qakbot | 7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

General

Target

c8f1fdd8_by_Libranalysis.exe
Size

673KB
MD5

c8f1fdd8dd3724f89cef6d9ea9ec85fd
SHA1

30d5e006337e17b512ff5ed878cc1beb1664abb0
SHA256

7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571
SHA512

0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Score

10^/10

qakbot spx125 1590138228 banker cryptone evasion packer stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.141

Botnet

spx125

Campaign

1590138228

C2

190.75.168.108:2078

93.114.192.211:2222

47.39.76.74:443

182.56.134.44:995

24.201.79.208:2078

207.246.71.122:443

50.244.112.10:443

88.207.27.144:443

72.204.242.138:443

72.204.242.138:2078

72.204.242.138:990

76.187.8.160:443

220.135.31.140:2222

86.126.97.183:2222

86.126.112.153:995

68.49.120.179:443

101.108.125.44:443

203.101.163.187:443

197.165.212.10:443

207.255.161.8:2078

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

CryptOne packer 5 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe	cryptone

Executes dropped EXE 4 IoCs

Processes:

nalit.exenalit.exenalit.exenalit.exe

pid process

3144 nalit.exe
3160 nalit.exe
1872 nalit.exe
2488 nalit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3144	nalit.exe
3160	nalit.exe
1872	nalit.exe
2488	nalit.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c8f1fdd8_by_Libranalysis.exenalit.exenalit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	c8f1fdd8_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	nalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	nalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	nalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	c8f1fdd8_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	c8f1fdd8_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	nalit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	c8f1fdd8_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	c8f1fdd8_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	nalit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	c8f1fdd8_by_Libranalysis.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2052 schtasks.exe

pid	process
2052	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

c8f1fdd8_by_Libranalysis.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	c8f1fdd8_by_Libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	c8f1fdd8_by_Libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	c8f1fdd8_by_Libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	c8f1fdd8_by_Libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	c8f1fdd8_by_Libranalysis.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2428 PING.EXE

pid	process
2428	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

c8f1fdd8_by_Libranalysis.exec8f1fdd8_by_Libranalysis.exenalit.exenalit.exeexplorer.exec8f1fdd8_by_Libranalysis.exenalit.exenalit.exe

pid	process
1456	c8f1fdd8_by_Libranalysis.exe
1456	c8f1fdd8_by_Libranalysis.exe
2952	c8f1fdd8_by_Libranalysis.exe
2952	c8f1fdd8_by_Libranalysis.exe
2952	c8f1fdd8_by_Libranalysis.exe
2952	c8f1fdd8_by_Libranalysis.exe
3144	nalit.exe
3144	nalit.exe
3160	nalit.exe
3160	nalit.exe
3160	nalit.exe
3160	nalit.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
988	c8f1fdd8_by_Libranalysis.exe
988	c8f1fdd8_by_Libranalysis.exe
1872	nalit.exe
1872	nalit.exe
2488	nalit.exe
2488	nalit.exe
2488	nalit.exe
2488	nalit.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nalit.exe

pid process

3144 nalit.exe

pid	process
3144	nalit.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

c8f1fdd8_by_Libranalysis.exenalit.exec8f1fdd8_by_Libranalysis.execmd.exenalit.exe

description	pid	process	target process
PID 1456 wrote to memory of 2952	1456	c8f1fdd8_by_Libranalysis.exe	c8f1fdd8_by_Libranalysis.exe
PID 1456 wrote to memory of 2952	1456	c8f1fdd8_by_Libranalysis.exe	c8f1fdd8_by_Libranalysis.exe
PID 1456 wrote to memory of 2952	1456	c8f1fdd8_by_Libranalysis.exe	c8f1fdd8_by_Libranalysis.exe
PID 1456 wrote to memory of 3144	1456	c8f1fdd8_by_Libranalysis.exe	nalit.exe
PID 1456 wrote to memory of 3144	1456	c8f1fdd8_by_Libranalysis.exe	nalit.exe
PID 1456 wrote to memory of 3144	1456	c8f1fdd8_by_Libranalysis.exe	nalit.exe
PID 1456 wrote to memory of 2052	1456	c8f1fdd8_by_Libranalysis.exe	schtasks.exe
PID 1456 wrote to memory of 2052	1456	c8f1fdd8_by_Libranalysis.exe	schtasks.exe
PID 1456 wrote to memory of 2052	1456	c8f1fdd8_by_Libranalysis.exe	schtasks.exe
PID 3144 wrote to memory of 3160	3144	nalit.exe	nalit.exe
PID 3144 wrote to memory of 3160	3144	nalit.exe	nalit.exe
PID 3144 wrote to memory of 3160	3144	nalit.exe	nalit.exe
PID 3144 wrote to memory of 3940	3144	nalit.exe	explorer.exe
PID 3144 wrote to memory of 3940	3144	nalit.exe	explorer.exe
PID 3144 wrote to memory of 3940	3144	nalit.exe	explorer.exe
PID 3144 wrote to memory of 3940	3144	nalit.exe	explorer.exe
PID 988 wrote to memory of 3524	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 3524	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 920	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 920	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2452	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2452	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2912	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2912	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 1508	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 1508	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 508	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 508	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2252	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2252	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2112	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 2112	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 1152	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 1152	988	c8f1fdd8_by_Libranalysis.exe	reg.exe
PID 988 wrote to memory of 1872	988	c8f1fdd8_by_Libranalysis.exe	nalit.exe
PID 988 wrote to memory of 1872	988	c8f1fdd8_by_Libranalysis.exe	nalit.exe
PID 988 wrote to memory of 1872	988	c8f1fdd8_by_Libranalysis.exe	nalit.exe
PID 988 wrote to memory of 4080	988	c8f1fdd8_by_Libranalysis.exe	cmd.exe
PID 988 wrote to memory of 4080	988	c8f1fdd8_by_Libranalysis.exe	cmd.exe
PID 988 wrote to memory of 3868	988	c8f1fdd8_by_Libranalysis.exe	schtasks.exe
PID 988 wrote to memory of 3868	988	c8f1fdd8_by_Libranalysis.exe	schtasks.exe
PID 4080 wrote to memory of 2428	4080	cmd.exe	PING.EXE
PID 4080 wrote to memory of 2428	4080	cmd.exe	PING.EXE
PID 1872 wrote to memory of 2488	1872	nalit.exe	nalit.exe
PID 1872 wrote to memory of 2488	1872	nalit.exe	nalit.exe
PID 1872 wrote to memory of 2488	1872	nalit.exe	nalit.exe

C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hyvxrbmn /tr "\"C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe\" /I hyvxrbmn" /SC ONCE /Z /ST 17:06 /ET 17:18
2⤵
- Creates scheduled task(s)
PID:2052

C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe /I hyvxrbmn
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:3524

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:920

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:2452

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:2912

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:1508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:2252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:2112

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq" /d "0"
2⤵
PID:1152

C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:2428

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN hyvxrbmn
2⤵
PID:3868

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.dat
MD5
50e946a0120e5a0cdf48574e8fa3cf26

SHA1
660f9d36e2dde3defd141997626274552be915e1

SHA256
aba81573d4b41944b928db355617fe9505cac473b05257a9f26b87cbd3bf2b3c

SHA512
ec2c481ca009c20c68d913a3c876c867ac1efced18c7af53c5accbfa3c2d8f18dc875a8e7b67c473c7b9792cc2f82e2ede49c2176285cfba58f91ea7373913c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
MD5
c8f1fdd8dd3724f89cef6d9ea9ec85fd

SHA1
30d5e006337e17b512ff5ed878cc1beb1664abb0

SHA256
7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

SHA512
0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
MD5
c8f1fdd8dd3724f89cef6d9ea9ec85fd

SHA1
30d5e006337e17b512ff5ed878cc1beb1664abb0

SHA256
7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

SHA512
0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
MD5
c8f1fdd8dd3724f89cef6d9ea9ec85fd

SHA1
30d5e006337e17b512ff5ed878cc1beb1664abb0

SHA256
7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

SHA512
0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
MD5
c8f1fdd8dd3724f89cef6d9ea9ec85fd

SHA1
30d5e006337e17b512ff5ed878cc1beb1664abb0

SHA256
7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

SHA512
0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
MD5
c8f1fdd8dd3724f89cef6d9ea9ec85fd

SHA1
30d5e006337e17b512ff5ed878cc1beb1664abb0

SHA256
7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

SHA512
0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Download Submit
memory/508-140-0x0000000000000000-mapping.dmp

Download
memory/920-136-0x0000000000000000-mapping.dmp

Download
memory/988-134-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1152-143-0x0000000000000000-mapping.dmp

Download
memory/1456-114-0x0000000002210000-0x0000000002247000-memory.dmp

Filesize
220KB

Download
memory/1456-115-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1508-139-0x0000000000000000-mapping.dmp

Download
memory/1872-149-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1872-144-0x0000000000000000-mapping.dmp

Download
memory/2052-122-0x0000000000000000-mapping.dmp

Download
memory/2112-142-0x0000000000000000-mapping.dmp

Download
memory/2252-141-0x0000000000000000-mapping.dmp

Download
memory/2428-150-0x0000000000000000-mapping.dmp

Download
memory/2452-137-0x0000000000000000-mapping.dmp

Download
memory/2488-154-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2488-151-0x0000000000000000-mapping.dmp

Download
memory/2488-153-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/2912-138-0x0000000000000000-mapping.dmp

Download
memory/2952-116-0x0000000000000000-mapping.dmp

Download
memory/2952-118-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2952-117-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/3144-124-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3144-119-0x0000000000000000-mapping.dmp

Download
memory/3160-128-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3160-125-0x0000000000000000-mapping.dmp

Download
memory/3524-135-0x0000000000000000-mapping.dmp

Download
memory/3868-147-0x0000000000000000-mapping.dmp

Download
memory/3940-131-0x0000000000B50000-0x0000000000C86000-memory.dmp

Filesize
1.2MB

Download
memory/3940-130-0x00000000005B0000-0x00000000005EA000-memory.dmp

Filesize
232KB

Download
memory/3940-129-0x0000000000000000-mapping.dmp

Download
memory/4080-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads