Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

84b12442aa...e4.exe

windows7-x64

10

84b12442aa...e4.exe

windows10-2004-x64

10

84c3944913...92.exe

windows7-x64

1

84c3944913...92.exe

windows10-2004-x64

1

84debf79f2...ff.exe

windows7-x64

1

84debf79f2...ff.exe

windows10-2004-x64

1

84f75ab85b...fd.exe

windows7-x64

10

84f75ab85b...fd.exe

windows10-2004-x64

10

855deb7775...d7.exe

windows7-x64

10

855deb7775...d7.exe

windows10-2004-x64

10

85744dd3f6...0b.exe

windows7-x64

7

85744dd3f6...0b.exe

windows10-2004-x64

7

85c94c7c76...5f.exe

windows7-x64

10

85c94c7c76...5f.exe

windows10-2004-x64

10

85d0793219...96.exe

windows7-x64

10

85d0793219...96.exe

windows10-2004-x64

10

85da941cd1...86.exe

windows7-x64

7

85da941cd1...86.exe

windows10-2004-x64

7

85edcd8fbc...42.exe

windows7-x64

10

85edcd8fbc...42.exe

windows10-2004-x64

10

8601303574...8e.exe

windows7-x64

10

8601303574...8e.exe

windows10-2004-x64

10

86513494c7...6d.exe

windows7-x64

10

86513494c7...6d.exe

windows10-2004-x64

10

86700eca73...12.exe

windows7-x64

10

86700eca73...12.exe

windows10-2004-x64

10

867e002192...1f.exe

windows7-x64

10

867e002192...1f.exe

windows10-2004-x64

10

86c8fa2e13...a0.exe

windows7-x64

10

86c8fa2e13...a0.exe

windows10-2004-x64

10

86ca2f06f1...26.exe

windows7-x64

10

86ca2f06f1...26.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_33.zip

  • Size

    32.5MB

  • Sample

    250322-gy4x5ay1av

  • MD5

    18d8d9b657ea6c1dc27c03a1e9984a04

  • SHA1

    da4fe63e6cef6fb590e58b8ebadc3a72df06433c

  • SHA256

    3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

  • SHA512

    84c924cf7803ece91e9f36fc1311d5cee80c83fb9b5d6e73a2278b99165bef2a0cc231f4a2a55add2aa5e9af193ea3628457c67e5fcba0d8663e5a29b48e610f

  • SSDEEP

    786432:kaB0LOkfUPaivAzjmdaQa41PagnyQ37XuV1ha:kEGfUdvKTuMQS1ha

Score
10/10
44caliberdcratnjratquasarxwormhackedkrnloffice04collectioncredential_accessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

free.svipss.top:37263

Mutex

499e1307-c938-406c-8031-c021ba04640f

Attributes
  • encryption_key

    4111EB4E3452F3046C6F5DFE90F84F08D3E1BB9C

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

pa-force.gl.at.ply.gg:12214

Mutex

ffecbda9-25fa-4e3c-a5ea-37cd0d0376aa

Attributes
  • encryption_key

    197572FC97D91919662FC0B14F52E41F83A2F651

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Modded Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

185.246.113.135:1604

Mutex

QSR_MUTEX_1lwMeXPloe4D54kA3Z

Attributes
  • encryption_key

    DlSDsTT8uMyBbPq2Olp2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

krnl

C2

127.0.0.1:1234

Mutex

62cfd7a2-713f-44be-bf60-f71392c34930

Attributes
  • encryption_key

    34F17DCAB06146593170B498E9E1F2F58CD66C91

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

984559f52d4087243e95e5ad9bb48e8d

Attributes
  • reg_key

    984559f52d4087243e95e5ad9bb48e8d

  • splitter

    |'|'|

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1352254322221649931/9VnbDu0akm8arI6xlajkT0gkPnHkBzZWO058bsU_Yyp9VyZke9bmFbbu_YrR7edIBNKH

Extracted

Family

xworm

Version

5.0

C2

cartomen-43567.portmap.host:53000

Mutex

gBThbP58fxOMpNHC

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      84b12442aac5bc73f568e7fa4d5d958ba9edc5bdc504d16f499a30ce549965e4.exe

    • Size

      521KB

    • MD5

      ad94009dbf24192d8ddb026e6d183702

    • SHA1

      5dc5b6aad743f5573bd3a73208789687f06854a9

    • SHA256

      84b12442aac5bc73f568e7fa4d5d958ba9edc5bdc504d16f499a30ce549965e4

    • SHA512

      9a65b2539e03d41fbe7b37c51db0b5520f079c56d16e8f64241ccc812d01387ae2253554fc1a195e85fbad216acc346889d7bfcadb11267869c468e61272889a

    • SSDEEP

      6144:mtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3r/+:K6u7+487IFjvelQypyfy7/+

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      84c3944913d37db4d64ab41d8ceb266686cc28048d92b7aad2e15467adf75092.exe

    • Size

      10KB

    • MD5

      be4469ad2fc0139f5224aa5abaca7309

    • SHA1

      f04bf42efe6db379aa53c15f4448747a9d558ee9

    • SHA256

      84c3944913d37db4d64ab41d8ceb266686cc28048d92b7aad2e15467adf75092

    • SHA512

      cc86d386f8ac416da6148cfac0da73981aa43749e690435e97eabe4fb8d614822b90dfa0d144a9ca5b6bd2dbb92f653eeab1ef77d5d0f2a3d9e02675f08d1ee2

    • SSDEEP

      96:LBURYC7oW4qISQdD91Ne4M/v+msicLo3RAJ3AexnF3cQmgP75hP3F/UaRo/vJnkQ:iRevdZ1A4MH+ms7FvN1o/hkqh

    Score
    1/10
    behavioral3behavioral4

    • Target

      84debf79f2864b51cf49de435c5fc2ff.exe

    • Size

      16.3MB

    • MD5

      84debf79f2864b51cf49de435c5fc2ff

    • SHA1

      fdf0328f9950d271dda14901ce1c82dd28851be7

    • SHA256

      4561a799e74e351767e1dbfa63ce81110d7a42b8a1ed1ab2f19ba353dc7944fa

    • SHA512

      f2c397df55ae9bd3b56407050494432f0ce4a026b688a6e1171f1843c6282bc06caee21598882b69c26fbf92e4f31488483285c5b1a873b9bcb08aab3e9aaf4e

    • SSDEEP

      196608:fawGh8x7b6QqOyjr2LF3Ye6YmnwqdU142Uk/X9Z/yhYsOEi4Gsq4G8rF4:fGk1cjSLFoBYmn5U1Pb/X9tuG

    Score
    1/10
    behavioral5behavioral6

    • Target

      84f75ab85b7776371d89c84d47ac58fd.exe

    • Size

      2.0MB

    • MD5

      84f75ab85b7776371d89c84d47ac58fd

    • SHA1

      eaed14d10608efc9851b82500f0b0f5bfc0fe0ed

    • SHA256

      e1cf18320c276bb0e5049efcaa0c9d33e19238cea8e7a0f6822e7b9c07e82872

    • SHA512

      441e9e4015937c4f5fe959cd158d4bce9684c66dd80c218f4fb2e831b2f3d3d4c2b1986dc6ffb3e4130b874c75fa889e83e8f95becc247e676dbd8c796a4f5c0

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral7behavioral8

    • Target

      855deb7775f714f1fc46d29fea8008d7.exe

    • Size

      1.6MB

    • MD5

      855deb7775f714f1fc46d29fea8008d7

    • SHA1

      421d56096458fc456190f7c8d13fa3435c051264

    • SHA256

      795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf

    • SHA512

      7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99

    • SSDEEP

      24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral10behavioral9

    • Target

      85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe

    • Size

      251KB

    • MD5

      541d40acfed529f53816f8974634d875

    • SHA1

      801444be5fb8efafd8a92dcb51a480cbb6039666

    • SHA256

      85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b

    • SHA512

      e7e653dbbf778533b244808001b7fa440e350c9c2c7fd2c45b52d46cc2f249cbc2a049bc023e4d350484a63b9d3b78b4ca378f7d0e883dcbbc6324c0a3b14c2d

    • SSDEEP

      3072:+Cm3/jdYiAScDuYOr5rfaAP7K7yGzAMVb168yiJXNgfz798beFnHrAnlUwKV:SCiJ8uYOBfaAYyqhe8ZJda98beFnLAl2

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral11behavioral12

    • Target

      85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

    • Size

      1.6MB

    • MD5

      c87ae2c7c0c0a77294bdf61219b952f5

    • SHA1

      009d29952e3cec0966402de8b8ffeb264c78a956

    • SHA256

      85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

    • SHA512

      b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral13behavioral14

    • Target

      85d0793219eb0fac73bf85eade28e6ed1d676ec16ff8c01eacf13994f3267896.exe

    • Size

      502KB

    • MD5

      30a029d32d632ebd5938260e3e941c12

    • SHA1

      26ee839be698c18d24becfc0102400435ccf039b

    • SHA256

      85d0793219eb0fac73bf85eade28e6ed1d676ec16ff8c01eacf13994f3267896

    • SHA512

      e0cc40d1615485ada96eb3958a07ddee5e1ce895036437403fbd898682b29fb5a7d35d958abecad23ea5f97bc8e8ef6492ce4563811e318254594243afd608ee

    • SSDEEP

      6144:kTEgdc0YkXAGbgiIN2RSBEnxEkmf5MNJO5Etqi+yw4lUcEgOb8F9WwQAZD8GcTRi:kTEgdfYubgAxEk3P4rywVwpvQm5cdy

    Score
    10/10
    quasaroffice04spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Executes dropped EXE

    behavioral15behavioral16

    • Target

      85da941cd1a122ad907ea9a637c620517ddd1e21857a01f6244dfa3ec0d3c286.exe

    • Size

      580KB

    • MD5

      b747e046e2e395a2fe5ac28533a02fbc

    • SHA1

      b044b266c4d095ec36cbb957ecaea6fefee1c700

    • SHA256

      85da941cd1a122ad907ea9a637c620517ddd1e21857a01f6244dfa3ec0d3c286

    • SHA512

      1a1a7215331a2e7ae64230b34b801a63b440ad444de2d17cda61e32eca09cd4c67697e7f803c4204ee1edca1f3609de46b2785b42a5e982b6861d3aefa90e521

    • SSDEEP

      12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7a:rBJwdhMJ6ZzHrfcsMGTfZ5Pa

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      85edcd8fbc445760ff0796aa459e3c42.exe

    • Size

      999KB

    • MD5

      85edcd8fbc445760ff0796aa459e3c42

    • SHA1

      bc63d62de0f20bee25246b808bf512371e9aa875

    • SHA256

      8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292

    • SHA512

      a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c

    • SSDEEP

      12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral19behavioral20

    • Target

      8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe

    • Size

      827KB

    • MD5

      7d14c283441fdefcf681cc58017bb841

    • SHA1

      cdfe7ca961f11fd078a314335ce8c19f3acf2409

    • SHA256

      8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e

    • SHA512

      413f00a1c2dc19c43bf1a61738ac605c405f4834095a0e410091cfbb10085d56afe8bd99928477b5dec24c3b323c387da1e3bc6680409681a1d66a7318d3eb9f

    • SSDEEP

      12288:sNtD0qKiyhtFrXketHevYS6Rc/OOi1GuHQiEHRu3oDK:snKiyhXket+vYNSi+iEE3oO

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral21behavioral22

    • Target

      86513494c7861a5a0c9f1c0fb478e36d.exe

    • Size

      2.5MB

    • MD5

      86513494c7861a5a0c9f1c0fb478e36d

    • SHA1

      0e7ef50b5b4d51bda8789151b444505e4fdec51f

    • SHA256

      80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794

    • SHA512

      e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff

    • SSDEEP

      49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn

    Score
    10/10
    dcratexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral23behavioral24

    • Target

      86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe

    • Size

      1.6MB

    • MD5

      522b3cc9b8e0565c5a2eb2d40b7a9513

    • SHA1

      86d71ba007afecc0f28e9815086992099a13f2c4

    • SHA256

      86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12

    • SHA512

      a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral25behavioral26

    • Target

      867e002192bde08a346a10ca74cc4a611293f0e312a048bc63b7dfa0f87cfc1f.exe

    • Size

      555KB

    • MD5

      04c25605f640412aa0be2abecda263df

    • SHA1

      b90b4a69730917fb57bfa4238ff506d1db536703

    • SHA256

      867e002192bde08a346a10ca74cc4a611293f0e312a048bc63b7dfa0f87cfc1f

    • SHA512

      65ebd7fca6fe0f4c7a069226a2dda2bb3c68489c8e363cc73be6b4dff208da96cf1c8a3ea6c532e4c2d1a75e9d6c3582ce132c9c2c2672370cd86a1262f9d177

    • SSDEEP

      12288:OusTy3x2mU/iLYStKT7yFPb2bNR/SN4UY1lc6VA:Oq3nUfStKHIPbcNRf3fc6W

    Score
    10/10
    quasaroffice04spywaretrojan
    behavioral27behavioral28

    • Target

      86c8fa2e136e29f51a3670f440b9f0a0.exe

    • Size

      2.5MB

    • MD5

      86c8fa2e136e29f51a3670f440b9f0a0

    • SHA1

      103d45983c01fc861cb7390afe5db10ff2892fc0

    • SHA256

      da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb

    • SHA512

      7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb

    • SSDEEP

      49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

    Score
    10/10
    dcratexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral29behavioral30

    • Target

      86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

    • Size

      2.5MB

    • MD5

      3dbf7d9fdfd5a0151f1003095ba9655c

    • SHA1

      4f5de06a720298a5e32660fd0f56733ad611060f

    • SHA256

      86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26

    • SHA512

      3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef

    • SSDEEP

      49152:qGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:qGVyWNGGN2sqWs+fz+pVZTYp

    Score
    10/10
    dcratexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

ratoffice04krnlhackeddcratquasarnjratxworm44caliber
Score
10/10

behavioral1

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral2

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

dcratinfostealerrat
Score
10/10

behavioral8

dcratinfostealerrat
Score
10/10

behavioral9

dcratexecutioninfostealerrat
Score
10/10

behavioral10

dcratexecutioninfostealerrat
Score
10/10

behavioral11

Score
7/10

behavioral12

Score
7/10

behavioral13

dcratexecutioninfostealerrat
Score
10/10

behavioral14

dcratexecutioninfostealerrat
Score
10/10

behavioral15

quasaroffice04spywaretrojan
Score
10/10

behavioral16

quasaroffice04spywaretrojan
Score
10/10

behavioral17

discoverypersistence
Score
7/10

behavioral18

discoverypersistence
Score
7/10

behavioral19

dcratinfostealerpersistencerat
Score
10/10

behavioral20

dcratinfostealerpersistencerat
Score
10/10

behavioral21

dcratinfostealerrat
Score
10/10

behavioral22

dcratinfostealerrat
Score
10/10

behavioral23

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral24

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral25

dcratexecutioninfostealerrat
Score
10/10

behavioral26

dcratexecutioninfostealerrat
Score
10/10

behavioral27

quasaroffice04spywaretrojan
Score
10/10

behavioral28

quasaroffice04spywaretrojan
Score
10/10

behavioral29

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral30

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral31

dcratexecutioninfostealerpersistencerat
Score
10/10

behavioral32

dcratexecutioninfostealerpersistencerat
Score
10/10