General

  • Target: archive_3.zip
  • Size: 48.5MB
  • Sample: 250322-g6vdnatkw8
  • MD5: 37c09f96c638a66b382013a378537950
  • SHA1: c2e00f7e1d01f83396d82628e5b1d28c6a97897d
  • SHA256: 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8
  • SHA512: 0b504744e13a4a1c226bdc54b4b5f01f1e524700bcf2d27e51110d3ff81e28866ae43793f1412ee419a5c692fcefc1758a9846a5e84ea959c4bff51812f8eee0
  • SSDEEP: 786432:4af8pyQ37Bg5yQ37Y6umTyQ37dAdhkAJXPcaPEmRmRrs31OzJI8LmEzUBSs8ZUbJ:/9QdggQAmeQelfhMbQ3YI8LrmSQLWQV

Malware Config

Extracted
  • Family: njrat
  • Version: 0.7d
  • Botnet: HacKed
  • C2: ghwls44.codns.com:5552
  • Mutex: 0d8b02a53f25f0cbfad93db79a63a5c6
  • Attributes
    • reg_key: 0d8b02a53f25f0cbfad93db79a63a5c6
    • splitter: |'|'|

Extracted
  • Family: snakekeylogger
  • Credentials
    • Protocol: smtp
    • Host: mail.omzpnomatik.net
    • Port: 587
    • Username: [email protected]
    • Password: Mustafa2023x

Extracted
  • Family: xworm
  • Version: 3.1
  • C2: request-busy.gl.at.ply.gg:6728
  • Attributes
    • Install_directory: %AppData%
    • install_file: USB.exe

Extracted
  • Credentials
    • Protocol: smtp
    • Host: smtp.yandex.com
    • Port: 587
    • Username: [email protected]
    • Password: Boy12345#

Extracted
  • Family: vipkeylogger
  • Credentials

Extracted
  • Family: remcos
  • Version: 1.7 Pro
  • Botnet: Host
  • C2
    • 213.183.58.19:4000
    • systemcontrol.ddns.net:45000
    • systemcontrol2.ddns.net:45000
  • Attributes
    • audio_folder: audio
    • audio_path: %AppData%
    • audio_record_time: 5
    • connect_delay: 0
    • connect_interval: 5
    • copy_file: remcos.exe
    • copy_folder: remcos
    • delete_file: false
    • hide_file: false
    • hide_keylog_file: true
    • install_flag: false
    • install_path: %AppData%
    • keylog_crypt: true
    • keylog_file: read.dat
    • keylog_flag: false
    • keylog_folder: CastC
    • keylog_path: %AppData%
    • mouse_option: false
    • mutex: remcos_sccafsoidz
    • screenshot_crypt: false
    • screenshot_flag: false
    • screenshot_folder: Screens
    • screenshot_path: %AppData%
    • screenshot_time: 1
    • startup_value: remcos
    • take_screenshot_option: false
    • take_screenshot_time: 5

Extracted
  • Family: remcos
  • Botnet: Host
  • C2: 213.183.58.19:4000
  • Attributes
    • audio_folder: audio
    • audio_path: %AppData%
    • audio_record_time: 5
    • connect_delay: 0
    • connect_interval: 5
    • copy_file: remcos.exe
    • copy_folder: remcos
    • delete_file: false
    • hide_file: false
    • hide_keylog_file: true
    • install_flag: false
    • install_path: %AppData%
    • keylog_crypt: true
    • keylog_file: read.dat
    • keylog_flag: false
    • keylog_folder: CastC
    • keylog_path: %AppData%
    • mouse_option: false
    • mutex: remcos_sccafsoidz
    • screenshot_crypt: false
    • screenshot_flag: false
    • screenshot_folder: Screens
    • screenshot_path: %AppData%
    • screenshot_time: 1
    • startup_value: remcos
    • take_screenshot_option: false
    • take_screenshot_time: 5

Extracted
  • Family: asyncrat
  • Version: 0.4.9G
  • C2: corporation.warzonedns.com:9341
  • Mutex: 480-28105c055659
  • Attributes
    • delay: 0
    • install: false
    • install_folder: %AppData%
  • aes.plain

Targets

    • Target: 08ced0b9853b7831e9f562c15ecbfb06a676bc1e9e133a6f9264e4bb7dd2049b.exe
    • Size: 1.3MB
    • MD5: 133aa017463cb6cacf2126c1f1253095
    • SHA1: e9a7a4ec2aaea967afccac50c08953b45db70ff0
    • SHA256: 08ced0b9853b7831e9f562c15ecbfb06a676bc1e9e133a6f9264e4bb7dd2049b
    • SHA512: ae9a3418e4d4a03bcfc85526454ff7f9621995df75898fafd8f565b9d3b1d29f034936fa335aded384e9dcd915cbe9e322fdfb70648259769533f6f9627403a1
    • SSDEEP: 24576:cSexfdreGMUzwpFOeSX2Pe3iDcZ/rG9dT5v/PhdR:ZRGhuFOeSX2C9G9v/Phj
    • Snake Keylogger
      Keylogger and Infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Snakekeylogger family
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
    • Size: 1.6MB
    • MD5: 3f11fa2cd76162ff88f473e5ce7370bd
    • SHA1: c9d23fd0b96a490dd737f8cee733d2efdebe5b17
    • SHA256: 0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624
    • SHA512: 2c54a9e1dd2eb6cd53517f4731920bfa324aa867a81adefee61f1ec487ba1f38a2f403e0f083b73c489281f7956dad294e3c179bcf71e8392ec01c039be13c75
    • SSDEEP: 24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
    • DcRat
      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.
    • Command and Scripting Interpreter: PowerShell
      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE

    • Target: 0973173c13d86b9430c7f43bb76a0496.exe
    • Size: 272KB
    • MD5: 0973173c13d86b9430c7f43bb76a0496
    • SHA1: b494afc415507920bad5d3e574786f607fcfb8a3
    • SHA256: c4dfa221f0192780a5b185255a59384cda6aee2de0ce13498edf85e92342c39b
    • SHA512: 44f82582e5d57582f0fcb9be1bdcee7a623f89715b6f6ba4b3df9b1824b97d611866446da368398b62134391f3c63f168c0371e92732af2ae71cd4a83ef9bbf9
    • SSDEEP: 3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdTt:WFzDqa86hV6uRRqX1evPlwAEdJ
    • AsyncRat
      AsyncRAT is designed to remotely monitor and control other computers written in C#.
    • Asyncrat family
    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: 098168b2280eefaacf38576dc5c2ef26b9d27034c62094aa4273aa4ccb24e7dc.exe
    • Size: 136KB
    • MD5: 2f895cecfca4864762f3fc4f9824b1d5
    • SHA1: 473d869827e00c166977718907c289e48c8e599f
    • SHA256: 098168b2280eefaacf38576dc5c2ef26b9d27034c62094aa4273aa4ccb24e7dc
    • SHA512: bdda49fa876eaade3247efba192924ef2e67f7e93f41bcd8c37d3c5ebebb4091bfe7a167a0796cf5187d08b786071399558e728f3d4ac420816b444877dfbfb1
    • SSDEEP: 1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKd:xPd4n/M+WLcilrpgGH/GwY87mVmIXt
    • Remcos
      Remcos is a closed-source remote control and surveillance software.
    • Remcos family
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: 09a344d3dad53e34501fb523f1c35f2f.exe
    • Size: 85KB
    • MD5: 09a344d3dad53e34501fb523f1c35f2f
    • SHA1: 152917574da9739fe354e19ecf0bc24c68bac2bd
    • SHA256: a3cb2bc97c93afbd75583a7bf3eab46179ee7233ebebdc32c3e46b8fd062956d
    • SHA512: 34930bb741f3d24e780f3bbe7821d20c3bdb0e11456da39e44abc0332b9068541170f4c6e244ed50abc22529cc2984b02734ffe209fd564ad4a393df42cdca80
    • SSDEEP: 1536:j0nPVmOiyMChXYxrg94Ko//xNB/yim/1y1ejY6yFOBOXj9:4nvdPhXYxrg9zet/yjgf6yFOBMJ
    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Xworm family
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application

    • Target: 09b5a73b30c3c0c56d3b973a837a6284.exe
    • Size: 885KB
    • MD5: 09b5a73b30c3c0c56d3b973a837a6284
    • SHA1: 2684da78d21f04c153436304950448a41e989f69
    • SHA256: 0993169c4eec852201fcf3719983b5a00a356111c2ad86b89b293ef157a2e712
    • SHA512: 49ecb467a265f962e9634e3cad074e95534e8389673c9dd70cbe738677b9770878c088273d22cc4303b4a54b8f4acf876b504d4e0ce1b09b8b7a8ab12a639dc3
    • SSDEEP: 12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u
    • Score: 10/10
    • DcRat
      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE

    • Target: 09df096633080be658753777a8e7feea.exe
    • Size: 1.9MB
    • MD5: 09df096633080be658753777a8e7feea
    • SHA1: 4b1b789ff3db59b07c1013c527273c350e78bf08
    • SHA256: 63671cdfb5eddd70bfa3e97395c34e860c217a0838c853029ca85a40a5520298
    • SHA512: 7216e17df59456ad6d0139be6ddd65c02c6f58519acc0f57aaacc7f7728d362abdd1470ebb5be67a1c446ae8ba1c596cf4d19ba8b8dbc65bbe5b241fb5a7b32a
    • SSDEEP: 24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • Command and Scripting Interpreter: PowerShell
      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Checks whether UAC is enabled

    • Target: 0a06fa9dd00cdb3428faa863184cc6c2.exe
    • Size: 941KB
    • MD5: 0a06fa9dd00cdb3428faa863184cc6c2
    • SHA1: 3a559d2334a2b33fb87916839af7cfc048a49bd0
    • SHA256: 527585387c3e86c046e9b2ca1f7c5204d0d26caa417f69825f5e379d4e8a0170
    • SHA512: 93cd9e7f007dd94da9562e4d286730f896ef597ff73fb22e5b2e8620dd528b33790738d4b5e3ad1f05f6b799c014258544557a23cca38197bfd3bd5a13d9428b
    • SSDEEP: 12288:vz7IFjvelQypyfy7z6u7+4DvbMUsIvOck:vz0FfMz6TEbMUs8OV
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Unsecured Credentials: Credentials In Files
      Steal credentials from unsecured files.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 0a0c745477f1243667cbaf590f0e5dfb.exe
    • Size: 580KB
    • MD5: 0a0c745477f1243667cbaf590f0e5dfb
    • SHA1: 63d6b0d51020dad8d23ce4d5f4fafe8e8d94a506
    • SHA256: 38ad3c5d278f2abf6ebb5a310c4de06dda97a13fa3d90037e870fd53e2bb4f17
    • SHA512: d5bb5b76261d6d3a00856202a93728542f3f90fb910e2d3da16d20eacf818d22e36bcb4278b47ac80a94a2d0ece4224653099ee4b94b1806192dc4fa3cefcd36
    • SSDEEP: 12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7x:rBJwdhMJ6ZzHrfcsMGTfZ5Px
    • Imminent RAT
      Remote-access trojan based on Imminent Monitor remote admin software.
    • Imminent family
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: 0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
    • Size: 1.6MB
    • MD5: 2cd96728fb8f5bef05b7c1d14200ffa0
    • SHA1: 9c1ba4495ad7bb48aaac4123f62528ab80485c3e
    • SHA256: 0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310
    • SHA512: aa6b10a50e766cc1203e05eb63eb6299cd528e836456368d3a2aa45dcf51cea26aa1380256e93e59245b0275d3568aeb8e9968e764c6d81483e77c258ea449f9
    • SSDEEP: 24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
    • DcRat
      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.
    • Command and Scripting Interpreter: PowerShell
      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE

    • Target: 0a29f2916bfe7d25154bdee719d97af7.exe
    • Size: 736KB
    • MD5: 0a29f2916bfe7d25154bdee719d97af7
    • SHA1: 456db7219be5b82adebb9a50ff382a659d84f902
    • SHA256: f524e8de3a298a9465202bb6307e8df95fe0372b7c9b005c79ea5ee7127e7b24
    • SHA512: f9d0cc334a0e29ebe5a2764038ab83de0bba1ba550478019ab7de34a16f50a4abe1ee98fc8839eb3a3441ed5826ed1e6c71cddac3643c340d8ad27288bf2c361
    • SSDEEP: 12288:o0tbNOJXLCspqjkoTSwO7A+pmSwkqePQBNwSBEowOgvvXfP/6ruDt24VDrSeKgJc:o0JNCXLCsyknFwkewcevvCwieKgb
    • VIPKeylogger
      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
    • Vipkeylogger family
    • Command and Scripting Interpreter: PowerShell
      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 0a2ec00b91350189993338c37f03ee32.exe
    • Size: 572KB
    • MD5: 0a2ec00b91350189993338c37f03ee32
    • SHA1: e7f502f05bc6ef911dfdc9b83145953bdec4a478
    • SHA256: 602226be2e7546c3f81965f017ab86f87341bc6079600f0a2d6999effe23b789
    • SHA512: f3a44312cab5f3c48e2ad5a53b09b3fefc33b6d45630629a77f9c0e7dec626f439223564e571c537a77c1027a58e9b5b19820b50a875b9814d5034c6a6ff339a
    • SSDEEP: 6144:4tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rigZG:s6u7+487IFjvelQypyfy7igZG
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Unsecured Credentials: Credentials In Files
      Steal credentials from unsecured files.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 0a7efdf437b268455f4d328ffb164701.exe
    • Size: 1.6MB
    • MD5: 0a7efdf437b268455f4d328ffb164701
    • SHA1: c8004052c57affe1a1dcd8a4c85d1df28f980fc9
    • SHA256: 4fbccd0e2aec34305c845e4f50ff90aeef7701d2e94e866ba47f9e4b0beb2b92
    • SHA512: 2fe6c1531ac2fe4ef6a128b132dad6bca73db277d884924433e814e2b7b89757ef7fc9b6d127fdf29b4776f8b3c5ea80d5593d3476db3116efcfc0b778d23720
    • SSDEEP: 24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
    • DcRat
      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.
    • Command and Scripting Interpreter: PowerShell
      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE

    • Target: 0ab7e56cada9281e0177e5b1bd800a9e3ab481eeab4719cae1b91f36b1275561.exe
    • Size: 1.9MB
    • MD5: d7122058f59607ff3dc57c88cf2d3aff
    • SHA1: 6a5420d2edcc3e6d04417cf57a1086dca2677db3
    • SHA256: 0ab7e56cada9281e0177e5b1bd800a9e3ab481eeab4719cae1b91f36b1275561
    • SHA512: c34c948986845939118e38109fb5e536e1f01ba0e4f7bad2c2188466ca7227904ff84ae1cdd0c4de79931859d310f5330018bed8f02130af248b1f6dc6a8d62e
    • SSDEEP: 24576:nD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6X:nF+QrFUBgq25eKu6X
    • Remcos
      Remcos is a closed-source remote control and surveillance software.
    • Remcos family
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: 0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
    • Size: 1.9MB
    • MD5: 28e39f9d02ebd13216c240dff7276a30
    • SHA1: 255206f138148168b57856ecff22fa1d08e857eb
    • SHA256: 0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26
    • SHA512: fb4d52179efa3bd1aa83ffc9bc592393a999b2c6c847365e0e4108b10000c6bed9f621bc584650b66a5ecb165b8b372f15d7b780ef5ee9ea99f6dcb502f42d6a
    • SSDEEP: 24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • Command and Scripting Interpreter: PowerShell
      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Drops file in System32 directory

    • Target: 0ace08628fec1c94697c5b0e6bed6ea1a955772fb493a52cde144e662f214791.exe
    • Size: 3.4MB
    • MD5: c492e8c8507de24047598128c068f9b5
    • SHA1: 0102f531e7c1cd9d58280b7409bd5861740b1ea6
    • SHA256: 0ace08628fec1c94697c5b0e6bed6ea1a955772fb493a52cde144e662f214791
    • SHA512: 15edf4eb649784450e8ffbd726888d1b032074b206be7d328bfb35135704eaec50fa1807b3ab608fd3412d42b06b896afb37e5b96f51d1ce08b5e24e77951c72
    • SSDEEP: 98304:hRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/i7:hkj8NBFwxpNOuk2v7
    • Stops running service(s)
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks

static1
  Tags: rat hacked dcrat njrat
  Score: 10/10

behavioral1
  Tags: snakekeylogger discovery keylogger stealer
  Score: 10/10

behavioral2
  Tags: snakekeylogger discovery keylogger stealer
  Score: 10/10

behavioral3
  Tags: dcrat execution infostealer rat
  Score: 10/10

behavioral4
  Tags: dcrat execution infostealer rat
  Score: 10/10

behavioral5
  Tags: asyncrat discovery persistence rat
  Score: 10/10

behavioral6
  Tags: asyncrat discovery persistence rat
  Score: 10/10

behavioral7
  Tags: remcos host discovery persistence rat
  Score: 10/10

behavioral8
  Tags: remcos host discovery persistence rat
  Score: 10/10

behavioral9
  Tags: xworm persistence rat trojan
  Score: 10/10

behavioral10
  Tags: xworm persistence rat trojan
  Score: 10/10

behavioral11
  Tags: dcrat infostealer rat
  Score: 10/10

behavioral12
  Tags: dcrat infostealer rat
  Score: 10/10

behavioral13
  Tags: defense_evasion execution trojan
  Score: 10/10

behavioral14
  Tags: defense_evasion execution trojan
  Score: 10/10

behavioral15
  Tags: collection credential_access discovery persistence spyware stealer
  Score: 10/10

behavioral16
  Tags: collection credential_access discovery persistence spyware stealer
  Score: 10/10

behavioral17
  Tags: imminent discovery persistence spyware trojan
  Score: 10/10

behavioral18
  Tags: discovery persistence
  Score: 7/10

behavioral19
  Tags: dcrat execution infostealer rat
  Score: 10/10

behavioral20
  Tags: dcrat execution infostealer rat
  Score: 10/10

behavioral21
  Tags: vipkeylogger collection discovery execution keylogger spyware stealer
  Score: 10/10

behavioral22
  Tags: vipkeylogger collection discovery execution keylogger spyware stealer
  Score: 10/10

behavioral23
  Tags: collection credential_access discovery persistence spyware stealer
  Score: 10/10

behavioral24
  Tags: collection credential_access discovery persistence spyware stealer
  Score: 10/10

behavioral25
  Tags: dcrat execution infostealer rat
  Score: 10/10

behavioral26
  Tags: dcrat execution infostealer rat
  Score: 10/10

behavioral27
  Tags: remcos host discovery persistence rat spyware stealer
  Score: 10/10

behavioral28
  Tags: remcos host discovery persistence rat
  Score: 10/10

behavioral29
  Tags: defense_evasion execution trojan
  Score: 10/10

behavioral30
  Tags: defense_evasion execution trojan
  Score: 10/10

behavioral31
  Tags: defense_evasion execution spyware stealer
  Score: 8/10

behavioral32
  Tags: defense_evasion execution spyware stealer
  Score: 8/10