Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

90ed1454b8...38.exe

windows7-x64

10

90ed1454b8...38.exe

windows10-2004-x64

10

91570920da...cf.exe

windows7-x64

10

91570920da...cf.exe

windows10-2004-x64

7

915c452bf2...b6.exe

windows7-x64

10

915c452bf2...b6.exe

windows10-2004-x64

10

916cd92d3a...38.exe

windows7-x64

10

916cd92d3a...38.exe

windows10-2004-x64

10

916fbe67a7...e3.exe

windows7-x64

10

916fbe67a7...e3.exe

windows10-2004-x64

10

91cce1a9f4...6a.exe

windows7-x64

10

91cce1a9f4...6a.exe

windows10-2004-x64

10

91d2e3f758...f6.exe

windows7-x64

10

91d2e3f758...f6.exe

windows10-2004-x64

10

91d7fa8d89...52.exe

windows7-x64

10

91d7fa8d89...52.exe

windows10-2004-x64

10

91e6d47bd8...cc.exe

windows7-x64

7

91e6d47bd8...cc.exe

windows10-2004-x64

7

92105c7a3b...24.exe

windows7-x64

7

92105c7a3b...24.exe

windows10-2004-x64

7

921421b7f5...09.exe

windows7-x64

10

921421b7f5...09.exe

windows10-2004-x64

10

9221b9eea3...3c.exe

windows7-x64

1

9221b9eea3...3c.exe

windows10-2004-x64

10

92324d5776...05.exe

windows7-x64

1

92324d5776...05.exe

windows10-2004-x64

1

927cd0bd1a...b8.exe

windows7-x64

3

927cd0bd1a...b8.exe

windows10-2004-x64

3

92efd55895...78.exe

windows7-x64

10

92efd55895...78.exe

windows10-2004-x64

10

932a9096cd...eb.exe

windows7-x64

10

932a9096cd...eb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_36.zip

  • Size

    43.5MB

  • Sample

    250322-gzcv2ay1a1

  • MD5

    052f3f0f8dc33f830c33c669f501eb89

  • SHA1

    4798b5d67f11066ae072b4697838ca7fa5f10c6e

  • SHA256

    5307ce2390d7c4bfba56c3f519dfcf29d7a5e1752150847c43b6d94d5a9e0ffb

  • SHA512

    ff44a445bcc47eecf7605b71f004e1ccf27c5c241fbc5cdec0de0f9dba8844f212fe7819ee4ba2642df392e0ef9d449661171480ef58bcfb7e28100519e61161

  • SSDEEP

    786432:NayQ37eoEMsjaOAU8EfZlg//yxNrPal07//yxNKyfHd+54J2U/i:HQrEtjoU8DaHVrazK

Score
10/10
asyncratdcratimminentlimeratmetamorpherratnjratxwormdefaulthackedcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

design-shipped.gl.at.ply.gg:2938

Mutex

v6oCqftosMfufC9R

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4444

Mutex

wexjwwmjkm

Attributes
  • delay

    1

  • install

    true

  • install_file

    g.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

3.0

Mutex

Cr8HKuApCXnXgH6p

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/jV6dpDfD

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.1.3:1177

hakim32.ddns.net:2000

127.0.0.1:7777
Mutex

d2dc16a9135398a3915a035274a224da

Attributes
  • reg_key

    d2dc16a9135398a3915a035274a224da

  • splitter

    |'|'|

Extracted

Family

xworm

C2

127.0.0.1:2980

consider-sensors.gl.at.ply.gg:2980
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svhost.exe

Extracted

Family

limerat

Attributes
  • aes_key

    1234

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/euvvTAtq

  • delay

    6

  • download_payload

    false

  • install

    true

  • install_name

    csrss.exe

  • main_folder

    Temp

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      90ed1454b881cba4ecd9b651325d4638.exe

    • Size

      78KB

    • MD5

      90ed1454b881cba4ecd9b651325d4638

    • SHA1

      26bbba7eac5362ddc6298af80061c885f1c9b2e7

    • SHA256

      62ac8026e108b28ce691b285d53374e0434ae08dea0fd8837f239c6858b40be0

    • SHA512

      bad4b9e2b79f8894c5ffdf943d2bbee79e42b25bcb42515bd50c7fd46d7de8c129571f285a5c0823399b85d1edf99966e775aad82c71c20be7406198823a845b

    • SSDEEP

      1536:i5jS6dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6e9/Hp13l:i5jS1n7N041Qqhgl9/H5

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      91570920daa6ee3c5d03da7664cb620ac5be5038ac64a295811ed8349b5d3dcf.exe

    • Size

      579KB

    • MD5

      38f3e0dd8421dbfd12de577c02ae99f3

    • SHA1

      5b35e3629e60e952e9ec4910a9ced8bf24d3f06e

    • SHA256

      91570920daa6ee3c5d03da7664cb620ac5be5038ac64a295811ed8349b5d3dcf

    • SHA512

      efc2829b526f19600a3153297ef204b2820ba3117391a8b33760f39e180c5782b94c6b2dfbb16a9ca0416cb9b91302176f0f0c6f5f184be9584308f62c54dfd8

    • SSDEEP

      12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7M:rBJwdhMJ6ZzHrfcsMGTfZ5PM

    Score
    10/10
    imminentdiscoverypersistencespywaretrojan

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

      trojanspywareimminent

    • Imminent family

      imminent

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      915c452bf258459048ef8813fe2586a7b3c85ae7438fcd9bfa6da3a4017a08b6.exe

    • Size

      2.0MB

    • MD5

      36d39f96697aecd3fc5a465d4db663b8

    • SHA1

      2a2201725368c253784a4d05f6e676ac5c10aa9e

    • SHA256

      915c452bf258459048ef8813fe2586a7b3c85ae7438fcd9bfa6da3a4017a08b6

    • SHA512

      75b6de4d9d2461821f2e313572f28163254ce9eb6456d5c4cac91efc7ca96ba60087bbcd69dfe8ba382f4c2fd3d25a567309a4881890e781bd9867dc6006b309

    • SSDEEP

      49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral5behavioral6

    • Target

      916cd92d3ac28dded1335ac06764e138.exe

    • Size

      39KB

    • MD5

      916cd92d3ac28dded1335ac06764e138

    • SHA1

      723a0815fe64380ccb2d5b3cc8dd4715cd0167cd

    • SHA256

      328d960f3c75b7870f97ade069315809dd1649966cce248d85d64f191147da96

    • SHA512

      349bee4b9192224122943633908dab1478ef8014202155b1be53115c291b480d3021af69f16623a8683b09bb3b680548b4ee751f90e90330b2baf8f9acd53195

    • SSDEEP

      768:3F0D8dYqSKMY69IUGBhOq2MGoi4QX6U0XkdIyFZ89slrXJ6KOhhbu2:3Fw8dYqkY69IU4h4b8Q6U0XUFq9s5Z6D

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral7behavioral8

    • Target

      916fbe67a7968d2b65d54ae3ce72f3e3.exe

    • Size

      78KB

    • MD5

      916fbe67a7968d2b65d54ae3ce72f3e3

    • SHA1

      c27a2635f22db2401953554e9b958499c850ab23

    • SHA256

      720b0f321e77a1ab8e5bec4f33644e9cdd97f571a3bc2468b327ee85d4bca09b

    • SHA512

      a1db5956ecaf3ea4550e890a604753d04587761d09de54d3682cc5f79433dfb29d49f499d85904c7c14a20650d7443385ee8d7c2ddfbc0ffeab0936a34247444

    • SSDEEP

      1536:+Ry5jEdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6HM9/O1Gl:+Ry5jzn7N041QqhgUM9/9

    Score
    10/10
    metamorpherratdiscoverypersistenceratstealertrojan

    • MetamorpherRAT

      Metamorpherrat is a hacking tool that has been around for a while since 2013.

      trojanratstealermetamorpherrat

    • Metamorpherrat family

      metamorpherrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence
    behavioral10behavioral9

    • Target

      91cce1a9f4562b0cd73d60203cebb76a.exe

    • Size

      74KB

    • MD5

      91cce1a9f4562b0cd73d60203cebb76a

    • SHA1

      7c292b693357b1e6d33754b2ffb2130d9dbc7941

    • SHA256

      b529dd5db79c9860acbf6e87056e8e8f9fbc298b66e2b4cb8d4e495d9c61178a

    • SHA512

      72bd1d4dd8f5512110afab35782915b9b99fcbd80c254fe5034fc724001a12e29e88313d9eb8cdc458931676123119f886d3afbcfc401027e6af21892639768b

    • SSDEEP

      1536:aUNccxRFxCSjPMVGDvUWMI/H1bX/tQsCYV1QzcaLVclN:aUOcxR39jPMVGDvzH1bXv1QLBY

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat
    behavioral11behavioral12

    • Target

      91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

    • Size

      1.9MB

    • MD5

      98666af3ef6ab2bcc4a5b3153a2e8d78

    • SHA1

      b936c266aa4b4b85c113321fead31164955b8fa9

    • SHA256

      91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6

    • SHA512

      29ac1f9ad8331924e8fc7cb964b5e417d957b7597347103196739b520dd7523c2f5836830cb98976ccd1af298809bf1a5529c46f879f4dd563a91d215d67d238

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    Score
    10/10
    defense_evasionexecutiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral13behavioral14

    • Target

      91d7fa8d891f603b35c77da7fcc4c552.exe

    • Size

      1.1MB

    • MD5

      91d7fa8d891f603b35c77da7fcc4c552

    • SHA1

      1b241b597c2d0b386e42f25e1e22372265ff06c6

    • SHA256

      2ff54b9f6860a5d362ef776360ed7a7f3c4da0f1dfce7493caa631e50c87722c

    • SHA512

      27cb44233fed4fd6aadd8f1100501ced417614a80a3e74bec5e3ff6d9c73bb7ed85b1885dc129a4f633738e489a85aac980b7238abef0ea10bdcb0df59d0a735

    • SSDEEP

      12288:Z49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:ZngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral15behavioral16

    • Target

      91e6d47bd804e58a4e160993dfdfc3cc.exe

    • Size

      7.9MB

    • MD5

      91e6d47bd804e58a4e160993dfdfc3cc

    • SHA1

      c273d38db777c882addc54c595e392b587aaa980

    • SHA256

      7480338642edf06769bc62a28e084eb5cd9487868f95543337ebe8a9c32c7093

    • SHA512

      ae0663df09766e33194f844d101f072ecf8af8af4081897256dea24bbce1b3ff38473dbf80d23e7eaf74930f0d42a6b45a80930425cbd43e3e8daade219a2a62

    • SSDEEP

      196608:G9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZB2:GmqbhrEbn87eZsFmq+6

    Score
    7/10

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral17behavioral18

    • Target

      92105c7a3b72655063939b49b38e6567d6703ed95f694cab2247bd9832706524.exe

    • Size

      580KB

    • MD5

      14a1d1d1f278cf5a9328b85042a7b53e

    • SHA1

      02f07febcec2e624af7fd716163cc2575390487b

    • SHA256

      92105c7a3b72655063939b49b38e6567d6703ed95f694cab2247bd9832706524

    • SHA512

      1dbaa9036168f7438a146323b4e481eb52d922de35e61c1c1366cdd6ba39a67e5abd0fc1a7c6161e77c559ba3b6f5c6ea8656e51c8b2812e20f49bb203a17e33

    • SSDEEP

      12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7Aj:rBJwdhMJ6ZzHrfcsMGTfZ5PAj

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral19behavioral20

    • Target

      921421b7f5be88eb661517835c090cd8a2fdcdfc69154d129c70ffa36da54809.exe

    • Size

      760KB

    • MD5

      053986350cb339771876565d97721fbc

    • SHA1

      cb7f1385290a6d61cf998aa54e04ebec91d6632f

    • SHA256

      921421b7f5be88eb661517835c090cd8a2fdcdfc69154d129c70ffa36da54809

    • SHA512

      b9cd9a3b32f6484fdfb488625fc5c16ce44df1addccda372cfd91eaa3e6f3be920866df8572985ce14c8e4e5768bdb7467a1b206c3c22379b82c109e32622c9f

    • SSDEEP

      6144:3tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKHe7:R6u7+487IFjvelQypyfy7cnKHe7

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      9221b9eea367a2434dacd850f7b30b3c.exe

    • Size

      44KB

    • MD5

      9221b9eea367a2434dacd850f7b30b3c

    • SHA1

      27e3744c79b246b4fe2cf9c360bc47673c069603

    • SHA256

      753d2498922e1be3c44270f548307720c6b645a74a8c40a801ce789493cd8684

    • SHA512

      628295449f91fbd4eb478336f16eb5d999899ef1709b67d71873c8d95f35e2dfa088d04050786e80a7d65c4d644f91986deecaa516ff43d5b7e067073c196974

    • SSDEEP

      768:dX1g7W5yeUxFjFUCRvTUQBj0FbC1+wA0NChqaw5:dXKWo9xFpUIwFbq5A0Q3w5

    Score
    10/10
    limeratrat

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Limerat family

      limerat
    behavioral23behavioral24

    • Target

      92324d5776518f262a2ce8bfd8c6856500a9c454b9a8b688810f604111532e05.exe

    • Size

      349KB

    • MD5

      85757ffee213bc22964e3e7892e3bb66

    • SHA1

      72e5d7570a5a3490f7d04a0f350bdbedc20ab66e

    • SHA256

      92324d5776518f262a2ce8bfd8c6856500a9c454b9a8b688810f604111532e05

    • SHA512

      0dc3ed25fb61352d5f66611b410ff56ebac5172233419ab2f16c0052713e0ccc61fcf877f77f2db9078ad0e888dee559dcef55cc42361e0056e6ed48c068e6c3

    • SSDEEP

      6144:UOa9ozD9wI5fEae6VlWT8b9cMwaDeiXpXbqog4uV:baazZw8bPVle8W1iXp6V

    Score
    1/10
    behavioral25behavioral26

    • Target

      927cd0bd1a26a2158a18e48e682ba3b8.exe

    • Size

      3.8MB

    • MD5

      927cd0bd1a26a2158a18e48e682ba3b8

    • SHA1

      72be67b2403ae98b1ac7e497440bef17adcae955

    • SHA256

      e2ec608c43888cca3cf32dce6e0d04790216b6c3f728cee20f4dff84d6ea5752

    • SHA512

      647d81651cd008929b4a6e5ce01929d813979625b21c84fe8ddbbb43dd3c1777cfc2c0c9a0bf658d1a2236b7de948fd5e60bfafd49305483097557f948291589

    • SSDEEP

      49152:8X+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+FX+:866666666666666666666

    Score
    3/10
    discovery
    behavioral27behavioral28

    • Target

      92efd55895cd60b5057f3fb06ad84c78.exe

    • Size

      1.6MB

    • MD5

      92efd55895cd60b5057f3fb06ad84c78

    • SHA1

      b3217c713b801276d98065e1eca81868545ebd02

    • SHA256

      fd4af6cd1bb01129d61f2bb85c6f0e5dcb3c9cac02229988589ff93666be273c

    • SHA512

      5cf3918370d98a5492496f82e69bef529fb426879e3293808ead5bb2f97e0bdcd30d288b25438a8b2009f58fd8eee522d0f1bb46ce359518a09a50a47794ae5c

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral29behavioral30

    • Target

      932a9096cd16630970f2bdc5e6cb9aeb.exe

    • Size

      5.9MB

    • MD5

      932a9096cd16630970f2bdc5e6cb9aeb

    • SHA1

      52d4a032ac5cbdbb8bed5b401283c1b49201ca92

    • SHA256

      79edf19412f95a9de108ec3ccdbaa450eab559c421768ff53a184da9563fc190

    • SHA512

      5fd9f0de72eb989d27c3a46a6ff1e79a61576bf24089437d73e0c2eead05f3a14a326966d9176a993f2b7289bbfe70206ea001742517e24e23e108577694aaeb

    • SSDEEP

      98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4y:xyeU11Rvqmu8TWKnF6N/1wX

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

ratdefaulthackeddcratxwormasyncratnjratlimerat
Score
10/10

behavioral1

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral2

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral3

imminentdiscoverypersistencespywaretrojan
Score
10/10

behavioral4

discoverypersistence
Score
7/10

behavioral5

dcratinfostealerrat
Score
10/10

behavioral6

dcratinfostealerrat
Score
10/10

behavioral7

xwormexecutionpersistencerattrojan
Score
10/10

behavioral8

xwormexecutionpersistencerattrojan
Score
10/10

behavioral9

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral10

metamorpherratdiscoverypersistenceratstealertrojan
Score
10/10

behavioral11

asyncratdefaultrat
Score
10/10

behavioral12

asyncratdefaultrat
Score
10/10

behavioral13

defense_evasionexecutiontrojan
Score
10/10

behavioral14

defense_evasionexecutiontrojan
Score
10/10

behavioral15

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral16

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral17

Score
7/10

behavioral18

Score
7/10

behavioral19

discoverypersistence
Score
7/10

behavioral20

discoverypersistence
Score
7/10

behavioral21

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral22

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral23

Score
1/10

behavioral24

limeratrat
Score
10/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

dcratexecutioninfostealerrat
Score
10/10

behavioral30

dcratexecutioninfostealerrat
Score
10/10

behavioral31

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral32

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10