General

  • Target

    archive_20.zip

  • Size

    114.2MB

  • Sample

    250322-gxhcqstjv7

  • MD5

    287620b7b39a119f3c0b85add47ea626

  • SHA1

    4c336b348170c6e3a3d3e958e4bf291b08a062b1

  • SHA256

    4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

  • SHA512

    c492cb9dc4df116e942b3cc33e46913a91ca10e2cada36ac986574332d16e97823addc3208a2a02cf8e61927e1453bb8dfeecffbe2534d3495b09aa11561fe59

  • SSDEEP

    3145728:nQlZtyJU+d3ULaShPdFdFitijbNEXjtK168N4RhhsBi+z9c:OZtyJbd+H9EXRKANh8i+a

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4037

gl.at.ply.gg:4037

centre-health.gl.at.ply.gg:4037:4037

27.ip.gl.ply.gg:4037

centre-health.gl.at.ply.gg:4037

picture-horn.gl.at.ply.gg:4060

floor-steam.gl.at.ply.gg:58684

127.0.0.1:8848

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.68.101:4782

Mutex

fbe2fd24-30b6-43ab-98e0-24e8e427f779

Attributes
  • encryption_key

    3BF4A75B9DFA3D9887A60E8B0225F10311842D24

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:6522

Mutex

Star Client

Attributes
  • reg_key

    Star Client

  • splitter

    |Ghost|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

2.tcp.eu.ngrok.io:18848

Mutex

0114494881a2e09e62a13c90a46e0caa

Attributes
  • reg_key

    0114494881a2e09e62a13c90a46e0caa

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:1024

85.235.74.114:8848

85.235.74.114:1024

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      5066d63f683553725c60860d021a0d41.exe

    • Size

      75KB

    • MD5

      5066d63f683553725c60860d021a0d41

    • SHA1

      670595d28ee9ea1c5c9deef41a141b9d6c741b79

    • SHA256

      49ee34af90202af0967e6936aa7f33625d53b27f4450ec028875f8c22a940a92

    • SHA512

      9ff1a75664e11e8946085a29c02f391b4030a2e1425f2aa9720956d8da1232ccfd65826d74ee4ecb2e675eda8ed7fc32020dcb85e9dda99fb2ba61ae5d5139dc

    • SSDEEP

      1536:xK8hBz/HAZvE6o0k5GMFbr/M7s7XC6/3fh2O+muMwe:hhZuE6Mzbr/MI/UO25e

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe

    • Size

      1.9MB

    • MD5

      0a63e063ab8eb5d26764d60214cc718e

    • SHA1

      5fd444ff88f9cbe1f31109a1332de2958ad8428a

    • SHA256

      508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e

    • SHA512

      f06131120f27e8c9e8138c7cce521ece72ad3c7187c1866a05f743caa11c32c4f9927838599d129d82d583dd5f1af5a5eaa91a6cbedd10adbcfd6db7f3633e2a

    • SSDEEP

      24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      50a0e27c44685967486053465ad72a11a9a431ddf9c9e8a5c6f47c87a76d101b.exe

    • Size

      777KB

    • MD5

      c37c80c198bc0ba6c977861b810f367f

    • SHA1

      c8fb2ccdb1ad0382c7de904bcd910feaba61f597

    • SHA256

      50a0e27c44685967486053465ad72a11a9a431ddf9c9e8a5c6f47c87a76d101b

    • SHA512

      cd71003d3a1db1fafbaaeda0d0bdc3c9b3c7104b8b97d0854c563af5688108b39982e79f3606b995d27679ec61ae6c6743a651f756a6bd91d6cbe719bee99832

    • SSDEEP

      6144:HtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKHg:B6u7+487IFjvelQypyfy7cnKHg

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      50ca83ea97b149fc0cddcfe79e9ecb2a0d230da4d26f0549f5792060be18aaa1.exe

    • Size

      7.8MB

    • MD5

      8fe6b6220c4f4461f276dab6a81ac311

    • SHA1

      f3703d71bdb3a9610dd6d31900ea543b231aac23

    • SHA256

      50ca83ea97b149fc0cddcfe79e9ecb2a0d230da4d26f0549f5792060be18aaa1

    • SHA512

      a1e7872030de012e3ba25e64b4ae535e69959b6482164f20c201018979fc72623bf9c1b24d062171d182cec879e5f9d599199f2c1e62472889889318c3618b5e

    • SSDEEP

      196608:g5R2exssVAq6uBYCntjxnOYh2QdBVHJtufU3azccAed:gzJVAqPYCth24BHtSlSed

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      5131f70fe8e529308014ee35b2ff10c9.exe

    • Size

      69KB

    • MD5

      5131f70fe8e529308014ee35b2ff10c9

    • SHA1

      b66b25b59049122be0d87e14a30531824dd8b426

    • SHA256

      f53dbb7fbd6754c387278172322cc5dedc431c2e801a069356b2b9fa72861d4c

    • SHA512

      3b86b47a47d81d78f36e5005e310ac67424bd4c0e7c4c60e5bd4a70944c3e9145edd1492a5ab9293d1f29aa7c25e9c3b9ee761f726a53921906540798daa5d25

    • SSDEEP

      1536:C1+pOncQLtqpZ59UzLtj4sgbd+r+Mx6vmyO7OEmJa:W+UnLLtkL9KGsgbde+M17OEmJa

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      51a043361bd59e21a64fdb95fb472f63.exe

    • Size

      78KB

    • MD5

      51a043361bd59e21a64fdb95fb472f63

    • SHA1

      e605acc42664303e4776e95977af26cfcab3e02a

    • SHA256

      751f6b8d77920eec4226c83b41e972117864bd8749369f33da5591bee60a3814

    • SHA512

      fb8726f88ec0ed281eb6f38d70360208b5fefbcb66479541d17455d96446816c6522900e26057c79d9bb5587d53b6c4c1dbce0b7faa9623de21e9d9fba429ecc

    • SSDEEP

      1536:He5sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6W9/t1l0:He5bn7N041Qqhg19/K

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      51ae5a5c1253ce8fbc9483a1e412a144a27ec6d1dc0b6c8832a36475b8912616.exe

    • Size

      810KB

    • MD5

      fc8e550d9358e925ee5f7a566ed511a3

    • SHA1

      fa468541e12df16913674a7d2487885df7bd519c

    • SHA256

      51ae5a5c1253ce8fbc9483a1e412a144a27ec6d1dc0b6c8832a36475b8912616

    • SHA512

      4fe9d72a2b0c42258bdadb484f41c77712ce8a855fef629a329efb35c72933c6c8ba9e5721003fbe938458fc9214514ced6f2a4e7a1eed79d26074093ddb7f8f

    • SSDEEP

      6144:StT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKkR:O6u7+487IFjvelQypyfy7cnKkR

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe

    • Size

      3.1MB

    • MD5

      df996beac5ac63cb5bccd4aac8ff4213

    • SHA1

      9187a4889e41e805c1a2fc485193c3df52aaebd2

    • SHA256

      51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462

    • SHA512

      4befae5aa20984b6445b053b8f222da5e4f5cc72af9aa04a0010ef78157905f2d2791d149515fab63a33889dfedad22e7f57b15c9fac0ec5437398be6539dd7d

    • SSDEEP

      49152:SvvI22SsaNYfdPBldt698dBcjHYRxNESEJk/i5LoGdHTHHB72eh2NT:Svg22SsaNYfdPBldt6+dBcjHWx8J

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Target

      521cf0805a2515e0ccfc307f4b045897.exe

    • Size

      670KB

    • MD5

      521cf0805a2515e0ccfc307f4b045897

    • SHA1

      d3350a750d46bba3a503a89e323cda3f38c6f7c3

    • SHA256

      173dddf20ec8f4d138fe9c0ebb8f49624ab983e15634f9da225d258b18c99cf8

    • SHA512

      18ba9ec46fe6b1050ae8f7dcb779e71aaac6c8abf2637271b5e5bf1ca16233074502bad1c426590ae776c30838874843e15b15664bd2d5123343f9cdbd9f3649

    • SSDEEP

      6144:BtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rCQ:r6u7+487IFjvelQypyfy7CQ

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

    • Size

      1.6MB

    • MD5

      f78812be8328346fd09f480c9737963a

    • SHA1

      0db02b799e80a1659c9aede03b54a26aef2beb4a

    • SHA256

      5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1

    • SHA512

      4be91e19f7eb4d1475ad142cbe66620320f4ab62dbdf8555fe7701aa1d2ddd19d739c73b4a1c05669282de374ba1a5dca449464154bf141a62e6842250ad79ad

    • SSDEEP

      24576:Usm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:UD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      5271d48de9aafb06b6371ef7035e993215063cc57fa7253ff06ef6a277da772e.exe

    • Size

      66.9MB

    • MD5

      cb980516456576cb91483b0ba7a11dcc

    • SHA1

      408b5698e1740afcc0dcc59d44f688d32f5a73e2

    • SHA256

      5271d48de9aafb06b6371ef7035e993215063cc57fa7253ff06ef6a277da772e

    • SHA512

      7f5257c34dede1efb10be2a01acf65de8e2e8fdd10ef041209cfc46bae0b02bbe6665f120c6cfb9d3c64c54bbe40139adc6a34c02a068fe6b0743172798932fc

    • SSDEEP

      1572864:+1YnA7A8R7tqEwTDYKJbQ0JxcgjnrUBOO8CPdAoIQ4DyRGYluN4fxn:+10A7B+DYKJbndjnoH8Nb/yRPluN4p

    Score
    7/10
    • Executes dropped EXE

    • Target

      52af6589107938cd3e3225f3a91e05b8.exe

    • Size

      452KB

    • MD5

      52af6589107938cd3e3225f3a91e05b8

    • SHA1

      10448a15bc3d157ab305496056d49a2c3ddbcd65

    • SHA256

      9cb3da95530682f64bd1d419949425cd01c7f7df0b54bf3d0f7df159cb224b3c

    • SHA512

      53a2a91c646b8bc2a3de27a9e058498eb65526479e483f64b49b640872b0d507f4e1c4b8377a04e0299c4a9fa3f184869f88b763fa02fb6e4faa8a5b0d31d680

    • SSDEEP

      12288:oANyhVQnLLPoRzv0cOuXFK8bW8yHAgZQHUExfgO2OOF/ij:jJo+SW8ytMV

    Score
    1/10
    • Target

      52ef63d7213d2cdef68a755faf5b44bd93e1eb92fb0701b37704d243c6d4861f.exe

    • Size

      3.1MB

    • MD5

      a6dcf6d06ca5bc34e91aeb9d8113ca9e

    • SHA1

      191cf5eeeee959f8979104f4367e2bde4acd1b7d

    • SHA256

      52ef63d7213d2cdef68a755faf5b44bd93e1eb92fb0701b37704d243c6d4861f

    • SHA512

      3066c8370040e12610888872c74971ebd7ab5afc447b5c22a5d35fde7e75e087d0f67d4ade91b87793f889de49a72e72c32b5afa472e7b738974e7f53c884204

    • SSDEEP

      49152:fs/B8Y7YlTDYTT3s2AcYhqpG1Z+qlw404QhMlTtR:fsZ8yYlTkTT3ALGGn+qwcQWlr

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      53008e68ab00657702ebd582ff8dd1164b9809330083711a0409ed9dbdc50a9e.exe

    • Size

      689KB

    • MD5

      f89e261105f86757235ba0eb7b117686

    • SHA1

      46ce1eaed14ce7f78260503d11a0535b62b3f5f0

    • SHA256

      53008e68ab00657702ebd582ff8dd1164b9809330083711a0409ed9dbdc50a9e

    • SHA512

      17fb411f5326302522f1b3d9c7e66f2d46f4eea0f1aba20963af5424b3beabd6bc3d1373feaa76d61079c4de3587828aad73f87ae8768c930712b597c2c4e521

    • SSDEEP

      6144:VtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rCC6:H6u7+487IFjvelQypyfy7CC6

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      535aeca70c4f3e3aedbcef76f5870ddd86af9459a907dd3012e3f4e9c8c6dba0.exe

    • Size

      14.8MB

    • MD5

      3f58a3e07aa254de3aabfd1dbcc678af

    • SHA1

      b05dd01d72396328a42cdab7d988bc50594ec406

    • SHA256

      535aeca70c4f3e3aedbcef76f5870ddd86af9459a907dd3012e3f4e9c8c6dba0

    • SHA512

      d93bf8a550cd2b1e497baf2d63dc00ba1b239b03a5e6c6bf9289b468107ac6cab9637c3d526dd6b156455a2ddb431fb3231c468bb9d03db83adb74c971279354

    • SSDEEP

      393216:D/wgbPQQp7Nrb+exM5xyCBlmjKE4HisGTH897sBK:D/5B7NrvIx7lNkA

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e.exe

    • Size

      131KB

    • MD5

      844a5fcb3644af223a45da950e14801b

    • SHA1

      928d3c7afa140e9b9e96d4f03ea1d82b4ad37634

    • SHA256

      5370f14c685c1c1c6c9a206afc4657f2e57ca67a68580cf6291797f143e6963e

    • SHA512

      7aac0f58ff1bf21cd540ef2acecc5866a0d7056496b932e04593d4c256f498079d810b326695e36c62442545a6793b566c50474c9784bb8436905ce4da70e8c4

    • SSDEEP

      3072:4+RlQoN36tGQviFCnMBnMfWl9zmaF9bhYvMY:4jM9zCvMY

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect, office04, rat, hacked, default, xworm, quasar, dcrat, njrat, asyncrat
Score
10/10

behavioral1

xworm, rat, trojan
Score
10/10

behavioral2

xworm, rat, trojan
Score
10/10

behavioral3

defense_evasion, execution, trojan
Score
10/10

behavioral4

defense_evasion, execution, trojan
Score
10/10

behavioral5

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral6

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral7

discovery, vmprotect
Score
7/10

behavioral8

discovery, vmprotect
Score
7/10

behavioral9

xworm, rat, trojan
Score
10/10

behavioral10

xworm, rat, trojan
Score
10/10

behavioral11

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral12

discovery, persistence
Score
7/10

behavioral13

collection, credential_access, discovery, persistence, spyware, stealer
Score
7/10

behavioral14

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral15

quasar, office04, spyware, trojan
Score
10/10

behavioral16

quasar, office04, spyware, trojan
Score
10/10

behavioral17

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral18

collection, credential_access, discovery, persistence, spyware, stealer
Score
7/10

behavioral19

dcrat, execution, infostealer, rat
Score
10/10

behavioral20

dcrat, execution, infostealer, rat
Score
10/10

behavioral21

Score
7/10

behavioral22

Score
7/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

xworm, discovery, execution, persistence, rat, trojan
Score
10/10

behavioral26

xworm, discovery, persistence, rat, trojan
Score
10/10

behavioral27

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral28

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral29

Score
6/10

behavioral30

Score
6/10

behavioral31

njrat, hacked, discovery, trojan
Score
10/10

behavioral32

discovery
Score
4/10