General

  • Target

    archive_29.zip

  • Size

    91.3MB

  • Sample

    250322-gyqeqsyzhv

  • MD5

    35158a82d6dae44fb46243af53d36de2

  • SHA1

    279e9a2c2303ab287ea8993a879f8e6ef8d97b1b

  • SHA256

    aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

  • SHA512

    96ef81d6d4d5f4514c56440bf5a411e20ca72a5887f9721e147911aebb238d0b3f0ad32b4fabe0cb1deb8e256d078f638974fa8383f840aa422fa4df8bfc5566

  • SSDEEP

    1572864:NFjsyt70U+knDAu6LZbipuosH/fcBMfFl+9e+ancZTTpL8E1vsB40KHEPC6g+:N6y0Pu8ZbfN/fcBYYacfL10elug+

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

office365

C2

192.168.0.182:4782

Mutex

247cbad3-d2c3-4911-bcea-2ba07f8a24dd

Attributes
  • encryption_key

    B23B358E069C74D3466E9FC1110706C029AADF0D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

127.0.0.1:2035

fixed-uh.gl.at.ply.gg:2035

aboltustimoha-43339.portmap.host:43339

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

ts61.duckdns.org:1604

Mutex

6339cb4b-a4c0-4c70-82d4-4b287a99492d

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    ts61.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-04-14T17:46:09.769761836Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1604

  • default_group

    Default

  • enable_debug_mode

    false

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    6339cb4b-a4c0-4c70-82d4-4b287a99492d

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    ts61.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

5.tcp.eu.ngrok.io:17528

Mutex

797bda321ec5901eee6baaafa48c553a

Attributes
  • reg_key

    797bda321ec5901eee6baaafa48c553a

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    OfficeUpgrade.exe

  • copy_folder

    OfficeUpgrade

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    Upgrader.dat

  • keylog_flag

    false

  • keylog_folder

    Upgrader

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    req_khauflaoyr

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    OfficeUpgrade

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519.exe

    • Size

      502KB

    • MD5

      8a04eeadf3aa212ad8b9ec03750598b5

    • SHA1

      8ecd4c1b9e3f52c8cfb33785b8669d0fe12a67bd

    • SHA256

      75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519

    • SHA512

      e804d6b2530a1239dcd0dc51921841342def20fa97d2f64029f793321fcba343d3bf703fbf7c4e167233c219724364e1e6ca4266f806f5194cfda927f46d8dff

    • SSDEEP

      6144:xTEgdc0YrXAGbgiIN2RSBKnaJm5xGDy5Etqk+yw4sUcEOOb8F9Z2U/iBWcTR3y:xTEgdfYbbgyaJpj4xywyepTcBWcdy

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe

    • Size

      37.3MB

    • MD5

      7c75210de2c558c9050f082e5373ee37

    • SHA1

      a683e20da1195e0e3eacabd19c760ebf9b60768d

    • SHA256

      76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb

    • SHA512

      874201ba98ebb687f05df0e508ff967b61a6b3d28274a986ee31c8e5d7371e1c6fa24f462125ab7c375d6bd96fed18d5640cba962107d546cfca3c6d147dbf20

    • SSDEEP

      786432:5gB5EOyGOlEaoPvuMMXU2o3SIkDhSdKqlH7R32AsKpDW800m70T+eUNH39:8lyHIPvuMwUp3SVMpHldxM80n7Q+xHN

    • Detect Xworm Payload

    • Modifies security service

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      760a200139494a0bec4f29f831cde04c.exe

    • Size

      136KB

    • MD5

      760a200139494a0bec4f29f831cde04c

    • SHA1

      1981019ac5677bc5499c11e8c50bd098974afb1f

    • SHA256

      60bd5a161f7e5f3a1ac6538b981822bb8f17293ebefb350b3d62d180d79c4045

    • SHA512

      363d6ccb8ad40e6d8f7a02c9d92e9ea273d0fffef8f488ad6339f6359bf4ffe0904d9b1abcd9a5fda5b27cd438c74bf34b653593f3abd1e68b55a0eee307e7cc

    • SSDEEP

      1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKV:xPd4n/M+WLcilrpgGH/GwY87mVmIXl

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7621266dff8a6ed77a89bf540aa04817.exe

    • Size

      690KB

    • MD5

      7621266dff8a6ed77a89bf540aa04817

    • SHA1

      667a52b0c561ec9a378706be7d5f556b44516c3c

    • SHA256

      ec8db8b10723987c0e27aed520f12d33fff005271b82660969eabf1bfbbd4441

    • SHA512

      9fe8a982bebb3f9316fdfd24f6d990625f521674e43f0dd5e14d3af18a77320d747565ed803626ef94b055c9a9442d9a36da0eda5daa7fd991f9bf38fad89f90

    • SSDEEP

      12288:n2QRXDD1yed0fsU4GSWgOvPESGj4s32xEdRCSkeA0plGImZV5SAw2izK:n2Q9NXw2/wPOjdGxY4DFwde

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      763e7e37205e869689cbe8e9ba0a36c3.exe

    • Size

      97KB

    • MD5

      763e7e37205e869689cbe8e9ba0a36c3

    • SHA1

      4bf516ad4dd57fbb26657b1436f00478ef762d77

    • SHA256

      deafea3265495b718929607ad1d1ee8ba57a4aa9ecbaceaa88a8d7745924ef35

    • SHA512

      e067f84a3d9cd7fc886a7bd8ed15f764db46e63047ea3b899cb91ed4a1e806e936559dbb211e852175e4295b2d1748bbbb11056391fa8bfb9d82d3eab07d2f11

    • SSDEEP

      1536:MYxlY23kGwgMBUQGum2U8aVCguHEvQEbFeDVC3woFRKpTdeh:DlY23kg3sguGDFaXeh

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      764342a8e44ce10b58eb8db3b885603a.exe

    • Size

      684KB

    • MD5

      764342a8e44ce10b58eb8db3b885603a

    • SHA1

      5adb435a3aa128980f643fc977396266228995bb

    • SHA256

      db77e46cc174d1289ea3441bf86661a821cee2aa686b70a861c92987e51ee542

    • SHA512

      7f797c4dbf623335f925bec47598013b6e55d9910788141e0f345a719c94d318b872cfae39835dd02c3d67b1844706307d5f09f2add1733fce6f681ee356b8de

    • SSDEEP

      6144:4tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rCk:s6u7+487IFjvelQypyfy7Ck

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      765922fe83a63a3538c814a8e7c67fde28ce6f2027af2cc34482b75dae7fcaca.exe

    • Size

      2.0MB

    • MD5

      71bbb2d21aab33cbd1cdead1ad9f4623

    • SHA1

      39f383153e31f8c065f9a758a330d6fd6c9a127f

    • SHA256

      765922fe83a63a3538c814a8e7c67fde28ce6f2027af2cc34482b75dae7fcaca

    • SHA512

      3cb87ea8a079298996337c74aa2abb795e8c8d5b947a1185d1af7b0cf1da73bde14a3c989c51765a4deca6fe30109c6f3bd5ac8ee0daeec234341d77863a2623

    • SSDEEP

      49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      7666b329e0698fb891dc55b08f935ce978b4accd6b1a688ae315a24d50623d6a.exe

    • Size

      630KB

    • MD5

      c4eeb5af91affc8675dd27816d149463

    • SHA1

      b69fab2993839b8616aa8519fc28dd4843efc281

    • SHA256

      7666b329e0698fb891dc55b08f935ce978b4accd6b1a688ae315a24d50623d6a

    • SHA512

      69f9f0b56031347a85ad0704879c6093b2d022fe277038d034bd7ffe105957406d84bd64b52d3949e68bb204e6903b33daa061aee1edd1e2505241feefb9ef0d

    • SSDEEP

      6144:YtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rfW:M6u7+487IFjvelQypyfy7fW

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      766ad1b216099c4519dda9a9986b8436.exe

    • Size

      333KB

    • MD5

      766ad1b216099c4519dda9a9986b8436

    • SHA1

      8f29475d69feb22d60ee49bacfd5d6a597ed902d

    • SHA256

      5559f44e2d0bf53f4ed8eef5090bce34971c8e078605cd05734fca4c2b67a172

    • SHA512

      c3d8f3a3551e7056c4de119517c331b7b74f6505d89d1a792bb9f4679dee2b97d55553f691957f350617668608568793e7943e58089f2721eb544b947ae778eb

    • SSDEEP

      3072:sgZcEdT8Yks6B2cNUkLsL9FqzoUUr6Vy4abDHlNl9O48YFXCu42OM4JqnMZkEO/x:N+rvB45LeUr0yxDpFCuKJ4MmEepya

    Score
    3/10
    • Target

      76b5533f096de0c1b9ecd517e5708429987578b11a0dfd2af98cc53fb6022ac1.exe

    • Size

      222KB

    • MD5

      3358cb9f988d3595cf64c8214444fa93

    • SHA1

      26441012c1d154f267851f27c78558bba6849a82

    • SHA256

      76b5533f096de0c1b9ecd517e5708429987578b11a0dfd2af98cc53fb6022ac1

    • SHA512

      416a5e1044ae314430dd056fd97352a292af627c3099ac5073116615b127335a93d46281d82116217f5ecc4fa0d41bb262d2ad44654da70b01c3408db1e7cf88

    • SSDEEP

      3072:osXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmyx:JR5IuMQoseGk7RZBGxAycKpSPX2Nx

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      76c8afc286159014532e7a6a66114eeb.exe

    • Size

      18KB

    • MD5

      76c8afc286159014532e7a6a66114eeb

    • SHA1

      1734c6e854189262fa527b79c7e9c766f83643c6

    • SHA256

      a3e07362695d2d682d335504a20078daa14d31b4b3388f4f357cbc0df4114fee

    • SHA512

      501e0fe5c024a8155616c3bdb5925e764f7065778b7dc9303d1e7858948c4404d8db236a76f9bba0c85104c1454f3aa8caf7928bed093c454dcc666a7f0d63fd

    • SSDEEP

      384:1xJJ5sC/dMKASq7RZrEhglO2x4hmETkK6aHv+O:1xJJlrAZR1Ehglhx4TTp

    Score
    1/10
    • Target

      76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe

    • Size

      2.3MB

    • MD5

      1a434ea125bf9175e6e56f6a47836059

    • SHA1

      eb01f314197d77976e79044686d2065866bde70f

    • SHA256

      76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f

    • SHA512

      7f6fc96d4e9781fcfd711e31901be908eb464977e3b546c71a5362c2bf0618c93d384cc29fb1f123b53bdaa3e64c98a4207b90187e7803bd00311317e502244a

    • SSDEEP

      49152:WSBvjC9Jp6faCaUlQqv76arSehigDHQYdC1M/:WSBv/aCBJS/qHQsj/

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      76d2a80297031a02e7591d8ab858a2d7.exe

    • Size

      2.0MB

    • MD5

      76d2a80297031a02e7591d8ab858a2d7

    • SHA1

      ec00834dc57378e344872434f95a37837241fca0

    • SHA256

      2ce5203e37ddc015f27ec1a3e1fe8b332e383cbaf5ae7e22aaed9b23c609ea6f

    • SHA512

      0a2f318e49ec8e8c32dbc1f028445bc712fc7d06d2eb915c55d80cc5a360a61c045e7778a3c9110c2ab92236cb5870754c1ed9fce5f11f2cc3833edcbb5d2ea7

    • SSDEEP

      49152:8DM6kxEuF98kPO2wjovVRbloub6AKcILOw5MNu/I:8Nba98kPZwSJayUOwku/I

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

    • Size

      1.6MB

    • MD5

      5c40a0842a538e01695fdfb1b5268840

    • SHA1

      77815adb386d69b1615b318ba20434663a5416bf

    • SHA256

      76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a

    • SHA512

      30ef7616b385e77a350310f7ea4cf193e0bca1107366c51f1808ae8d9277904fce4dfec23e72fc7fffa022b5ad87d2aa7dfa35b140b93ab84d2d87d365237a8d

    • SSDEEP

      24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      76f8eeacdb7c58c8cc1c9d1538fb6e0d.exe

    • Size

      1.8MB

    • MD5

      76f8eeacdb7c58c8cc1c9d1538fb6e0d

    • SHA1

      23120e28aa762b792a5010d1fc408594c0fc8567

    • SHA256

      7862e6affb9234c99fcac2e28e158311fc815b4ca21fa891a48c55c17bc4383e

    • SHA512

      bde65285febad75355d6d11189c6f061d7c3982fffccf23b3aad3c6bcf25c282ee31f6ece7daf99db4a61825161a560e9eb3da3998c15e9df452b126824521a1

    • SSDEEP

      49152:0D1AQvwhpabw5hEhSzYR7iMW56Zsgu4Me4RF:YZGEbMUSsR7ns0TU

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      770f4b8c61c658b7b4e9c1bb7d087196.exe

    • Size

      5.9MB

    • MD5

      770f4b8c61c658b7b4e9c1bb7d087196

    • SHA1

      61e9578c90253544c2952ee7788b7516e820f0d3

    • SHA256

      973e19cd948b9d0136c82da54c5b9d27e3f45bf5b77d24a15bc1481537ac0073

    • SHA512

      54b49d42a270f9ff85f25276822cf5dc78a0413e167a3817890eb4cdea0521aff6c33ac0e64ecc9f3777117f26832da33a3d2d817dd81c56a996f6bcfe97a1b4

    • SSDEEP

      98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4S:hyeU11Rvqmu8TWKnF6N/1w7

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

office365, rat, victim, quasar, dcrat, xworm, nanocore, njrat
Score
10/10

behavioral1

quasar, office365, spyware, trojan
Score
10/10

behavioral2

quasar, office365, spyware, trojan
Score
10/10

behavioral3

xworm, defense_evasion, execution, persistence, rat, trojan, upx
Score
10/10

behavioral4

xworm, collection, credential_access, defense_evasion, discovery, execution, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
Score
10/10

behavioral5

remcos, host, discovery, persistence, rat
Score
10/10

behavioral6

remcos, host, discovery, persistence, rat
Score
10/10

behavioral7

persistence
Score
7/10

behavioral8

persistence
Score
7/10

behavioral9

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral10

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral11

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral12

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral13

dcrat, infostealer, rat
Score
10/10

behavioral14

dcrat, infostealer, rat
Score
10/10

behavioral15

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral16

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

defense_evasion, discovery, persistence, spyware, stealer
Score
10/10

behavioral20

defense_evasion, discovery, persistence, spyware, stealer
Score
10/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

dcrat, infostealer, rat
Score
10/10

behavioral24

dcrat, infostealer, rat
Score
10/10

behavioral25

dcrat, infostealer, rat
Score
10/10

behavioral26

dcrat, infostealer, rat
Score
10/10

behavioral27

dcrat, execution, infostealer, rat
Score
10/10

behavioral28

dcrat, execution, infostealer, rat
Score
10/10

behavioral29

Score
7/10

behavioral30

execution
Score
10/10

behavioral31

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral32

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10