072:s3+qIP+0lDsm/MeVqummn2bcDH6fGfIkIeCtwbaE6czFKJLgPeI/Kh73WmqcSCJg:IaP+0lp/pn2bxfGflCKbLjko7xlR

    Score
    1/10
    behavioral13behavioral14

    • Target

      eeffb35d2a79c3f83ee7c4a4500b1c98.exe

    • Size

      10.5MB

    • MD5

      eeffb35d2a79c3f83ee7c4a4500b1c98

    • SHA1

      f4e2377bfee4680bb00ee5134cfb860bb965d785

    • SHA256

      55421d015184644cfa29fc2badf383443433ffc72fdbb24f57b341a29e07e90f

    • SHA512

      f1630e3c82ad3bc3f969f96995fe545e383d7ed9dddc70afef907da70dcfbee405cbb7bb58307a12356e73404028a0f4b9467acfc19dd3ddba1fe054c8526c33

    • SSDEEP

      196608:/Nsg4AMgAuNsg4AMgAMNsg4AMgA5Nsg4AMgARNsg4AMgANNsg4AMgABNsg4AMgAh:/Gg4a9Gg4anGg4aCGg4a2Gg4amGg4am0

    Score
    10/10
    xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30.exe

    • Size

      545KB

    • MD5

      c6d7786cb9e334f730ba4fb984b43bf0

    • SHA1

      f67a77aaea6bfc19766500c2100b2aa3d449c328

    • SHA256

      ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30

    • SHA512

      a536128a1ed94efb3e864769a70f0e4786a97c15aab9f8eae431066d783a3e58453fe0bb0cf5bb52586d2a0d2034005771e286d57bd92b5866077d9e26f9d4a6

    • SSDEEP

      12288:PKx6YNxBRA0L1jKwXmsykcJlKRrbW4r2GNnqOs/fKSd/XNKN5A+:E6ERA0Low2TkKlmbW4lNnq7/V85

    Score
    8/10
    execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      ef5d9dc50867f0430aabd8e6696b76d4.exe

    • Size

      43KB

    • MD5

      ef5d9dc50867f0430aabd8e6696b76d4

    • SHA1

      50f1ba52f2c2a267be79420096d6e51eaca51c71

    • SHA256

      dacf484637d5c59cb0f5237ac36f762172b73ead8e16d81a3333656f6eecda57

    • SHA512

      d60699916826738cd0b1c5dcbe1a2e7b2488d08b2936efd6d9067954bd40882d16104cc4df80019a66c3bdf80bcb2f2b20e681c5d89857f22235b31b4efc58c1

    • SSDEEP

      384:ZZy+Hl9n1iDcsyEqt3ptKwQsElGhOEazcIij+ZsNO3PlpJKkkjh/TzF7pWn5mgra:799nU4pEqt5tKhohuuXQ/o8C+L

    Score
    10/10
    njrathackeddiscoverytrojan
    behavioral19behavioral20

    • Target

      ef9c94ed2f87a7be79dfaaa427604df4.exe

    • Size

      1.1MB

    • MD5

      ef9c94ed2f87a7be79dfaaa427604df4

    • SHA1

      ca7fc1e83b76575b172d1e8da2b95a32929004a4

    • SHA256

      897d2f5a9ba328ff88d123d0900e9727fed9da63b44e870f0369233510a8ec04

    • SHA512

      4065d78cd8fa37cd0155fb13f173397601b1b1a669bfd8b8bf7bb0be31c0521aaa03d1dfd18bb437cb154a12e64c9083322d348334829ee79d4b6837d4e4d9dd

    • SSDEEP

      12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral21behavioral22

    • Target

      efa0bac8ed96bc50c4cd73e16850cfd6cf7c6ba23f272d87e534eb7ac250d4d4.exe

    • Size

      19.1MB

    • MD5

      77cb754c49c66714567918e2b77ba85b

    • SHA1

      13e4c54ac8a9fd69ad5d2e832d53be563208f72d

    • SHA256

      efa0bac8ed96bc50c4cd73e16850cfd6cf7c6ba23f272d87e534eb7ac250d4d4

    • SHA512

      001feeddb93d1979f188b4d989116e926e7169a1fead041b3830cf86760f7b0e7e90fb0dc4170af8673a7455de65c971e530334e2de920e07a70f828c57d4bf8

    • SSDEEP

      393216:mdesClDlJTOtTLpQONm5v0NDktFGjTPE8SFYm6Tshrq1zaXu419VCIF:md4ZO9aONm5v0NQWj4lXmFa+419VCIF

    Score
    5/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral23behavioral24

    • Target

      efb13a6c7f3b3923b440d094e7abe8aa.exe

    • Size

      2.1MB

    • MD5

      efb13a6c7f3b3923b440d094e7abe8aa

    • SHA1

      d32ce22d33ded09ae5d11a240b320945de13a403

    • SHA256

      3922011926532435941a3806520a838edbc986796fd30b8b7ec631a8c2ecbff8

    • SHA512

      01254aa10451874e82701d07f0adeb6b70a55818b0c21ac7bbc1a4c1d1ad073670ebe8d7241c5ef7bf405aecacdfc579bfe703de491cd44b165f700bf49114fa

    • SSDEEP

      49152:KB/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cfq:q

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral25behavioral26

    • Target

      efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe

    • Size

      50.8MB

    • MD5

      272ac1334eee433b37db2477cf45b100

    • SHA1

      3a0f26e058b1cad27accfcb0f8cdc58d5ebb1146

    • SHA256

      efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542

    • SHA512

      4565c9b13522dd619c36b8df04f5ff873a89ee559fbe97cd7f53d4db24b9e6c125dbaa5e87178241de07ad2d2f2fd98e5ecff8c233e730ff6031545d4b600869

    • SSDEEP

      1572864:VeWso3p+etILvQobxYcU6oBOHH94dpDyNcdJxkU2d:VHss+h3QZOHH8yCm5d

    Score
    7/10
    defense_evasiondiscovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      efdcbe8680cf18754cb9d1895a148647.exe

    • Size

      4.0MB

    • MD5

      efdcbe8680cf18754cb9d1895a148647

    • SHA1

      c038e7bb64758f6475ab1e546fbf933a1f591dba

    • SHA256

      f30ee201a602cb5e5018e1fca40051eede97e6ee253d5d78f2b4144ec7c693d0

    • SHA512

      f0bfaac8a24233b129b570a02df0959884ad3d02eeeacebad13678ad55cae18c24c029007bed9ae7445f8ca094028bb998e088e628774d1ac1a2e8233edfc6e0

    • SSDEEP

      49152:eojzt8EQHJxZexzJNRL/8n5jYjViRPK3Fi8BdS1P+iKj6k+vp0T8+HEYT8+HEsTG:eojzGlcvGt

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral29behavioral30

    • Target

      eff37c0a73a6e26dacdcb0ed3001e2c5.exe

    • Size

      36KB

    • MD5

      eff37c0a73a6e26dacdcb0ed3001e2c5

    • SHA1

      39497770cf0aab8b77e4fa9f6282002051bfe347

    • SHA256

      7c64fb861dc56d82df0f3915492c0614624999cf9ec72a42f957e986dd628639

    • SHA512

      fdc3de44ca49627120f2d349804b3453877f705b4bfad8dfaeb52fcce6770a04628d69fc6d63c8c4ebffdfcf422db6ab221c47c29c17affaac37403db53ded71

    • SSDEEP

      768:W65+GilKzo6tIpmAmOe6W4oJ5Fyw99Sv6KO/hky4VR:Wu+Gbzo6t9Au6GTFr99G6KO/yjR

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

rathackedupxxwormdcratblackguardnjrat
Score
10/10

behavioral1

discoverypersistence
Score
7/10

behavioral2

discoverypersistence
Score
7/10

behavioral3

xwormrattrojan
Score
10/10

behavioral4

xwormrattrojan
Score
10/10

behavioral5

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral6

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral7

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral8

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral9

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral10

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral11

dcratinfostealerrat
Score
10/10

behavioral12

dcratinfostealerrat
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer
Score
10/10

behavioral16

xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer
Score
10/10

behavioral17

execution
Score
8/10

behavioral18

execution
Score
8/10

behavioral19

njrathackeddiscoverytrojan
Score
10/10

behavioral20

njrathackeddiscoverytrojan
Score
10/10

behavioral21

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral22

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral23

upx
Score
5/10

behavioral24

upx
Score
5/10

behavioral25

Score
7/10

behavioral26

Score
7/10

behavioral27

defense_evasiondiscovery
Score
7/10

behavioral28

defense_evasiondiscovery
Score
7/10

behavioral29

discovery
Score
7/10

behavioral30

discovery
Score
7/10

behavioral31

xwormexecutionpersistencerattrojan
Score
10/10

behavioral32

xwormexecutionpersistencerattrojan
Score
10/10