General

  • Target

    archive_11.zip

  • Size

    133.7MB

  • Sample

    250322-gwlzjayzcz

  • MD5

    1352f22bfc03ab02b81e3853275739ff

  • SHA1

    f9ccd670b60501698a672eb68527c70a33298b51

  • SHA256

    d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

  • SHA512

    bcad6b7f5c2ab84828cc1fc2061f8ae3ec18168a33d3939e6908cb5cf5a8e0fdea5c7bab136418bbaf620713a053b724c8912efefc5b20deaa5a1e99738d2958

  • SSDEEP

    3145728:b8tFNkFah1i8DzLEvVth4/8tFNk9g2Xfp9fUO6f7/TQNjh5CjI+w/k:b8tLZ73LEdjE8tLcgCLYjI+w/k

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Cracked

C2

2.tcp.ngrok.io:15489

Mutex

bfcd93b9dd810793ea187614b1cdc5e8

Attributes
  • reg_key

    bfcd93b9dd810793ea187614b1cdc5e8

  • splitter

    |'|'|

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351891077954797598/Z0Zrxyy5hS5H3Ryv4Nqt6pJaijqfFZI_-VfvTeEgIPU9M8d6BoQVB1Dq_LUKAZLuooI4

Extracted

Family

xworm

C2

days-locations.gl.at.ply.gg:65517

127.0.0.1:4255

september-liverpool.gl.at.ply.gg:4255

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

ufd1.no-ip.biz:5552

Mutex

9087a867d845087488fdb240f77c691d

Attributes
  • reg_key

    9087a867d845087488fdb240f77c691d

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

Alfaz-24806.portmap.host:24806

Mutex

f273b02f99e5084d056482af20d33b89

Attributes
  • reg_key

    f273b02f99e5084d056482af20d33b89

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

| nelsontriana980

Botnet

LOADER

C2

paisesbajos12.casacam.net:11102

paisesbajos12.casacam.net:11103

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      2a58deb8862cf7fc15015cfdc2e12d91.exe

    • Size

      40.5MB

    • MD5

      2a58deb8862cf7fc15015cfdc2e12d91

    • SHA1

      682e9293a26c82ad925ac044a72b24d523cb2ea1

    • SHA256

      a46761f2e749190b048aa4d2c0d1e21d5ee0c2959102bd13d164f9ce7209299a

    • SHA512

      2eb1a1f233f0cd6967b591d1a0b5cbf8f90b33d81ab543527c6846643aacb744f668dda259e726c8b27576916a6ce2490c13eddc58db630c4e6869b1de5c7aa1

    • SSDEEP

      786432:xFg84K+BeqgXXr0YXHvHnoalAYBULMEN4Iler1X/C9WEVxdVdENwtfJgyI7zmb:x6K+Bngnr0ovDeL9Jlk0WEVj7xJM7C

    Score
    7/10
    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      2a8a0bca043dc99715ebb4415693e52371edde1f37fb8451d9175328fefa7456.exe

    • Size

      128KB

    • MD5

      93a0ced9df323555924b05567cae7c55

    • SHA1

      549db07d2441e0993ba6045c314ad26763285c9b

    • SHA256

      2a8a0bca043dc99715ebb4415693e52371edde1f37fb8451d9175328fefa7456

    • SHA512

      6a74df1c3022598a41a513fae598a8220f8ea36f97ec1cbc8273b7247613cdece59b0fad609665346e50c192bbaa3246a8d03eee5bf2c38739d716b0b8dbd360

    • SSDEEP

      3072:c28RlusaYCyUfzbspKNMOccF6l3iMAelbWTz6fLYXDMxt:5RscyUMyMOUIGbWIS

    Score
    1/10
    • Target

      2a9ffe006a29261c5f168fdf0fe26434.exe

    • Size

      1.6MB

    • MD5

      2a9ffe006a29261c5f168fdf0fe26434

    • SHA1

      f445b266e10c6aa8862836249b7191e6844daea7

    • SHA256

      44e8546f8e588d48b8cff32d70abcef37d3e3612cc84097832eda999bf621b95

    • SHA512

      03cf6be019011547574ef760b8a2cc16396c43f4b392a93fd52004bbb2df712751d085f081c4c55926756fe6b2186a801d6d2557080c675281966881fba8cc63

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Target

      2ab11ad915b74ff1dd9a0ab743f7bb2a.exe

    • Size

      5.7MB

    • MD5

      2ab11ad915b74ff1dd9a0ab743f7bb2a

    • SHA1

      b0d2258559eb5d5bd58af52e68fe17fa4f99109c

    • SHA256

      09b4c204845790b4a2cb57a569ee7151d94e038099e3c175807aa27e68bd919c

    • SHA512

      a4cec88eba462ad4e20f267806379054629b736db8c670d7cccfa0ca12a97deb2152ea63b5371662701ca70ea214a029918f584ae89a0187c5ed81253b06a656

    • SSDEEP

      98304:6b4j5YtLaDORGGPAgOUeocP/cjsuS34/4ccmvgJ9FzpI4iWBPzL6OKsgsXPhU4ln:6U5YdUGEJl+oI/BcqgD1SeLuOKsg8BEy

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      2ac1621a2b0813529021feefa223b3124176ec82974f0bc9b4b1365328e3d7d2.exe

    • Size

      1.4MB

    • MD5

      907a89ef19de4e51298eb6ef3b2ca3a0

    • SHA1

      dd9ad084860fb6582efba4cc7e14854502d288fe

    • SHA256

      2ac1621a2b0813529021feefa223b3124176ec82974f0bc9b4b1365328e3d7d2

    • SHA512

      0ddb00a707ea452eb82eb81feea604d7a4b56263009e3dbe5ce8e949e40d5e277c71b2ecc027850d3b0d421fafebdd445536050193de8a323e1a7dbd95f0a864

    • SSDEEP

      24576:M8dvIOVmW6AbPsArkueRKmV3sNlHfiqJX:MowONbkBuyKmBs7d

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe

    • Size

      510KB

    • MD5

      b4f566f5a727720b1ff62aef921c0e0e

    • SHA1

      f889fca2aa15e304d2a1a6f721bd40a03a9e5735

    • SHA256

      2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b

    • SHA512

      9a6c4e1236a7972a3ee56653d32fd49933ca023c08b1c90b1366c3457cf0f5746595b688c7bee626ea846eb92bf9482452dde3d7196bd9384874b1f8b51ed774

    • SSDEEP

      1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      2b3fba9224cbcf82f7414bdb4108a150.exe

    • Size

      999KB

    • MD5

      2b3fba9224cbcf82f7414bdb4108a150

    • SHA1

      635d95fb9bab5e8064fad1dd0fa6092633931f38

    • SHA256

      30af24055c179294f9ad01cf551c4cce6d901cbaaeaf371e4cc3a7f584e994ba

    • SHA512

      e4a960c6a8d273ef0d8bcf7f9943d17b4d2c4cd7dfe5620afe46d16ec87f1bbf564fa0b298d6e5bff40a350c58913b5e4576c46a8adefa8775895c98400422f8

    • SSDEEP

      12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2b820e3de58782883087f0783d484f95.exe

    • Size

      6.5MB

    • MD5

      2b820e3de58782883087f0783d484f95

    • SHA1

      b5a4c93813e01b10f948cd46e83ae16c64299284

    • SHA256

      b5eaf05525428e4f6db4343e9070a7afefb91694926e3c75b7b0ec0d16cf57c8

    • SHA512

      f48ad7fae5b3c453dd6e7a291836376865e690b20bca38e6465832dd6c5d7aa568f655939e4f3f530eec4285bf01b23e7acec72c52a691fd31d92e3b05bce984

    • SSDEEP

      98304:0VgvtU3ioYGQlAkxpP2vrXGwy6T4ng5WbkTYFnZ2+mPjcElY5ZubP+uvq:0T2GIAkxpuvrXGwygzEFQ+pEl0Zuj

    Score
    7/10
    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      2b9233e0b054ff4f7ea7d7a0a77e3fed.exe

    • Size

      33.9MB

    • MD5

      2b9233e0b054ff4f7ea7d7a0a77e3fed

    • SHA1

      e88f81c3461ecd478e566907423f5f317540ae49

    • SHA256

      b4993da36b30b3d8bfb6e3890a4f23247797de18c0a321fd1ccffbd5b89a486d

    • SHA512

      bd1141ef789a34f485fe21b2c1c8239489c73eee900e1bc1e248bda5927de8817be8189da4f6a764cedfcd72739e4b26c06c6da805f161328c1a6e63e11c2152

    • SSDEEP

      786432:xFg84K+BeqgXXr72zF2dTCLhg7/p/Vi7glkL1cNN:x6K+Bngnr72qTjrp/3TNN

    Score
    7/10
    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Target

      2bb7c2979e9372d006198745f13bf5c6.exe

    • Size

      37KB

    • MD5

      2bb7c2979e9372d006198745f13bf5c6

    • SHA1

      1c4b3f17b3d2640976d9126fdcc42344bb2b9cf3

    • SHA256

      d5673188c792f3265504fbb7fd9f01a016443b24e3f16321b92c2f8cd2781e99

    • SHA512

      c8e17bc5dca8d462f96a6bfea459f6e8c73a35978e55db2f3e34b14a221595c9ba9acf27c838b906b6ae6c66afc73967d28508da0e754ec10dfe4e26ba14b46b

    • SSDEEP

      384:c0bKMizdhjnBhFbJ8ycPpbfbLwCwEfrAF+rMRTyN/0L+EcoinblneHQM3epzXTNp:bbghlLJfcPpb/FwyrM+rMRa8NuNVt

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Target

      2bcc16cd37f40f56e357c814f3958491062e5be750c5c8dc9d077815d7f5461b.exe

    • Size

      154KB

    • MD5

      855becde69c9143a128a4c026ba5b9fd

    • SHA1

      1a540c733b9418c60df6557b73eb1300e6beb6de

    • SHA256

      2bcc16cd37f40f56e357c814f3958491062e5be750c5c8dc9d077815d7f5461b

    • SHA512

      8f4c6cfe29fe41523e0af720339e27ffe11d3495ffffe29e7c930d2fb33be3f167778f4be867c6111b69e24e163d5c871b95c169fd052eb58ada34c00f9a9c4d

    • SSDEEP

      1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcmj:JZmCb6ROF96zMq1yLAHtUcmKyb

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Target

      2bf6115ff0a234d8ea278864c5abbbe6.exe

    • Size

      2.0MB

    • MD5

      2bf6115ff0a234d8ea278864c5abbbe6

    • SHA1

      c08a5d188cb9cb7f9da54f634fe20d3b1b8c8895

    • SHA256

      4ac0480a4604a1f0d3d488fc6d73d0599d0d389df241c89c62a0f574d0fbdf30

    • SHA512

      880bcf6cd4b55ddba6865a49702dbde7f77194996230d7294774e6880e2b9a18be634b4cc335d52b470bffb48fd6906bb3ccb229fe3927a4c4dab94861650a6d

    • SSDEEP

      49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      2bfb9d98d1176802c3f20b3ed364ccaa.exe

    • Size

      101KB

    • MD5

      2bfb9d98d1176802c3f20b3ed364ccaa

    • SHA1

      32c0d3e97d3ab60431a9e90469fa4c954cfb798d

    • SHA256

      2a85b82af04c0c36c34df09351be5f48a5d902232cdc8ad35131ab8893d55503

    • SHA512

      eda3822a141787972d6f0db4230c796e691f0c44bdc45131a94e437623a93d3ea3b5a545024d13d5167c3bb3c7714f7b68aebca0ed7aea336f67b318d3a9400f

    • SSDEEP

      3072:GTEWtc0/ENZTnk+1Neby+rT+wS3FDn0HqY:6u0gNebJrYhnCq

    Score
    3/10
    • Target

      2c1bb67a6359e933d609019759d98e62.exe

    • Size

      229KB

    • MD5

      2c1bb67a6359e933d609019759d98e62

    • SHA1

      16f7c962049102dfcff4394f66adadbd666332f0

    • SHA256

      7efe4f5f38f64ed942025f9960529002902130347382f93b43b63d1d1d48d5b4

    • SHA512

      e43921a49bde1b25354ee5001f13f6ca11329c98b46e04aa25a4490fea33e5a9b614b612cc1bda427aadc8152736e5901a1b38ec644939724c52c6e470999414

    • SSDEEP

      6144:lloZM9rIkd8g+EtXHkv/iD4WVFqoOJBi/HaIJtMfzb8e1mwTi:noZmL+EP8WVFqoOJBi/HaIJtMf2

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2c878e31cad36b4acf60c3cbde88ebe56fdb1cd5d4bab9a60508b1023d3a33a9.exe

    • Size

      2.4MB

    • MD5

      00ecc33d2970e267a05c9d0794bf7f15

    • SHA1

      d88cbf78dfa0e934ce9966ca6d01b9ffec0e2638

    • SHA256

      2c878e31cad36b4acf60c3cbde88ebe56fdb1cd5d4bab9a60508b1023d3a33a9

    • SHA512

      8d8fa14305b6a7a7728adf2f7a15e7d53966a9c17fe8573732e74286a2a04f003c86c74450fa805603a5edacbf4863378b1279399dc39c6f1ad135a00e70cc61

    • SSDEEP

      3072:4hTOHenMkhTOHenMkhTOHenMKdBUBXK2T3wnhTOHenMkhTOHenMKen8F9c3wpZn7:Jw4w6fVfQZ

    • Modifies boot configuration data using bcdedit

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Target

      2ccb525855c096117a4ce773ceb6afc9.exe

    • Size

      6KB

    • MD5

      2ccb525855c096117a4ce773ceb6afc9

    • SHA1

      73511e29705b8b1c86887dc3fb5cca27fc3c274b

    • SHA256

      c21b7d62a7c1d0c645a21c19d1f37b440a61bc7fd3cb4f636547d831eb135ca4

    • SHA512

      6d7a2a8224f53a97885ad1f042e4b4ed284b48abc2f8bced77a2f68ecc2144957fcbf8bdafb0681cd5232df3570274d00a4564aa099c4917b4bf9781ceea65f0

    • SSDEEP

      48:6teKkkpN62l9ZngmaSVfhsqdGVNMKyQPA2EXncKilUnAGq6fIxDN22/Rnm54tdfj:gt/62lf1YLhGcKpnxf+r/R/puzNt

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

rat cracked hacked mybot loader dcrat njrat umbral xworm asyncrat
Score
10/10

behavioral1

discovery
Score
7/10

behavioral2

discovery
Score
7/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

dcrat execution infostealer rat
Score
10/10

behavioral6

dcrat execution infostealer rat
Score
10/10

behavioral7

execution
Score
8/10

behavioral8

execution persistence
Score
8/10

behavioral9

discovery persistence
Score
7/10

behavioral10

discovery persistence
Score
7/10

behavioral11

discovery
Score
7/10

behavioral12

discovery
Score
7/10

behavioral13

dcrat infostealer persistence rat
Score
10/10

behavioral14

dcrat infostealer persistence rat
Score
10/10

behavioral15

agilenet
Score
7/10

behavioral16

agilenet
Score
7/10

behavioral17

discovery
Score
7/10

behavioral18

discovery
Score
7/10

behavioral19

njrat cracked defense_evasion discovery persistence privilege_escalation trojan
Score
10/10

behavioral20

defense_evasion discovery persistence privilege_escalation
Score
8/10

behavioral21

discovery
Score
7/10

behavioral22

discovery
Score
7/10

behavioral23

dcrat infostealer rat
Score
10/10

behavioral24

dcrat infostealer rat
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

umbral stealer
Score
10/10

behavioral28

umbral stealer
Score
10/10

behavioral29

discovery execution persistence privilege_escalation
Score
9/10

behavioral30

discovery execution persistence privilege_escalation
Score
9/10

behavioral31

Score
1/10

behavioral32

Score
1/10