Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
archive_13.zip
-
Size
40.0MB
-
Sample
250322-g6tr5azsbx
-
MD5
db92218cb652ba5e679f6136fab8f5eb
-
SHA1
5bb7b9e016e72f82f3bed38d3e90aacfb0383807
-
SHA256
5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8
-
SHA512
40f28ac8b3d704958e02c9c694e03dcadaca28b2197c0b5b9a92ab5df7c46568e8e56f49b08206318f09892306ff83873e20cd0030856125d027e46787bb1cba
-
SSDEEP
786432:6NTyQ37YoQPaPnEd00oDL0LSnLuPZD776CSyImXaQaCZxf/ctXvwi:MeQlQanO00oDoLSyBhxIipaD
Malware Config
Extracted
xworm
gas-representative.gl.at.ply.gg:28749
master-decor.gl.at.ply.gg:43820
127.0.0.1:7000
-
Install_directory
%AppData%
-
install_file
system.exe
Extracted
umbral
https://discord.com/api/webhooks/1351005466335121518/twCTnfzoSiI-aCcNO4qPr6FH-T4gOkPWQV2wxS9C01GGw7XemgcLtgFXaMAxuEVtAD2v
Extracted
discordrat
-
discord_token
MTMzODE1ODY5MDUzMjA2NTQ1MA.GtXorc.j6mFX16JgeG_cuIkV6MhYza6EyxxjwaUH0pJJ0
-
server_id
1338122316436996187
Extracted
asyncrat
Venom Pwn3rzs' Edtition v6.0.1
V-lg60
37.48.64.102:4950
yawyrgpacvfvsfgbz
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
remcos
Host
213.183.58.19:4000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
read.dat
-
keylog_flag
false
-
keylog_folder
CastC
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_sccafsoidz
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
326fcf48062cbb0bacf4663fee8a51c740e810ee0477fcf6eb3e8c5420909e79.exe
-
Size
281KB
-
MD5
11a206843f7380a2768c3ef10d7d287b
-
SHA1
39df631695e0cd57e95239e07b4ccb3f133b4cde
-
SHA256
326fcf48062cbb0bacf4663fee8a51c740e810ee0477fcf6eb3e8c5420909e79
-
SHA512
aa96cd1a0dba83fcd9e6eebb6f19239586bb65e9a66ccdd301a62df9ee0eb601849bb84ffd359d334e632a6f310093df7f6b4e3277776a6db9416fae0a188ab5
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66faD:boSeGUA5YZazpXUmZhZ6iD
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-
-
-
Target
3293f41661f096b9d6839d0389f94416.exe
-
Size
281KB
-
MD5
3293f41661f096b9d6839d0389f94416
-
SHA1
a6859f9404d495fae0d97943cbe1eca18533d88f
-
SHA256
5184fed556ebc70582af5db9792f111346abab38aa5f022769fbb2b82d64708d
-
SHA512
4e52d61fc3a1fd2813c86cce57e139dfe22587d97be2eb5beb2f3e2410a0f2aaa0a2a0475ab2f130062b7b7bf3d1a162c375ea7dc3eb5051ad9bd6913d637a20
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66faS:boSeGUA5YZazpXUmZhZ6iS
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-
-
-
Target
32af824687697346da2d415bfb80fa29.exe
-
Size
13.1MB
-
MD5
32af824687697346da2d415bfb80fa29
-
SHA1
bc83dec747cc6fc84c61df9df6d0ca5e82227040
-
SHA256
cc1927347aa066e1fca14fe1669362dd817ee950f9727a38e3a7b8ced8553062
-
SHA512
873e74cd1623ee150d3528ba42875048e379e1a577b828215c35f4375bd9817ab25c21113353c3107dc4ab3bcd076a6df5191647c19b373e1472d1b38fbca719
-
SSDEEP
6144:RAIvHAsjfyx0Sd/jkraPjhEe6VlWT8b9AtHqrXjXx4uzTb8M59cTT4l2P:RAWx5raEPVle8/rttzEccTQY
Score10/10-
Modifies WinLogon for persistence
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
-
Size
484KB
-
MD5
a343fed4bd504af60503fbd80efa5326
-
SHA1
239da9a238861c2e9fcd0cfc534259116f283eeb
-
SHA256
332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5
-
SHA512
d62b44e5c9637f10a7b0c54db4f389a16888a5132673375daf5cf0ad2fe2302adb17a3630599dc512a4aa18fceb8f47b7324a7c6c66c6823446894b642181b19
-
SSDEEP
1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
337f25a258012c5c5802696b2f2b1a51.exe
-
Size
322KB
-
MD5
337f25a258012c5c5802696b2f2b1a51
-
SHA1
06269501194236c5086c4883e169b17d9202e685
-
SHA256
85fa680ff456723ad6dbcbc48f9e5baad961aa7d67143bf5e277268be7035a1f
-
SHA512
9289327fa5c573c0a4c8998ddad6a5740c887302053c30a3c1e1eb8246501305f3e63d63ad7abb9c6f20be42790c37dddcd8e88ec01590db345ad70528f50bfd
-
SSDEEP
6144:ejWTebuRcLMjH5WBz2YT7jRhMV1gEpkNkMdP+D202ZDa:kWTzcLMjH5GSpjGP+I
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
-
Size
1.6MB
-
MD5
43460cdfde5083d6f692f08813ef6dd1
-
SHA1
55756e184df04ffe1c502a40f8f859de16d19003
-
SHA256
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b
-
SHA512
23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66
-
SSDEEP
24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875.exe
-
Size
446KB
-
MD5
68e298b36db386382e7dfbe5bd784699
-
SHA1
123700bc8004ee6c9967a6818689658c23cf4996
-
SHA256
342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875
-
SHA512
879f41008ddd3464026b5c93338246fddfcc640e2790bf3d106555e22103dde1bfc33e23125e891a676daa263635518142cbf481f91b0671adfadce63222a562
-
SSDEEP
12288:CEgwe8+6XzGT4DaHK8mzQz9vIQozyiScxvN4HZwujQ:C1wjDaq5zOgRzyQvNKh
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
344b47e81ef94c8f7a3a1c229f4c167bcb516900647d82936084677320a4960c.exe
-
Size
246KB
-
MD5
6f6984234dc6714ab8fb6ff673423d1e
-
SHA1
2976c3f2a47b976913758c1800db5350498a3bc1
-
SHA256
344b47e81ef94c8f7a3a1c229f4c167bcb516900647d82936084677320a4960c
-
SHA512
686e2919cc945ac930073f9244435e40a2fa135a911ac26822c27ea9bb13b1e72b7beb828ca5ed8c45c18c349f11669bb9d0b41f246a7837755545d49627e6d5
-
SSDEEP
6144:5loZM7rIkd8g+EtXHkv/iD40M1nMS1NmPzus9x45Pb8e1mqiv:LoZcL+EP80M1nMS1NmPzus9x4dcv
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
345db905b17d371d0355419841ad7d8a.exe
-
Size
8KB
-
MD5
345db905b17d371d0355419841ad7d8a
-
SHA1
3835b14ef9f753d09ef8ecb1cec95cb7e6c21b05
-
SHA256
f0e78989bf53872845049f3bd65c749a952a731c02c6a2ab4d7c2fc49324d84c
-
SHA512
b72316f6ad09368d52fb46a79d3c33308c55897248a9c2d9955cc9cb1e9173142d1541e084cd781e938e4faf989894225d9fc33c442ff11dd83e1aa3b324df6a
-
SSDEEP
96:XAvwadJ8k2fqmNkFMEcE2UYlnlYJnLDXL0Kffs179KIV61r5tXmmRgCS+8/Tl:QPJx8hNq0VNnlYJLDXLT+9Klb2CSt
Score3/10 -
-
-
Target
34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
-
Size
1.9MB
-
MD5
34655ac11b4f6a8d6f1ea8e2fbbe0676
-
SHA1
d17ed388047ec77145ef4c96e3760ea94985caa7
-
SHA256
75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688
-
SHA512
2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2
-
SSDEEP
24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
-
-
Target
34a292bd76e629b9fd512f94ba2f6bea582de6e9f7cdc0129c233fa4df357ab7.exe
-
Size
910KB
-
MD5
78b459487d77b2af6ddfcc1e82e86832
-
SHA1
4bd3949d2f1704e5d50befa9998631e59a29fb4e
-
SHA256
34a292bd76e629b9fd512f94ba2f6bea582de6e9f7cdc0129c233fa4df357ab7
-
SHA512
0b719d230d6e2dc90723f7cfcb54e934e8e61d28dc7e432053a881fd432c8a9dad4b3ac3949c984649b20a6ffa5db32a15d56d04da5f51638ade64a653a1a863
-
SSDEEP
12288:7p+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9Ma:7pugRNJI1D39dlfGQrFUx9Ma
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
34d765717a065c8984c1663ed6d88c18ce58ea3a1780da7947d9686ff01f1ee4.exe
-
Size
580KB
-
MD5
8cfc3f50d92b1919d85306fa26d53a73
-
SHA1
9bcdae674f2508df2e9c98fe441d4e0fa9bb85e4
-
SHA256
34d765717a065c8984c1663ed6d88c18ce58ea3a1780da7947d9686ff01f1ee4
-
SHA512
04c62010776379fb46f90081db7cc4040ccaae373610475088fd891bc487d8e3a4c7396d73a1941538c398bd639b04d1e9cd0271ed596eaa80cd2b62162dff55
-
SSDEEP
12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7J:rBJwdhMJ6ZzHrfcsMGTfZ5PJ
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe
-
Size
211KB
-
MD5
dfc95dfdc917270aedadb22238d7cae8
-
SHA1
91c80164d7411805c86fa014536fb7d74cab616d
-
SHA256
34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9
-
SHA512
fd97d703d4d57f5bfb38426fec2d343234258c5c8c5559662d6917a8770a7001b8011cfae812cc7aa9ccc5947d4b37db610f459ec58d7602ef55884334e79745
-
SSDEEP
3072:Zp8Lc70UkL/JHt6RpkBzEhE0faKQAc7lGZPHb/5FVuBJ+U53TXbYwEKXFR:ILTr5t6Rpk8E0CZSb1gpEKX
Score10/10-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
350eba0e7b89b10b4b0f886f34ddc62dec985f55ef6ee0f9f5a7e93da5cdac2b.exe
-
Size
2.0MB
-
MD5
e2a8f9c3e2d7e7a4676e00faf4936624
-
SHA1
80b1b2aba8e059c04cb24a98a80c707f588f0672
-
SHA256
350eba0e7b89b10b4b0f886f34ddc62dec985f55ef6ee0f9f5a7e93da5cdac2b
-
SHA512
346bf29a29ac694aba4453bca42bab9cbec51d893508f7767e14072233ca2e34a9ce5e4c78c2189958e392a609576531b3cca2695ff7e2ef497c8c74604f5434
-
SSDEEP
49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
-
-
Target
353233e5a415519357daf1258d66e8ec.exe
-
Size
1.2MB
-
MD5
353233e5a415519357daf1258d66e8ec
-
SHA1
0e19761907c0be60353733092cc0a31a07bfc52d
-
SHA256
3af5cc1b136250c241fb66a28ed1e21225ae414d51ce854a6ca2041793ff5f18
-
SHA512
d02d80a982ef42500b7883bb51a4a98f85feb90b990a61702e1281a9e76b9806deb71a7745e82cd77841965eabfb4cc573583646993e0bc65e031c258fc6c55f
-
SSDEEP
24576:7lUzGRo8D89NAF7ttEL48EobWkCfjCZmRxA1+rc9TwFSKAbe/x0yb:8GLD89uFDQbWkO42xA1kc6bAbe/a
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
35459ca7521a8565cf4acaadd346537b.exe
-
Size
984KB
-
MD5
35459ca7521a8565cf4acaadd346537b
-
SHA1
c22ce5beb121ecbba910dec28dedc0781d379524
-
SHA256
9622708341e5ac35563f5f258ae7736ad0a9f3c5875cfbf6e4570778b2e2c8bb
-
SHA512
691dc64caeb7a892b54c970f5d750a47a525004b162994c7e71eefbd4821c5c65961b2bbf08c356799e005de7c258fede7058cc3cc7f939f5ce1cd4ba40becd1
-
SSDEEP
12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1