General

  • Target

    archive_27.zip

  • Size

    82.5MB

  • Sample

    250322-gyggtsyzgy

  • MD5

    a0a31d79f5a5d0effe760a1067d7380d

  • SHA1

    f89716a4a3b125389fd5316dfe439295d059236b

  • SHA256

    f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

  • SHA512

    5a3624677fe54791d63d15fc2d79d676e531156dc710e25064297274831c55a96849cda957cffd9c4c32832a1418b81be1b4f0874b917b8223865b3118cf75f4

  • SSDEEP

    1572864:MEa84yWS9ADl00oDoLSs/L02EEECyM798l2NNTSfJMJRREfjLjvKKE9:MEa8DWnDhoD8SKEELWl2TShMJROfbvz8

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1349737650407604295/kN2hdyzALgg9c2Ia6GKF0wNZZml2dtdpO2NAdLBn8XrNbrC2Y1pvYHXcPUZNzIXn4Pna

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:5574

sets-fatty.gl.at.ply.gg:5574

127.0.0.1:1603

morning-ultimately.gl.at.ply.gg:1603

ring-staffing.gl.at.ply.gg:32707

Mutex

b3PIGP4IGis5HwSz

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

C2

26.ip.gl.ply.gg:14526

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:6522

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    |Ghost|

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

38.49.43.182:8848

Mutex

DcRatMutex

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchostdc.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM1MjIzMTcwOTc2ODE1OTI4Mg.GP5l5j.qzedntLWXWCJWJMhOo_A7sCtEVYSNyef7zauDM

  • server_id

    1352231905797476362

Extracted

Family

revengerat

Botnet

vikas

C2

192.168.43.133:4040

Mutex

RV_MUTEX-eawrHJfWfhaR

Extracted

Family

snakekeylogger

Credentials

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

aes.plain
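
The extracted configs above mix live infrastructure with builder defaults: the loopback and 192.168.x C2 entries are test values, the `*.gl.at.ply.gg` hosts are playit.gg relay tunnels that hide the operator's real address, and the Umbral C2 is a Discord webhook. The following Python is an added example (not tria.ge code) that parses the flattened label/value layout printed above into records and classifies each endpoint so that only routable C2s end up on a blocklist. `SAMPLE_CONFIG` is constructed from this report with the webhook token redacted; the parser's assumptions about the export layout are its own.

```python
"""Triage the extracted configs above: parse the report's label/value layout
into structured records and classify each C2 endpoint.

Added example, not tria.ge code. SAMPLE_CONFIG is constructed from the
report (webhook token redacted); the parser mirrors the flattened layout
printed above, which is an assumption about the export format.
"""
import ipaddress
from urllib.parse import urlparse

LABELS = {"Family", "Version", "Botnet", "C2", "Mutex", "Attributes", "Credentials"}

SAMPLE_CONFIG = """\
Extracted
Family
umbral
C2
https://discord.com/api/webhooks/1349737650407604295/REDACTED
Extracted
Family
xworm
C2
127.0.0.1:5574
sets-fatty.gl.at.ply.gg:5574
Attributes
  • install_file
    USB.exe
aes.plain
Extracted
Family
asyncrat
Botnet
Default
C2
38.49.43.182:8848
"""


def parse_configs(text):
    """Return one dict per 'Extracted' block: family, c2 list, attributes."""
    configs, cur, label, attr_key = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":            # start of a new config block
            cur = {"c2": [], "attributes": {}}
            configs.append(cur)
            label = attr_key = None
        elif cur is None:
            continue                       # text before the first block
        elif line in LABELS:
            label, attr_key = line, None
        elif label == "Attributes":
            if line.startswith("•"):       # attribute name; its value follows
                attr_key = line.lstrip("• ")
            elif attr_key:
                cur["attributes"][attr_key] = line
                attr_key = None            # stray lines such as 'aes.plain' are ignored
        elif label == "C2":
            cur["c2"].append(line)
        elif label in ("Family", "Version", "Botnet", "Mutex"):
            cur[label.lower()] = line
    return configs


def classify_c2(c2):
    """Label an endpoint so loopback/RFC1918 builder defaults are not blocked."""
    if c2.startswith(("http://", "https://")):
        u = urlparse(c2)
        if u.hostname == "discord.com" and u.path.startswith("/api/webhooks/"):
            return "discord_webhook"
        return "url"
    host = c2.rsplit(":", 1)[0] if ":" in c2 else c2
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # *.ply.gg hosts are playit.gg relay tunnels fronting the real operator
        return "tunnel" if host.endswith(".ply.gg") else "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public_ip"


def actionable_iocs(configs):
    """Map C2 -> class for endpoints worth blocking; drop local test values."""
    out = {}
    for cfg in configs:
        for c2 in cfg["c2"]:
            kind = classify_c2(c2)
            if kind not in ("loopback", "private"):
                out[c2] = kind
    return out


if __name__ == "__main__":
    for c2, kind in actionable_iocs(parse_configs(SAMPLE_CONFIG)).items():
        print(f"{kind:16} {c2}")
```

Tunnel hostnames and webhooks are still worth blocking, but they identify the relay service, not the operator; treat them as short-lived and pivot on the mutex and install path for host-based hunting.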

Targets

    • Target

      6ea09dc024349dc98b36f4ace0dd0fbf.exe

    • Size

      23KB

    • MD5

      6ea09dc024349dc98b36f4ace0dd0fbf

    • SHA1

      ee2d57531115ae5605a6e8390271b42045d51b43

    • SHA256

      89decabc7d563a393d3b74831b6b1fffdbf44bfd8f039067b701c6042a497c3b

    • SHA512

      4cca6589559e23d0d2febd5340bf10fe2439cf92fd2188fdeacaf203175ef2e3ec2af8270a59d9973519a4858b842a7ca6b045bda2ee8b6895f1f6392e2bc28b

    • SSDEEP

      384:z1bbjWRHaxIBP10OfuBuF6Y+ELHWxIE/KgN0ULocmfY4eemHdd+Gx/anxiWk:z1yR6yHF6NDP/K6M8HflsnxA

    Score
    1/10
    • Target

      6ea800eee1fc82ad358d35a7fde8ccd12b93a783300c4a97f7b8a7abcc7d7383.exe

    • Size

      361KB

    • MD5

      b27553eeb4f200d61f0ea3381f310e4c

    • SHA1

      13d9707d6ed0d0edfb2f3b34fcd18510caa8b057

    • SHA256

      6ea800eee1fc82ad358d35a7fde8ccd12b93a783300c4a97f7b8a7abcc7d7383

    • SHA512

      f20bd15b903473cd09ebec25ebeaf3373378100184012086345cf8dbb429ce7206541a11b8e2abb29c6e56983b3583e2d3894608093d69242a9a886872fa2d58

    • SSDEEP

      6144:kXsRdbHTDOBCyP7/layXEnRxdMXIsPw936XlkFP75bQ9p6H6azoP6ft4kyVbx:kGJWB3P7/0cERvM3uEGFz5blawv4ld

    Score
    3/10
    • Target

      6ec1c209b158ca6a09569dab997a10da.exe

    • Size

      5.9MB

    • MD5

      6ec1c209b158ca6a09569dab997a10da

    • SHA1

      1edc7c6f32e6b4ebc5faf5a522ed5992fc73bedf

    • SHA256

      44c8df0ee91d3ab2825961ab81fed1370c75c034ef717b2baa192c2430eb65a3

    • SHA512

      821d17198941051e5bd354fe5ea3fded5e196cd41b900714f9d68bb25baecca306160c695790649d7f3a48bdacb2ec7d9eebd6a184e756501dcdc726d98fd857

    • SSDEEP

      98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4v:RyeU11Rvqmu8TWKnF6N/1wq

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      6f0c3386f12f5dee87b51bce9d5ac5500d5f173dd6c541b97aaac3bcd4abb9bf.exe

    • Size

      311KB

    • MD5

      1e47fa765a3ba96e50fb204baf7c2e8d

    • SHA1

      fe03cbd4b95fae338ca7686c6e5e5a1309f54713

    • SHA256

      6f0c3386f12f5dee87b51bce9d5ac5500d5f173dd6c541b97aaac3bcd4abb9bf

    • SHA512

      b76ec98f006ab559331ee1c76e8285e489dbdcca16756c64b7820e4374958fe9d110a888425e39d3353291c17024fcef6b398c68a28d953685224f68656618a0

    • SSDEEP

      6144:h7Z5ZJygGwy4HZocAZHzdjFnfB12/b1i2gySW:p7iLV55nfB124NW

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe

    • Size

      6.3MB

    • MD5

      0e4a9a7f552ee8b6f3b47b82e70df7ff

    • SHA1

      8a90ff94fd3be60c05ad054bde587cf10673bab1

    • SHA256

      6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05

    • SHA512

      ea9cf61d684f6903bbdd15c5e15a5b8f2ee9271cf8f1dfc993f6d276f7e9167b076dcaca46b265eadfc0575e650b76442b665998ba41556c76d9579946c39621

    • SSDEEP

      98304:J10zXFg9bxfI3oZvBNHf72B6Rwxk7WN3Oo7Yb0QjY2ye8i2ylpPxh:kzXS9RI3cNHaB6X7S7bwHydev

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Target

      6f46a588081210caf9fc5f69f68daa1eb869bfb5658baaa201c7d9f466e3a00c.exe

    • Size

      228KB

    • MD5

      f0528ae31fc25783b362c035adf8f3e3

    • SHA1

      df94b2ec593862065aadcab27d04f132414c5b47

    • SHA256

      6f46a588081210caf9fc5f69f68daa1eb869bfb5658baaa201c7d9f466e3a00c

    • SHA512

      bf6e13c32904d4d1ee41dfe526ae68dae02e19f9ca6fcd147b8ccbf41b1bc5bc61dcd38b598dd94641c17226f48b887622fd1ac7ef4b9a2c0390c9b0097c4d6c

    • SSDEEP

      6144:xloZM+rIkd8g+EtXHkv/iD4jEh/t74szVKrd4UBG8Kb8e1mpi:DoZtL+EP8jEh/t74szVKrd4UBcT

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral Stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      6f6b7ee9a4b8c657931ecaacd04849db.exe

    • Size

      78KB

    • MD5

      6f6b7ee9a4b8c657931ecaacd04849db

    • SHA1

      aadc1272891324493ad099c65e72a7bff8b2fd0b

    • SHA256

      11fb7846090fb2e23cba8a66b1e5e605072aab6580cb9103f9d3e89205826a1a

    • SHA512

      3c64218ed10eec552f198b17289aced5feaefec0c6ca8b1f25ed7f7e2cc1cab3fa98202f8bf0590810131c0cf12c38e5e9cd772170b5eb73873af7d8b12e7074

    • SSDEEP

      1536:NPWtHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/q1zv:NPWtHFo53Ln7N041QqhgD9/o

    • MetamorpherRAT

      MetamorpherRAT is a remote access tool that has been in circulation since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      6f723cd9002531ad31487e588d1132bc.exe

    • Size

      1.1MB

    • MD5

      6f723cd9002531ad31487e588d1132bc

    • SHA1

      c794aab74ea0c76d1c077ca87d175014bc76f0f5

    • SHA256

      c9206100b2d07324c79a83cb515893a79d39a1de3a6dac7a72a7b167c41b6910

    • SHA512

      198154faa272369a965747852699d562c43622f9fbe94daf2cd4d62c63e64f7c542904e582f074f57843fb35e5db500149ee58c1826d733688e54eb6da6ad5a2

    • SSDEEP

      12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Target

      6f7e5a757226029c4770683df8125105.exe

    • Size

      32KB

    • MD5

      6f7e5a757226029c4770683df8125105

    • SHA1

      a02af7730ecfa6e29cb084d4540684f8f03eddd0

    • SHA256

      20e2cc8b8326e1050bec8103b99c08c89982555c6731fa4b06e0ba6c4789e53f

    • SHA512

      b93f60d1ed745df8774b81285da2d3a857a46b3a177253a314d583f74fcc62a1d1bfd4f4d2fd549a977c9dd375d75aa5aa45f2f3c0df9794aff55a3a4412627d

    • SSDEEP

      384:EcmKc71F3BUaMbGf/JLbFt63Tm2eaFOYKdRApkFTBLTsOZwpGd2v99Ikuis1izV+:5a1LxMC1Jt63Tw4xKdVFE9jVOjhIbw

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Target

      6f8921f28520259dde636ae0740e643e.exe

    • Size

      83KB

    • MD5

      6f8921f28520259dde636ae0740e643e

    • SHA1

      7ef37a82084aab44a4244686caab989782fe6429

    • SHA256

      6227c2875367575c19077a8862756f5fc68e4d6b3d927141a53b754ac92b6b96

    • SHA512

      662fbf92d10fc3be43db9696e6c3b3d070006ec0aed2fd0839eee953e7b0967fd13b6a3c14a19540225fb7839c076716f7ebb74ec99c7a74d9117e462aba447a

    • SSDEEP

      1536:77triqtB0GeR5d1DXi/nRlacAXoLvo+b4dB/jwpV2ooVZ2HsFz+V6HyKpOamqVsC:9ri1DXYRnAYM+b4P/4oz2Mca1OaDKC

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Target

      6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe

    • Size

      1.6MB

    • MD5

      072d2202b56c22e2f03d6d9f20daf3d4

    • SHA1

      0ab55b346a913174a29e2fdc4f27e9d75894706e

    • SHA256

      6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e

    • SHA512

      c641638b944a9c57f1127a67a5afbf961498e72900fad69d720b778922823434baf8d2843333d761ae6f5516a3d03427a550d0a4b9eabb39ee7dd102d681e47e

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      6f9568a7c563f84e4331fd0954d9ad321f41199035067dca004e1c927c1989ba.exe

    • Size

      577KB

    • MD5

      1d435c0e47862012d228133e01368343

    • SHA1

      4e9d2237e0ea2bce04ed8e29ae50c5775e714890

    • SHA256

      6f9568a7c563f84e4331fd0954d9ad321f41199035067dca004e1c927c1989ba

    • SHA512

      c9db84d8e1bbdadc57850e5fba127fefb89489b46b8e8c2a3ffb2d3701c6ed4d35195859813bf05f469b5d89f7b36dfe6c69944d45fd6ef45f98a0eaa47f6de6

    • SSDEEP

      12288:ZbRKjP7nesYuGmI3PzBgoriXT1AP7ARXPgMe:DKjP7esYuGmGPz6xqTGe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      6f9d1b3820144f3c5df2673cd155bfe0.exe

    • Size

      65KB

    • MD5

      6f9d1b3820144f3c5df2673cd155bfe0

    • SHA1

      0de390fc681a70a1c4fe025cb8ac2d932c6f9d74

    • SHA256

      1d03f958e13355dee8ee5596085311b50fbc63c466411a1106e06b80cdfc7832

    • SHA512

      d260eebe56dbdbcee8673457af7a79afa28165100decb56231086beee1d8cd661799c4c3ac735e697dcb5bd55fac75c4de85f819d82b2976bdb78f08d2c45077

    • SSDEEP

      1536:Ek1KqboN36twQviFw1b3kEBnvbgfLteF3nLrB9z3nHaF9biS9vM:EqKqboN36twQviFCzpBnMfWl9zXaF9bK

    Score
    3/10
    • Target

      6faa2d85ae06f7888287bec8ae3e079b.exe

    • Size

      273KB

    • MD5

      6faa2d85ae06f7888287bec8ae3e079b

    • SHA1

      ccc4103d8d5a042b5f4b99b82363444d3e7e3dc0

    • SHA256

      7cb82f034c8469abb8eefc94fa1eb6b802a64489b4de6824dd21677b0113dd72

    • SHA512

      99483fce6dad21ca189ed9dfe4631fc91145d199788fd6670c40acfb93220c109fff5cffd47b8074cf464f54931293ce4849134711e6a37f8ac5760dc5c9726c

    • SSDEEP

      3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdTi:WFzDqa86hV6uRRqX1evPlwAEdm

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6fd711c9c2d9499442df85e477e670c6.exe

    • Size

      91KB

    • MD5

      6fd711c9c2d9499442df85e477e670c6

    • SHA1

      b0060d9847183d79246b89105f93ade22c030723

    • SHA256

      4b0643e246975f409a05d1f660b078de4b828b18cce4c70ae21906d0308cd9d6

    • SHA512

      012abb90437ef84d8871263197a4c27083e208bfde48192803928bb3c37aa558aced546eefd56aade51a64d4d1097523df5ad55fc99a356a2cf4039a9bbfdb45

    • SSDEEP

      1536:atk185fIMs/fmejKu6jHGd2nD3gKvxiBGmgkGPIqXin0i4FcXVQ:atkK5fIMs/fmejKuivz9vxa4kGPIqXG2

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      6fe5c591a1fbdd543b030912700b164a.exe

    • Size

      47KB

    • MD5

      6fe5c591a1fbdd543b030912700b164a

    • SHA1

      9667d52bec1f5257efb9b42b20a53500bd307aff

    • SHA256

      5fee1b46ab28ddd6ac8f46e819b5340e10084660686f0d0e415ab4a7105c465a

    • SHA512

      a3215288599e11f40e96fd4c63d14388e1c061cdbbe3d5e9e80c3d7e083a3e700c51d35058785534dd3d510072d09086863ef04534aac184765a7acdcc5b1a53

    • SSDEEP

      768:QSQcFILSC+e+bibovnBIPRHoibzYbyged3FyGMa92w10AHEgK/J7BpqKYhY7:QSQMyUnB4Fncb12YGMI2q0AfkJ7BpqKX

    Score
    10/10
    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE
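
Several signatures recur across the targets above: PowerShell used to add Windows Defender exclusions, code that disables Defender features, Run-key persistence, and Image File Execution Options injection. The Python below is an added example (not tria.ge's signature code) of how those behaviours look as detection rules run over host telemetry, including the common evasion of hiding the Defender cmdlet behind `-EncodedCommand`. `SAMPLE_EVENTS` are constructed records whose field names follow Sysmon event 1/13 and PowerShell event 4104; the rule set and its names are the author's own approximation.

```python
"""Detection logic for the signatures that recur across the targets above:
PowerShell Defender exclusions, Defender feature disabling, Run-key
persistence and IFEO debugger hijacks.

Added example, not tria.ge's signature code. SAMPLE_EVENTS are constructed
Sysmon/PowerShell-style records (field names follow Sysmon EID 1/13 and
PowerShell EID 4104); the rule set is the author's own approximation.
"""
import base64
import re

TEXT_FIELDS = ("CommandLine", "ScriptBlockText", "TargetObject", "Details")

# -enc / -EncodedCommand payloads are base64 of UTF-16LE text
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

RULES = [
    ("defender_exclusion_via_powershell",
     re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I | re.S)),
    ("defender_disable_via_powershell",
     re.compile(r"\bSet-MpPreference\b.*?-Disable(?:RealtimeMonitoring|BlockAtFirstSeen|IOAVProtection)\b", re.I | re.S)),
    ("run_key_persistence",
     re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)),
    ("ifeo_debugger_hijack",
     re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger\b", re.I)),
]

# constructed: the encoded form an operator would use to hide the cmdlet name
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed telemetry, not from the sandbox run
    {"EventID": 4104, "ScriptBlockText":
        r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming' -ExclusionProcess 'svchostdc.exe'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 13, "TargetObject":
        r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "Details": r"C:\Users\user\AppData\Roaming\XClient.exe"},
    {"EventID": 13, "TargetObject":
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger",
     "Details": r"C:\Users\Public\svchostdc.exe"},
    {"EventID": 4104, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def normalise(event):
    """Join the text-bearing fields and append any decoded -enc payload."""
    text = " ".join(str(event[k]) for k in TEXT_FIELDS if k in event)
    for m in ENC_RE.finditer(text):
        blob = m.group(1)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        text += " " + decoded
    return text


def detect(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        text = normalise(ev)
        for name, rx in RULES:
            if rx.search(text):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The read-only `Get-MpPreference` and the plain notepad launch produce no hits, and the encoded `Set-MpPreference` is only caught because the command line is decoded before matching; a rule that inspects the raw `CommandLine` alone would miss it.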

MITRE ATT&CK Enterprise v15

Tasks

task          tags                                                                                                   score
static1       rat, hacked, default, stealer, vikas, umbral, xworm, dcrat, njrat, asyncrat, discordrat, revengerat    10/10
behavioral1   (none)                                                                                                 1/10
behavioral2   (none)                                                                                                 1/10
behavioral3   discovery                                                                                              3/10
behavioral4   discovery                                                                                              3/10
behavioral5   dcrat, defense_evasion, execution, infostealer, rat, trojan                                            10/10
behavioral6   dcrat, defense_evasion, execution, infostealer, rat, trojan                                            10/10
behavioral7   discovery, spyware, stealer                                                                            9/10
behavioral8   discovery                                                                                              7/10
behavioral9   discovery                                                                                              7/10
behavioral10  discovery, persistence, privilege_escalation                                                           8/10
behavioral11  umbral, stealer                                                                                        10/10
behavioral12  umbral, stealer                                                                                        10/10
behavioral13  metamorpherrat, discovery, persistence, rat, stealer, trojan                                           10/10
behavioral14  metamorpherrat, discovery, persistence, rat, stealer, trojan                                           10/10
behavioral15  dcrat, defense_evasion, execution, infostealer, persistence, rat, trojan                               10/10
behavioral16  dcrat, defense_evasion, execution, infostealer, persistence, rat, trojan                               10/10
behavioral17  xworm, rat, trojan                                                                                     10/10
behavioral18  xworm, rat, trojan                                                                                     10/10
behavioral19  xworm, execution, persistence, rat, trojan                                                             10/10
behavioral20  xworm, execution, persistence, rat, trojan                                                             10/10
behavioral21  dcrat, execution, infostealer, rat                                                                     10/10
behavioral22  dcrat, execution, infostealer, rat                                                                     10/10
behavioral23  snakekeylogger, discovery, keylogger, stealer                                                          10/10
behavioral24  snakekeylogger, discovery, keylogger, stealer                                                          10/10
behavioral25  discovery                                                                                              3/10
behavioral26  discovery                                                                                              3/10
behavioral27  asyncrat, discovery, persistence, rat                                                                  10/10
behavioral28  asyncrat, discovery, persistence, rat                                                                  10/10
behavioral29  xworm, rat, trojan                                                                                     10/10
behavioral30  xworm, rat, trojan                                                                                     10/10
behavioral31  asyncrat, default, rat                                                                                 10/10
behavioral32  asyncrat, default, rat                                                                                 10/10