Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

11a186984a...8e.exe

windows7-x64

10

11a186984a...8e.exe

windows10-2004-x64

10

12085ebb04...95.exe

windows7-x64

7

12085ebb04...95.exe

windows10-2004-x64

7

12106013cf...70.exe

windows7-x64

7

12106013cf...70.exe

windows10-2004-x64

10

12199d72af...85.exe

windows7-x64

7

12199d72af...85.exe

windows10-2004-x64

7

1221040998...44.exe

windows7-x64

1

1221040998...44.exe

windows10-2004-x64

1

124dba0b2d...f5.exe

windows7-x64

10

124dba0b2d...f5.exe

windows10-2004-x64

10

1277e3138b...40.exe

windows7-x64

7

1277e3138b...40.exe

windows10-2004-x64

7

128d992668...24.exe

windows7-x64

128d992668...24.exe

windows10-2004-x64

12ad57fc11...51.exe

windows7-x64

10

12ad57fc11...51.exe

windows10-2004-x64

10

12c28767fd...83.exe

windows7-x64

7

12c28767fd...83.exe

windows10-2004-x64

7

12c96664a8...ef.exe

windows7-x64

1

12c96664a8...ef.exe

windows10-2004-x64

8

12d3790d20...e3.exe

windows7-x64

10

12d3790d20...e3.exe

windows10-2004-x64

10

12e02e413d...cd.exe

windows7-x64

10

12e02e413d...cd.exe

windows10-2004-x64

10

1300fbf843...ba.exe

windows7-x64

1

1300fbf843...ba.exe

windows10-2004-x64

1

1302b023e7...d0.exe

windows7-x64

10

1302b023e7...d0.exe

windows10-2004-x64

10

132d07a999...ba.exe

windows7-x64

10

132d07a999...ba.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_5.zip

  • Size

    59.7MB

  • Sample

    250322-gvy8gasr12

  • MD5

    6ec9713d49e3bbb3b8123ce977e676a0

  • SHA1

    75c03d4714a34d07054f426124199f74f4c608b7

  • SHA256

    70bba6e748b04c937188f113389a3c90bf30806add70222b920886a57b0bdd98

  • SHA512

    26c4720da3e219197502daaf6ed4a0f6153b97def3c20d451e90c77e8adaff04ab8bce14e95aa3032f5b00141cef87b5c510ad017d2f05aa88826becfd02e488

  • SSDEEP

    1572864:BEa/hAVnIioVFORvozEjoUl9LhdnlCk4x0Ta4:BEa/4+nORuEjhNFlHLz

Score
10/10
dcratmetamorpherratquasarremcosumbralxwormhostoffice04quasarcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

192.168.0.21:5353

Mutex

VNM_MUTEX_q5avZlLo2x5A3hZN2u

Attributes
  • encryption_key

    S9jP4jrWt5brSuM19i1o

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Quasar

C2

and-src.gl.at.ply.gg:18383

Mutex

ee302a7b-deaf-407d-b960-9146df23418c

Attributes
  • encryption_key

    949DE24AF338D7D53CFBF8B5AECB266465BDA791

  • install_name

    fontdvrhost.exe

  • log_directory

    WindowsLogs

  • reconnect_delay

    3000

  • startup_key

    Anti-Malware Service Executeable

  • subdirectory

    WindowsLocal

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:1603

morning-ultimately.gl.at.ply.gg:1603
Mutex

48rM9cm7mgrSZiup

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351005466335121518/twCTnfzoSiI-aCcNO4qPr6FH-T4gOkPWQV2wxS9C01GGw7XemgcLtgFXaMAxuEVtAD2v

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      11a186984a7cc6c1fd4317dffed3a78e.exe

    • Size

      5.9MB

    • MD5

      11a186984a7cc6c1fd4317dffed3a78e

    • SHA1

      d31fb2b589d256066864e0440a89016b1faf1ef6

    • SHA256

      4d29cffe0e740e46838c1497e7988b857b5b124b64d9788fffcd8ae35b36d23b

    • SHA512

      b624b6326300e95dc2fb6867ac8cc3614fddcadfabb5dcc7949546bd4454b1df1be15b468c5e8e208d74e3b7ad69e4f7a820e942f1683fc012535d8edc23a1fc

    • SSDEEP

      98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4m:hyeU11Rvqmu8TWKnF6N/1wb

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      12085ebb04414916835a2dbcd2cdfa95.exe

    • Size

      27.7MB

    • MD5

      12085ebb04414916835a2dbcd2cdfa95

    • SHA1

      0d38b164e8346878d58c8abfc0bddfe558c7880a

    • SHA256

      5c2c1e644e9ce1a00f3b7893bdc1c49c66f0a7e8f7f9f655a1b238cc589cfbba

    • SHA512

      ef256cd5694c5d336fdffd7b9d1c6bffe271f765c5f6b25e5722a7eb9095d719b18505ba9e47d848a5131cf842ed50f9dcca0eb9e43f1f7a4a1a629aa74b1108

    • SSDEEP

      393216:BAjXuTDSvfGJ8uGAAPXV8D4hSBG7LJQkL1JnsXjRBZcs5eH9MKgzUa6n5Q6LEBwS:4XuCHGJTk6G76kgFVM9MKbb6vpJ3ckMe

    Score
    7/10
    discovery

    • Deletes itself

    • Drops startup file

    behavioral3behavioral4

    • Target

      12106013cf4b5ee1826ab514eb4f7270.exe

    • Size

      78KB

    • MD5

      12106013cf4b5ee1826ab514eb4f7270

    • SHA1

      2a83fdefe957118925152b578b42fef9382b0bfc

    • SHA256

      a0110b1ca62fd74b4ab17d381a0c8a7872e360dd6e0ff1ba4c570c0f6870006f

    • SHA512

      8f37acb6784224f7411518261b4663a33678fff116ec0de55cb740123cca91a9c1ce9c3cb19209babd52345bd882b9263b1b3b81186f4ef0f32c2b4b85134c58

    • SSDEEP

      1536:nHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRe9/f1xA:nHFo53Ln7N041QqhgRe9/0

    Score
    10/10
    discoverypersistencemetamorpherratratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      12199d72af0652fdf09349f59304d485.exe

    • Size

      7.9MB

    • MD5

      12199d72af0652fdf09349f59304d485

    • SHA1

      b4d0ce7b6f4f014bbc1235b5c26d2f8304328618

    • SHA256

      07bc2ca1348f662330734e4de3996566587cd7db17fdb137e35c645a872257c0

    • SHA512

      990365aa82b820de02e80ff295bc50b5e1dd57615e906cc485b715baa9df89010034feff825f86bcb046de6d326a6bad26e9cee300fc7e7ea41239f379f6f21d

    • SSDEEP

      196608:i9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZBy:imqbhrEbn87eZsFmq+m

    Score
    7/10

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral7behavioral8

    • Target

      1221040998425fdd5a21132a64664d44.exe

    • Size

      106KB

    • MD5

      1221040998425fdd5a21132a64664d44

    • SHA1

      ff4312b3ac1b14fac9606d314365395a87728e50

    • SHA256

      916321ab4494dacbf893be94344ce3e9dc9bf49a3aa505e338fd0654755faff7

    • SHA512

      dfd61ee1b7896c8f7159be8e7d27d70bd8633283f55ec88b44f9e380e208c43a1dce388210bb650da38970142fdec5fd9c3c1b8f885fad89a2268b3d9f3912d3

    • SSDEEP

      1536:0MAQBqdMm3V/y9j1OUuqXSVVAue5x5hQFAomhRg12tE/F+jrwiw3C5EpOW37GuhJ:0CAPsdcIXSvN0QFAoqyerYsiOEqutfR

    Score
    1/10
    behavioral10behavioral9

    • Target

      124dba0b2dc9c0fbfca662c90c117b8d64b655ae41744a3ac84f9e4772e722f5.exe

    • Size

      1.6MB

    • MD5

      7a804818509c673c8eac615c46c20d43

    • SHA1

      5694b5cbd6a788da95ecd2c7fb0f15b4728ce7a1

    • SHA256

      124dba0b2dc9c0fbfca662c90c117b8d64b655ae41744a3ac84f9e4772e722f5

    • SHA512

      0eb7923b4f0af584a9d030df3482eefbdddb128517f81840e6d0e364a4889fc7543ef357d810febd15851008317d12ec21397dfba81d3e5fe384137c2a005c2e

    • SSDEEP

      24576:ED39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjo8:Ep7E+QrFUBgq2F

    Score
    10/10
    remcoshostdiscoverypersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      1277e3138bd062ad1b4496b667377740.exe

    • Size

      7.1MB

    • MD5

      1277e3138bd062ad1b4496b667377740

    • SHA1

      2091d2d4c59f21bc4098945fdae8bae0ac0ea4d9

    • SHA256

      848c8698c5ad1d0a70007f854a9a5340bf76df4d2bcbf8984cae08b8a7fe8186

    • SHA512

      c512673228128349f6854a1dbf184b5d3d51470316ec7ed9e2bac919d03a24c463ef9fb3d09761f71b338d95affb74f85f03e3cba877662f7435715da4509432

    • SSDEEP

      12288:nsssssssssssDsssssssssssssssssssssssssssssssssssssbsssssssssssss:I

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral13behavioral14

    • Target

      128d99266894940572aa679491991ffa32c69a3f30b328a316ff2106d88bbf24.exe

    • Size

      49KB

    • MD5

      cd15880a58e661851251caacb26fd72f

    • SHA1

      2aa1ec926fae934ed75c9a4053bd9fc2f8b6e119

    • SHA256

      128d99266894940572aa679491991ffa32c69a3f30b328a316ff2106d88bbf24

    • SHA512

      b3df91dd5239a5b0ecf811dc7f3328f20a93314e4de95615f5e622e3be75a5a0f479178a964f01bce8ecd5c357901a09145eac22442956187f6f60e51c7738b0

    • SSDEEP

      768:qYZObX2FfVP0ZOdpvAZy7JSFPNNNNYvJwMX8Yhi:fFfN0epX0FwvJiX

    Score
    1/10
    behavioral15behavioral16

    • Target

      12ad57fc1129bbd8f479ba77406cf3b88d6da57c734a97299bb080341edefc51.exe

    • Size

      597KB

    • MD5

      1642395f019042cb04eb96692307bc34

    • SHA1

      f4ee987d0b5484c225c93e8003dedd5a27bef5da

    • SHA256

      12ad57fc1129bbd8f479ba77406cf3b88d6da57c734a97299bb080341edefc51

    • SHA512

      5295d71e95ac3be2671c605c59eb7b59a2648112eba75f3a53d37623fe1c08335e1a53ae2477ec87db7a675c28f645333f0842958cb777b6a3ab080d302b6960

    • SSDEEP

      6144:3tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rx7:R6u7+487IFjvelQypyfy7x7

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      12c28767fd63064bd07e6679f2c45083.exe

    • Size

      754KB

    • MD5

      12c28767fd63064bd07e6679f2c45083

    • SHA1

      189d3500c305138076a2e9586bfb3f74800d5dd4

    • SHA256

      111ce5934bfe0efb9a97a68e44de717c2230f0b4b0580f71811c78e4873f3301

    • SHA512

      014af0e46f69487495e71eeb4239bfdc3004e19ac04ae6646e917283e0962168321c258a463788faed1fedc7c9034b7a734215bdad3f9957e20c6d2b4bda7b89

    • SSDEEP

      12288:bnOe+4MOiV1BVlVlVVVboe+iu1oGl+zYbO6gVbfo86bG0YhR5nuFivS8ZVlVG:bnOe9MOiXBVlVlVVVJaLl+OO5VbD6S8h

    Score
    7/10
    collectiondiscoveryspywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      12c96664a866ff277b9245ef96eb64bd45af3f29145600b828a14312ba332fef.exe

    • Size

      7KB

    • MD5

      052f8da8eca0f195329d1a618a6683ce

    • SHA1

      8c087025e9b024e25e27ab00ddc048293c54d412

    • SHA256

      12c96664a866ff277b9245ef96eb64bd45af3f29145600b828a14312ba332fef

    • SHA512

      c476be2aa32aa6b580bec8999f3c8c117ef11c671b41dc901c3a696b229039955af88db981b51557503e489307e5afa526a9f17898d1705c3ebd4488203d0ab4

    • SSDEEP

      96:Mf3XHOS6XdF4T8IMcE6eKAZZ0QIiyBLyAO61V3iKUNDNQa90a:MP/6XdOTztwZ0QIr31V3KNDr

    Score
    8/10
    persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral21behavioral22

    • Target

      12d3790d20dcd64ff72360ebd3b199e3.exe

    • Size

      1.6MB

    • MD5

      12d3790d20dcd64ff72360ebd3b199e3

    • SHA1

      548c99a5137a38ed6fefdfdb9fd1d528d7795b74

    • SHA256

      e4f54860982aa850776dbb14e8cd179b9afff0f02a06a7fcf7cada35fee4e6cc

    • SHA512

      32e3da761ac34f1e920190619b2449a96ff2e3ede2cea65b11efbeaf5e049f22645e378bb3187406786b2fd2e8f3a8180ce1d6b3dd75cbd57b8a16a17fdae4fc

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral23behavioral24

    • Target

      12e02e413d59c118fb50dcbf2f8ef3cd.exe

    • Size

      78KB

    • MD5

      12e02e413d59c118fb50dcbf2f8ef3cd

    • SHA1

      8bacab7d1e97c72ea77a88505846f23c9ea5521a

    • SHA256

      3550e8bf4400c2c8580dcb7776a133cee3ce9bce09022fdd27daf9f23fb25ea5

    • SHA512

      0e58cd7c7af4f4f3930148958a19420f028f46de9975e40e1714db500ff0ef1f029018cc989eac7f2b1e1f3a068ea8c8686e316a30979b2a4ab721c314839154

    • SSDEEP

      1536:oPWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtm9/ZE1vK:oPWtHa3Ln7N041Qqhgm9/Z/

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral25behavioral26

    • Target

      1300fbf843b8fcf8554979a45a3e48ba.exe

    • Size

      18KB

    • MD5

      1300fbf843b8fcf8554979a45a3e48ba

    • SHA1

      a638fa0faf167f80cf60fd4520f12a4197a8c823

    • SHA256

      5beca5742ada639b75e52f51f897e92d12f8b5e4e48d69914d24d8a1d58ab65b

    • SHA512

      52814f9ab25d050270db13e17f3c3ffd8218d489e092b0f0235d5ad9cfd57072b1d994b977cedc8ef10f522a5165e6ac8ef58c8f5a41fa12bbc6e51ce40b53e7

    • SSDEEP

      384:qPbacrkOSc6vBJ58c0cB71MY6i18HVRW7NLthmOTkK6aHv+7:kbc/c6tXpB7WuMjstBT4

    Score
    1/10
    behavioral27behavioral28

    • Target

      1302b023e7a6467907a6e1d40829dbfda775881d842b72f6b58ac85e92d559d0.exe

    • Size

      292KB

    • MD5

      2c8710e45af4a4ad7b9302039b54e9f2

    • SHA1

      c538d61838ff6dea5af244da9cc166230d97d6d8

    • SHA256

      1302b023e7a6467907a6e1d40829dbfda775881d842b72f6b58ac85e92d559d0

    • SHA512

      4b6862bf7d13835b70577140de686a5beda617bbbe1af6655bf86942fb2b93bc04d8f3c1414b1884005fcfc1530fa28efe5bcb445f1b5c3eedafda6a1dbe9bf2

    • SSDEEP

      6144:EHs491fPeXle6VlWT8b9nBSb64H5Xbfr:qH9elPVle8FgVZLr

    Score
    10/10
    persistenceprivilege_escalation

    • Modifies WinLogon for persistence

      persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral29behavioral30

    • Target

      132d07a999d32afb20d86ba84981ceed907353b3d7b5b0aae98c59759c41e3ba.exe

    • Size

      2.0MB

    • MD5

      fd5fc7b3a7d9f5a20e68a2c2d44bd8bb

    • SHA1

      0fe7304d23170afbd019277dc2538b875815e0c1

    • SHA256

      132d07a999d32afb20d86ba84981ceed907353b3d7b5b0aae98c59759c41e3ba

    • SHA512

      d2c16cd175f219280cbe41f74ad3a7b6d29d3c518234145298127a2bffbdc1a6fff415f19c4b909590adc8ca1f05daf14110f38e8099b66c2997ab7a63685be1

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

ratoffice04quasardcratquasarxwormumbral
Score
10/10

behavioral1

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral2

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral3

discovery
Score
7/10

behavioral4

discovery
Score
7/10

behavioral5

discoverypersistence
Score
7/10

behavioral6

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral7

Score
7/10

behavioral8

Score
7/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral12

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral13

discoverypersistence
Score
7/10

behavioral14

discoverypersistence
Score
7/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral18

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral19

collectiondiscoveryspywarestealer
Score
7/10

behavioral20

collectiondiscoveryspywarestealer
Score
7/10

behavioral21

Score
1/10

behavioral22

persistence
Score
8/10

behavioral23

dcratexecutioninfostealerrat
Score
10/10

behavioral24

dcratexecutioninfostealerrat
Score
10/10

behavioral25

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral26

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

persistenceprivilege_escalation
Score
10/10

behavioral30

persistenceprivilege_escalation
Score
10/10

behavioral31

dcratinfostealerrat
Score
10/10

behavioral32

dcratinfostealerrat
Score
10/10