agenttesla | 53947cdc6ca591ccc866933e6d69a6861160325956ae0a284bb5d222f933e08e

General

Target

FWREQUEST FOR URGENT QUOTATION (RFQ).doc
Size

628KB
MD5

7040850c5f29b143eebfe32b97a97ddc
SHA1

20c428053d7d83ce23e7d6f3c48c4cd50e606ae3
SHA256

53947cdc6ca591ccc866933e6d69a6861160325956ae0a284bb5d222f933e08e
SHA512

827900885590850a2be455f6cbf6342535359ef2b132a6e12f7892dd038aeff0c80b1a3f08ca59b96ff2b6420372d34683c65d7b264374d0dfb597e5df300cef

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
utari.iixcp.rumahweb.com
Port:
587
Username:
[email protected]
Password:
#t.jTrXnOmWX

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1552-75-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1552-76-0x00000000004374BE-mapping.dmp	family_agenttesla
behavioral1/memory/1552-78-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1812 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ugopound1825258.exeugopound1825258.exeugopound1825258.exe

pid process

904 ugopound1825258.exe
1744 ugopound1825258.exe
1552 ugopound1825258.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1812 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1812	EQNEDT32.EXE

pid	process
904	ugopound1825258.exe
1744	ugopound1825258.exe
1552	ugopound1825258.exe

pid	process
1812	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ugopound1825258.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"	ugopound1825258.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ugopound1825258.exe

description pid process target process

PID 904 set thread context of 1552 904 ugopound1825258.exe ugopound1825258.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1812 EQNEDT32.EXE

description	pid	process	target process
PID 904 set thread context of 1552	904	ugopound1825258.exe	ugopound1825258.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1812	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ugopound1825258.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ugopound1825258.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ugopound1825258.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ugopound1825258.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ugopound1825258.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1104 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ugopound1825258.exeugopound1825258.exe

pid process

904 ugopound1825258.exe
904 ugopound1825258.exe
1552 ugopound1825258.exe
1552 ugopound1825258.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ugopound1825258.exeugopound1825258.exe

description pid process

Token: SeDebugPrivilege 904 ugopound1825258.exe
Token: SeDebugPrivilege 1552 ugopound1825258.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEugopound1825258.exe

pid process

1104 WINWORD.EXE
1104 WINWORD.EXE
1552 ugopound1825258.exe

pid	process
1104	WINWORD.EXE

pid	process
904	ugopound1825258.exe
904	ugopound1825258.exe
1552	ugopound1825258.exe
1552	ugopound1825258.exe

description	pid	process
Token: SeDebugPrivilege	904	ugopound1825258.exe
Token: SeDebugPrivilege	1552	ugopound1825258.exe

pid	process
1104	WINWORD.EXE
1104	WINWORD.EXE
1552	ugopound1825258.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEugopound1825258.exe

description	pid	process	target process
PID 1812 wrote to memory of 904	1812	EQNEDT32.EXE	ugopound1825258.exe
PID 1812 wrote to memory of 904	1812	EQNEDT32.EXE	ugopound1825258.exe
PID 1812 wrote to memory of 904	1812	EQNEDT32.EXE	ugopound1825258.exe
PID 1812 wrote to memory of 904	1812	EQNEDT32.EXE	ugopound1825258.exe
PID 1104 wrote to memory of 656	1104	WINWORD.EXE	splwow64.exe
PID 1104 wrote to memory of 656	1104	WINWORD.EXE	splwow64.exe
PID 1104 wrote to memory of 656	1104	WINWORD.EXE	splwow64.exe
PID 1104 wrote to memory of 656	1104	WINWORD.EXE	splwow64.exe
PID 904 wrote to memory of 1744	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1744	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1744	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1744	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe
PID 904 wrote to memory of 1552	904	ugopound1825258.exe	ugopound1825258.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FWREQUEST FOR URGENT QUOTATION (RFQ).doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:656

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
"C:\Users\Admin\AppData\Roaming\ugopound1825258.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
"C:\Users\Admin\AppData\Roaming\ugopound1825258.exe"
3⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
"C:\Users\Admin\AppData\Roaming\ugopound1825258.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
MD5
715bd23d518811ec970b9288cfb597c8

SHA1
ac72a4d1740020e2398a8c15e6d701b42a822767

SHA256
56fe9a0f74d14a3992855acd45b0f73f663abecc4066d39838218402a0555f73

SHA512
2c298f27a63cfc53b3f06dbaa28cb4065a99e22b07d2e6fc704ed0a31e6eb52cb774d66d81bfbed3fcb4351a620c8ca1eb108f03d3236685a22efa819d45d716

Download Submit
C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
MD5
715bd23d518811ec970b9288cfb597c8

SHA1
ac72a4d1740020e2398a8c15e6d701b42a822767

SHA256
56fe9a0f74d14a3992855acd45b0f73f663abecc4066d39838218402a0555f73

SHA512
2c298f27a63cfc53b3f06dbaa28cb4065a99e22b07d2e6fc704ed0a31e6eb52cb774d66d81bfbed3fcb4351a620c8ca1eb108f03d3236685a22efa819d45d716

Download Submit
C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
MD5
715bd23d518811ec970b9288cfb597c8

SHA1
ac72a4d1740020e2398a8c15e6d701b42a822767

SHA256
56fe9a0f74d14a3992855acd45b0f73f663abecc4066d39838218402a0555f73

SHA512
2c298f27a63cfc53b3f06dbaa28cb4065a99e22b07d2e6fc704ed0a31e6eb52cb774d66d81bfbed3fcb4351a620c8ca1eb108f03d3236685a22efa819d45d716

Download Submit
C:\Users\Admin\AppData\Roaming\ugopound1825258.exe
MD5
715bd23d518811ec970b9288cfb597c8

SHA1
ac72a4d1740020e2398a8c15e6d701b42a822767

SHA256
56fe9a0f74d14a3992855acd45b0f73f663abecc4066d39838218402a0555f73

SHA512
2c298f27a63cfc53b3f06dbaa28cb4065a99e22b07d2e6fc704ed0a31e6eb52cb774d66d81bfbed3fcb4351a620c8ca1eb108f03d3236685a22efa819d45d716

Download Submit
\Users\Admin\AppData\Roaming\ugopound1825258.exe
MD5
715bd23d518811ec970b9288cfb597c8

SHA1
ac72a4d1740020e2398a8c15e6d701b42a822767

SHA256
56fe9a0f74d14a3992855acd45b0f73f663abecc4066d39838218402a0555f73

SHA512
2c298f27a63cfc53b3f06dbaa28cb4065a99e22b07d2e6fc704ed0a31e6eb52cb774d66d81bfbed3fcb4351a620c8ca1eb108f03d3236685a22efa819d45d716

Download Submit
memory/656-73-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/656-72-0x0000000000000000-mapping.dmp

Download
memory/904-71-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/904-70-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/904-67-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1104-60-0x0000000070A81000-0x0000000070A83000-memory.dmp

Filesize
8KB

Download
memory/1104-59-0x0000000073001000-0x0000000073004000-memory.dmp

Filesize
12KB

Download
memory/1104-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1104-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1552-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-76-0x00000000004374BE-mapping.dmp

Download
memory/1552-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-80-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1552-82-0x0000000004AC1000-0x0000000004AC2000-memory.dmp

Filesize
4KB

Download
memory/1812-62-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads