Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

7282a7060d...a7.exe

windows7-x64

10

7282a7060d...a7.exe

windows10-2004-x64

10

7286d086dc...6f.exe

windows7-x64

10

7286d086dc...6f.exe

windows10-2004-x64

10

729c059086...ed.exe

windows7-x64

10

729c059086...ed.exe

windows10-2004-x64

10

72f303c648...1a.exe

windows7-x64

7

72f303c648...1a.exe

windows10-2004-x64

7

72f4a85245...cc.exe

windows7-x64

10

72f4a85245...cc.exe

windows10-2004-x64

10

72ff89c7cd...9f.exe

windows7-x64

10

72ff89c7cd...9f.exe

windows10-2004-x64

10

7307a761db...38.exe

windows7-x64

10

7307a761db...38.exe

windows10-2004-x64

10

7309f93555...28.exe

windows7-x64

3

7309f93555...28.exe

windows10-2004-x64

10

730efb97bd...a1.exe

windows7-x64

7

730efb97bd...a1.exe

windows10-2004-x64

7

732ab0ac86...7a.exe

windows7-x64

10

732ab0ac86...7a.exe

windows10-2004-x64

10

73522a2d41...71.exe

windows7-x64

10

73522a2d41...71.exe

windows10-2004-x64

8

7355fddf5e...6e.exe

windows7-x64

10

7355fddf5e...6e.exe

windows10-2004-x64

10

736e4ed229...93.exe

windows7-x64

7

736e4ed229...93.exe

windows10-2004-x64

10

73bc8a93cd...07.exe

windows7-x64

10

73bc8a93cd...07.exe

windows10-2004-x64

10

73d6911ed2...07.exe

windows7-x64

10

73d6911ed2...07.exe

windows10-2004-x64

10

73eb32431f...ff.exe

windows7-x64

7

73eb32431f...ff.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_28.zip

  • Size

    97.0MB

  • Sample

    250322-gylfsayzhs

  • MD5

    943aa1a744111aae97d70b5406cbd36f

  • SHA1

    a04dc31d1927c79e1e8d8e3a2191e587c65a4ede

  • SHA256

    56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

  • SHA512

    af6e4051bd91c305d325ae0afc76dbb95fc3f3172a9e2697746fb7ca511db4caaaea0c90730503b4087f9865e7905f615affd910970f803b524f807356c29bf6

  • SSDEEP

    1572864:vs1JUZ+dYMj9xQuC1LaShPMK5jW+dFJADWui0PM/jDq5QwZ11C95enHfn:01JU+d3ULaShPdFdFitiiZ11Cof

Score
10/10
asyncratdcratmetamorpherratnanocorenjratquasarstormkittyxwormdefaultاسد الموصلcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerkeyloggerpersistenceprivilege_escalationransomwareratspywarestealertrojanvmprotect

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4966

looking-page.gl.at.ply.gg:4966

27.ip.gl.ply.gg:3174
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Extracted

Family

njrat

Version

0.6.4

Botnet

اسد الموصل

C2

ssssss.ddns.net:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes
  • reg_key

    5cd8f17f4086744065eb0992a09e05a2

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:29707

proposed-madagascar.gl.at.ply.gg:8848

proposed-madagascar.gl.at.ply.gg:29707
Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

192.168.1.214:44060

127.0.0.1:44060
Mutex

y49LqARGywqVhfPi

Attributes
  • Install_directory

    %AppData%

  • install_file

    Xclient.exe

aes.plain

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      7282a7060d25903b0e631d894251e21fb6c82756ff630ea2493f184bc3687ea7.exe

    • Size

      613KB

    • MD5

      dd5a1f2078d15f32af4db9785a2e2386

    • SHA1

      f26bafb7dea803ad4ab852f87c0c5b8e89db98c1

    • SHA256

      7282a7060d25903b0e631d894251e21fb6c82756ff630ea2493f184bc3687ea7

    • SHA512

      eed5bbd611dc02e05fb6a58d52ad85380f84d9df845f0356f1dc3f865e9e6f7e68c3699cc39d78fac27a6954cd5727bae48118799d56fa3db3e7f38ef1007a2f

    • SSDEEP

      6144:GtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3ri51:q6u7+487IFjvelQypyfy7i51

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      7286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f.exe

    • Size

      3.3MB

    • MD5

      eb76f554fb6b7b172e6042096d7a42c4

    • SHA1

      54249e327afe53b67e76569f622100b532c3f794

    • SHA256

      7286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f

    • SHA512

      2a972d9b2237da9ac53140d5f32d18235a1a8e22a7c8c21f2b8472b5e9a00a2134f1db67231331f42b427925b760def2c9e54bf6d62bffaf06d509460154d063

    • SSDEEP

      49152:7s51kZEsvhP4KUYTMb5C1JyWdLQqFxLCobXK45p4aE:7s5eaKhgKUFCo2LP15s

    Score
    10/10
    dcratdefense_evasioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral3behavioral4

    • Target

      729c059086bce232a39d74a0b680bfed.exe

    • Size

      885KB

    • MD5

      729c059086bce232a39d74a0b680bfed

    • SHA1

      832281677409fc0e150bdf6132be849824a265ea

    • SHA256

      7a7f0076056b3e2b93a330a8af8df9d43f43a83b50931f2888f0db411c8e2024

    • SHA512

      ca3f47323cc5018608c1c466f4805569df73523a6dcc6367f77bfd6d6a36393937222c0f0dfa89a748dc0406f40fc385761cef432aac1a9cd8d41857b6136c0d

    • SSDEEP

      12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral5behavioral6

    • Target

      72f303c6485d038f4cfbf6150660f36e3de8818fe65d3451573dd1f8722ec11a.exe

    • Size

      68.0MB

    • MD5

      301ab254348c4beb03c43663c51b8c8b

    • SHA1

      e6c668de0c643232b01c86fd8060ea2caacfca99

    • SHA256

      72f303c6485d038f4cfbf6150660f36e3de8818fe65d3451573dd1f8722ec11a

    • SHA512

      8d8c39a1280683c1d05d71f8c49bd22679463ffa64ecbd60319832d3de6e209473d748d72a81e0cb2a5d71823ea70c9edd273afb488ab9a625222483914ad46b

    • SSDEEP

      1572864:+1YnA7A8R7tqEwTDYKJbQ0JxcgjnrUBOO8CPOLJreZq+hhXcI:+10A7B+DYKJbndjnoH8MhhXcI

    Score
    7/10

    • Executes dropped EXE

    behavioral7behavioral8

    • Target

      72f4a85245337b0fcdb662a2cbf0b9a59edbf1208e4a2840c09c7d4fbb6012cc.exe

    • Size

      2.0MB

    • MD5

      eddb08faf6a2faf503e3fadcc0179639

    • SHA1

      e3654dd0665231e3c610b5f8d56c4fb60ef7fa3d

    • SHA256

      72f4a85245337b0fcdb662a2cbf0b9a59edbf1208e4a2840c09c7d4fbb6012cc

    • SHA512

      a9c0455ce5bbc68e13009c3c39b6c7f75d5ea57bc7652a4a8f297d286a25ba4b9d224ac713215f724c9b1b1fed9d485d5b4203c494baeb652b780b5196cb46b9

    • SSDEEP

      49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral10behavioral9

    • Target

      72ff89c7cdaac70515ac184accbd4c9f.exe

    • Size

      1.6MB

    • MD5

      72ff89c7cdaac70515ac184accbd4c9f

    • SHA1

      e6306a7c6d40ae9036ced594b938a12f8ab57b1c

    • SHA256

      5db5b45d3fbb3a20e8fb589356e8c5ad9cfe79cbe2f9ba46a3d5c1d312f72504

    • SHA512

      aacbc1a9ea04889d3d1552ccf9d4634eb0baaf57715dfc7686922058a485eedd868c0578cf8b438187cf8b3b2ebf3d32dcd963ef77ec1de278231ab19f584be4

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral11behavioral12

    • Target

      7307a761db7cdc6093352c9942350f8b7fa9836822750ab63efb80a3e58e6938.exe

    • Size

      223KB

    • MD5

      e86618c8518df150346cc07120f83b6d

    • SHA1

      d37b644e11348c50f88d1d799330e1c5b60915c2

    • SHA256

      7307a761db7cdc6093352c9942350f8b7fa9836822750ab63efb80a3e58e6938

    • SHA512

      134dd15ec7f368269dcbac36878a5eea7c62afa38a5e90fb91440cd685b250a9e2c4f7cdaef57506060db6fdd082eb7b3527188a495afd5eccf71bfaf40e3150

    • SSDEEP

      6144:y5KrTbFWewUhcX7elbKTua9bfF/H9d9n:y5KRWN3X3u+

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral13behavioral14

    • Target

      7309f9355589e2cc6fcc0b43174b8c28.exe

    • Size

      565KB

    • MD5

      7309f9355589e2cc6fcc0b43174b8c28

    • SHA1

      a6078cd5f1315b13d098a55ca9d67c2474628056

    • SHA256

      504fd67a1d270c15ef99af799be3905277ad14531858bb2ed0f67f4089185e44

    • SHA512

      eb0501cced3bef09d1759baca40c97d9e551b01e73bf2cbde0ae802a7d89e7d73b22855c30eddb4ac6561f0b693a290a6044af6cb46fe6acb9520e1a9d2adf80

    • SSDEEP

      12288:qmmO5pyJZghm45vQXy0kSHMg1pPDbFsEqID:qmj5pyIhm45v8y0TFhq0

    Score
    10/10
    discoverypersistence

    • Modifies WinLogon for persistence

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral15behavioral16

    • Target

      730efb97bdfa1760333c3ab9323de9a1.exe

    • Size

      2.1MB

    • MD5

      730efb97bdfa1760333c3ab9323de9a1

    • SHA1

      c5ebb5fbf59dd9d79d6e573fd493f72434372612

    • SHA256

      4f4cde6b4437ff31686c3496b2f80e0402bf87ccdcbe1caca68d38f5034fb89d

    • SHA512

      ce6dd9c0ec5c0c970750e97ba07ac79e9b09edad4e7ec1f00c01d0790d6bba07465227fcc3bcff124e7d3e7c0df35f7d5611a0090732d090e0bf671565358c3f

    • SSDEEP

      49152:q/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf:

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral17behavioral18

    • Target

      732ab0ac86cc174dcf4d86a03d83e27a.exe

    • Size

      281KB

    • MD5

      732ab0ac86cc174dcf4d86a03d83e27a

    • SHA1

      8f020cfa83b0e5887dc6ef8121adea54eebd36d2

    • SHA256

      0584d41c371f1400ae92579fdfaac9f8603bde05ec05200d4ee5e53e3ec99664

    • SHA512

      51a2adb0d9293a1cb6b7f153e5a21883fb7646020dea192796a36dbbc1e92575ca30efb7a5f71fd4235d9418a1649a878bee6d8f2090872a6998c88e75a02460

    • SSDEEP

      6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fe:boSeGUA5YZazpXUmZhZ6m

    Score
    10/10
    nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Nanocore family

      nanocore

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      73522a2d4140ec446c401c39d07eec71.exe

    • Size

      29KB

    • MD5

      73522a2d4140ec446c401c39d07eec71

    • SHA1

      7c2358aac3d7793ac5c524e8a85385d57e8c353b

    • SHA256

      128f50594c4b548b4b0131a395d152ba7cc6edd8c5b2ee44162371956963b8dc

    • SHA512

      c0ff298600074559e21208ee7a8ddb5c1b6bd71f8e8364cfdb9925baf48920b0687ca4dbc7f4e3e77dd5e71378d19241f1554899b56d8f54cdc0d8ec2fc43eec

    • SSDEEP

      384:BmCftl7ndJoc8e9v55Do7mmmqDspHe4qGBsbh0w4wlAokw9OhgOL1vYRGOZzmyP+:PD7zoc86xi74q8HeoBKh0p29SgReyx0

    Score
    10/10
    njratاسد الموصلdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral21behavioral22

    • Target

      7355fddf5edf9713b4450982937bca6e.exe

    • Size

      762KB

    • MD5

      7355fddf5edf9713b4450982937bca6e

    • SHA1

      fd1fbc71728fd7adc310b7ee74fdde59577010f4

    • SHA256

      4e844cff9da913e15f2d6346c97e9a6598cd512dde1e34d98b55f71e76e138a8

    • SHA512

      73030b32969d3d87512b71a8e77ebf30ed29ff360d627b4770980da87a5ed664afa3d7855eb02e0ceffb45b9b1b24c7aba93db24b55b9a0b64360cc6f9bb9576

    • SSDEEP

      12288:LiHyqAJB5a5P9Fie9OvbiaChmfwqQaXqoVYlZRFnx48KWc2SJCOaWGh4B9393Fm7:LMyDa5tEuzdq5GZRFx4ZWJSJiW5Bh2BM

    Score
    10/10
    quasardefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Modifies security service

      defense_evasion

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • UAC bypass

      defense_evasiontrojan

    • Windows security bypass

      defense_evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      defense_evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Security services

      Modifies the startup behavior of a security service.

      defense_evasion

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      736e4ed2299f5ec127d8f98265dc5a93.exe

    • Size

      78KB

    • MD5

      736e4ed2299f5ec127d8f98265dc5a93

    • SHA1

      2874662d53902e4712fba6e70eb57b4989ad581a

    • SHA256

      29f4e4c8d63c893a79a2136b7bd550e446d53f0f3295d686af51798bf1f985dd

    • SHA512

      886db800a10586d6142f6d6cdbb64fb22109c65a42fe2c13b54cf96d3f5d777224deb1e9dfc94232ec25a4d63ceb741f2a973831231064fab2e16b46273f7068

    • SSDEEP

      1536:gHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtu9/p1X/:gHFo53Ln7N041Qqhgu9/j

    Score
    10/10
    discoverypersistencemetamorpherratratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral25behavioral26

    • Target

      73bc8a93cdbba019a429afa403b8ab07.exe

    • Size

      47KB

    • MD5

      73bc8a93cdbba019a429afa403b8ab07

    • SHA1

      a98f37cd190893cad2f6a436d36c9113166a46a9

    • SHA256

      41744a3e6de2de39130b8a2f731392730e3f832444498bb59d9f66bdd8ee738e

    • SHA512

      7fc13ba92ea2d34a17355a9ffcc51846b6e87a34f7214ec1678c85c748920cf7574c9cc4aa80f4ba081dc329fefa3a9acdf2e3ca95ebffd081906538be70e80e

    • SSDEEP

      768:p9umxLiIL1CaS+DiMtelDSN+iV08YbygeOyBMRxpvEgK/JnZVc6KN:p9uAPWMtKDs4zb1juMRfnkJnZVclN

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat
    behavioral27behavioral28

    • Target

      73d6911ed247a840f2f372a605a99407.exe

    • Size

      1.1MB

    • MD5

      73d6911ed247a840f2f372a605a99407

    • SHA1

      595953dd65ceb6ce48af99d0e4533ac711681733

    • SHA256

      e1dacd883b37c7e481b4fc643b5628e061155f7c4f37874907ac2c8a5e66d7c0

    • SHA512

      ba7b325ca5ff67273ebe485904d7981f8d70b3b2e9647c2f702bb0e6f3058faf35d4fab1351deaadf8fb126517595766d7039ee56b97c21fff36a43026696544

    • SSDEEP

      12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral29behavioral30

    • Target

      73eb32431f602f42759a38c5eab47eff.exe

    • Size

      220KB

    • MD5

      73eb32431f602f42759a38c5eab47eff

    • SHA1

      91a96c20d061045188cc0536ee698f58293dd314

    • SHA256

      b81ac7df79d0575b92c6793db9ebab3e90ff09dabf6eef8c56ab3b6bd19fff9a

    • SHA512

      f0be2833d56d671a6f51f1503ff2b70196c0a217c3913b23f2994b7f42a82fa3a5e45b525a575eceb5a260224781a756fcd6bb0f2b90ead7aa6082a6d1009dd5

    • SSDEEP

      3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmh:ZR5IuMQoseGk7RZBGxAycKpSPX2q

    Score
    10/10
    persistencedefense_evasiondiscoveryspywarestealer

    • Modifies WinLogon for persistence

      persistence

    • Modifies visiblity of hidden/system files in Explorer

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

8
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

6
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

12
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

static1

ratاسد الموصلdefaultvmprotectdcratxwormnjratasyncratstormkitty
Score
10/10

behavioral1

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral2

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral3

dcratdefense_evasioninfostealerrattrojan
Score
10/10

behavioral4

dcratdefense_evasioninfostealerrattrojan
Score
10/10

behavioral5

dcratinfostealerrat
Score
10/10

behavioral6

dcratinfostealerrat
Score
10/10

behavioral7

Score
7/10

behavioral8

Score
7/10

behavioral9

dcratinfostealerrat
Score
10/10

behavioral10

dcratinfostealerrat
Score
10/10

behavioral11

dcratexecutioninfostealerrat
Score
10/10

behavioral12

dcratexecutioninfostealerrat
Score
10/10

behavioral13

xwormexecutionpersistencerattrojan
Score
10/10

behavioral14

xwormexecutionpersistencerattrojan
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

discoverypersistence
Score
10/10

behavioral17

Score
7/10

behavioral18

Score
7/10

behavioral19

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral20

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral21

njratاسد الموصلdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral22

defense_evasiondiscoverypersistenceprivilege_escalation
Score
8/10

behavioral23

quasardefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywaretrojan
Score
10/10

behavioral24

quasardefense_evasiondiscoveryevasionpersistencespywaretrojan
Score
10/10

behavioral25

discoverypersistence
Score
7/10

behavioral26

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral27

asyncratdefaultrat
Score
10/10

behavioral28

asyncratdefaultrat
Score
10/10

behavioral29

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral30

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral31

persistence
Score
7/10

behavioral32

defense_evasiondiscoverypersistencespywarestealer
Score
10/10