Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

88bc7b6a62...00.exe

windows7-x64

7

88bc7b6a62...00.exe

windows10-2004-x64

7

88cdf3a075...59.exe

windows7-x64

10

88cdf3a075...59.exe

windows10-2004-x64

10

89000a0d00...5b.exe

windows7-x64

10

89000a0d00...5b.exe

windows10-2004-x64

10

89270d6b49...b4.exe

windows7-x64

1

89270d6b49...b4.exe

windows10-2004-x64

1

892ac0ac36...51.exe

windows7-x64

8

892ac0ac36...51.exe

windows10-2004-x64

8

894b900bb7...92.exe

windows7-x64

8

894b900bb7...92.exe

windows10-2004-x64

8

896493118e...17.exe

windows7-x64

10

896493118e...17.exe

windows10-2004-x64

10

89652cefa9...84.exe

windows7-x64

3

89652cefa9...84.exe

windows10-2004-x64

10

897255af35...03.exe

windows7-x64

10

897255af35...03.exe

windows10-2004-x64

10

897b60be56...d4.exe

windows7-x64

6

897b60be56...d4.exe

windows10-2004-x64

6

89a1a21003...9d.exe

windows7-x64

3

89a1a21003...9d.exe

windows10-2004-x64

3

89ed231ad6...9a.exe

windows7-x64

10

89ed231ad6...9a.exe

windows10-2004-x64

10

8a4e1b5c29...83.exe

windows7-x64

10

8a4e1b5c29...83.exe

windows10-2004-x64

10

8a7ce080bb...ba.exe

windows7-x64

10

8a7ce080bb...ba.exe

windows10-2004-x64

10

8aa071d8cc...3d.exe

windows7-x64

7

8aa071d8cc...3d.exe

windows10-2004-x64

7

8acb86332d...4c.exe

windows7-x64

10

8acb86332d...4c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_34.zip

  • Size

    41.7MB

  • Sample

    250322-gy6fystjy3

  • MD5

    52863353008c72dd65ead6788ff8a2c8

  • SHA1

    7e54970322d38a9fb2c93e77d7cc4c45c0201f42

  • SHA256

    189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

  • SHA512

    d081b7845e8b4223da2847e39129e9a6532cb09e6465f5abb9d5c37de41fe01a072c7cd0d41ea09325583fc84349d2e26d786fbbc435ed96445eb34421529c61

  • SSDEEP

    786432:2sjaOAUL2PeUzZh0WwWI1lV/z/pDhJfgASJCkmS8//yxNs6cF2mo42sb78L7FCV:7joUieuhjObz/D5N9k4a3cF2L4zoFCV

Score
10/10
dcratimminentnjratquasarxwormh2cked by taksherneufratted igcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

third-gained.gl.at.ply.gg:6498

Mutex

sqpNukyZ801PsE3K

Attributes
  • Install_directory

    %AppData%

  • install_file

    Startup.exe

  • pastebin_url

    https://pastebin.com/raw/7PqSDzWd

aes.plain
aes.plain

Extracted

Family

xworm

C2

document-wonderful.gl.at.ply.gg:40393

xyxviebet-47701.portmap.hos:47701
Mutex

8VHClCx94hFKnvLn

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

H2cKed bY TaKsHeR

C2

z88.ddns.net:5552

Mutex

63836c251750e788af0d3ead7ef4cada

Attributes
  • reg_key

    63836c251750e788af0d3ead7ef4cada

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.5.0

Botnet

ratted ig

C2

skidderonthewaytoskid243-26149.portmap.host:26149

skidderonthewaytoskid243-26149.portmap.host:2560
Mutex

9671ef23-3156-476e-9345-21d9831c36fb

Attributes
  • encryption_key

    005318B10F061A7C11DF9796A527D8C2068CEB10

  • install_name

    skid.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    RuntimeBroker

  • subdirectory

    Iskid

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe

    • Size

      7.9MB

    • MD5

      59a64de403d1bd6e92514201afade29b

    • SHA1

      3a09cadd1bf0ef3c27901c8bf458d9f65a1ac51f

    • SHA256

      88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600

    • SHA512

      573ca82fb7da4bdfc2a5747381191fc9267a49add633c6e5416fa9bd8e22f7f80f0a7b5486377bac73dc9dce806f82e5c444625b81f8e020725ac4529ceed9b9

    • SSDEEP

      196608:J9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZBB:JmqbhrEbn87eZsFmq+d

    Score
    7/10

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

    • Target

      88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe

    • Size

      355KB

    • MD5

      52073cccbed00a62b246288584339736

    • SHA1

      16d354056de40dab60588c18824e589dc119f076

    • SHA256

      88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59

    • SHA512

      5995a2f2fb93f5fb6f1c578437cc077c28c404988f199109266adac735368db1f6a0cdb492356170cda6f243651362088412aea46b7f53ac8d05b2cdf52826b6

    • SSDEEP

      6144:YY6yVbWCcuaag6iZtk5iAy+SIdxs/RFLo6:YY6y1W4aaFgkFyIw9

    Score
    10/10
    imminentdiscoveryspywaretrojan

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

      trojanspywareimminent

    • Imminent family

      imminent

    • Drops desktop.ini file(s)

    behavioral3behavioral4

    • Target

      89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe

    • Size

      2.1MB

    • MD5

      e5ab3ea88a2bc87c9e5b2dc45d2a4dd4

    • SHA1

      2f58fa70410dedf700982f8c7a63e599c98ecff1

    • SHA256

      89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b

    • SHA512

      d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2

    • SSDEEP

      49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N

    Score
    10/10
    dcratdefense_evasiondiscoveryinfostealerratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Disables Task Manager via registry modification

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      89270d6b49877a5303ff4416c74830b4.exe

    • Size

      472KB

    • MD5

      89270d6b49877a5303ff4416c74830b4

    • SHA1

      9e33495c12b9c1017cebfc40be1fdc7016f1538c

    • SHA256

      529adbcfdf37978d4c9b09f571e2b59d92d074a9c7c033eafcb52a4ca4969cb9

    • SHA512

      ba3e50b616795f109643c959d988cb64bb009b7d3fa801811dccf5264abfb12b097e37ed87be460d576065c359b3a3f6be325741c03d6585e27f22e0c2a110c4

    • SSDEEP

      6144:A/VUwyCKfIeoguR8pLLz3nqKTQP2tXjfS4ysVKjW06my7kr3btmzRqoXeqXq/i5J:chyCo5o7KLLDqK22tOF/05S+X6r6Ic

    Score
    1/10
    behavioral7behavioral8

    • Target

      892ac0ac36d3e692e581bde711ae2651.exe

    • Size

      51KB

    • MD5

      892ac0ac36d3e692e581bde711ae2651

    • SHA1

      4f9784d328d1366a14ad3616ed434a5a37303222

    • SHA256

      bc2eb35fefe924073242d098239d010a41b8d4bc93dcfa505cd3d2a01e66ef99

    • SHA512

      8a2998b191884d83320c410b9663fe2e896085dc8e5a2e8d08900c7e296b113b91dd5cf46df7f96662bcaef724d4209061bb97761532d633a2bbcf2e06f22e9a

    • SSDEEP

      1536:B+FFed0juNpO38EQPuNX22JdmCUO4ELf64Kl7SG91C:Mu0j52uM2JF4Ez64KlGG98

    Score
    8/10
    discoveryexecutionpersistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral10behavioral9

    • Target

      894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe

    • Size

      180KB

    • MD5

      a26dfa9f71711828a4e5e3e6857271a7

    • SHA1

      6b6f0282303808f6276f44669a2a4e89d9164fff

    • SHA256

      894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92

    • SHA512

      c753100036a0d2fd21024d5d0f46a237d02f0afdc6b3abe7e80ed539956c96e550e8beb318316c24cf90937bcbc5e33ff9ed4b09aa17794d9fb4d303f6533993

    • SSDEEP

      3072:t2IdZhG5xJJz5cLQ6XyoF1b3CJtblKXhfRoG0U3LHRnfm7OblaUGU:t2ubG5xJJz6XRzCrb8Xhptl3LHRfmCb

    Score
    8/10
    persistenceprivilege_escalation

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral11behavioral12

    • Target

      896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

    • Size

      1.9MB

    • MD5

      9f30385fab69f24df7f2e9403fb5465e

    • SHA1

      1f9027f32b0ad3b0783679096649f9941bc7e802

    • SHA256

      896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17

    • SHA512

      3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc

    • SSDEEP

      24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

    Score
    10/10
    defense_evasionexecutiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral13behavioral14

    • Target

      89652cefa9366ca2d97d0e0b49525984.exe

    • Size

      63KB

    • MD5

      89652cefa9366ca2d97d0e0b49525984

    • SHA1

      e0772d6580c20883b4dc881ede8b33b10656f2a1

    • SHA256

      9b58de27d8b8b494138d68e51b99ba41e292186dd532a108ac72d0784bf969de

    • SHA512

      2fa7ed6979cb892cbbbf7efa82c3d39deddc3969b7b53195ef7cc5df11b648d571c6bbe9a0525b2f73454a213699d2db7eeed3922400759540faa661fc24dccb

    • SSDEEP

      1536:omQ44/2F3nUeWaiV8M65bfZc9D6nf4R8SwxmrNS6vLlA6KZFaC:oW3fWKZc92nf4R8pxmrQ6vLv8FaC

    Score
    10/10
    discoverycollectiondefense_evasionexecution

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe

    • Size

      652KB

    • MD5

      fa6d422f1f7ef469d1213b6740f88a35

    • SHA1

      07d59af37b9cf1855fac20866c3d3476c896b4d8

    • SHA256

      897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303

    • SHA512

      ad61d80dd673f7c3d6778eaa21bc06bf3127ba1da098f0f75c7a503de5ae2912b7fbf041882e91b47bd982b737cee3f49efc048ebb1092ecd28824f2c4d0bdf6

    • SSDEEP

      6144:xtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rfml7:76u7+487IFjvelQypyfy7fml7

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      897b60be5611091a83c5ceb48f7d2bd4.exe

    • Size

      8.5MB

    • MD5

      897b60be5611091a83c5ceb48f7d2bd4

    • SHA1

      c397499a37f458adc9afd3bb7ecf19d5893202cd

    • SHA256

      79068d9df13cad52bfbafafb7b6caf4207f9b92cb64bb78fefe839e9a73a9162

    • SHA512

      0f1786389bb0d7af71401a4826468a6f2c313fa40a56462aa88dba77f4b3a6bf648dae7a4ce9085be1a9a0ac488558689bb68ac5f978b9b2d70dae8ddefd8404

    • SSDEEP

      196608:UOW/od/SWu0VwCnYuo+JBSe7PS6O3YmOZdgkSI+:ULQMWu0VwCnzo+vSe7PEmgkSB

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral19behavioral20

    • Target

      89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe

    • Size

      16.7MB

    • MD5

      42b33daa54a2b9ebddfc6c8e82b3342c

    • SHA1

      cd1fe5a400d88cfdaff18ef686341816abe9f23a

    • SHA256

      89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d

    • SHA512

      1e71906f8c73f33c18c8c6232929b68c89d9793a6744bef9e7442619d5029d566b42cf28e617411238f1b45467b86caa317bdbcc598b4ff000e65c8f0b55bbed

    • SSDEEP

      196608:SJl/6qmO6QqOyjr2LF3Ye6YmnwqdU142UazXsyFqBm:9qp1cjSLFoBYmn5U1PpXsyFqB

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe

    • Size

      5.9MB

    • MD5

      89ed231ad61a9e5a7fd0ab9f2bd75b9a

    • SHA1

      9fef3b04fdadf7c3bc756603d55d26c6d77a9f9d

    • SHA256

      403dbebad41f7ff4bc9292290673b4dc3cce92f06d0f710c674f315f6e8caae8

    • SHA512

      50ee7cfba3b046d677c9aaa853ec100ed2b4b24c4c045212c2eada4caed628ea7771fd0a8b47cb03c266a300df34b5f3b9714e68fdec6229067cb9b18db4f5ae

    • SSDEEP

      98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw41:hyeU11Rvqmu8TWKnF6N/1wk

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral23behavioral24

    • Target

      8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe

    • Size

      115KB

    • MD5

      7d56c9dc9066f6e5f4188bc308f246f8

    • SHA1

      b6143ad19be223a165f2566bb99d2f8d9ad7f317

    • SHA256

      8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83

    • SHA512

      2e16887ecd73d42b3c6d2f041703d9f689bc467b7d12c606c8f76117fb27f433dae5b3b0b2454968991df73b535c187ccce0fb08854b1fb05048f8ef6f8e05ec

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDI4:P5eznsjsguGDFqGZ2rDI4

    Score
    10/10
    njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      8a7ce080bb43fc3edf2ddf3b300355ba.exe

    • Size

      45KB

    • MD5

      8a7ce080bb43fc3edf2ddf3b300355ba

    • SHA1

      3ec6ff2a02bce64cba006a78eea26a45d6e6069b

    • SHA256

      63effa621775c12ecdc162c446ff991027e7cae0f9c95d072d2b4648e1787611

    • SHA512

      3fad178c4cf054becb8e192c0c9d4286f92fc6b47791c370b1492d4434e6388d47af3617059517ee4c526e9e2a570d79a7c042755511554a45e5d4b4ea99d0c3

    • SSDEEP

      768:XJmGUxoBZyRCi0Vvxf7jCNZsorQF+t9eGIJ6iOChZbVgjT:5mjoBQs/VwWFw9fs6iOCXVG

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral27behavioral28

    • Target

      8aa071d8cc2dd74176f041bba8762b3d.exe

    • Size

      509KB

    • MD5

      8aa071d8cc2dd74176f041bba8762b3d

    • SHA1

      600a6b37b8ef0216dbb2a1b0089b47e8e0121f77

    • SHA256

      ac0f2c31139dba2b54497d4c90022629da055b9e9ae49d2eb780bedcf70fe41f

    • SHA512

      a843de8b779c04f884f4faefd7933a9350855c4c15b8865334df08a2d86e51c5785d28c284ab625464de0c69191c1212a2714cb80e888a0c065f3758d5cacded

    • SSDEEP

      1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral29behavioral30

    • Target

      8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe

    • Size

      1.0MB

    • MD5

      47af754fe44aa068cf88a4f43520c54e

    • SHA1

      408d56acf0eecbb9ef42cc4784beb85074292f51

    • SHA256

      8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c

    • SHA512

      29e7744f5bb005d7bde088ef384d91521814cbb61ef7dd878a8ecd26e84a9f0df2db904086a1a12286c8017fb327ba4705ece85f28ce4e1bb7acd898167a4438

    • SSDEEP

      12288:kz7IFjvelQypyfy7z6u7+4DvbMUsIGoHuxOHj:kz0FfMz6TEbMUskHqOD

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

6
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

h2cked by taksherratratted igxwormnjratdcratquasar
Score
10/10

behavioral1

Score
7/10

behavioral2

Score
7/10

behavioral3

imminentdiscoveryspywaretrojan
Score
10/10

behavioral4

imminentdiscoveryspywaretrojan
Score
10/10

behavioral5

dcratdefense_evasiondiscoveryinfostealerratspywarestealer
Score
10/10

behavioral6

dcratdefense_evasiondiscoveryinfostealerratspywarestealer
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

discoveryexecutionpersistence
Score
8/10

behavioral10

discoveryexecutionpersistence
Score
8/10

behavioral11

persistenceprivilege_escalation
Score
8/10

behavioral12

persistenceprivilege_escalation
Score
8/10

behavioral13

defense_evasionexecutiontrojan
Score
10/10

behavioral14

defense_evasionexecutiontrojan
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

collectiondefense_evasiondiscoveryexecution
Score
10/10

behavioral17

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral18

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral19

discovery
Score
6/10

behavioral20

discovery
Score
6/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral24

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral25

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral26

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral27

xwormrattrojan
Score
10/10

behavioral28

xwormrattrojan
Score
10/10

behavioral29

discovery
Score
7/10

behavioral30

discovery
Score
7/10

behavioral31

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral32

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10