Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
- Resource: win10v2004-20220414-en
General
- Target: 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
- Size: 3.7MB
- MD5: a202bac1697b6255bf5bfdf0cce9aaa6
- SHA1: fe0327a7a122a1086ed8cfc288e9c6716affbf69
- SHA256: 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5
- SHA512: 5f553747bc52a8b5e55d146f9731ecd606147c7d8f3c03ac9a5903728c2c8af26f8987e9defaa67e743346eaa1aefc14df2c5e2b03b341966c38f51cb32964f7
Malware Config
Extracted
- Family: bitrat
- Version: 1.33
- C2: qwerty:4444 (bare hostname with no domain suffix; it resolves only through a hosts-file or local DNS entry, which points to a test or placeholder build rather than a live campaign)
- communication_password: 827ccb0eea8a706c4c34a16891f84e7b (32 hex characters, the length of an MD5 digest)
- install_dir: dfgh
- install_file: rftgh.exe
- tor_process: tor
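The extracted fields above can be turned into hunting indicators directly. The following Python is an added example, not part of the report or of the sandbox's own tooling: it parses the config block as printed, splits the C2 into host and port, derives the expected Run value name and install-path suffix from install_dir and install_file, and, on the assumption (not stated by the report) that communication_password is an unsalted MD5 of the operator's chosen password, tries a small constructed wordlist against it. The family/version/C2 labels for the first three config lines are inferred from their shape; the wordlist is constructed for the example.

```python
import hashlib
import re
from typing import Dict, Optional

# The config block as printed in the report. The report lists the first three
# values without labels; family / version / C2 are inferred from their shape.
CONFIG_TEXT = """\
bitrat
1.33
qwerty:4444
communication_password
827ccb0eea8a706c4c34a16891f84e7b
install_dir
dfgh
install_file
rftgh.exe
tor_process
tor
"""

# Constructed wordlist for the dictionary check (a real run would use a full
# password list). It is not part of the report.
WORDLIST = ["password", "admin", "bitrat", "123456", "qwerty", "12345"]


def parse_config(text: str) -> Dict[str, object]:
    """Parse the flattened config block into a dict.

    The first three non-empty lines are positional (family, version, c2);
    the remaining lines alternate key / value.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, c2 = lines[:3]
    host, _, port = c2.rpartition(":")
    cfg: Dict[str, object] = {
        "family": family,
        "version": version,
        "c2_host": host,
        "c2_port": int(port),
    }
    rest = lines[3:]
    for key, value in zip(rest[0::2], rest[1::2]):
        cfg[key] = value
    return cfg


def derive_indicators(cfg: Dict[str, object]) -> Dict[str, object]:
    """Turn config fields into host and network indicators.

    Only the install_dir\\install_file suffix is assumed stable across hosts;
    the sandbox's full path (C:\\Users\\Admin\\AppData\\Local\\...) depends
    on the profile the sample runs under.
    """
    install_file = str(cfg["install_file"])
    # The Run value name observed in this report is install_file without ".exe".
    value_name = re.sub(r"\.exe$", "", install_file, flags=re.IGNORECASE)
    return {
        "run_value_name": value_name,
        "install_path_suffix": f"{cfg['install_dir']}\\{install_file}",
        "c2": f"{cfg['c2_host']}:{cfg['c2_port']}",
        # A bare hostname cannot be resolved over public DNS.
        "c2_host_is_fqdn": "." in str(cfg["c2_host"]),
    }


def recover_password(digest_hex: str, wordlist) -> Optional[str]:
    """Return the wordlist entry whose unsalted MD5 equals digest_hex, else None.

    Assumption (not stated by the report): communication_password is MD5 of
    the operator's plaintext password. Only 32-hex-character inputs are tried.
    """
    target = digest_hex.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", target):
        return None
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg)
    print(derive_indicators(cfg))
    print("communication_password ->",
          recover_password(str(cfg["communication_password"]), WORDLIST))
```

A dictionary hit on a config password says nothing about the RAT's transport security by itself, but it is the value an operator typed into the builder, so it is worth carrying as a pivot alongside the C2 host and the install path.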
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe"
  \REGISTRY\USER\<SID> is the kernel path of that user's HKCU hive, so this is HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The value name (rftgh) and the data path (%LOCALAPPDATA%\dfgh\rftgh.exe) are install_file without its extension and install_dir\install_file from the extracted config, so the dynamic run confirms the static config.
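The IoC line above is the dynamic evidence of the persistence the config describes. As an added example that is not part of the report or the sandbox, the following Python parses registry "Set value" IoCs in the shape printed above, maps the \REGISTRY\USER\<SID> prefix to the HKCU Run key, and grades each entry: an exact match on the config-derived install path is called BitRAT persistence, any other Run value pointing into a user-writable location is called suspicious, and the rest benign. A constructed OneDrive entry (not from the report) is included to show the heuristic does not fire on an ordinary Run value.

```python
import re
from typing import Dict, List

# Fields from the report's Malware Config section.
INSTALL_DIR = "dfgh"
INSTALL_FILE = "rftgh.exe"

# Registry IoC lines in the report's 'Set value (<type>) <key>\<name> = "<data>"' shape.
# The first is the line from the report; the second is a constructed benign entry
# (not from the report) that shows the heuristic does not fire on ordinary Run values.
IOC_LINES: List[str] = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"',
]

IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$'
)
HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\(?P<rest>.*)$")

# Locations a standard user can write to; a Run value pointing here is far more
# suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")


def parse_ioc(line: str) -> Dict[str, str]:
    """Split one IoC line into type, key, value name, data, SID and HKCU path."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    entry = m.groupdict()
    # The report doubles backslashes inside the quoted data; collapse them.
    entry["data"] = entry["data"].replace("\\\\", "\\")
    # \REGISTRY\USER\<SID>\... is the kernel path of that user's HKCU hive.
    hive = HIVE_RE.match(entry["key"])
    entry["sid"] = hive.group("sid") if hive else ""
    entry["hkcu_path"] = "HKCU\\" + hive.group("rest") if hive else entry["key"]
    return entry


def assess(entry: Dict[str, str]) -> Dict[str, object]:
    """Score a parsed Run-key IoC against the extracted config."""
    data = entry["data"]
    # The executable is everything up to the first ".exe", quoted or not;
    # anything after it is arguments.
    exe_m = re.match(r'^"?(.*?\.exe)', data, re.IGNORECASE)
    exe = exe_m.group(1) if exe_m else data
    expected_suffix = f"\\{INSTALL_DIR}\\{INSTALL_FILE}".lower()
    expected_name = re.sub(r"\.exe$", "", INSTALL_FILE, flags=re.IGNORECASE).lower()
    findings: Dict[str, object] = {
        "is_run_key": entry["hkcu_path"].lower().endswith("\\currentversion\\run"),
        "user_writable_path": any(seg in data.lower() for seg in USER_WRITABLE),
        "matches_config": exe.lower().endswith(expected_suffix)
        and entry["name"].lower() == expected_name,
    }
    if findings["is_run_key"] and findings["matches_config"]:
        findings["verdict"] = "bitrat_persistence"
    elif findings["is_run_key"] and findings["user_writable_path"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "benign"
    return findings


def assess_all(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Map each IoC's value name to its assessment."""
    return {e["name"]: assess(e) for e in map(parse_ioc, lines)}


if __name__ == "__main__":
    for name, result in assess_all(IOC_LINES).items():
        print(f"{name}: {result['verdict']}  {result}")
```

On a live host the same logic applies to the output of a Run-key export (for example from reg.exe or a registry hive parser) rather than to sandbox IoC lines; only parse_ioc would change.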
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 1788  6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe  (listed 4 times)
  NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops an attached debugger from receiving events for that thread. It is anti-analysis, not something the RAT needs to function, and is a good reason to expect other evasion in the binary.
- Suspicious behavior: RenamesItself (25 IoCs)
  pid 1788  6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe  (listed 25 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege    pid 1788  6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
  Token: SeShutdownPrivilege  pid 1788  6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
  SeDebugPrivilege lets the process open other processes regardless of their ACLs; SeShutdownPrivilege lets it shut down or reboot the host. The sample ran as the Admin user, so both were available to enable.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1788  6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe  (listed 2 times)
  SetWindowsHookEx installs window-message hooks; the keyboard hook types are what user-mode keyloggers use. The report does not record which hook type was requested.
Processes
- C:\Users\Admin\AppData\Local\Temp\6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe (pid 1788)
  command line: "C:\Users\Admin\AppData\Local\Temp\6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx