General

  • Target

    archive_32.zip

  • Size

    37.3MB

  • Sample

    250322-gy3eastjx9

  • MD5

    b8532cc208bc909f6a7226da7ba6d44a

  • SHA1

    c0146a0fdad86fc92b95b0f571c89213655bb947

  • SHA256

    5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

  • SHA512

    7bd3d0e409f7a1f20b478b30c7e379d5bcc0bb17a6db19329ea30e3fa40aa98552a594c354673fd188fde488038ed362b878dabf2a9e46e7bac3211e560f8e34

  • SSDEEP

    786432:Mlv8ao+pxPeFhJiWyQ37myQ37sArOC//yxN+//yxNn//yxNSJW62idf4yWXlQ:qrcJsQZQIArOaa6a7amJlgzlQ

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKEd By ; WsWsh.

C2

wso22.ddns.net:911

Mutex

fc95dd350940f8060476f2a3dc4d93bc

Attributes
  • reg_key

    fc95dd350940f8060476f2a3dc4d93bc

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

127.0.0.1:4782

Mutex

84175f70-6895-4140-be06-b5c46fc6df10

Attributes
  • encryption_key

    6BD7AEB86CDFCFD871F4180FF15AF1BB30573FC6

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

3of0BUcZm7XWUIl3

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    unbranded.exe

aes.plain

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:6126

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    |Ghost|

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

thisismylifemimeyo-22560.portmap.host:1447

thisismylifemimeyo-22560.portmap.host:44139

Mutex

cynpbafqnccbvbm

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

aali13212.ddns.net:1177

Mutex

1579703444a5d397a491c60a5505be31

Attributes
  • reg_key

    1579703444a5d397a491c60a5505be31

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

TEST CONEXION

C2

127.0.0.1:2019

Mutex

3e0f95aea5587d40cb3bf2352e3ebc71

Attributes
  • reg_key

    3e0f95aea5587d40cb3bf2352e3ebc71

  • splitter

    |'|'|

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1352360542572118117/7f9wG_rPG-iPesPEZoe8AP9dmD6QUYNqAh7p-PUonhxSISvkadp-hCn8GKPQPPojQ3Vc

Extracted

Family

xworm

C2

xkpog9yml.localto.net:8977

:8977

Attributes
  • install_file

    USB.exe

Extracted

Family

xenorat

C2

62.122.202.186

Extracted

Family

redline

Botnet

nou

C2

135.125.21.41:1912

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      820e99e0735f8d9d1de08e386589c506.exe

    • Size

      15KB

    • MD5

      820e99e0735f8d9d1de08e386589c506

    • SHA1

      335b44f3ea73fc36519ca1f823f3afd7ce2c64dd

    • SHA256

      701b77e509df1ce240271f9cc9ac874df64e593e0eb8f3cd207db9dcebbc22bc

    • SHA512

      378353ffdafa706600a0a6c2efcf0bfa0d2d6eec948557a31667d9de2fccae6ac3fe735730ce4ed38210526834cfbdb1f549f48337cde2615d4cee3e78fc3e54

    • SSDEEP

      384:8MrJk6GClRZt9qGOVNJk7ha4H949dyNx:hk6pRZPrOVh4H9wQx

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Target

      82159a5146f475b4ae5350327fdc1abd.exe

    • Size

      4.4MB

    • MD5

      82159a5146f475b4ae5350327fdc1abd

    • SHA1

      fc8c4954b3d647fc73b04257a97c4049f83358a9

    • SHA256

      aaed254ce2762baa11e118afc6efcce235544e213238feed3a39b36e56ccf014

    • SHA512

      e1b4acde36a8edd9b8e9e3870b0154d0fbecd39ca15ef3d1058d92386a6905e7466490679bbcf3baf9d5b756d0f5e548e09299978450437c100d81a8fc416157

    • SSDEEP

      49152:8X+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+c:866666666666666666666666

    Score
    3/10
    • Target

      822a16f7ff868ecf1ac2602e4b40e7c0.exe

    • Size

      23KB

    • MD5

      822a16f7ff868ecf1ac2602e4b40e7c0

    • SHA1

      33b780733d1ecf3a50523a458b6634a5e7573441

    • SHA256

      12f57299bfa01cdba9a07dbc468601f158fc025d52554bc48102d1b960d5741f

    • SHA512

      e5c058548c93e1fa30ebf681d0b77ced2da7425351b11c8a74d9cc0e3124ccbb31eff677af5fdeec44a1818269b971f214d2907f7eb57c64e5102a93ece9c61b

    • SSDEEP

      384:R3gexUw/L+JrgUon5b9uSDMwT9Pfg6NgrWoBYi51mRvR6JZlbw8hqIusZzZpxuU:9IAKG91DP1hPRpcnukcU

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      8242f8a80325df8bb3e826fd03cf2d8ba7595d26428d7594f15b2cec819013ff.exe

    • Size

      3.1MB

    • MD5

      7ba765750b28b352b1770f1f0972b0b4

    • SHA1

      1c8a508c4d15570564c0a0aeb30f1a025dd6d979

    • SHA256

      8242f8a80325df8bb3e826fd03cf2d8ba7595d26428d7594f15b2cec819013ff

    • SHA512

      560529ad098bb0e53c752eeb8821dd1c74edd68b1ae684da75435376dd330ad2f75b1c9497e71947737131e341f66e08ba7ee1a5a1e99e1137313a0e1af2feef

    • SSDEEP

      49152:2vtt62XlaSFNWPjljiFa2RoUYIp9X4ECsOk/G8BoGdoEFTHHB72eh2NT:2vP62XlaSFNWPjljiFXRoUYIp9XeGt

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Target

      825b5bf7809427781ab9eefb0f139255.exe

    • Size

      38KB

    • MD5

      825b5bf7809427781ab9eefb0f139255

    • SHA1

      6864d57c5fc44e43fca8fda5bfb40c26b7a70804

    • SHA256

      0e7b11f47c021e3e338d099da258cc2e068aff9eddc68e603f82d53347134a31

    • SHA512

      6dad901703326ab2b853d9a0ec73fcbac523127c7de33cf787a217d61818cb7e350bef87fa6d0553977eaf46840260873c6a9087aa234624d62d4c01bbd16b14

    • SSDEEP

      768:vzpm6oL50kuAM6tQijixOTFQ9UBOwhebJE:rpmLekMFeFQ9UBOwIVE

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      825cbe9334005aa8e6a90be34a4d583e.exe

    • Size

      6.8MB

    • MD5

      825cbe9334005aa8e6a90be34a4d583e

    • SHA1

      9f9c68781cb3117eeee5d3297a92199693336781

    • SHA256

      c1e584a76a6587ac2a63aff79fe403e6db3c025dd1a2fa3d35a559f4f99794e1

    • SHA512

      97cd710ab5274120a732cd669b7e9fa08dd15a603ea545e576a4d6ce069cf7dc160637ee01d2d4a80742ca048fe9aa12a958b83a8805b638fd1dfdbfe236e737

    • SSDEEP

      12288:nssssDsssssssssssssssssssssssssssssssssssssbsssssssssssssssssssK:W

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      828b11fa8d8c85c08db7353be46e7ebb.exe

    • Size

      65KB

    • MD5

      828b11fa8d8c85c08db7353be46e7ebb

    • SHA1

      9e657a2bbe7e4158dd9a96afd23f5951dd898786

    • SHA256

      5993610c7b2ea08f970681eea4594b30c6843eceab0dcec3592ca0e14ed9cf58

    • SHA512

      b2d298ffc2b4aa267245c95c9424f9cfdd8514f5fdad81e1894554b00d81df77353736b29f351d2dfce6fccd561f290e054b410fe51689f1874f641bb6476bae

    • SSDEEP

      1536:ojg0VoN36tVQviFw1uAqo+V+3O/1BnvbGfLteF3nLrB9z3nAaF9bXS9vM:ojg0VoN36tVQviFCJg9BnqfWl9zQaF9f

    Score
    3/10
    • Target

      82a9dfe7288184b982ebc2d37e82aaab.exe

    • Size

      46KB

    • MD5

      82a9dfe7288184b982ebc2d37e82aaab

    • SHA1

      6c94b07674b2552693baba855829793f1c6a9aa7

    • SHA256

      13a04802f83323cbe31ca28d606b4ec73452a506b227b8401a33882e14392f57

    • SHA512

      50c063a2806e3013c8991f56eebf0117b1e98fed17702c2545fd04696c605702be63857571e7c27297f1c9753c85625442cb78405fe105fc01c89fab854d5e76

    • SSDEEP

      768:jqq2PbXwE7Z2XkOicvHk3eHlWMPbPgF0qYMPwppp/UzYI6OC62tYcFmVc6K:jcwXXvZH0ub4FrYMPa3/S6OPKmVcl

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Target

      82aff6a3f0ad4533029392f48502a7e2.exe

    • Size

      1.9MB

    • MD5

      82aff6a3f0ad4533029392f48502a7e2

    • SHA1

      f895f75e4ca2fa64ea2f7fc8026f7d45d6fb7a63

    • SHA256

      40ea09eeb440e55f9020c374046c518009e516ee3efba244fa94fcf753325d61

    • SHA512

      8f12d8f615b260cd390139a82bc8b8ec70bd383f7c0fc17df86c8edc6d1b2a902bb9c4f40209f7d096ff1ed8c1aac12806972ab14e4fe59248d152b7992134e7

    • SSDEEP

      24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

    • Size

      1.9MB

    • MD5

      137d068c92f966611feaee3383ab28ce

    • SHA1

      31afc2071c0f899e12a210b44a460468807af620

    • SHA256

      82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404

    • SHA512

      8024f3502da2ef447887a0f97578a5c84dd86db7f2552dd5c5ac5c7da41b15bb4649dc478f33c2a5a31526ceebe947ed1c0f4cf679f046d90f10997c46117912

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      82eb00f02e7f035adb6a08912ec1b957.exe

    • Size

      23KB

    • MD5

      82eb00f02e7f035adb6a08912ec1b957

    • SHA1

      d2294c34098d10dfe623c6db5be71077fb803c2d

    • SHA256

      054388334d4d0d9fa1e45e259880b2b5874379351f664bc6d4b130fe44ec122d

    • SHA512

      dcf9df9cadc79ff2fcfce17605fb669cec5cc58ea5bfddd5446d05a169bf57e6a8ffb6149086be7953337a12849205f56aec7c72e0b457bdf70093ac0f86d1e2

    • SSDEEP

      384:fwz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZB+v:0TbC81NgRpcnuJ

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      82fdd73396f0e932123186cd1418e8eaad1577fa9cd9293b0429fb35e05deeed.exe

    • Size

      310KB

    • MD5

      fda658b8af52e8d695000bb4636cafd8

    • SHA1

      b2012c5533925bcf9e6ef9b041498f3560b3cb42

    • SHA256

      82fdd73396f0e932123186cd1418e8eaad1577fa9cd9293b0429fb35e05deeed

    • SHA512

      e8e6b870731cac09548cc42742290df0d468fe339a2817cbe2fa23c4ec3d47db4b236c1a8d3509a51972131a6be464e00760e0c3404ecb0acbf005dad54a9f0b

    • SSDEEP

      6144:0NdMUDnvp1i+pLVzGe6VlWT8b9j8Cvn/Rk7IbUQ2lK:0dMUDnvXDBFGPVle8iy5

    Score
    1/10
    • Target

      832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe

    • Size

      1.6MB

    • MD5

      cd1634a0788a7e0c1120930a46dcceed

    • SHA1

      5e990eda55dd6b4f6001898f8f4d828518d05c9b

    • SHA256

      832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90

    • SHA512

      7c4758fdb7fdc7fe06e542b0e64e245c6dae141b4355458e90fb7a600db94ef0d53cb0b18760833112d1e21e42528b03bce6f6196bbe9fe0aa228803e5ac2335

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      833949a7ffdc7975f7e894f152e0289e6d3b1131b56c9180bb9fe772780efc98.exe

    • Size

      317KB

    • MD5

      46e1c0ad2e5908a14ad57b48c6a2ff6e

    • SHA1

      a72694d91496745d75aee99a09dd084b4746f367

    • SHA256

      833949a7ffdc7975f7e894f152e0289e6d3b1131b56c9180bb9fe772780efc98

    • SHA512

      a353913b9976b12fec679f47c4c9ad14c9e1120a07f2fcf0145f6666e78bfd6c2aea07fbb19793dc6c9cf7bb185aa521dc5a92269b043b76507faa33af6d5350

    • SSDEEP

      6144:xkPm84vhCbHbgvB+JoPKd/UsuNN09UHrLZnHKi00+CvmHjkgCbx0dJdSF:0vUZWoPKRANmmn9HKi3BvmHYN00

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      833aad3410b30a9ec5214be9fe616e327c813883502cfa1a0b597de784106c1f.exe

    • Size

      231KB

    • MD5

      e3720cc15117291c5c96d88546c2da1f

    • SHA1

      04a4577f2b96829be6706d08baf7c6013ce94b3c

    • SHA256

      833aad3410b30a9ec5214be9fe616e327c813883502cfa1a0b597de784106c1f

    • SHA512

      a642e269e86e8856eb5b5864a1b75833f3f769aedc4d6e83338e3ee5b71b571f78301b8bf0b9ce5b2570d2def6c0a279018a83180e934cce8a001dc0221f2362

    • SSDEEP

      3072:kvZlKu5E1r1Z2E6o237o7g0e1MIwdvuDFQJjCG4NdBmZK0T/:kvZlKe+BKo23ygPzhQhCNwK0T

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      834458e6efa75273db3e9a2c5c4c3293.exe

    • Size

      866KB

    • MD5

      834458e6efa75273db3e9a2c5c4c3293

    • SHA1

      bb378bd95e1703b97c04e718eec1ff2450d5d05c

    • SHA256

      333538bef9583fb942047c9f004540af1f6c56b6f09083b27272459aab610b6d

    • SHA512

      6a3574a333680f62f5047f4f2acdc2d1f93cb3f30405f986748212e62e58e1b024fe96d0b44759ccc563e91e97bd6cf0cb854041ee9541c6b2249ae04430bf55

    • SSDEEP

      6144:ztT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rT7/:V6u7+487IFjvelQypyfy7T7/

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

hacked by ; wswsh., office04, hacked, rat, null, test conexion, njrat, quasar, xworm, asyncrat, dcrat, stormkitty, 44caliber, xenorat
Score
10/10

behavioral1

discovery
Score
7/10

behavioral2

discovery
Score
7/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

njrat, hacked by ; wswsh., defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral6

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral7

quasar, office04, spyware, trojan
Score
10/10

behavioral8

quasar, office04, spyware, trojan
Score
10/10

behavioral9

xworm, persistence, rat, trojan
Score
10/10

behavioral10

xworm, persistence, rat, trojan
Score
10/10

behavioral11

discovery, persistence
Score
7/10

behavioral12

discovery, persistence
Score
7/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

asyncrat, null, rat
Score
10/10

behavioral16

asyncrat, null, rat
Score
10/10

behavioral17

defense_evasion, execution, trojan
Score
10/10

behavioral18

defense_evasion, execution, trojan
Score
10/10

behavioral19

defense_evasion, execution, trojan
Score
10/10

behavioral20

defense_evasion, execution, trojan
Score
10/10

behavioral21

njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral22

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

dcrat, execution, infostealer, rat
Score
10/10

behavioral26

dcrat, execution, infostealer, rat
Score
10/10

behavioral27

redline, nou, discovery, infostealer, spyware, stealer
Score
10/10

behavioral28

redline, nou, discovery, infostealer, spyware, stealer
Score
10/10

behavioral29

defense_evasion, discovery
Score
8/10

behavioral30

defense_evasion, discovery, persistence, privilege_escalation
Score
8/10

behavioral31

discovery, persistence
Score
7/10

behavioral32

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10