bitrat | 7069126ab12c5a8b542c10a6e0e60c78d9b3c4150b5caf947b0420c50520cbea

General

Target

Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
Size

683KB
MD5

c96702f31575539b3439478d14983329
SHA1

e1a6e2a14be3d49c89e3768e64c751ba9b959f85
SHA256

7069126ab12c5a8b542c10a6e0e60c78d9b3c4150b5caf947b0420c50520cbea
SHA512

99b8ae29eef8528ff91e7f13a3a298f2d96902fa857c18f94f27fb97aca5fc15280e5f6d1805bf3ef955189b04b8edd1496062bc124ffee35017059745521fda

Score

10^/10

bitrat modiloader persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

oka.nerdpol.ovh:2223

Attributes

communication_password
b6c6e855edf908ec7c12ce8c8e628a5c
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1488-78-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral1/memory/1488-79-0x0000000010410000-0x00000000107F4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Punlolv = "C:\\Users\\Public\\Libraries\\vlolnuP.url"	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

DpiScaling.exe

pid process

1488 DpiScaling.exe
1488 DpiScaling.exe
1488 DpiScaling.exe
1488 DpiScaling.exe
1488 DpiScaling.exe

pid	process
1488	DpiScaling.exe
1488	DpiScaling.exe
1488	DpiScaling.exe
1488	DpiScaling.exe
1488	DpiScaling.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D20DDF91CA75F2EC5DED50322993C4600DAE92DD\Blob = 1900000001000000100000007ccb8a1d72d18d5c1b905b4d62e0774e0f0000000100000020000000b0b7ed23ad5a0a5feec7287b297b67b29bd45685af16cf62562173d45c991249030000000100000014000000d20ddf91ca75f2ec5ded50322993c4600dae92dd1400000001000000140000001a5c7243eac618646b412f9f278adbf8690225b62000000001000000f9020000308202f5308201dda00302010202101e4fc741f199477931a26d07bda41bf8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393133303030305a170d3237303432383133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c6587ea278a5977f08b2e1db6bfe881638ff4953d7c7a8fa33fe6baa1eb9793101c9f5e7599fbc90d96011611c501766b0a82bace39c98fbf5d066fe35b84527782f43d9a94bef19ec28100733991f86c665f269843228183bfa3e624955c2ab31e7554bbf974732829d4db90e2edd5220c627627204a09401d9c5e16306b4f1bd65b853f0a01d11270d8e9317ffb791f802872092e988c23fb608af80e15d1765c16c9429071a22c275b2f4de11169b0a76d28fec6ba98563459c8483510aefa8013e15b37c23874ca07361877e2e80287bbe8ea85cf23d84106960d1282d9ea5256c94872dccb0ee49f17a0fea0267e5bd2adfc625d48d3e623ad250c264b70203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604141a5c7243eac618646b412f9f278adbf8690225b6300d06092a864886f70d01010b0500038201010061e79800e238e7cc9d13c261a54533c32a06a0c72f81c14f5207feebef4da29d201564fdcc18c133f5e3ba6c29ceea58dcb4bc11657cc1cca5a5d332f3d1f69e1b2883cfe7298b1d802cfdd34dcd5097a7151e9fdad8d0b74aae70426e505970bf2019b39dbd0c7bd6bbb701a42a1bc638c361fb49dfd031bb4142e8e92c2aa6b1e36c528e1895709509bd85198389fac89f395f24de54cb413ac2051441cb41dfc321efd1994a9cec6b45dffc4ceea20f82134d157ee9e2c85cf9d3ce4f882927b2937cd94abbfa31a654057ef940da9dc70493aa3d713101e8ec01ac778875c965bc56c4940e04b5680856cf5c6d8d5d8fe7597b4ab1494e4b93130c03f1ff	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D20DDF91CA75F2EC5DED50322993C4600DAE92DD	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D20DDF91CA75F2EC5DED50322993C4600DAE92DD\Blob = 0f0000000100000020000000b0b7ed23ad5a0a5feec7287b297b67b29bd45685af16cf62562173d45c991249030000000100000014000000d20ddf91ca75f2ec5ded50322993c4600dae92dd2000000001000000f9020000308202f5308201dda00302010202101e4fc741f199477931a26d07bda41bf8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393133303030305a170d3237303432383133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c6587ea278a5977f08b2e1db6bfe881638ff4953d7c7a8fa33fe6baa1eb9793101c9f5e7599fbc90d96011611c501766b0a82bace39c98fbf5d066fe35b84527782f43d9a94bef19ec28100733991f86c665f269843228183bfa3e624955c2ab31e7554bbf974732829d4db90e2edd5220c627627204a09401d9c5e16306b4f1bd65b853f0a01d11270d8e9317ffb791f802872092e988c23fb608af80e15d1765c16c9429071a22c275b2f4de11169b0a76d28fec6ba98563459c8483510aefa8013e15b37c23874ca07361877e2e80287bbe8ea85cf23d84106960d1282d9ea5256c94872dccb0ee49f17a0fea0267e5bd2adfc625d48d3e623ad250c264b70203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604141a5c7243eac618646b412f9f278adbf8690225b6300d06092a864886f70d01010b0500038201010061e79800e238e7cc9d13c261a54533c32a06a0c72f81c14f5207feebef4da29d201564fdcc18c133f5e3ba6c29ceea58dcb4bc11657cc1cca5a5d332f3d1f69e1b2883cfe7298b1d802cfdd34dcd5097a7151e9fdad8d0b74aae70426e505970bf2019b39dbd0c7bd6bbb701a42a1bc638c361fb49dfd031bb4142e8e92c2aa6b1e36c528e1895709509bd85198389fac89f395f24de54cb413ac2051441cb41dfc321efd1994a9cec6b45dffc4ceea20f82134d157ee9e2c85cf9d3ce4f882927b2937cd94abbfa31a654057ef940da9dc70493aa3d713101e8ec01ac778875c965bc56c4940e04b5680856cf5c6d8d5d8fe7597b4ab1494e4b93130c03f1ff	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D20DDF91CA75F2EC5DED50322993C4600DAE92DD\Blob = 1400000001000000140000001a5c7243eac618646b412f9f278adbf8690225b6030000000100000014000000d20ddf91ca75f2ec5ded50322993c4600dae92dd0f0000000100000020000000b0b7ed23ad5a0a5feec7287b297b67b29bd45685af16cf62562173d45c9912492000000001000000f9020000308202f5308201dda00302010202101e4fc741f199477931a26d07bda41bf8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393133303030305a170d3237303432383133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c6587ea278a5977f08b2e1db6bfe881638ff4953d7c7a8fa33fe6baa1eb9793101c9f5e7599fbc90d96011611c501766b0a82bace39c98fbf5d066fe35b84527782f43d9a94bef19ec28100733991f86c665f269843228183bfa3e624955c2ab31e7554bbf974732829d4db90e2edd5220c627627204a09401d9c5e16306b4f1bd65b853f0a01d11270d8e9317ffb791f802872092e988c23fb608af80e15d1765c16c9429071a22c275b2f4de11169b0a76d28fec6ba98563459c8483510aefa8013e15b37c23874ca07361877e2e80287bbe8ea85cf23d84106960d1282d9ea5256c94872dccb0ee49f17a0fea0267e5bd2adfc625d48d3e623ad250c264b70203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604141a5c7243eac618646b412f9f278adbf8690225b6300d06092a864886f70d01010b0500038201010061e79800e238e7cc9d13c261a54533c32a06a0c72f81c14f5207feebef4da29d201564fdcc18c133f5e3ba6c29ceea58dcb4bc11657cc1cca5a5d332f3d1f69e1b2883cfe7298b1d802cfdd34dcd5097a7151e9fdad8d0b74aae70426e505970bf2019b39dbd0c7bd6bbb701a42a1bc638c361fb49dfd031bb4142e8e92c2aa6b1e36c528e1895709509bd85198389fac89f395f24de54cb413ac2051441cb41dfc321efd1994a9cec6b45dffc4ceea20f82134d157ee9e2c85cf9d3ce4f882927b2937cd94abbfa31a654057ef940da9dc70493aa3d713101e8ec01ac778875c965bc56c4940e04b5680856cf5c6d8d5d8fe7597b4ab1494e4b93130c03f1ff	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1644 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeDpiScaling.exe

description pid process

Token: SeDebugPrivilege 1644 powershell.exe
Token: SeDebugPrivilege 1488 DpiScaling.exe
Token: SeShutdownPrivilege 1488 DpiScaling.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DpiScaling.exe

pid process

1488 DpiScaling.exe
1488 DpiScaling.exe

pid	process
1644	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1488	DpiScaling.exe
Token: SeShutdownPrivilege	1488	DpiScaling.exe

pid	process
1488	DpiScaling.exe
1488	DpiScaling.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Punlolvwclwfqtzbjkukzofgyrkizbvbvb.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1472 wrote to memory of 1332	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	cmd.exe
PID 1472 wrote to memory of 1332	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	cmd.exe
PID 1472 wrote to memory of 1332	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	cmd.exe
PID 1472 wrote to memory of 1332	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	cmd.exe
PID 1332 wrote to memory of 1816	1332	cmd.exe	cmd.exe
PID 1332 wrote to memory of 1816	1332	cmd.exe	cmd.exe
PID 1332 wrote to memory of 1816	1332	cmd.exe	cmd.exe
PID 1332 wrote to memory of 1816	1332	cmd.exe	cmd.exe
PID 1816 wrote to memory of 684	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 684	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 684	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 684	1816	cmd.exe	net.exe
PID 684 wrote to memory of 1940	684	net.exe	net1.exe
PID 684 wrote to memory of 1940	684	net.exe	net1.exe
PID 684 wrote to memory of 1940	684	net.exe	net1.exe
PID 684 wrote to memory of 1940	684	net.exe	net1.exe
PID 1816 wrote to memory of 1644	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 1644	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 1644	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 1644	1816	cmd.exe	powershell.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe
PID 1472 wrote to memory of 1488	1472	Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe
"C:\Users\Admin\AppData\Local\Temp\Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\Punlolvt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\PunlolvO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\PunlolvO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Punlolvt.bat
Filesize
56B

MD5
fbb7fb25789d4742161b8d28ff8e92be

SHA1
90fd89aab00363f69e1451ceaabe766abe9c476d

SHA256
9a2576494874948f979d1c979802d4f43a3d9472abecce00c4cfc41198acf9ea

SHA512
e9f3a8150802a4cd2bbb10073daa4f3357f8d5873262eb448cb052f25900241f48118ad49fce2d2ebe6cdd674864647fea2a21fcc787ec96f7fcbd892c44e830

Download Submit
memory/684-68-0x0000000000000000-mapping.dmp

Download
memory/1332-64-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1488-78-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1488-79-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1488-74-0x0000000000000000-mapping.dmp

Download
memory/1488-76-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1644-71-0x0000000000000000-mapping.dmp

Download
memory/1644-73-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-66-0x0000000000000000-mapping.dmp

Download
memory/1940-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads