General

  • Target

    archive_40.zip

  • Size

    79.4MB

  • Sample

    250322-gzw9nstjz2

  • MD5

    6591087e80d04595967163bca4a5b00f

  • SHA1

    7135ed4ee1b485f89696336815bbe8d96d227a0a

  • SHA256

    400c24bdb9b7dabfcd9a8a2f137550f338014d833d169c6e6f4252910fb95feb

  • SHA512

    c847d9ebe642c273e4e53b097dd628bf892c895aee26403ef286884bfe9db5b5a3e5e6130fb8b326338d1ea51ff509d353204240794d40bf01047cefd08942c8

  • SSDEEP

    1572864:0beQOGclQtMC+Ksv3wlpVSoJf4ZnKEiIxenPwb36DceldoNaqsGEBelPR6TmmjOQ:0iQOnQL+KsvAlpZf4ZKfIxenY3XCFqs7

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3230

are-typing.gl.at.ply.gg:3875

Attributes
  • delay

    1

  • install

    true

  • install_file

    Serial_checker.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

147.185.221.27:3368

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    Update.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.12.5:5552

Mutex

4631b9043838855d15e94d65a5dddc5b

Attributes
  • reg_key

    4631b9043838855d15e94d65a5dddc5b

  • splitter

    |'|'|

Extracted

Family

nanocore

Version

1.2.2.0

C2

googlehost-main.onthewifi.com:1604

lilytest1.ddns.net:1604

Mutex

07c7cd9f-9d77-4de5-a0d8-2f67b21cf007

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    lilytest1.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-12-30T17:55:27.534639236Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1604

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    07c7cd9f-9d77-4de5-a0d8-2f67b21cf007

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    googlehost-main.onthewifi.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

xworm

Version

5.0

C2

tcp://makasin123-34642.portmap.host:34642

Mutex

CPMaL5z0Q3BBFjUJ

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

aes.plain

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Targets

    • Target

      a200ccdf59ff84f5065f7d978cedcb7cc882fa0480f3e5738183e732111353cb.exe

    • Size

      391KB

    • MD5

      cb665657a3869ae70a3c5efaac453a12

    • SHA1

      b7979b97b7b95d82067dd51543cd0dd7778a6665

    • SHA256

      a200ccdf59ff84f5065f7d978cedcb7cc882fa0480f3e5738183e732111353cb

    • SHA512

      3c2a182a6900ba092445bd89835e4d1f53c45d54613aceb93543f204effa9efedfe4f86422199ee7c5444240d1d0e60d071f2e6d478a3da250e73373933395a1

    • SSDEEP

      6144:aQxR8ifcCpIe6VlWT8b9gqcr+k1QWvpqIbWRIwWJ:JxRJfcDPVle8+3r40pq6

    Score
    1/10
    • Target

      a24432a43960cdb6f6f7f18467006139.exe

    • Size

      6KB

    • MD5

      a24432a43960cdb6f6f7f18467006139

    • SHA1

      fad0c86b81c532ba6bb7b4f03b982bb31c2b346c

    • SHA256

      66d11e312209af785ae2369dd9455e0e18c8600a4516cf83c41b21cea938d912

    • SHA512

      964fc963968c9a9a4ad10f31b7e4b7af64ad0c55056b5dc38197d6e4832914d0f2b95a5929b89461adc42540135a33ff0ba08ddb392e175d81763b33ea88598b

    • SSDEEP

      96:XEp183UrouurLSDgmcKW+XJqT+DhpuzNt:XE/83zuTgmfRqTco

    Score
    1/10
    • Target

      a261b01eacf8494cec58f0a20d573d35.exe

    • Size

      26KB

    • MD5

      a261b01eacf8494cec58f0a20d573d35

    • SHA1

      b0fd7110500b3b8e78514dc7c024b5e4c0d2329c

    • SHA256

      33139f448f54b18034b40fa25ff8b8e068d790f40d038c37cf6a410be948fc3e

    • SHA512

      a6fa275542ab0eb1e036f9a62f7ac6f613cfce813fe72c30223b69b5c404ab713d357529fe4bb7c1ce9999aa92e3aebd78ff31282387b277f622cca339e8c03e

    • SSDEEP

      384:AftWZPzzxAm1vmHZVJ2s3HlMDwX9YNlIOy5o91ih082vX:L7zxAmyZTnce9Dho9QO82v

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      a277e4ef1921464c0cfaec6401b3189e.exe

    • Size

      1.9MB

    • MD5

      a277e4ef1921464c0cfaec6401b3189e

    • SHA1

      9799231c048b98a296f50ed54f8e476d494243f1

    • SHA256

      d50231e7365521c9292cc1a1a08f7f5a3931097ee03607fb2f7e1a6ca6ed1643

    • SHA512

      e539ea5e9c36227b18ca8196290d50d898a9e1dcc242a590f57ccf3d534fc137fc88174f47348b0098f392c19280e10f79af4e453ffca344ca8dcc4f9afa3aa4

    • SSDEEP

      24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      a2c94b545313da9045688c2829942864.exe

    • Size

      490KB

    • MD5

      a2c94b545313da9045688c2829942864

    • SHA1

      58e891fef526b56e14e9a00410314f29ed2adbf2

    • SHA256

      3d0625dd449a820fe8bcc1d9d941ebf7ca64e8ada2f2dda1493e31fad8f9ce67

    • SHA512

      11a76466143dcd1b0e075c1ceb43eac72910e423807f2da5e35071e207d2fdec312156ea36aacd6f72865adc4e69de549cc48185282c7c5b7803aeb27c5e7b09

    • SSDEEP

      6144:Y/bEd8CMqRmP+lFxOKKIrX4svtTGUrsQsKE9khDf5Wgy0R/E2Sq1eYh8IvA:OevMqwWlDmHQJ5HyaEDq5iIvA

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      a2e433f395cc3b1c1ccf0cc50a676434.exe

    • Size

      1.6MB

    • MD5

      a2e433f395cc3b1c1ccf0cc50a676434

    • SHA1

      1995c6f844060333376d1cbf7a20bacbc8d713ef

    • SHA256

      259c93890754af6391901806acbdf6215a3f5210cb9a27fa6852f5c0aa73435b

    • SHA512

      a5433232b4cd34e56ead2e7c04ab3290545e7dd93504ceac92b7ce5b090298b31245ac336cae789ec5419abc5d4e00bf6c0111456f5b772aca5e8deeb346be81

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Target

      a2fad1a0523c112ac6e3c50f6d52a6e6f095ed7b92c1471cd01014a46686d495.exe

    • Size

      588KB

    • MD5

      05260b132406733a531bcc13f51df6c7

    • SHA1

      9fb646c8902603698afa1889751a244276586845

    • SHA256

      a2fad1a0523c112ac6e3c50f6d52a6e6f095ed7b92c1471cd01014a46686d495

    • SHA512

      210063f3bbdffd415175278cc5049c06d8c63f1aab294761a2d2c6e1190c3cf0b33e7270130a841fd3895a2c9d5cdd84779712d69258abfbe972c48e3bd33eb8

    • SSDEEP

      6144:PtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rc:Z6u7+487IFjvelQypyfy7c

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a30ce01ad9f6493d46ac928557bcdd4d.exe

    • Size

      373KB

    • MD5

      a30ce01ad9f6493d46ac928557bcdd4d

    • SHA1

      2c97797dac7e4139bc56c0374886c78cb1f1e2ea

    • SHA256

      6d6bcd0687dea7214a7de4e162276b1505893f54fc1594fa917b20710f4234b5

    • SHA512

      9101a89bad9b1a6f3c789526ea1a02ca04fd84188027979b192c720664ad5dcfff224cdfb8c3e4f7dbddf74d34fb37d751e2a544d286210c1e6940a2f7474459

    • SSDEEP

      6144:tyMIULPy/x3xUArN62f7GU7njrbma/3LaQURrM2TuP6zJcN:XDy/xhUAtf7tjrbma7OJxuSz2

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a31ba0b291554684b4a097371669bc4c.exe

    • Size

      1.9MB

    • MD5

      a31ba0b291554684b4a097371669bc4c

    • SHA1

      0a5034d116b71c1a99879ef632962026b5b774aa

    • SHA256

      0bfce2cf34dbbf853a1171acf4ac9e2802d3e67285222bcf8d43dffec50b6593

    • SHA512

      8d8c96ad82f63aa8f7f3345d3905f5eff42cc3d8b50822036e128b9f886777cf475962161c3c308ee4867b05a5ef05b52d68be3e317b6a9505029c4f03547c67

    • SSDEEP

      24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      a340d849cc988d5d06f7e30143d62c86.exe

    • Size

      63KB

    • MD5

      a340d849cc988d5d06f7e30143d62c86

    • SHA1

      3bf172f21f8291c408e34ec8cedb2aa3db55861a

    • SHA256

      0ec25e2bfb539e7fd9445ea617597e6e6d64f8c49c54f105091fc0763cc154b4

    • SHA512

      96abc6657b576bddd6bc46d7344dc2d033cd120e8b7a569c7949f98251c7b688274f747a94f978d3d06130d9ae9fc3c72e88b265fb85be2093029d06580a2baa

    • SSDEEP

      1536:lUFBzZBVrhJPkYUbjh9oM/JlXup4pqKmY7:l0VBV4YUbjE8JlMjz

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Target

      a34ed8c9896cc074e235b2c4116871d1.exe

    • Size

      78KB

    • MD5

      a34ed8c9896cc074e235b2c4116871d1

    • SHA1

      48fe165883c1de2bedfc07518ac2115b1a2c991e

    • SHA256

      02a52e9110db06f80b86eaa21c0de7cbfbc484c97986634bd8ba74854d839a52

    • SHA512

      375b6da19078fb908ba6ce6d8d11b36d360bf7f6daba622a068c21a18eb3714244086958a8d7cef4f905848b5a360d940b87f2c2a54ec582b294603c8f2d323c

    • SSDEEP

      1536:lPy58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/G1dS:lPy58An7N041Qqhgz9/X

    • MetamorpherRAT

      MetamorpherRAT is a hacking tool that has been around since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      a39a36bdb616e78fd52282d03b4a53eb.exe

    • Size

      565KB

    • MD5

      a39a36bdb616e78fd52282d03b4a53eb

    • SHA1

      87d644ac292ff75990b53a9f887e04dffdb62884

    • SHA256

      ea1cc37fb109e783d59d50c015e423e4b7fdd5b3d262f769b49a5240b3bf1354

    • SHA512

      31e72a07ddf3ed84b37f1723cb2db30b15c2bb85ff879b31802b299a4949082773fe558bc8c97650aecd7acbfda897328df3cac66d40d60a2c59ff7dda107724

    • SSDEEP

      6144:jtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rigZc:l6u7+487IFjvelQypyfy7igZc

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a3a42aeb37eef56ad6d6e839ecf90e7f.exe

    • Size

      771KB

    • MD5

      a3a42aeb37eef56ad6d6e839ecf90e7f

    • SHA1

      9f5ade0a3c14c48be3f2cb2e70b1d8c802b66f94

    • SHA256

      eb9e4be2a79a9c4bcb60bd1595d9215b6cd3353470fa7c89ab93dcf4ea260da0

    • SHA512

      edf56ff173ec9b19aae5ed6ce89e79e7b809f901119214047196ff0e9e9a87fe18bc8bc6275fe22dede3f0b1e4cefe42c6d166fed32def1de9d9c80437e6f0ac

    • SSDEEP

      6144:mtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKA:K6u7+487IFjvelQypyfy7cnKA

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a3a62b600d751eaaf32c95c6c03ea74c.exe

    • Size

      63KB

    • MD5

      a3a62b600d751eaaf32c95c6c03ea74c

    • SHA1

      34e91af8d3b9c2e8ebb66704ed49d7105fa2927a

    • SHA256

      7ea212ddfba458eeb29a6db1956cf60868ab4e8b6c57596634c1d272c3b61259

    • SHA512

      768d9241cc1af5a697a45f6622f1344ccb3723a0353dbde5629f2c7ca45d8c106f1c2ee9410cebb6629d406fef898a080c71012ff1b3b22c3456ab7d3572d356

    • SSDEEP

      1536:uh0JL7VQky47k8FJeeiIVrGbbXwp3aG4QpqKmY7:uh0JL7VQky4nFceXGbbXYKLz

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Target

      a3bf76de6495ca8e41bd7204f50b00be.exe

    • Size

      23KB

    • MD5

      a3bf76de6495ca8e41bd7204f50b00be

    • SHA1

      343f912c9bda0aa4bf471a851af48ffd90af1782

    • SHA256

      51ca941c0fd4f1b9de7bbeabce565bc966fb9c37cafc74ab2b5a9c301f4c30df

    • SHA512

      0c30731d26ae612725a78dc63f21a5fbde96901f4f1ef7102f9da61c9b6c90a9c5c417854991562b2baa601d8c52e74ece95d6e7b571af73d97e86e5f62a29a4

    • SSDEEP

      384:Dwz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZgU:oTbC81NgRpcnu+

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      a3d1683844f5211b303b529b3dfa6c87d9ecc37f8806097d5792dd394d52eb56.exe

    • Size

      220KB

    • MD5

      485d26faa5a5e191362df89c3705d130

    • SHA1

      414705f6c6fd08671a9e8a9134242f4f0b177497

    • SHA256

      a3d1683844f5211b303b529b3dfa6c87d9ecc37f8806097d5792dd394d52eb56

    • SHA512

      daf726b29167875dfcebe4c1ec91e39fb81936c27548d995a417a9101891fc16f21a49ea81ede606d5529b0950bfbc6306ab8866ba0c97a9a20dc7f42aef092a

    • SSDEEP

      3072:TzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIyCYMFPAGTwjgaxODOeSQcY/Up:TLV6Bta6dtJmakIM52Nr8PxtPY/1K

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, default, venom clients, hacked, chaos, dcrat, asyncrat, njrat, nanocore, xworm
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

chaos, persistence, ransomware, spyware, stealer
Score
10/10

behavioral6

chaos, persistence, ransomware, spyware, stealer
Score
10/10

behavioral7

defense_evasion, execution, trojan
Score
10/10

behavioral8

defense_evasion, execution, trojan
Score
10/10

behavioral9

spyware, stealer
Score
7/10

behavioral10

spyware, stealer
Score
7/10

behavioral11

dcrat, execution, infostealer, rat
Score
10/10

behavioral12

dcrat, execution, infostealer, rat
Score
10/10

behavioral13

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral14

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral15

discovery, persistence
Score
7/10

behavioral16

discovery, persistence
Score
7/10

behavioral17

defense_evasion, execution, trojan
Score
10/10

behavioral18

defense_evasion, execution, trojan
Score
10/10

behavioral19

asyncrat, default, rat
Score
10/10

behavioral20

asyncrat, default, rat
Score
10/10

behavioral21

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral22

metamorpherrat, discovery, persistence, rat, stealer, trojan
Score
10/10

behavioral23

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral24

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral25

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral26

collection, credential_access, discovery, persistence, spyware, stealer
Score
10/10

behavioral27

asyncrat, venom clients, rat
Score
10/10

behavioral28

asyncrat, venom clients, rat
Score
10/10

behavioral29

njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral30

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral31

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral32

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10