Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

43e3cf7f28...56.exe

windows7-x64

10

43e3cf7f28...56.exe

windows10-2004-x64

10

441b1668aa...5d.exe

windows7-x64

10

441b1668aa...5d.exe

windows10-2004-x64

10

442867883c...aa.exe

windows7-x64

10

442867883c...aa.exe

windows10-2004-x64

10

444561befc...24.exe

windows7-x64

8

444561befc...24.exe

windows10-2004-x64

10

4454ceb491...79.exe

windows7-x64

10

4454ceb491...79.exe

windows10-2004-x64

10

4455bb88d2...82.exe

windows7-x64

10

4455bb88d2...82.exe

windows10-2004-x64

10

4478036b24...33.exe

windows7-x64

10

4478036b24...33.exe

windows10-2004-x64

10

44936a5622...c4.exe

windows7-x64

7

44936a5622...c4.exe

windows10-2004-x64

10

44a74f61ee...28.exe

windows7-x64

10

44a74f61ee...28.exe

windows10-2004-x64

10

4502536cf4...2e.exe

windows7-x64

10

4502536cf4...2e.exe

windows10-2004-x64

10

45031250d6...94.exe

windows7-x64

10

45031250d6...94.exe

windows10-2004-x64

10

45031a9738...74.exe

windows7-x64

7

45031a9738...74.exe

windows10-2004-x64

7

450bef50c0...67.exe

windows7-x64

1

450bef50c0...67.exe

windows10-2004-x64

1

453d8a7000...22.exe

windows7-x64

10

453d8a7000...22.exe

windows10-2004-x64

10

454e6ce92c...08.exe

windows7-x64

10

454e6ce92c...08.exe

windows10-2004-x64

10

45707ca513...4f.exe

windows7-x64

7

45707ca513...4f.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_17.zip

  • Size

    86.0MB

  • Sample

    250322-gw6zpsyzd1

  • MD5

    19fb4e894c62e324b0bedc2187241c47

  • SHA1

    83b5fc153e31399c85f61a204e87984bbe47e1f3

  • SHA256

    df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

  • SHA512

    952e1024da2cb0b199dff8e7e1f72e98e41e74b932f824fd0ab100c77fb5650d5a77f240cb2046d882b1a94e5260345a066c25271c9a7a6ab324f703e7526c61

  • SSDEEP

    1572864:YmQw0iXhAVnIioVFORvozU3KeQ4kuH2eFcwgGsj1u0Pkk6rC6LAOl:YmQ8X4+nORu6JQQHlqwvis0YC6LZl

Score
10/10
asyncratdcratmetamorpherratnjratremcossalatstealerxredhackedbackdoorcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealermacropersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

aali13212.ddns.net:1177

Mutex

6f3851bd96f8b2182bdbb36e94744d6e

Attributes
  • reg_key

    6f3851bd96f8b2182bdbb36e94744d6e

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      43e3cf7f28351d5c551164a74a93d356.exe

    • Size

      885KB

    • MD5

      43e3cf7f28351d5c551164a74a93d356

    • SHA1

      9437db06357fce38247b3f3ef0f67185b3f5a9f0

    • SHA256

      ed6e748881b649402434d33ab8831f87d239ef339b7909620877678b09c0e6eb

    • SHA512

      c5651323110e6af4400664baab5238b5b5ab55835737b64d2e0cb971694023e8bce2307d26dcbfc7b7a2a2a53b4bb3c157f55156ba095795d081fe19208516cc

    • SSDEEP

      12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2

    • Target

      441b1668aa7980a3ec40cf151cea5f5d.exe

    • Size

      1.9MB

    • MD5

      441b1668aa7980a3ec40cf151cea5f5d

    • SHA1

      c38963f651a4a062fb712e9fbe7cb39cb9b4b0f5

    • SHA256

      8fff8f0b312deb03f0f95f4df36073a6b5da22b83d571151c7b5d0ee4837c06a

    • SHA512

      299c3014e97c402f59d8878ed67e406ada3b277c3d43a1c4e698c825e27631c8acf3987459f588d3e02d7a7d7b4f0e656b641a56d11ba1bfca2e813a1e9fa817

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    Score
    10/10
    defense_evasionexecutiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral3behavioral4

    • Target

      442867883ccfe230ba518cbc7ccc1faa.exe

    • Size

      1.6MB

    • MD5

      442867883ccfe230ba518cbc7ccc1faa

    • SHA1

      395dc86a807f4675c172bc5e4177aca9cb948cf7

    • SHA256

      e73b6a783715ee86d06a645c158eb006e14b7eaed35c23d2b83afa9377fb7be1

    • SHA512

      507d50d70abbc07b9f46d5567da998850bae6423c8a77ac7369347bb238a14c96788f9149654dda34eb3d0f5f710df8d369e3d00b52024ead4bf87a4fc9d12b3

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral5behavioral6

    • Target

      444561befcef7bad6bb899304fb31524.exe

    • Size

      5.6MB

    • MD5

      444561befcef7bad6bb899304fb31524

    • SHA1

      152d9d0b64d30dbcafed5bf728e576e384b9fd81

    • SHA256

      945a6d17823852e7f5442b87d6282cc480ba90aa4892a0f8ed20eefaec0a0739

    • SHA512

      37e07aa564a9b21a4e8d6299d2d359684512757a23a78b1c33669e755d3c29f8b8d9775efd0e872a03dafd7b7d28edf21c4ae2f8270f0d32f3ebfbb1c46c220c

    • SSDEEP

      98304:F3h6d68gwIteZNiiPwVpL/fh6ImzzJoDfuBcMv+A73XA2:FR668aaELPHh6ImzD+F2

    Score
    10/10
    discoveryexecutionremcosxredbackdoorpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      4454ceb4919130c9dd9ac71aefa53879.exe

    • Size

      885KB

    • MD5

      4454ceb4919130c9dd9ac71aefa53879

    • SHA1

      718ee7efda5afef9a41513902c33a767d3eba95c

    • SHA256

      b7c8e0d773962b93371cd3a7f5617d0ced09ed117b3082fdabe319954cc2c59d

    • SHA512

      7a7a4f2bca12d9a518d8e5dbee655a4a210c13eb44edd1d93597bd6a010a4fe9ede1c0ef6d9baca14f411ca27524ccdee486758cfb36bc67727b9c42ecca7cd1

    • SSDEEP

      12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral10behavioral9

    • Target

      4455bb88d29981861dadef760040858a341c74e4bb39a4ae4007b4522f354382.exe

    • Size

      2.0MB

    • MD5

      fb06d061e7ff1dabba7a22f8346d1669

    • SHA1

      7373b076fa51511e844efc5363c205b2161bc808

    • SHA256

      4455bb88d29981861dadef760040858a341c74e4bb39a4ae4007b4522f354382

    • SHA512

      687448c2c719297bd6b65c5d8710567c357f9dc4c0f261b7099180e3fdcf28f595f04bc1c238c09dc8819b42532f26541c305a39c63313a364e9c044c257ec90

    • SSDEEP

      49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral11behavioral12

    • Target

      4478036b24730075b2da4b9c1a601533.exe

    • Size

      272KB

    • MD5

      4478036b24730075b2da4b9c1a601533

    • SHA1

      34dfa5ee56ed334f2ad46e2dfdc024498d27dc56

    • SHA256

      d233b1e7a55864b83d22ab61d24b66a4d68fe503efe6b568bd058833f146f3f9

    • SHA512

      ae887bfc70049ffc72fb250e50f5f1ea6825ce4765c1174a073e804fb1b21fd4032d30e28ff52e49dc61e070aa98ef393646f8824a10f6946eb40566c6cdd7ef

    • SSDEEP

      3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdT3:WFzDqa86hV6uRRqX1evPlwAEd7

    Score
    10/10
    asyncratdiscoverypersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      44936a5622329c67528012ecd4ad27c4.exe

    • Size

      1.1MB

    • MD5

      44936a5622329c67528012ecd4ad27c4

    • SHA1

      85d931f92ca4aacd7958ddc87d5a3d91ae82816a

    • SHA256

      9f749c1460165ddda4f8f035219b995054ded815675fcda8a2355b7683101506

    • SHA512

      28a33009baa9836f7c29fe01259f49331ac0eb0e43a1c7ae0a1aa4e1a9c0c59f1f83c6fc1b2e3b08b79ad527f46769d48a4e43b21fdfea6b5f4a61ee336babf6

    • SSDEEP

      24576:MR+DqKevReoudkvQyPOe5qejfR4H0B33lIx:MiqK4udkvQyPZ5qejfjB31

    Score
    10/10
    discoverycollection

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      44a74f61eef0e7cea8bf142172ed4228.exe

    • Size

      23KB

    • MD5

      44a74f61eef0e7cea8bf142172ed4228

    • SHA1

      9d116e6efa4a3510c28d9d46726786af8f65a2c3

    • SHA256

      71bd4842dc10d1b104046e06e2fd9d7dd0ee8b6ac6ec4b47e8db3a60a82d85a2

    • SHA512

      1bd97dca228848e9dd705e36072c42f846706f058260a637d625b248fd83f49c1f644d0ef319ce39685046e26ad1ca126e50bfc19987041eb0330e2be238eb9c

    • SSDEEP

      384:5+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZjiI:Om+71d5XRpcnu4

    Score
    10/10
    njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral17behavioral18

    • Target

      4502536cf49aa03ba4a7b695d7eaef2e.exe

    • Size

      78KB

    • MD5

      4502536cf49aa03ba4a7b695d7eaef2e

    • SHA1

      5496f9936d988aef528f785ae7c3d3d4a1cd3e25

    • SHA256

      7057a204b5f0886da9c758a11bc7587df6cd50cf6b1f47587d05aef2f3411027

    • SHA512

      31be44ed80cb071345024ccafc841db6df4bdf8e0e1e3c9f041740d7209164bd7c6cd7325c0eab0bd812159fb8989da445e9ceaed43cadea5809b6205f60a784

    • SSDEEP

      1536:HRWtHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtR79/cd1Up:HRWtHFq3Ln7N041QqhgR79/F

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral19behavioral20

    • Target

      45031250d699e08b14558e0a13a75d94.exe

    • Size

      16.1MB

    • MD5

      45031250d699e08b14558e0a13a75d94

    • SHA1

      f52f77522198079fef50d275d7b465b08741245f

    • SHA256

      da9de4402f6983b7c93b6f30084b115e98f1c7603828922ff37cf6af9cccb9f9

    • SHA512

      0b8e97999ffaf0b676b81dd0aeda0ec9a48f8dc982f7f3e380c91711ed30615e1d7502dfc9f8cef95efde5e979ef57feb76ae232f0ffe3419d8e2a0f133ea946

    • SSDEEP

      393216:PGg4aXGg4amGg4aiGg4aiGg4aCGg4aOGg4aCGg4a6Gg4aKGg4aGGg4ayGg4a74:PH0QQwMwYoUg74

    Score
    10/10
    xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealermacro

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      45031a9738ccab5f9cf3a399c5ac0374.exe

    • Size

      2.1MB

    • MD5

      45031a9738ccab5f9cf3a399c5ac0374

    • SHA1

      933ac6f5a5316b47ae8e9e808022058db565d8fa

    • SHA256

      8c56eb191159283133ef2e71898f39e75b14decb237ca5f98911ca1394dcb44d

    • SHA512

      b3ca645819df6325e985063799e505a1837cf56585a27ddf599ce397cd50ab28f926c4af9270da8b5fc8038188d28c4342ecaf78f1ab09f3fcb84f2614e58000

    • SSDEEP

      49152:b/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf:

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral23behavioral24

    • Target

      450bef50c0fe86686e7577c80502e567.exe

    • Size

      657KB

    • MD5

      450bef50c0fe86686e7577c80502e567

    • SHA1

      ef2c159f3e8ffe43c69bbed077ac3ce7455548d1

    • SHA256

      311d7ba7581d7e8f887a64c9d5c9712e5560544aef7e7a2315f706133104f26e

    • SHA512

      ad883cf2b59a217aea50e1aadc36631ca55428a12e5715c2475acb2d840655974eeafff3c06ea4bec359cfa1ab729ef0d1673ab79cee30be3de2373c4e269be4

    • SSDEEP

      6144:D+8j7qF9OdSGTMNEGNvfO+994bqOc+UznPg7aIFKn9g5uS:D+8j7e9O0GA2wXO+99ucqL

    Score
    1/10
    behavioral25behavioral26

    • Target

      453d8a70001855e0de88f95920eecd22.exe

    • Size

      3.7MB

    • MD5

      453d8a70001855e0de88f95920eecd22

    • SHA1

      01aeba5a239a5bec4a1028343d48692a5f75794b

    • SHA256

      099ac5c59d32074a1883ef3f4e17796c1244b20f6ca311446062f493f80c8997

    • SHA512

      e7b601043fdc65eb4667865fc55928ef0eb4e5693eb6cb1e1203a9351a44d18209ce652afb2ed86e0806a28d53bdbcc0f7687897b678600362d3d3460d73fe9a

    • SSDEEP

      98304:WdLdnDeAr4fRH/o+2y90A+KyuqvkmNBNMWEUVH:Wdcq4ZfoltAiHvRmWZ

    Score
    10/10
    salatstealerdiscoverypersistenceprivilege_escalationspywarestealerupxcredential_accessdefense_evasiontrojan

    • Detect SalatStealer payload

    • Modifies WinLogon for persistence

      persistence

    • Salatstealer family

      salatstealer

    • UAC bypass

      defense_evasiontrojan

    • salatstealer

      SalatStealer is a stealer that takes sceenshot written in Golang.

      stealersalatstealer

    • Drops file in Drivers directory

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral27behavioral28

    • Target

      454e6ce92c1c3a8c55164afd9b2d4f08.exe

    • Size

      1.6MB

    • MD5

      454e6ce92c1c3a8c55164afd9b2d4f08

    • SHA1

      fe300937097e5e84fe9b9ee61292a8aa4462cec2

    • SHA256

      f2931e5d0ed208b3ff25ea01cb1b3c2f9e03990b9e5ac912a6abce922aa16501

    • SHA512

      91f631962f40a284638509a4c5087327b39fc1f65d3eb2e69369a611f0dffc0e60ba69aaa2061682a2ed979e42cad2b3c8c95483031f492acfce13b31662483a

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral29behavioral30

    • Target

      45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe

    • Size

      28.9MB

    • MD5

      f326cb6f424adc400a0dfbb365d7050e

    • SHA1

      2bf5995d4f6d67b278422bc0f8e7d53e0c1da1c8

    • SHA256

      45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f

    • SHA512

      f5fc0fae93a86d332d41d04aba72f0cc4d7649b1aeab2f6e3decd7a298d48c525e7b9a7b03b80e799e575e11fcd1dfc3e67d1dee94231531c9cd4710c4649e8a

    • SSDEEP

      786432:4XuCHGJTk6G76kgFVM9MKbb6vpJ3ckMeD+Ud:5ZPkWM1/6xJMv0Pd

    Score
    7/10
    discovery

    • Deletes itself

    • Drops startup file

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

rathackeddcratnjratasyncrat
Score
10/10

behavioral1

dcratinfostealerrat
Score
10/10

behavioral2

dcratinfostealerrat
Score
10/10

behavioral3

defense_evasionexecutiontrojan
Score
10/10

behavioral4

defense_evasionexecutiontrojan
Score
10/10

behavioral5

dcratexecutioninfostealerrat
Score
10/10

behavioral6

dcratexecutioninfostealerrat
Score
10/10

behavioral7

discoveryexecution
Score
8/10

behavioral8

remcosxredbackdoordiscoveryexecutionpersistencerat
Score
10/10

behavioral9

dcratinfostealerrat
Score
10/10

behavioral10

dcratinfostealerrat
Score
10/10

behavioral11

dcratinfostealerrat
Score
10/10

behavioral12

dcratinfostealerrat
Score
10/10

behavioral13

asyncratdiscoverypersistencerat
Score
10/10

behavioral14

asyncratdiscoverypersistencerat
Score
10/10

behavioral15

discovery
Score
7/10

behavioral16

collectiondiscovery
Score
10/10

behavioral17

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral18

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral19

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral20

metamorpherratdiscoveryratstealertrojan
Score
10/10

behavioral21

xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer
Score
10/10

behavioral22

xredbackdoordiscoveryexecutionmacro
Score
10/10

behavioral23

Score
7/10

behavioral24

Score
7/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

salatstealerdiscoverypersistenceprivilege_escalationspywarestealerupx
Score
10/10

behavioral28

salatstealercredential_accessdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojanupx
Score
10/10

behavioral29

dcratexecutioninfostealerrat
Score
10/10

behavioral30

dcratexecutioninfostealerrat
Score
10/10

behavioral31

discovery
Score
7/10

behavioral32

discovery
Score
7/10