General

  • Target

    archive_26.zip

  • Size

    20.4MB

  • Sample

    250322-gydqyatjx5

  • MD5

    117e1b4d97ed28b842d06ec232abbaaa

  • SHA1

    d8823d801df272026b992073afcba5b6e0c3fc73

  • SHA256

    525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

  • SHA512

    134fdfe1345917dc081b5703515c555b36c0cb508585ba8a19a1e7feb80fab9b17f8daefbf1ae1b893b4b934920d866c259922737c9024bf1b534974cfe82c2f

  • SSDEEP

    393216:psNpZIyhuAs7AgWNfsNp+33gWNfsNpZgme5OyhuAs71dHTS3j6RsBWTGjedGBg/Y:wqyQ37APa+33PaZg9OyQ373zSz6uIwl

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

karar.zapto.org:5552

aali13212.ddns.net:1177

Mutex

3dbbe2f6f55a97d83ab7d4bc110d85ae

Attributes
  • reg_key

    3dbbe2f6f55a97d83ab7d4bc110d85ae

  • splitter

    |'|'|

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351627813622382762/XO-i9V99ZfT3bor00mzvZutTgvituXMW9diuoaaE_eCCEjHsOQbLe6frJYhtkL-Xi2cM

Extracted

Family

xworm

C2

necessary-sit.gl.at.ply.gg:64980

127.0.0.1:5800

floor-steam.gl.at.ply.gg:58684

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/e8sX6uF7

Extracted

Family

xworm

Version

3.1

C2

127.0.0.1:305

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.183:4782

Mutex

b9f5ebb9-1d21-4817-9b2d-b875e3c921a9

Attributes
  • encryption_key

    C7562C2DA4E62FA9B3C65168CC2EBA463DFC7C34

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Settings

  • subdirectory

    SubDir

Extracted

Family

nanocore

Version

1.2.2.0

C2

[email protected]:46218

178.32.224.116:46218

Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    178.32.224.116

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2018-07-28T12:59:38.488799236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    46218

  • default_group

    tourex

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4af74541-e3f1-469c-8af7-efe4071b81cf

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    [email protected]

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      6b5428dd828c35d7783578dcbf39f9c1.exe

    • Size

      23KB

    • MD5

      6b5428dd828c35d7783578dcbf39f9c1

    • SHA1

      c0b92a72a6c1640e29d1705fc5533b75bb2a2220

    • SHA256

      8f55442c491081691e0a713840813490aee9e3fb62a2d2d24c1c98f879dc7610

    • SHA512

      e62049e6d4ce1dac983978b01fe2224fd0959f6fca08dd04024fe688da26bdd9301ebd0c86e8cde08169d786b33932815359078660cad49eab6a89216e5f28e7

    • SSDEEP

      384:AsqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZIiF:Xf65K2Yf1jKRpcnuy

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      6b6755ca1bb4486fb7501572a580e96343181ff957605ea150f7d94beabef27b.exe

    • Size

      401KB

    • MD5

      5caa4902ecea464d3d96da57af2945bd

    • SHA1

      530d15e868487a82c345e9dda60e5465894834c0

    • SHA256

      6b6755ca1bb4486fb7501572a580e96343181ff957605ea150f7d94beabef27b

    • SHA512

      f4370bd4c9d4909099427ddbf9b500d65c701289040a16dd56e1cb79a8407bff86b22d566c94adc01f24773edc2b26dcd21bd8f64cde32e19b79f8bf36d49259

    • SSDEEP

      6144:FsEM9IugZckJLDWVAUGk3WMg/NpM3/2X0cIQL3nUt+xa98beFqLAjk04:3LDWebk3WMsNpM3/26QL32wOqL70

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Target

      6b96951c0d2a6e97c54c030298a7eee8.exe

    • Size

      2.0MB

    • MD5

      6b96951c0d2a6e97c54c030298a7eee8

    • SHA1

      b45a1dccfd3fd08ac1da5c07e1a99325bd065b04

    • SHA256

      2a3a882623b0d348b21d49896b7a2cbad63b13954eca283f3251607b83aea999

    • SHA512

      47db06283115aad1f78195e98971987f2c12634327fdeb3e48f56fdfece729567af5ef47010b718f42949f270127cb2f603c91bb25af3790cc55f3879123e61b

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      6b990bdc11976a009c1a3ccda05849bebff003ab1a3c6096c0603249d7374c15.exe

    • Size

      95KB

    • MD5

      fe0a5b7680fe0aa9817d90944bbca7ab

    • SHA1

      064614065deb46d85fe6ddf816a0ccc404065fb9

    • SHA256

      6b990bdc11976a009c1a3ccda05849bebff003ab1a3c6096c0603249d7374c15

    • SHA512

      12bb0ac392735ff3804c9424e9317f5250073c32498d76f654d19e9bdacf3793598e1c9fdbcab99df09dfab112e288a372e3e5aefa47c46a6406461f0d04202f

    • SSDEEP

      1536:ndKcfHO9lxXtN7aOx+p1C4oLXD6/OZR3hFvjeuKst/HZDPEPX3:5fqvXtO+zQgHZUX3

    Score
    3/10
    • Target

      6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe

    • Size

      229KB

    • MD5

      c43fa6e8e418363f5b9bd2bac94e03ac

    • SHA1

      4e557326d845f150c37e71d23f2e816942f6f53c

    • SHA256

      6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867

    • SHA512

      1535626a7d98e33546f04623c7a405ded146a273422934d47c15f6862dc988212776b27270cf25434704dbf31a22dea5049e0b735b1861645e54510aa1f103ac

    • SSDEEP

      6144:lloZM+rIkd8g+EtXHkv/iD4qCslEKtFucr20VJgqAb8e1mND8i:noZtL+EP8qCslEKtFucr20VJgDYx

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      6bf4d95191becc3a5f28dc233d702cd6.exe

    • Size

      76KB

    • MD5

      6bf4d95191becc3a5f28dc233d702cd6

    • SHA1

      125de49ff0b005dec68cd38685509627d951da38

    • SHA256

      55096b58d57b4f1dd2ac3e51993f4fd4e674dd014f55a214c59ea3cebeecc8c1

    • SHA512

      287347132de904e3e1d217773de69e9a445b570d2de277bdd134843c735b5b1b9927f412429cda9868fccde2b9fc8deb958ba8744788434d006da87421f3f5c6

    • SSDEEP

      1536:OveMR3U1PXkxJm3cIGt/xCLWbXGfEuiITW6B9eOvrGpnkKW:O2TBBpGt/aWbXXareOvrGpkKW

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      6c17f80a5a74741689d6145a1e7dca2a7ba13e52fab6e37e2c3240bb47ac7133.exe

    • Size

      418KB

    • MD5

      552b5d6980369b3c7b29fc25cd763251

    • SHA1

      4743845b971bb5003d6f30741f61171243ff5c75

    • SHA256

      6c17f80a5a74741689d6145a1e7dca2a7ba13e52fab6e37e2c3240bb47ac7133

    • SHA512

      22fcaa454e979ff01b979d8d3845d0bb771615313a9fbc3cc062a332c9743b00bdba977dc6ddd247a0832a62fe0bc4ec064f0b68a6d9713751e2eb6688263710

    • SSDEEP

      6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwbvk:ITNYrnE3bm/CiejewY5vX8

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      6c25a9ad3a7149deae7bb50429c9fefe20b60a59914bd7b63174796b640adfff.exe

    • Size

      359KB

    • MD5

      940f934bbb0f83a1565250113e0b6bb5

    • SHA1

      9de96f718f5fb4e0f9da17ca7c9a235244063e88

    • SHA256

      6c25a9ad3a7149deae7bb50429c9fefe20b60a59914bd7b63174796b640adfff

    • SHA512

      7a010a7621b71036f271f4fcb7d9b84d1162e45109931d5c27d2ed8a4aab0d21477e012a6c54eaea31b7aefaa6803209b79aaedae3f01f31c560d9bbc3b75e13

    • SSDEEP

      6144:IUEkEIkj1Osfi2Owt0wJBzxmywv82bsmnEzeyZIxW/QwoBikWbz+/shAJhUI+dD:RXVYi2Om0kWywv82bsmse6KW/QwoBikN

    • AsyncRat

      AsyncRAT is a tool written in C# that is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      6c46d70788b60ff0ba7ea4c5f0549f18.exe

    • Size

      1.9MB

    • MD5

      6c46d70788b60ff0ba7ea4c5f0549f18

    • SHA1

      10cd8b050891004ca06c2be54d55e38a243be162

    • SHA256

      f4b884338e802040f828153f0a161ab18205ee0a90b8f778831900c7ae97c465

    • SHA512

      c156dfae670696f766ef3672e3513f7c0f66460674cb78c4419b876f36128e593fc9a8be6923d752116f855d3334df65bbc8f26010aee9d8c8d6e4db430ee81a

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      6c5038f87e96a5799d1221ec35527d35fb454d450bff95dc0bf5b0b813183edc.exe

    • Size

      2.0MB

    • MD5

      c93b34043bcbac0c9fe8449ec0195a62

    • SHA1

      711c89581f4cefa1c4cb2a26714bdd32bbbb675c

    • SHA256

      6c5038f87e96a5799d1221ec35527d35fb454d450bff95dc0bf5b0b813183edc

    • SHA512

      1a522d161cb7c7f4dfbf66c508f92af7de9f99015042363a116a411ff27b02c39d714ad77ad22dd01e0d24b100407a124be0a1f7d67cee25b6bfd70df25ec1e9

    • SSDEEP

      49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      6c53fda3cb5c0cb93d53eff2fa6433a8679aedcdccf5b8487f4294e897bd2365.exe

    • Size

      764KB

    • MD5

      0a76d68bea5929f73e9eb1bb40eb2aa6

    • SHA1

      04e6c1b66b67c381f4cdaf7574a40e7c1c4a4da7

    • SHA256

      6c53fda3cb5c0cb93d53eff2fa6433a8679aedcdccf5b8487f4294e897bd2365

    • SHA512

      0c941c61355dd0ba7cc8bfe4a5e367685d0adc8082def183e6d9202c766bcb4394447d3ea7f17e83e1b170df66e9d0ddeb7c54adb578031bab0da37e5be129a6

    • SSDEEP

      6144:RtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKHr:b6u7+487IFjvelQypyfy7cnKHr

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      6c79c2f450da5e97631c33ddce170bb4.exe

    • Size

      999KB

    • MD5

      6c79c2f450da5e97631c33ddce170bb4

    • SHA1

      b0356c1821709ae9a5fd99e6573125fc8b58f2b4

    • SHA256

      152965f868c6784be4f3845d34c32e9159566067bd8a7265d57c7a7003c24c75

    • SHA512

      1372d8e9aced9e4f6e1ae0f7ec503e7e956028f59ec3ee7b9e5109938e8683d8eaae2a82b729640d21164a12b2cbeed2cf991d5c1feaa8bda2ece21887b1a757

    • SSDEEP

      12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      6ca3cb8c056b4e81c7a8a885e150b7efb068a36f38a023cb6e07f5640a62ad9a.exe

    • Size

      2.0MB

    • MD5

      0671fb2e25b5550c73a99fef148dcffc

    • SHA1

      f5d82c36648dd1f6581f9496651c3193cbba9831

    • SHA256

      6ca3cb8c056b4e81c7a8a885e150b7efb068a36f38a023cb6e07f5640a62ad9a

    • SHA512

      0785b23e6c79d72e9de9bb22770b82fa53f31c814683eaa64ed3469301a6878a7dead9dcecb79b32e73f6fdf6fcd853a3586e6dc8b346e13b068599189b92232

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      6cb59f599a4d87e0a3e34f264f3d87e410ab436afadcd02e1fe516ac8e4534bf.exe

    • Size

      947KB

    • MD5

      71be25bbab9c0b3aa327bb9f3295f64a

    • SHA1

      bb60b8263a3c45397f48730b0b2283b5e8a144e2

    • SHA256

      6cb59f599a4d87e0a3e34f264f3d87e410ab436afadcd02e1fe516ac8e4534bf

    • SHA512

      44e5fcb1c0827df4a422d88e724c701662d94ed9169d2b8cf5f1547b2f3000c94eb99243bdb6a4395690213e4245bc3c3374d4331d2f9284f50c20f1bc0d575f

    • SSDEEP

      12288:8z7IFjvelQypyfy7z6u7+4DvbMUsIvOc2:8z0FfMz6TEbMUs8OD

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      6ccb172e6696a44a0b3a581df57d89df.exe

    • Size

      81KB

    • MD5

      6ccb172e6696a44a0b3a581df57d89df

    • SHA1

      a825c4935c099c2e1156b30f515eb5d259ea4b45

    • SHA256

      6e176afe39f0f0b1fd80c209b377e51b034cd4dc2a0c14e45383f6df9ac654bd

    • SHA512

      f31fa90bab909e3ecfc6467cb2b9974537e381ff02e1dae86d66f42eafcb482fae3a25c8edb9fa64e58d0912c61a4f353d25c226b582a1981e2080d4b99dd4a3

    • SSDEEP

      1536:VBL8NxWydtYKAJ0SRGbSuvXnbMa6Mi3Oi2lNJrh:3Ymze9bSuvrxi3OiKJ9

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      6cdf89e8d2c2fb9a5db53881f501181d.exe

    • Size

      1.9MB

    • MD5

      6cdf89e8d2c2fb9a5db53881f501181d

    • SHA1

      558eda84922e9824a2554414f5f049658d742575

    • SHA256

      d3f54d4b32b7125991bc4a5543f24c536e16c8ac77eba12aad61256817d7ea97

    • SHA512

      65f11caefff09248fef65676f439dc665fb9a540dc6faf90d7b318859c4f4b7cffe7e74de8f57296420a9e051cc929aecf55c509f6c933f5d53c0af43bf61cfd

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1

hacked, rat, office04, njrat, umbral, dcrat, xworm, quasar
Score
10/10

behavioral1

njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral2

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral3

umbral, stealer
Score
10/10

behavioral4

umbral, stealer
Score
10/10

behavioral5

dcrat, infostealer, rat
Score
10/10

behavioral6

dcrat, infostealer, rat
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

umbral, stealer
Score
10/10

behavioral10

umbral, stealer
Score
10/10

behavioral11

xworm, rat, trojan
Score
10/10

behavioral12

xworm, rat, trojan
Score
10/10

behavioral13

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral14

discovery, persistence
Score
7/10

behavioral15

asyncrat, discovery, execution, rat
Score
10/10

behavioral16

asyncrat, discovery, execution, rat
Score
10/10

behavioral17

defense_evasion, execution, trojan
Score
10/10

behavioral18

defense_evasion, execution, trojan
Score
10/10

behavioral19

dcrat, infostealer, rat
Score
10/10

behavioral20

dcrat, infostealer, rat
Score
10/10

behavioral21

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral22

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral23

dcrat, infostealer, persistence, rat
Score
10/10

behavioral24

dcrat, infostealer, persistence, rat
Score
10/10

behavioral25

dcrat, infostealer, rat
Score
10/10

behavioral26

dcrat, infostealer, rat
Score
10/10

behavioral27

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral28

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral29

xworm, rat, trojan
Score
10/10

behavioral30

xworm, rat, trojan
Score
10/10

behavioral31

defense_evasion, execution, trojan
Score
10/10

behavioral32

defense_evasion, execution, trojan
Score
10/10