
General

  • Target

    archive_12.zip

  • Size

    30.9MB

  • Sample

    250322-gwqygstjt5

  • MD5

    01b14dcd8632a3f46ed0eb3ab458bec1

  • SHA1

    1f14cd3b3cdb248861bac37bb292b9714a9bd384

  • SHA256

    fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

  • SHA512

    5c98011563f9bb645402940e7a551791d535d9cc0c92d9f04187140c370909f6ad300114db3d2ad65820a0663195952947af3d112c7e36e3dbb0ec8dffb01336

  • SSDEEP

    786432:IPa+//yxNDXN6u4g+7/yQ37J0XOyQ37QTyQ37mPaL//yxNIOyQ37dc6:Ira3Fa7aQlGQceQaea4QZz

Malware Config

Extracted

Family

xworm

C2

activity-majority.gl.at.ply.gg:44249

hours-rwanda.gl.at.ply.gg:56111

26.ip.gl.ply.gg:53142

Attributes
  • Install_directory

    %Public%

  • install_file

    Runtime Broker.exe

  • telegram

    https://api.telegram.org/bot7657358333:AAGqjkQn3Y1tidi4Fg35oc8a1cgXRB-oI2U/sendMessage?chat_id=5998738333

Extracted

Family

silverrat

Version

1.0.0.0

C2

american-designed.gl.at.ply.gg:50767

Mutex

lAxDBRhAFu

Attributes
  • certificate

  • decrypted_key

    -|S.S.S|-

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE

  • reconnect_delay

    1

  • server_signature

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352030769437999154/eHu9teXq3wb8vwo-mbucZM6yN8mzEkClwJkHlfw6PYnKb7ka01uXXl9PnwprVKtnEAcK

Extracted

Family

xworm

Version

5.0

C2

26.ip.gl.ply.gg:64114

178.173.236.10:7000

Mutex

umIoBtEHzCp9rce5

Attributes
  • Install_directory

    %Temp%

  • telegram

    https://api.telegram.org/bot8077594773:AAHYskqxgBzgnMjO1ZgcDV6YMtdGVJITdy0/sendMessage?chat_id=7936506106

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

nanocore

Version

1.2.2.0

C2

[email protected]:46218

178.32.224.116:46218

Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    178.32.224.116

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2018-07-28T12:59:38.488799236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    46218

  • default_group

    tourex

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4af74541-e3f1-469c-8af7-efe4071b81cf

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    [email protected]

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      2ed5096b882676b134d0935da3ef223d65987bcf50b0b15b63515eabfb4f40b5.exe

    • Size

      2.0MB

    • MD5

      92b1cb315e282e07a726d141f8fc481c

    • SHA1

      f5b14319b7736887beec6fc505ee427dcfbd45e0

    • SHA256

      2ed5096b882676b134d0935da3ef223d65987bcf50b0b15b63515eabfb4f40b5

    • SHA512

      b44d6c86f937965ffb31a91b9ca965ae0ee4449441f0d72d2615e2399a25f006b5768d809a2b4f60ba12dc80b32cd3b9fc918fe8d5ffeca915728ae66b740cd7

    • SSDEEP

      49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      2ee9655c23e38841be4731180b89a967.exe

    • Size

      68KB

    • MD5

      2ee9655c23e38841be4731180b89a967

    • SHA1

      092f21246d35e965195a1fc24a78f92c0173d79d

    • SHA256

      73b62e276faa18be5bb73c9f26ba43c6dd456cf6999db0f995c06f9041c4bf83

    • SHA512

      2555327bdeeb5e2de612862bd9c3dfbc5cce7fed9f1abbfe577549bcfacfb6efbc8f92df23d6f87058a2f5e14eb4b9cc3f329a8fc6bfb80ceb0099139c0f3a0c

    • SSDEEP

      1536:qpNdh5WbHFnvL1FJOOmbk4G6Z5ax4J2/N6VHdyiJUkObc9J:qjdzOnvLzJtmbk/Y5a+vH/JUkObc9J

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2eff63cdfbb658f2a6e69851e7de131a.exe

    • Size

      5.9MB

    • MD5

      2eff63cdfbb658f2a6e69851e7de131a

    • SHA1

      8a9e262a7319d2699cbee02b9de83fecd4bb3457

    • SHA256

      5174e6fefa2a518cdaadb75f07a9bb7f9aaa6e0e24ba1610d3e400036cf02900

    • SHA512

      3e3ea7e36e9dbaa5a969846f575f5138ba416a88bdc07f1e99af66a6c18a458434c680ade203dda242be3aa10c02c21e3f9427ad39ef90b72cc03855ddc93e40

    • SSDEEP

      98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4T:hyeU11Rvqmu8TWKnF6N/1wO

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2f148dd5c5e1754e666715462f5a410b.exe

    • Size

      885KB

    • MD5

      2f148dd5c5e1754e666715462f5a410b

    • SHA1

      0c5f8fcab489df669639c334af2e1f1e4868fab6

    • SHA256

      070cd87bc58c7b6dc8a21b89e93a548f173fcc7668f68c2e9462ce18eeccf11a

    • SHA512

      a515fe57b44d71a0709e9a1cb56f5c2f87bc9cf609ee111af21b12bae620305a2df102b93d34c48784bbcdba39092e8eeb2be5f15cbf99ba256c973172c7e4fe

    • SSDEEP

      12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      2f208058419a16ca3fa3574867071b4a.exe

    • Size

      43KB

    • MD5

      2f208058419a16ca3fa3574867071b4a

    • SHA1

      ebaf2a437720c0d5915fee4f2943d35ff70d7258

    • SHA256

      572b99caeb57f1999a3c7ec8ebea458cbde138bec44ed5531b8877249a1f594f

    • SHA512

      e1c720cc30303303d7d850e5d72fce2d8e1274739b46516e684ea2761446fe090b35e58c4aa1e7405c1908e0dc614767cec3b749b262e5dde6370dfc02427967

    • SSDEEP

      768:aR8c2Sev8VX/Ol6IoZmLPHBm7p4A6+HWbxk5XORULQI9PNGUz1QB6Sj/lo:aR8c2SeMwt5Jml5bWOOGsI94I1Qo4/lo

    • SilverRat

      SilverRat is a trojan written in C#.

    • Silverrat family

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      2f3c6dcb6788a3f4fa590f81130679d1.exe

    • Size

      4KB

    • MD5

      2f3c6dcb6788a3f4fa590f81130679d1

    • SHA1

      f0496390d2b5d507d022e1e67806fdcd17a3e44b

    • SHA256

      d6c8197b3728c7dc51a8d13d3f7fc236cf93e1d75b70b1f8b5a37226b505b501

    • SHA512

      58a643ff40471534e0d761454b65052ca6deb7c5a27d338487743563c6f7557f54ef8ff83d5a7a6f7211c079491e830f54a24172859cd6667c257a0cc90918eb

    • SSDEEP

      48:6emltbaxZ8RxeOAkFJOcV4MKe28dZvqBHvuulB+hnqXSfbNtm:4VTxvxVx95vkBTkZzNt

    Score
    3/10
    • Target

      2f3ef255d917f50ba453d9e3856d730438a86f2e419fc17c8bcc8f40e4a6f218.exe

    • Size

      3.3MB

    • MD5

      ef68c86e5dbf79b7501ba7ee7a00db7a

    • SHA1

      7629c9ad3c0dbc30a6367adeb54f495abdd9a0ac

    • SHA256

      2f3ef255d917f50ba453d9e3856d730438a86f2e419fc17c8bcc8f40e4a6f218

    • SHA512

      c79e0ed5bc4985b5e809e1710a4b2010490e924ddaa052d7ef9d44fcb5f4dffd83be9bd41fa07061a3e10e5fd053bda2ef18616e7f33e688cf023059d9e5a63b

    • SSDEEP

      98304:eRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/R/j:ekj8NBFwxpNOuk26j

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      2f51ba1ede9584e95a2dea20a67369be.exe

    • Size

      78KB

    • MD5

      2f51ba1ede9584e95a2dea20a67369be

    • SHA1

      cc386ce71edb2c6ced31fff9c396ae1fe988d8a8

    • SHA256

      3e4643d89c807e25e8bbcacf4b7274b466e88f11185f183b320eab95bc889d43

    • SHA512

      81d69dedf94ee7fb0f129c29778a8510af7e905c37eb915662c5259c18a3c8dfe377cc6dc1a18cc3da619f4305def72cd014ac0196cdc2faa895ef51990e332a

    • SSDEEP

      1536:sJPWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtzb9/r1wL:sJPWtHa3Ln7N041Qqhgzb9/o

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      2f61e23326b11de39e126e1baf46488e.exe

    • Size

      2.0MB

    • MD5

      2f61e23326b11de39e126e1baf46488e

    • SHA1

      530a94ef319c7ef102cc3ddc19ff2f0dcd891565

    • SHA256

      d5c20e1b5c91b69d26064a9a539d6e262218630a99cfb06955bcb7e3a4108f36

    • SHA512

      beaea9e6314ab6ef4123666cb50da724c774713fcadb9106f15513e20d8ddebd67a6e84875f0e037e6f53acc2dc6f696061f27d0a5a32bb2196ee81e6dad10fd

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      2f8f60984eeeb021676bd9fcf791dd42.exe

    • Size

      65KB

    • MD5

      2f8f60984eeeb021676bd9fcf791dd42

    • SHA1

      b3806c7c5890cf44a8709fc5a7ae28ba6abf8571

    • SHA256

      4c6151582b07c50f82e0a6c06b1762791019db26a4a9d43c9144585d357829b7

    • SHA512

      dbab51e363fd034bcab27c86bf75a8590383775dac0c491afcbca16db074dfc0845da3084f3c34459257c89dc51e07ff9ae84053beabc3d82e14c57ead82481c

    • SSDEEP

      1536:pc89KDltkLtEXs4Oannbao5X+x6uJPOiDneklYaTP:S89kEXXYba/7OiDnhlP

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2faeca4666ab05cf6704a2976357a5783bec6deb9c377aac3c94088405ce14e9.exe

    • Size

      183KB

    • MD5

      25aeb519d4e4e511a014053e5671b2df

    • SHA1

      46ceafdfd2f51018e9fa80b0e6c2c675b81ed547

    • SHA256

      2faeca4666ab05cf6704a2976357a5783bec6deb9c377aac3c94088405ce14e9

    • SHA512

      3c8d9bcb1bd3207fcfb65bffb865276f59a1486221e9e24f5d6a2f0382a7a31bb30aa87a90aa410061c855d549545a366ff000dc5128bcb7d830e7e90940943b

    • SSDEEP

      3072:XmP7SGeqAiGs7tQbihaXIVjtKLqJGH63cDBvyxJD2OW9bpXjWkwmfoo:W2GEmyihaXGtKLqJ1s1yHD2Oeb0Lmfo

    • Modifies WinLogon for persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      2fd4eb3e27778484c6c7d957a980c00563b9e5b83750393d08aa39154a7cff82.exe

    • Size

      1.7MB

    • MD5

      af3051e752cce78b57735f04d7d5c848

    • SHA1

      e64d7999e191b361d85634cb9144bad9026d070d

    • SHA256

      2fd4eb3e27778484c6c7d957a980c00563b9e5b83750393d08aa39154a7cff82

    • SHA512

      113ccb90d689343e5512975e5c277dd6bb3aa5422cfdc4ccffd85ca3831277fd4c0a5559cce1c6531c88691cb2172287820975f435ebb737a6f72baf92a06613

    • SSDEEP

      24576:DD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjos:Dp7E+QrFUBgq2x

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2fde7f3ffb6b753f4f38d56d9b5a7cc6.exe

    • Size

      42KB

    • MD5

      2fde7f3ffb6b753f4f38d56d9b5a7cc6

    • SHA1

      d1db9a01cda04ba123dd98fd84675bcec94bdad4

    • SHA256

      6c97ecc2c61d32ed69642e73d95768d47cff87f2e6f71d3561ed5b23ffede4e5

    • SHA512

      0dd9a010aade521d8450e30fc9f465498a977ae26e74e3725f00540e276387ee979d6e8608d9faca124521413a55ac45836a0ee05fff8f225bba198b14099799

    • SSDEEP

      384:Tn07iHzfrw+BNPMRTPfckQn2ki/ftcRg2/+QNa95V4doERUrT0h+glcoCL78LY09:TciQqPGkke21/fm7xJRUrOw78LvaD8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Downloads MZ/PE file

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      30143fedf8d4f08b82ae24f18f50e5ac.exe

    • Size

      53KB

    • MD5

      30143fedf8d4f08b82ae24f18f50e5ac

    • SHA1

      e31de66bbdf8aad355a6e8c6c98f591ba2d1d8ff

    • SHA256

      8b05a54bc8f930d8a9ed6db438e3bbff857b5a65cc309195f884e177f1cae263

    • SHA512

      cbc44f3681145245354d23adc979f224c05e34dfeadad0c74a800c278616f59c4f4b9e545079e840a1cc9aa7bbf2ffd776569820a0410561f0b00b159fd1759e

    • SSDEEP

      768:a4jAmlg/qrWt05vQ7z2TRl3XOnn+G/kboEP0rZDY2Trm0pdSmifj6YOHSJNhwFI0:a+AEgAcYv8xkboK3sDpd+7lOHYNv6

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Target

      301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe

    • Size

      1.6MB

    • MD5

      e9a51358da08f22af241931abad598ae

    • SHA1

      04afc75b8bd8a406d03b844292ac955499feb7bf

    • SHA256

      301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db

    • SHA512

      fe3c8a7ecca641122815dc2ecdaec54811318291df3fd278a9516e5a87b95b76b92caef20efbdf382bf286fa5d3d71ddc35d53a8097b5972e8c03a7b1cc36eab

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      3020571d24ad91e5aabd74a3c92f5014ee1f3aa8805d066e34a9289b4325d75f.exe

    • Size

      418KB

    • MD5

      c157899ac1cd17ceb52c43b403dbf647

    • SHA1

      85036f05dc58d68c8f9dca29a2a69a1e8b55b08d

    • SHA256

      3020571d24ad91e5aabd74a3c92f5014ee1f3aa8805d066e34a9289b4325d75f

    • SHA512

      95d9bed3103191c765d67a4babc57538e0e490c9a354fddeb351f541253cef5af3a23f223ac7453a51a4f8952d99ef0e91b8bdedcb15f9bfa888e305fe51811a

    • SSDEEP

      6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwbvh:ITNYrnE3bm/CiejewY5vXJ

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

rat dcrat xworm silverrat umbral
Score
10/10

behavioral1

dcrat infostealer rat
Score
10/10

behavioral2

dcrat infostealer rat
Score
10/10

behavioral3

xworm rat trojan
Score
10/10

behavioral4

xworm rat trojan
Score
10/10

behavioral5

dcrat defense_evasion execution infostealer rat trojan
Score
10/10

behavioral6

dcrat defense_evasion execution infostealer rat trojan
Score
10/10

behavioral7

dcrat infostealer rat
Score
10/10

behavioral8

dcrat infostealer rat
Score
10/10

behavioral9

silverrat defense_evasion execution persistence trojan
Score
10/10

behavioral10

silverrat defense_evasion execution persistence trojan
Score
10/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

defense_evasion execution spyware stealer
Score
8/10

behavioral14

defense_evasion execution spyware stealer
Score
8/10

behavioral15

metamorpherrat discovery persistence rat stealer trojan
Score
10/10

behavioral16

metamorpherrat discovery persistence rat stealer trojan
Score
10/10

behavioral17

dcrat infostealer rat
Score
10/10

behavioral18

dcrat infostealer rat
Score
10/10

behavioral19

xworm rat trojan
Score
10/10

behavioral20

xworm rat trojan
Score
10/10

behavioral21

persistence privilege_escalation
Score
10/10

behavioral22

persistence privilege_escalation
Score
10/10

behavioral23

remcos host discovery persistence rat spyware stealer
Score
10/10

behavioral24

remcos host discovery persistence rat spyware stealer
Score
10/10

behavioral25

xworm discovery rat trojan
Score
10/10

behavioral26

xworm discovery rat trojan
Score
10/10

behavioral27

xworm rat trojan
Score
10/10

behavioral28

xworm rat trojan
Score
10/10

behavioral29

dcrat execution infostealer rat
Score
10/10

behavioral30

dcrat execution infostealer rat
Score
10/10

behavioral31

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
Score
10/10

behavioral32

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
Score
10/10