cybergate | 79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Size

520KB
MD5

791f8102ea9510491562193f3bb238a2
SHA1

3ac5ae41ba89e830299b2d78e2f0993cff23690b
SHA256

79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed
SHA512

14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c
SSDEEP

6144:wmcD66RRju5JGmrpQsK3RD2u270jupCJsCxCz5JGmrpQsK3RD2u270jupCJsCxCp:5cD6633Z2zkPaCxfZ2zkPaCx2

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

127.0.0.1:81

Mutex

Newx32

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
ftp_password
pikaloka
ftp_port
21
ftp_server
6te.net
ftp_username
xikoloko.6te.net
injected_process
explorer.exe
install_dir
winx32
install_file
netsys.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
voce eh gay????????
message_box_title
KLEBER
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "c:\\dir\\install\\winx32\\netsys.exe"	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "c:\\dir\\install\\winx32\\netsys.exe"	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe

Executes dropped EXE 1 IoCs

pid	Process
848	netsys.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y7381306-F0T7-1WF8-4X4H-RHI7U8GNDG80}	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y7381306-F0T7-1WF8-4X4H-RHI7U8GNDG80}\StubPath = "c:\\dir\\install\\winx32\\netsys.exe Restart"	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y7381306-F0T7-1WF8-4X4H-RHI7U8GNDG80}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y7381306-F0T7-1WF8-4X4H-RHI7U8GNDG80}\StubPath = "c:\\dir\\install\\winx32\\netsys.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-56-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2008-65-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1020-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1020-73-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2008-75-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/2008-81-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1560-86-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1560-92-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1560-93-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1560	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
1560	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\winx32\\netsys.exe"	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\winx32\\netsys.exe"	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1560	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
Token: SeDebugPrivilege	1560	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13
PID 2008 wrote to memory of 1392	2008	79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
  "C:\Users\Admin\AppData\Local\Temp\79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    PID:1020
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe
    "C:\Users\Admin\AppData\Local\Temp\79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
  - - C:\dir\install\winx32\netsys.exe
      "C:\dir\install\winx32\netsys.exe"
      4⤵
      Executes dropped EXE
      PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
29f76f93fb716038abf8a32c2ab66321

SHA1
c24f4f2dae269677305ae6da56c6a662ab7a5d97

SHA256
9f3380e2f7dd1c32b11d34aff15120f54c9224585041cd1f5b9891f750e97b3d

SHA512
6996ce2ef04cc30872f77db9f6cd171b2e2ae9d5d0b725cdf619988a85a2647dfdaf63b86c23636bdbd5d1a0a993fa9529676c6d1acc3f2e1fab3efcc722c6a5

Download Submit
C:\dir\install\winx32\netsys.exe

Filesize
520KB

MD5
791f8102ea9510491562193f3bb238a2

SHA1
3ac5ae41ba89e830299b2d78e2f0993cff23690b

SHA256
79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

SHA512
14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

Download Submit
\??\c:\dir\install\winx32\netsys.exe

Filesize
520KB

MD5
791f8102ea9510491562193f3bb238a2

SHA1
3ac5ae41ba89e830299b2d78e2f0993cff23690b

SHA256
79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

SHA512
14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

Download Submit
\dir\install\winx32\netsys.exe

Filesize
520KB

MD5
791f8102ea9510491562193f3bb238a2

SHA1
3ac5ae41ba89e830299b2d78e2f0993cff23690b

SHA256
79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

SHA512
14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

Download Submit
\dir\install\winx32\netsys.exe

Filesize
520KB

MD5
791f8102ea9510491562193f3bb238a2

SHA1
3ac5ae41ba89e830299b2d78e2f0993cff23690b

SHA256
79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

SHA512
14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

Download Submit
memory/1020-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1020-64-0x00000000749F1000-0x00000000749F3000-memory.dmp

Filesize
8KB

Download
memory/1020-73-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1392-59-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1560-92-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1560-86-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1560-93-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2008-65-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2008-81-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2008-75-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/2008-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads