qakbot | 5d24821c2558cc18b84c341cde0a93dc090c9311864f65e85624b5746eda560d

General

Target

rob.html.dll
Size

846KB
MD5

3283652c1e57afef22993b466cc7440f
SHA1

412262cff6773355f271be7f2a3ebc1a01d73194
SHA256

5d24821c2558cc18b84c341cde0a93dc090c9311864f65e85624b5746eda560d
SHA512

90501854198a1ac9145223cedfb14880ef7507b13ce2cd0ac938c940d572e13e0155fc31f77f50907a01e1787245c3dff2f3f7206bd6dd13844cba4a56d04d80

Score

10^/10

qakbot tr 1633597626 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597626

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

656 regsvr32.exe

pid	process
656	regsvr32.exe

Drops file in System32 directory 12 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\t4[1]	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3632 schtasks.exe

pid	process
3632	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c580e45f00301190c32f15e50f244371563065e98f4df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\4fb2747d = a4046ccc86ad06e1ffb23a6552a67cc8036ffe4f4a67d5af01afb0190e6c2382cebd4596dc7f14cc680674dd7b5c836bc2af620d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c580e45f00301190c32f15e50f24437156306bea8e4df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\32ba3bf7 = a327ba4caa60a5a09b1374f48996c57b60573f588b0c851326b553f6bfedb573a971d68ed2e6867b9b99986dd4263965e42ae683269d9606cd063309b20b8ddfd8de6cd8b738a5d96c8ccada00cc4c18a712776c5f3c33d388efb6176fbd78bd49a9705154ef04a3ab	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c580e9590f301190c32f15e50f244371563069ea864df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\f54f3364 = d3332c6895836c649ed4a350b3c9a3debcc34d0f109905d77daa3d1e	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c580e9590f301190c32f15e50f24437156306bea8e4df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\8a065c92 = 3de546217a793b14bc1132f52ed15daf10e98c6acb643fc3019f0f48eb757ff5055af17d77	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c581eb5202301190c32f15e50f24437156316aee864df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead19e36fe61d471a4d867a4240a5c58ded5d057f159ac72f1be539547ae696bdb4c8b94bee90bad0e92974389eefc8c6521a423b0786638bd7dbdfe32752700dc1b61ba4b8f656e4bbd1dbe8cfa850339882a2ab40981cd7	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c580e45f00301190c32f15e50f24437156316ce1864df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c581e85306301190c32f15e50f244371563168e08f4df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c581e85306301190c32f15e50f24437156316aee864df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\4df35401 = 15c2c948795d9b8d6fe368d1157334221a5c2ff2a7b3fae0c1925773aabaa39b29bf9dda8768985ea3e80b6933ff16a6546e09f046acc8e1266c5f6ec15110460290ca423e0184d008f7a4c7f9c7eae6c66d34ef71873f1ca582ed58823f7ea4c968b30dc5076e57e1f2350dd27da43b096dc424e1e8d667a3833cab0a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\f70e1318 = d2f5b55a7dcec7b01c18b873aa13957cf4e5bffa475a065618f3c331c10fbb4ddd67e5e8eb84d08514b0d062d85b639c0b5886	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c581ed5d05301190c32f15e50f24437156316ce1864df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tryzxhswhz\786c844f = 7ead10e36fe61d471a4d87304248a0c581ed5d05301190c32f15e50f24437156316ee0874df9d878892601ceaf1a6d22d924979aaf56fd10ca8be606011c3771c14a2227cb2e30defe6ffc38d859adb44d58a23568bc657fcb8a71180d24f0cf7d61	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3720 rundll32.exe
3720 rundll32.exe
656 regsvr32.exe
656 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3720 rundll32.exe
656 regsvr32.exe

pid	process
3720	rundll32.exe
3720	rundll32.exe
656	regsvr32.exe
656	regsvr32.exe

pid	process
3720	rundll32.exe
656	regsvr32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 1628 wrote to memory of 3720	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 3720	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 3720	1628	rundll32.exe	rundll32.exe
PID 3720 wrote to memory of 1680	3720	rundll32.exe	explorer.exe
PID 3720 wrote to memory of 1680	3720	rundll32.exe	explorer.exe
PID 3720 wrote to memory of 1680	3720	rundll32.exe	explorer.exe
PID 3720 wrote to memory of 1680	3720	rundll32.exe	explorer.exe
PID 3720 wrote to memory of 1680	3720	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 3632	1680	explorer.exe	schtasks.exe
PID 1680 wrote to memory of 3632	1680	explorer.exe	schtasks.exe
PID 1680 wrote to memory of 3632	1680	explorer.exe	schtasks.exe
PID 708 wrote to memory of 656	708	regsvr32.exe	regsvr32.exe
PID 708 wrote to memory of 656	708	regsvr32.exe	regsvr32.exe
PID 708 wrote to memory of 656	708	regsvr32.exe	regsvr32.exe
PID 656 wrote to memory of 3176	656	regsvr32.exe	explorer.exe
PID 656 wrote to memory of 3176	656	regsvr32.exe	explorer.exe
PID 656 wrote to memory of 3176	656	regsvr32.exe	explorer.exe
PID 656 wrote to memory of 3176	656	regsvr32.exe	explorer.exe
PID 656 wrote to memory of 3176	656	regsvr32.exe	explorer.exe
PID 3176 wrote to memory of 3280	3176	explorer.exe	reg.exe
PID 3176 wrote to memory of 3280	3176	explorer.exe	reg.exe
PID 3176 wrote to memory of 2256	3176	explorer.exe	reg.exe
PID 3176 wrote to memory of 2256	3176	explorer.exe	reg.exe
PID 3312 wrote to memory of 2560	3312	regsvr32.exe	regsvr32.exe
PID 3312 wrote to memory of 2560	3312	regsvr32.exe	regsvr32.exe
PID 3312 wrote to memory of 2560	3312	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rob.html.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rob.html.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qbleyqcjb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\rob.html.dll\"" /SC ONCE /Z /ST 18:02 /ET 18:14
4⤵
- Creates scheduled task(s)
PID:3632

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\rob.html.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\rob.html.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Djiexju" /d "0"
4⤵
PID:3280

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yordcpjcmrsa" /d "0"
4⤵
PID:2256

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\rob.html.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\rob.html.dll"
2⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rob.html.dll
MD5
3283652c1e57afef22993b466cc7440f

SHA1
412262cff6773355f271be7f2a3ebc1a01d73194

SHA256
5d24821c2558cc18b84c341cde0a93dc090c9311864f65e85624b5746eda560d

SHA512
90501854198a1ac9145223cedfb14880ef7507b13ce2cd0ac938c940d572e13e0155fc31f77f50907a01e1787245c3dff2f3f7206bd6dd13844cba4a56d04d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\rob.html.dll
MD5
3b58aa34eb6f17bb84ce8d94d2383034

SHA1
fcea6b6b167f5aba835cafc77e0d4d5d8351e046

SHA256
58e9539f9b119def7e5389ab4d50876572686d6c72b270b8480b39d6554bf42e

SHA512
4184f8d24db51430d78f41d1bd27380ecb58637aa4501c6972fa47b80a57e23ba69c7d3a0a8e1a61a6dc6fc13423db33e2e26f1381babc26873e91b6ed6323f8

Download Submit
\Users\Admin\AppData\Local\Temp\rob.html.dll
MD5
3283652c1e57afef22993b466cc7440f

SHA1
412262cff6773355f271be7f2a3ebc1a01d73194

SHA256
5d24821c2558cc18b84c341cde0a93dc090c9311864f65e85624b5746eda560d

SHA512
90501854198a1ac9145223cedfb14880ef7507b13ce2cd0ac938c940d572e13e0155fc31f77f50907a01e1787245c3dff2f3f7206bd6dd13844cba4a56d04d80

Download Submit
memory/656-131-0x00000000008E0000-0x0000000000A2A000-memory.dmp

Filesize
1.3MB

Download
memory/656-130-0x0000000072660000-0x00000000727D1000-memory.dmp

Filesize
1.4MB

Download
memory/656-129-0x0000000072660000-0x0000000072681000-memory.dmp

Filesize
132KB

Download
memory/656-128-0x0000000072660000-0x00000000727D1000-memory.dmp

Filesize
1.4MB

Download
memory/656-126-0x0000000000000000-mapping.dmp

Download
memory/1680-123-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1680-124-0x0000000000360000-0x0000000000381000-memory.dmp

Filesize
132KB

Download
memory/1680-122-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1680-120-0x0000000000000000-mapping.dmp

Download
memory/2256-134-0x0000000000000000-mapping.dmp

Download
memory/2560-139-0x0000000000000000-mapping.dmp

Download
memory/3176-136-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3176-135-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3176-137-0x0000000000A40000-0x0000000000A61000-memory.dmp

Filesize
132KB

Download
memory/3176-132-0x0000000000000000-mapping.dmp

Download
memory/3280-133-0x0000000000000000-mapping.dmp

Download
memory/3632-121-0x0000000000000000-mapping.dmp

Download
memory/3720-115-0x0000000000000000-mapping.dmp

Download
memory/3720-119-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3720-118-0x0000000073900000-0x0000000073A71000-memory.dmp

Filesize
1.4MB

Download
memory/3720-117-0x0000000073900000-0x0000000073921000-memory.dmp

Filesize
132KB

Download
memory/3720-116-0x0000000073900000-0x0000000073A71000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads