General

  • Target

    archive_7.zip

  • Size

    29.8MB

  • Sample

    250322-gv683ssr18

  • MD5

    efd13eb66bccf795ebfce3ca797ebacf

  • SHA1

    7e98af897b5ceb29351c7788d3d73405206d4b0e

  • SHA256

    6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

  • SHA512

    7161e2738bad4f1ac4327bb52c22de670d740eaeb37f4361460a78d24199810f13d6cd15e7d4b7c9f4f09b0430e696a0949e8d144cbb2ae2c9163dc4229e92a9

  • SSDEEP

    786432:wyQ37QmxFI1md+3Jx9S//yxNCl/OVsT1Uc1r/6upFgi//yxNePahl:DQcmTYx3ZKaWlmy2uLpLaqG

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351374291261718571/m5LIIWlqorXnzT48pitTuxfMUMetQJ52rJhbTqyDfIywVmJ3ZnM3iUIHTa3R0uTiMSFB

https://discordapp.com/api/webhooks/1350073573628182561/2DYub47A6xP1fSHyBXOEXtL2QCQa8H7j7N6MESy4JU7oXWwRid56lZYZdUgZ5LsMARNG

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.55:4782

Mutex

87124d35-b950-4c06-bdf9-de6bd7aaa9ef

Attributes
  • encryption_key

    CF3A949D653E8E253D64DB361EE16669CD9DE402

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

gdgdfgs.ddns.net:1155

Mutex

111bb0701ad9b05569f09b860219d4d9

Attributes
  • reg_key

    111bb0701ad9b05569f09b860219d4d9

  • splitter

    |'|'|

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    dasdas

Extracted

Family

vipkeylogger

Credentials

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      192f0f1221e376146e725a4d23ee69a0.exe

    • Size

      1.9MB

    • MD5

      192f0f1221e376146e725a4d23ee69a0

    • SHA1

      9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff

    • SHA256

      019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d

    • SHA512

      daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe

    • Size

      229KB

    • MD5

      dfaf5dade27d5e1c2d8db9f7ec2a41dc

    • SHA1

      725ea0f0b95e8d4e1357845b5f85ec36e87f799f

    • SHA256

      193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1

    • SHA512

      bba10375b69ca847c2f0a6249fb52b46ddd441cb3406e70118b99b6ad7fcae4dc49bbad9406e14f057359e732574d5bdc0cf1de324fefa23696ac65d6962edfe

    • SSDEEP

      6144:9loZMprIkd8g+EtXHkv/iD4iXptbhS6FgAxDeebVfBb8e1m3oi:foZCL+EP8iXptbhS6FgAxDeebVxa

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe

    • Size

      612KB

    • MD5

      bdb77d58043cefc7581b2792f2ec98b9

    • SHA1

      d5382de5bcc1e6e0023609dbd5aad800268bca03

    • SHA256

      196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9

    • SHA512

      bac49df7343b647b3b391261adc2c031c2653f97807ada25850e96af4389c1ebf43ed38b37ef92f0d92084636cb0fb70032631d5c3e016c1080470d27d425ad7

    • SSDEEP

      6144:StT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rigZ+:O6u7+487IFjvelQypyfy7igZ+

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      197a511efac9c171f1a50077e9ae4a32.exe

    • Size

      3.3MB

    • MD5

      197a511efac9c171f1a50077e9ae4a32

    • SHA1

      4c6880674211b0e8351aed5d4af21cc567928511

    • SHA256

      5223ad3b31ff6fa8fd9dda7f98144b13cfc08f44a068c6a9e63664634534bb9c

    • SHA512

      153e5a2d48a44d484a35037be8352ba5039052238ecbb1633294d5645ccacaf0145895806d514aeb910c17feff77550b8678bf0be1c1f1b9e169c210c1525826

    • SSDEEP

      98304:PRnLxCdeGeguBMFkqXf0FkXw0lxY7/FyAO3haMLV9SsfnM+g:5LxrG9uOFkSIkjl+/ApRL+sc

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

    • Size

      692KB

    • MD5

      19ec0ef7b7ce9c5d9d5a2c9ee955a5c4

    • SHA1

      bbd3e289f570cd50d76f9df0179d3febb4d97664

    • SHA256

      a9a87510d6ea1ba4e8ac3d7fe1fc5099a356b6d99fe729d384cbf2b665a653a5

    • SHA512

      a50c1bb6fa61e714c2087f1f840000cf80f60b18667d64d3f7537caa9aaef10f533c3b64786cd4df451d2ef9b5ea175ecd33281909496e3d33e31adde479323c

    • SSDEEP

      12288:BiSXA/qAJFACu0/MB3IXE8Hqmxs3+1umRdHJtMTHAVqaKHenI4PY:BxXWb/E3IXE8KWstmRNHXgHenlA

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1a4ae15ef300f51f70607edc1e8e62a3.exe

    • Size

      2.0MB

    • MD5

      1a4ae15ef300f51f70607edc1e8e62a3

    • SHA1

      7c7676a6a840fcc90ae149b023cb118a4e5b4b1e

    • SHA256

      cad85208ae406a0f41e302f2c0b7faaa81f4addbdc74ffa81aa9f34a96609a87

    • SHA512

      16e601a904a68e93af239ff5d60151268806c56eddfdbb520f1f5ac3e197d59201df35459ff6892e202252a7170d6476cff7a84fe80be4d80bb95133defc4d62

    • SSDEEP

      49152:prYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:pdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe

    • Size

      163KB

    • MD5

      67adbe1a2a9c36325075585b6a13226c

    • SHA1

      efccaa6986654dcd6d002468e60acc0936020611

    • SHA256

      1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9

    • SHA512

      ca8866a23bf69cbdd20cf6155b2464b2003a7626f413b4b0a45c752aefe9ce100665066369a22e1ffb1be640502f21714eb53381d1264d2e9cf44898973fdd45

    • SSDEEP

      3072:qseWzBQLoX/1X4Z8kTMutu4OZcg0R2l5AOggVjN:7L+Z5MVVZcg62l5AlgV

    Score
    6/10
    • Target

      1a9cd1714a3e518cfd51f84f1be819bf.exe

    • Size

      115KB

    • MD5

      1a9cd1714a3e518cfd51f84f1be819bf

    • SHA1

      61dbf2e64f209b08894c7fb36169cdaef3a34c81

    • SHA256

      0656c6824990738c6f682fa090842ef42c20b11e68e1857fa3a8d8111248de0e

    • SHA512

      264e230d6609570a14e5db8a573f64ef1caa82f8c10d1c8f7e2dad31e4b3f8ee7764ca19d23a3e4476b4bf0f7ccd180a8097fa1d92a7fc58e79a0f78987ffe53

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIP:P5eznsjsguGDFqGZ2rDIP

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

    • Size

      1.6MB

    • MD5

      8b03d1f60bdf0b6465c0623109e7269e

    • SHA1

      33fb1f09f53ca182e1112ed973fce8fa97e4398f

    • SHA256

      1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf

    • SHA512

      8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe

    • Size

      316KB

    • MD5

      3712cf0750a5fd9bec05a0b62be6397d

    • SHA1

      1024df56ce919a3695a7a881de4742b9ea06a221

    • SHA256

      1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306

    • SHA512

      416c2c3e16049ff492f48de8d0d6b8b009d9468d90fd2e07250b8c2a9b7dcd746098f834ebe30adfea1f5457271ba9480bd4db3d7882deb235c0579d140e6ee8

    • SSDEEP

      6144:4xURWkZv8/643Toyn6jIvril1nKMn9oW6AL/RN2ozqd9K:4qYkZODoy6je2nKM9oKD2oem

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

    • Size

      5.9MB

    • MD5

      5d8505501b7faa4c7e541b0a32467a58

    • SHA1

      ed0b9de10c38774af49d9279e25a8958817f33a7

    • SHA256

      1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca

    • SHA512

      a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

    • SSDEEP

      98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw44:xyeU11Rvqmu8TWKnF6N/1wt

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe

    • Size

      690KB

    • MD5

      35601b7130551a046fa679258abf9c24

    • SHA1

      9711eecf37d8c5572c9f9980db5016e3ce9aba52

    • SHA256

      1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc

    • SHA512

      f4df981544c7d97b6703e1dc1888c45b8d8c3e793b98190a8207b60aea7ec963c4e0a15070ecf1360aedcd72d927a821062c4993e9588e510019ea3807d9d976

    • SSDEEP

      6144:JtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rC9:D6u7+487IFjvelQypyfy7C9

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe

    • Size

      2.0MB

    • MD5

      cff9ca9120602540c29a2e16e0afa5cb

    • SHA1

      b1e6bde1e22ef1c869b37a4d50fb8b5d604b0cf5

    • SHA256

      1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3

    • SHA512

      c6bfb0897a1453d21e921c8b4bde7dfec7f05b569e74bb492c03066f5b4eb9ba2fa015353d0809a233e24c59f36e41381507aeed256835eda658dd41583bffd1

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe

    • Size

      3.1MB

    • MD5

      35110eedb3518d1905b88025bf11b77d

    • SHA1

      c39e96cc0dcb14065984c3d3fbff331070e37feb

    • SHA256

      1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd

    • SHA512

      08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2

    • SSDEEP

      49152:DvDI22SsaNYfdPBldt698dBcjHEhE3uarOLoGdtTHHB72eh2NT:Dv822SsaNYfdPBldt6+dBcjHZ3I

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Target

      1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe

    • Size

      231KB

    • MD5

      e9f42fb8ff100cbfc5510e317728db6b

    • SHA1

      313d570c9f8d9a03c0ed7111e1593ebaaa98c2fc

    • SHA256

      1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae

    • SHA512

      24432e606d2d27f19eb398826632a65b183d5169c6a31148575d0ee88dff8a84c95e43eaa7589c8afd6c5bd585bdfa861834bc67b180a6b4898b94b49e2f2171

    • SSDEEP

      6144:xloZM3fsXtioRkts/cnnK6cMlDMRA8il92SDe8NhoFGb8e1m+i:DoZ1tlRk83MlDMRA8il92SDe8Nhokg

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe

    • Size

      1.7MB

    • MD5

      0b8863f2ca44fc72217c48308d38387f

    • SHA1

      519fc543f053e7d7967f8eee3854c4dac8d7d479

    • SHA256

      1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0

    • SHA512

      9c261d8e8a75eb80c2348a180084522ef11231d570ecb0f826ce45248d5c7fa232389891155177f813ad1a79f26ee459174fa81143f62db66db66098759b4bef

    • SSDEEP

      24576:yD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjom:yp7E+QrFUBgq2r

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, office04, hacked, umbral, dcrat, quasar, njrat, xenorat
Score
10/10

behavioral1

defense_evasion, execution, trojan
Score
10/10

behavioral2

defense_evasion, execution, trojan
Score
10/10

behavioral3

umbral, execution, spyware, stealer
Score
10/10

behavioral4

umbral, execution, spyware, stealer
Score
10/10

behavioral5

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral6

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral7

discovery, execution
Score
8/10

behavioral8

discovery, execution
Score
8/10

behavioral9

vipkeylogger, collection, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral10

vipkeylogger, collection, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral11

dcrat, infostealer, rat
Score
10/10

behavioral12

dcrat, infostealer, rat
Score
10/10

behavioral13

persistence
Score
6/10

behavioral14

persistence
Score
6/10

behavioral15

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral16

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral17

dcrat, execution, infostealer, rat
Score
10/10

behavioral18

dcrat, execution, infostealer, rat
Score
10/10

behavioral19

xworm, rat, trojan
Score
10/10

behavioral20

xworm, rat, trojan
Score
10/10

behavioral21

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral22

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral23

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral24

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral25

dcrat, infostealer, rat
Score
10/10

behavioral26

dcrat, infostealer, rat
Score
10/10

behavioral27

quasar, office04, spyware, trojan
Score
10/10

behavioral28

quasar, office04, spyware, trojan
Score
10/10

behavioral29

umbral, stealer
Score
10/10

behavioral30

umbral, stealer
Score
10/10

behavioral31

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral32

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10