General

  • Target

    archive_31.zip

  • Size

    103.7MB

  • Sample

    250322-gyyq4sy1as

  • MD5

    f8b53963321f39a2e52d3343a43fcbca

  • SHA1

    a9f016fea5d102a7f58d196730950c9784dfcda5

  • SHA256

    5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

  • SHA512

    1e7ba854ca0d7c90adde09386e007611e5488b8ce704680bbf4ef7c866329d74da8d8b92ee63b62150ad0755a142eff9c271f25d8d981fbd01997c59d4b743fc

  • SSDEEP

    3145728:MftqvoD87wiQBQxvOQ8ZlW/MXN2eCnEaLCEa+Zi9jhA:atmoDbIpx0XYenaLRaKiXA

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

103.125.217.116:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

orcus

C2

h0metowgh0svi3ws.servequake.com:10114

Mutex

f4a241c2356f470581f678498d8553bb

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\winupdate\Winupdates.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\WinupdateWatchdog.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

FotisDouk-31684.portmap.io:31684

Mutex

4ada209f-7853-4e85-9f70-1904ada388a9

Attributes
  • encryption_key

    55D0EB59899AFE080D81B04BC39BBD2B990D988E

  • install_name

    Windows Mainframe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Mainframe

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:5592

church-converted.gl.at.ply.gg:5592

Mutex

nitAcN6co0nK84gF

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vayabattery.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    H@123456

Extracted

Family

vipkeylogger

Credentials

Extracted

Family

xworm

C2

77.83.242.113:2020

Mutex

miZU0rMm5DElS6cq

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.1.3:1177

Mutex

d2dc16a9135398a3915a035274a224da

Attributes
  • reg_key

    d2dc16a9135398a3915a035274a224da

  • splitter

    |'|'|

Targets

    • Target

      7ea3b6486807ad0e5d5a6a107de8eb0a27457170ebb23b480f566e125f0a1dcf.exe

    • Size

      866KB

    • MD5

      06bc901a5a455cd5a1312e7daf3c6cb5

    • SHA1

      15330557ca280eb56548dffaef8b70d513b74681

    • SHA256

      7ea3b6486807ad0e5d5a6a107de8eb0a27457170ebb23b480f566e125f0a1dcf

    • SHA512

      c6a43e4a2f4985621234a3bd86748f531adfaac00e3f9ccdd6ac833d8b66bd635c6cc993966ff73a4d02632ddf9955018d9bc13c5ecdc408b8a769e860667aa6

    • SSDEEP

      6144:TtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rT77:16u7+487IFjvelQypyfy7T77

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      7ebaf99c04948dfae45c2a85cbd1b9e4620aa618976501eb0b984ceabb223d24.exe

    • Size

      496KB

    • MD5

      1e23be4333abb1de4a0db86efb256d26

    • SHA1

      91e35f97f46e784144c5f75c650052fbb8f97434

    • SHA256

      7ebaf99c04948dfae45c2a85cbd1b9e4620aa618976501eb0b984ceabb223d24

    • SHA512

      672c737312aa24bf3155b1f593971174e59b307569cf8dabbfb76c6c1f9a60a0d9ac87e15966ffdbc9cfeaa3c99c7b65c497ba55501989fb5ebc00a80f428b71

    • SSDEEP

      12288:l1203e4jHFDSirC2iLYSuUuisXC9HMriYfNHaLSHm:G03eGHFDS+SyOuaLS

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      7ee13560bd2ed5c9f36e497acfc28012.exe

    • Size

      63KB

    • MD5

      7ee13560bd2ed5c9f36e497acfc28012

    • SHA1

      f596627f670de23007796b8d3397191da6637dac

    • SHA256

      677933cd9ff1648ec904a9f621dd671418f56f9258f860e9dae5fe1d48f343ed

    • SHA512

      efd7051a86f3d8e36f198be1c56dc2f9e0ddd546177a5c94a9f0d9113cdac2bbed901ff9bf3bf2ff3b14c489ce3ffe9b9327056c7f479c796b07bc85d125b177

    • SSDEEP

      1536:OhB5LrUwk4XO01V5eeiIVrGbbXwoQcZDDG6HpqKmY7:OhB5LrUwk4XVVseXGbbXQGfUz

    • AsyncRat

      AsyncRAT is written in C# and is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Target

      7ef695e2eb00583acd7c520cf107188f.exe

    • Size

      78KB

    • MD5

      7ef695e2eb00583acd7c520cf107188f

    • SHA1

      81b07c6a5b9ff127044492483e978d0aa3c709a7

    • SHA256

      198f7e8e6e6b9f8d60ef722311078e085ccd7f3034176c4cb39db6d43be50451

    • SHA512

      1a8329294fc2f46a7012ebd374a0b2e7731fd840b471654ecd7ab9aa7d1f56fdd99cca1a001373d70117ead83fe5c9c6bbfe7866a63d413a13bcdd8e39368a58

    • SSDEEP

      1536:XV586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6ox9/M1RT:XV581n7N041Qqhg9x9/E

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      7f08f6ad11231c5a9fe72a1c6cc9cbb44affebd845449fcd79be82945de53170.exe

    • Size

      778KB

    • MD5

      2d95abc037ed55be3073fab1a7f713b0

    • SHA1

      cafb685b0bdecef5a72116299b5bd0eca7fb7326

    • SHA256

      7f08f6ad11231c5a9fe72a1c6cc9cbb44affebd845449fcd79be82945de53170

    • SHA512

      6bd03043ff804b5ea33297295737269169d35b932bbd76861c9b6eb0257c7db91683d30956155db357928bb3a15e853f13603b1f241eb2053f0b520cffe6ecb3

    • SSDEEP

      12288:sqAJ/W7aHBYz0QGhRYJfozf7orV/DCGzZqOAOm0J5t7gYhn/wyMVDZfDrElDOlpE:sBtQYTHorVbrm0ddBxMnf

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      7f0a89c07b9469213af04a10fe708088.exe

    • Size

      18KB

    • MD5

      7f0a89c07b9469213af04a10fe708088

    • SHA1

      7685d07deda4a01a8f321297e3c80665d583f008

    • SHA256

      b2d8642a5af12e05830c92b8aa92cd7656a7bb9da69ce5f29b6af5bb3b250ad4

    • SHA512

      9258bf8057fb1e8fa5e901f5e08f327ece6b3f903cf3a0d0e9c25377bd58ed0a83b62defdeaac1814c905a9dae9a03e64b3db3233569fd1eb653bf8f9c5f5065

    • SSDEEP

      384:6PTjhUiZtSPbFBwFIcNcxSRcL9IXBUdhmfTkK6aHv+q:66i+Pb9xSRcZwUdQTF

    Score
    1/10
    • Target

      7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907.exe

    • Size

      8.6MB

    • MD5

      22852f82d88f9583ff3f02d8dd9e2987

    • SHA1

      12584d0de1d2c7a74677969075c93cad2124edc0

    • SHA256

      7f4990caad41dd3228d704682f251b6144a6e406233c1e3003548230e2243907

    • SHA512

      247e76e070b196aab063951c5635a1bb4193af70e5aec88bb82b8865a2b91d7f3095d8e64320f66e654241185a3c61610dff987a0f47db6277cde43996fb9ff5

    • SSDEEP

      196608:3/8c9MdCTp3PWQ7iaa+8G5KQHqUPpWPMZkJE9CHGxxL5HIJ64pEWEVci5:0c9NkCT75Kwq+WPMZk8hN/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23.exe

    • Size

      1.6MB

    • MD5

      ec20848f83db3017eaf15c4f841fddc5

    • SHA1

      3f46877c232c250f7538c26b863497d7c0ffd538

    • SHA256

      7f584766e94303d6696bd25553d1af482a2c92f9a51dceb6a4159f9c82d06c23

    • SHA512

      d00d7f760f5966860a0eb4233c9d5b0bcdd2c28ccc64099e5fd728b15c08b524aed4f897244415815d31526a4ca8e5779bf137522610d9565abed8cf9fafa03e

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

    • Size

      885KB

    • MD5

      7f653aa47f3ef4d091f38ed9e5dcc6d4

    • SHA1

      68ec9ab071cd6429ff3da60901ca80b283a7943a

    • SHA256

      91e17c8d5d7f65ef395f929f499b1d53eeabdc4cb909a3bb5eeeea0e470214c1

    • SHA512

      3622e31c5d688dbb7b247a0d43d7ea0f06b7710a1b92ef176c7c0a137b08bbb3b976ac7aced4bec393107c88a8d851d4073d793d56b3c4b6d69dd028265f357d

    • SSDEEP

      12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      7f99ce9b97f5e577b97470637c426ee0.exe

    • Size

      1.1MB

    • MD5

      7f99ce9b97f5e577b97470637c426ee0

    • SHA1

      c16808d9fc554b1d04ab03d52d83efeabd2cba6c

    • SHA256

      ded649aab619195cd663469dcb4078dcf02c1e1aebd42cdc5e189fb8242a463b

    • SHA512

      f13faf3eb02b844dfa2c78c7f84aecc13721d3fc9632ba25c14e69b59af7c78910a084007c857510859a5e08f4fa8ab177bdf13aa9e2be205df5756d5aa0daeb

    • SSDEEP

      24576:f7R4MROxnFl3czErrcI0AilFEvxHPgook/IRx1FPDRyRAVy5p:fSMir1rrcI0AilFEvxHP7/IRx1FPDRyZ

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      7fa6bf4f199a845715d9f5807a98d9ab.exe

    • Size

      885KB

    • MD5

      7fa6bf4f199a845715d9f5807a98d9ab

    • SHA1

      25652948f2c3d400323873cb41bbc6b2b609d96a

    • SHA256

      06198c97d0afdc17232dc3ffc8d5b23b5b97d82cf01bcdf8ef1236f08812e702

    • SHA512

      99a56b7ddd2ff25d220e25c2ae1b0b92d8ee68313b54a23a937587e2677a9a776b8e55593c9b9dbd3b01c7365d006bba81066c747398afa6f23a53f9530b276c

    • SSDEEP

      12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      7fb245795f7540f7ab7dbf23fdb5ee72.exe

    • Size

      55KB

    • MD5

      7fb245795f7540f7ab7dbf23fdb5ee72

    • SHA1

      01c1864b8c4f7c49913d799712f54f44507ddccb

    • SHA256

      9da84a7949153a0962b62d09651c229ce2edf4ab4d21a2397a76572cba3c3550

    • SHA512

      135e929fc40b5d759352731d20ba54fb20e09c20d7cd51b544668883f2a4be69b08cae77c194fa4a169d60023a210b7b161721d30f4d4dc624702995be5a3397

    • SSDEEP

      768:gQveeHj9vyO3j1WocuJS2Iro2X6W0rkKeGcjOYR5:dvfjJyO3ZWocsS2ev0IKeFzT

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      7fb519a181f51d55be0957d1753891e1071649a1689db7752d9d0c64707f031c.exe

    • Size

      183KB

    • MD5

      e4c82a17f7fdd8fdaa1d22b2dfb13015

    • SHA1

      311e63512d52f64e4a2d6bf00c5b0c10dc3ee548

    • SHA256

      7fb519a181f51d55be0957d1753891e1071649a1689db7752d9d0c64707f031c

    • SHA512

      cd2f4e5422200e8f2449d495ab8d87385a142506509a3f799778def0955967a5c4551f7edb68de5fc3021bf8b60740e6068857111248fc6602f8f652c536c1a4

    • SSDEEP

      3072:yx+a6Cn3qwPkyAe3+rQN9qjYeuPD0yA3uWljCDtF5U5C6gHls/59b/nd:op3qwxveQJeb5eWlB5C/6zbf

    • Modifies WinLogon for persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe

    • Size

      28.7MB

    • MD5

      e1fab30f7a0dfbdc2a055e46529c46c0

    • SHA1

      d582f641b44910227d748ae07e4ffc2a096a65ea

    • SHA256

      8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda

    • SHA512

      0bf8882961deb2876aa86ffe409c3f0e459bd5a8b4020273e39c51c1b790a29db9a8af87305c79eb71241019de5b5643c7afb8c12325e24d4d35a494cb7a657e

    • SSDEEP

      6144:78AVcrit0NZuJl1e6VlWT8b9vb+zE1P78doDbG5/4/1V1hQ:78A+GhPVle8Ezbdoup4tV1hQ

    • Modifies WinLogon for persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe

    • Size

      8.8MB

    • MD5

      81b063116bb27dc9ce34885c7e52536f

    • SHA1

      596f067c80e5bb03298c90529b0890236c936130

    • SHA256

      8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262

    • SHA512

      7bc8d106498dfbe1f1679c94e0ab0fc112bdced14cb690deb2a1c8cb69e414a252e1cf70a902711ec03bab037520ce3bca9da3f57c16e1c9faa2f56f44632b86

    • SSDEEP

      196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUJ9quict4Z6XfspX:jxSZrxSZExSZfU+2aJDSgJnmqukY4ZoO

    Score
    9/10
    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      805bf5f6bd7c02b7949531ed13029fde.exe

    • Size

      1.9MB

    • MD5

      805bf5f6bd7c02b7949531ed13029fde

    • SHA1

      5b05c1ba4b97b104772e683a75fe25ff527b6f57

    • SHA256

      6a208a1038733f97141f540e04a2cd5a2f364191c341ef5c5bfdaa7e39f995f1

    • SHA512

      bef22c52bc45b96377bdaaaacba0f623bf1b505fb75bd8c1352f873a30da76e78fb90ccd693a4f184365ff2818857ca386acbccd367318fd9063d188e52b3a69

    • SSDEEP

      24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, venom clients, office04, asyncrat, dcrat, orcus, quasar, xworm
Score
10/10

behavioral1

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral2

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral3

discovery, persistence
Score
6/10

behavioral4

discovery, persistence
Score
6/10

behavioral5

asyncrat, venom clients, rat
Score
10/10

behavioral6

asyncrat, venom clients, rat
Score
10/10

behavioral7

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral8

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral9

vipkeylogger, collection, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral10

vipkeylogger, collection, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

xworm, pyinstaller, rat, trojan
Score
10/10

behavioral14

xworm, pyinstaller, rat, trojan
Score
10/10

behavioral15

dcrat, execution, infostealer, rat
Score
10/10

behavioral16

dcrat, execution, infostealer, rat
Score
10/10

behavioral17

dcrat, infostealer, rat
Score
10/10

behavioral18

dcrat, infostealer, rat
Score
10/10

behavioral19

orcus, discovery, rat, spyware, stealer
Score
10/10

behavioral20

orcus, discovery, rat, spyware, stealer
Score
10/10

behavioral21

dcrat, infostealer, rat
Score
10/10

behavioral22

dcrat, infostealer, rat
Score
10/10

behavioral23

njrat, hacked, defense_evasion, persistence, privilege_escalation, trojan
Score
10/10

behavioral24

njrat, hacked, defense_evasion, persistence, privilege_escalation, trojan
Score
10/10

behavioral25

persistence, privilege_escalation
Score
10/10

behavioral26

persistence, privilege_escalation
Score
10/10

behavioral27

persistence, privilege_escalation
Score
10/10

behavioral28

persistence, privilege_escalation
Score
10/10

behavioral29

defense_evasion
Score
9/10

behavioral30

defense_evasion
Score
9/10

behavioral31

defense_evasion, execution, trojan
Score
10/10

behavioral32

defense_evasion, execution, trojan
Score
10/10