Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
archive_14.zip
-
Size
49.2MB
-
Sample
250322-gwvxfayzdv
-
MD5
c38f3bc54b8e04ca733d80b5ac961685
-
SHA1
bbfc5a44f6828039314f9fe91f37ef19de34ac69
-
SHA256
5b1a883fc342ab1654912c119190f04771ae47477f1a006b932150129675134c
-
SHA512
6317e525bb05a934c4560a24ef8d3cf9be6934e1c0466552f85df4e44a6f0e5d7544c4422dbb52354346b743151cf21eeb7dcc6b4060cdfc2a2e4f920a0188c8
-
SSDEEP
1572864:0NJXJwm7LVvArT7fbmfZoGaBWeQMjGndafAmakygy:0NJSm0T2f6GkVQMjGdfmaV
Malware Config
Extracted
xworm
5.0
127.0.0.1:51521
santifzm-51521.portmap.host:51521
cartomen-43567.portmap.host:43567
b72MvNSRMPJDN4rw
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
asyncrat
5.0.5
Venom Clients
127.0.0.1:5050
127.0.0.1:3368
147.185.221.27:5050
147.185.221.27:3368
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
true
-
install_file
Update.exe
-
install_folder
%Temp%
Extracted
discordrat
-
discord_token
MTM1MDQ4NzQ5Mzk2Mjc2NDM0OA.GZbvyA.PKNFIhetpzF95YcuCNgq7R2v-BQBC2fehZx5cY
-
server_id
1350487296222171147
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Targets
-
-
Target
37b5b3a3044b6d582546b772fa8cee08.exe
-
Size
41KB
-
MD5
37b5b3a3044b6d582546b772fa8cee08
-
SHA1
976fe55af8260423d47d07859655eafb46aee11f
-
SHA256
45474924043bbf73569c9efb1273c22d37ce780eb8f53c5e8836e62c0b78abc5
-
SHA512
34e9cf859769d2f0f0c0a83bad045b5392ac120e942040a9d9827b5dc80b4f27e4bf328628e542b28c1c1d2a13e9d07f5caa2ddc2f9f199498e89e38dd567f64
-
SSDEEP
768:bHzZwCyfrD6QdI9Efsq2xFPw9b20h6sOuh5Pe1rpU:nC9vtdI2SFY9q0h6sOuz2rpU
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
37d3fcd5058c45d2c2bba065a5c22296.exe
-
Size
3.4MB
-
MD5
37d3fcd5058c45d2c2bba065a5c22296
-
SHA1
22debc7d8cdf3efd9b65ad099592c68ad7fa2713
-
SHA256
774cc2deb69d990bb908b5b4a77314e474b357268dad92d917dcd85176f43ffd
-
SHA512
fcad1f64c733180c7812a673379a35e488ed3306ca6146b187c7627a670012cec2a9166bf88815fbc1468cb70e7a1215a54e34aab37cba0f4ded8ce914323bdc
-
SSDEEP
98304:IZXfHaFoQyDIvqkqXf0FglY1XOe97vLn:SaBqkSIglY1XOCnn
Score1/10 -
-
-
Target
37e1fc1ec800f44c686bd7c2ea3c8890.exe
-
Size
32KB
-
MD5
37e1fc1ec800f44c686bd7c2ea3c8890
-
SHA1
026064129cbd17a16cc224c19a2265b9815f47f6
-
SHA256
143c57beb1a983bd47ff8ce1ed7ebc266c5a822fe592aa2086d4989db2cc0f0e
-
SHA512
8e7089a8cb4d2c033ea74a49613edd87bf3edd48f0ba7f974cd57df4e9468568c394e2c060c33a83e890032a6feea5a0b18d74535d7bc5d215bceac4854957a3
-
SSDEEP
768:nRPD9OQhx/BV3Tw49FzVFE9jjROjhGbC:nd9OW/V3U49HFE9jjROj02
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
-
-
Target
3806b87b2562c44df09560409b8759bae8ba6dbe918fe9020f61088360cb99f8.exe
-
Size
3.5MB
-
MD5
96ba88c16acc54a90745e1213583e62d
-
SHA1
f19926cc3931a36fc378285bfacb20b9e1559b1b
-
SHA256
3806b87b2562c44df09560409b8759bae8ba6dbe918fe9020f61088360cb99f8
-
SHA512
176416f3936060a2c68a690fd3557f550261e59ef68496d3f4dd477c573f770c566f93b125ccc45af7bfc8279648188f006cad82c9d93df898a555af660e1536
-
SSDEEP
98304:ZRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y//jIXov32:Zkj8NBFwxpNOuk2sjIXoP2
Score8/10-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
3834ae494af0fd48ecc667bea1ef47cf.exe
-
Size
78KB
-
MD5
3834ae494af0fd48ecc667bea1ef47cf
-
SHA1
f9eaf46f7a2984ea27b86cfe0a8a22f5cf8f84ad
-
SHA256
c791781a31dc589e586824324fd17b81091656130f2efceca554adddc668f8e0
-
SHA512
eaec00e79da4238f13ba254fdd9dc1b19f660a0d09401c1deaa9fc17ac3bff4b2d0b711a54c6cdb460aa57141f32994072695e210cc57efa2b7a1bfe4da0a75c
-
SSDEEP
1536:q5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6/9/S1R2:q5jSrn7N041Qqhg09/T
Score10/10-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
-
-
Target
385f35ff50b3c39fd02425bb9baf09a100e555087c6dedafddcc98052d8f703c.exe
-
Size
320KB
-
MD5
dc1392d4a8faaa7ceaf20c19c80df4ff
-
SHA1
6a155c571dc8817c6967c67dca487e9e9789fa45
-
SHA256
385f35ff50b3c39fd02425bb9baf09a100e555087c6dedafddcc98052d8f703c
-
SHA512
778625bf8ab8b44357cfc27d630a087026182bbc6a9780acb62aca9e9e45e3b1ea1fb248173accdef88ef794f98f827aa2467290d682c84f8a2b1000a1823a6b
-
SSDEEP
6144:i4YWZrRk+GTkWANv49qD8SguChBGOUKEMHLn+UurWCXXSJGHH7c:tYWZYTkWANv49qD8Sg1uMrDsAJT
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
38e8b4b1294e5d3ddacd9be4727487cf.exe
-
Size
78KB
-
MD5
38e8b4b1294e5d3ddacd9be4727487cf
-
SHA1
40c172c9c1986d88f4d06c9a2442b395b4d20272
-
SHA256
2507c5df7551477aaab6eaf7c07ea04f3989dd052986bd4a4b17f9e947f524b3
-
SHA512
b6da35f3673f9070d2a909a955817927bf4394d00016f2a09e023e9363a289099813bc0f905836ecfe89797fc6b2708707b2c81761fc87d79ea162ce03cbfd34
-
SSDEEP
1536:3WV5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt9629/e1y3:3WV5jSen7N041QqhgN9/7
Score10/10-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
-
-
Target
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
-
Size
1.6MB
-
MD5
38f861dde9adcb292ab747d998438b20
-
SHA1
0ace12fd6fda2f2663b5b2c83c9451ad439436e0
-
SHA256
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0
-
SHA512
3ce0f60b7031d2e5d3e108663d1c7b3d07bb467be1ec0b02e61e2e49161593e2700fec12d144ffaa7e2d1401b5adeb53bb3c1d8a3d48e711c1e5f9ecaa96513a
-
SSDEEP
24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
38fa74b5c6f3bc1f8061998ae2d881d1.exe
-
Size
115KB
-
MD5
38fa74b5c6f3bc1f8061998ae2d881d1
-
SHA1
7afb1a1e5d6439078dd3b20b178d6de3db22ae46
-
SHA256
37febdb4fa00c92cbef1b29d01c02d6d9fd8c9239c13d3a89958bcd3fa762702
-
SHA512
d163d289a0afcc97aa1e0ee36e8daeea5387719494815168e2f605f9fe62db8cf28bdc9a87aa140e69a2a5582b5ed5aeaec910111a345461889219fa19b6e75a
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL2:P5eznsjsguGDFqGZ2rDL2
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
3925d50ec09cade5278e78250a503852.exe
-
Size
885KB
-
MD5
3925d50ec09cade5278e78250a503852
-
SHA1
2bc4c2fc3e2b24577b7e6901378fa378e6601dc9
-
SHA256
70095186bd0a9bdafdf96d48c8d17b1539b12fd80480259a5be27c3d5de188cb
-
SHA512
e93d68eed7a30d6dcbcc3d113b8c0dd80330753b8163f3ca7cfbe484391952e22649d2d33e652b0bf7ffc03afbbee5aaffd076b5dc1426ac802de95554426a3c
-
SSDEEP
12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
3941105d7c81e962f92d2023da9ec9e6.exe
-
Size
580KB
-
MD5
3941105d7c81e962f92d2023da9ec9e6
-
SHA1
4046440a3417519401e23a0997d4c4a6d74a047b
-
SHA256
45f343e693bd7d3e4292206cd974ab4d06a353ffaf590afec19b1c01a2554802
-
SHA512
287e611104381367a7a4212ece8da1a6f3c68c86506b43d6721ab590ea89d42846cf77b58669fabdb69510f9b56a2d64c99378a4684ff1f379a529010e04dcdb
-
SSDEEP
12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7o:rBJwdhMJ6ZzHrfcsMGTfZ5Po
Score10/10-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
394f64ff5b12eab1067babefe641f23e.exe
-
Size
63KB
-
MD5
394f64ff5b12eab1067babefe641f23e
-
SHA1
204a1a4572c5545afd99b61a87174ca83596c0b8
-
SHA256
776e0900fa622854f9e032773e373017b9cd9d814e19703ad6f366c53fe0aa77
-
SHA512
a8dca3a1e3e0e4faefc678fbfb0def4588f111865669cd63f9c77f02658f9fedcc9c31e1b56f84429a459a02fecb606a7b43519e0472c27d72c3cf1136a1e60d
-
SSDEEP
1536:ghYRpM16zMsN2eeiIVrGbbXwz+rYNDwGWDpqKmY7:ghYRpM16/NveXGbbXyTIgz
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
39813551d3b3ee13a718ee63b2d63dec.exe
-
Size
115KB
-
MD5
39813551d3b3ee13a718ee63b2d63dec
-
SHA1
a6c982cb46fa939c2ac5d362a6c2b776a0decf8f
-
SHA256
ad75e44f4d7865222cf484b4947e354c21b55b8533fb06147520ce40e014f541
-
SHA512
f1743c457774f372795d980316b5a24cfb90e991a7537c2da0843e27b5344576ef4d20b0537d61377242131d529472bf4a5114312608b61bb922abf5841b427a
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMW:P5eznsjsguGDFqGZ2rW
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
398d0de7a9676d640f72d3e865a704c9577be0e57cde62434a628ed88dccf79d.exe
-
Size
15.0MB
-
MD5
fd7eb8fa0e37f735e61933deea02ebc9
-
SHA1
1e500e2689d437f27e578202be6a488ff9f26a0e
-
SHA256
398d0de7a9676d640f72d3e865a704c9577be0e57cde62434a628ed88dccf79d
-
SHA512
7977ab0dc44123a68e6c7763e758f4f6cad9fd1d5433d37e8c223ed1cde27d9b915895ecfe8b7849907e87072eb1d8b76df464a1c8e8f58fa83e642b1e74b2d5
-
SSDEEP
6144:8zs6lgz+NGLIuEadtl+AJe6VlWT8b9z0ghDGDbK1INHYF:ePle7ZtYAJPVle8VpXIN4
Score1/10 -
-
-
Target
39a387cb5e2530237c32fac8504faed4b43ca4929459af88a9362697f2f9172f.exe
-
Size
14.7MB
-
MD5
f411bf0b4e3c18f0d6edc644675648e7
-
SHA1
fb22d798adad0963213d54ce2ccc754f02c858ce
-
SHA256
39a387cb5e2530237c32fac8504faed4b43ca4929459af88a9362697f2f9172f
-
SHA512
bafdf8b0cbb11129164343e793c3b166969ec518db334e9d1bec41fc1e6c00157718f8cfd0277bb9ea1eb5c6272e92435abd38eb43daedbf01ef125e351c1327
-
SSDEEP
393216:eEUqNdLdxrHIQPWIlMqrSEIlg2k4m1IOGJHenckwnRBqn/HBIX:7U6dLdxrHIQuIyHVdSIzJHenfwCvB0
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
39a7f02d9e76b2b1d996ec00e73d9e5ad7a78380e50bf46ee013df73a37a10aa.exe
-
Size
3.3MB
-
MD5
58e145216b006e9458e1bd6227136341
-
SHA1
bb3299286a7cc28539a3ddf77401981c3bb99b14
-
SHA256
39a7f02d9e76b2b1d996ec00e73d9e5ad7a78380e50bf46ee013df73a37a10aa
-
SHA512
4f93fb7fc2ea717ce0c5a6576bc7a40bdf896106098c05cf6fcd4dd5c9f71486c4bd6e5e68022fc83fcaba9e22bc953e8da18cc613d73e3c78b1f06707119f1a
-
SSDEEP
98304:nRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/8xB:nkj8NBFwxpNOuk27xB
Score8/10-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1