cybergate | f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

General

Target

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Size

482KB
MD5

2d677ed795661959e60196d2892256b0
SHA1

684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA512

eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9
SSDEEP

12288:9t2qQ7T6HFn3oRI2h11WoUXuTiN8FhNlJo2:OvyHFn4PBSYRFhny2

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

C2

kbchorizo.no-ip.org:81

infeccioneszc.no-ip.org:81

Mutex

infeccion

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Win32
install_file
winloader.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Your windows is not compatibility! error 503
message_box_title
título da mensagem
password
zc
regkey_hkcu
Placa mother
regkey_hklm
Tarjeta de video

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

Executes dropped EXE 2 IoCs

Processes:

winloader.exewinloader.exe

pid process

1156 winloader.exe
1308 winloader.exe

pid	process
1156	winloader.exe
1308	winloader.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe Restart"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe"	explorer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1296-56-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/1296-60-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/1296-61-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/1296-62-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/1296-64-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1296-73-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1104-78-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1104-81-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1296-86-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1040-92-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1296-91-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/1040-93-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1040-100-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

explorer.exe

pid process

1040 explorer.exe
1040 explorer.exe

pid	process
1040	explorer.exe
1040	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tarjeta de video = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Placa mother = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	pid	process	target process
PID 1560 set thread context of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

pid process

1296 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1040 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1040 explorer.exe
Token: SeDebugPrivilege 1040 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exeexplorer.exe

pid process

1296 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
1040 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

1040 explorer.exe

pid	process
1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

pid	process
1040	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1040	explorer.exe
Token: SeDebugPrivilege	1040	explorer.exe

pid	process
1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
1040	explorer.exe

pid	process
1040	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exef8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	pid	process	target process
PID 1560 wrote to memory of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1560 wrote to memory of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1560 wrote to memory of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1560 wrote to memory of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1560 wrote to memory of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1560 wrote to memory of 1296	1560	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 1296 wrote to memory of 1404	1296	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
"C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1104

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1040

C:\Win32\winloader.exe
"C:\Win32\winloader.exe"
5⤵
- Executes dropped EXE
PID:1156

C:\Win32\winloader.exe
C:\Win32\winloader.exe
6⤵
- Executes dropped EXE
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
0d636aa26187398d0858250cc1c4c4fa

SHA1
b2ccf76344d2d9ad769898e66fa45616466f6527

SHA256
b087ceee417c34a825f52c98bba9b3a5eaa828ed5f5074e3750f6b7e76ab106d

SHA512
237cc3d0514b75e79b894ccbd24cdfa170850203b9dfe8cb79fc194c797c5fc2db138380e65e44a5a026f849137ec612832b208e8c3ba4db63807d5daa6a6010

Download Submit
C:\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
C:\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
C:\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
memory/1040-100-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1040-93-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1040-92-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1040-83-0x0000000000000000-mapping.dmp

Download
memory/1104-78-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1104-81-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1104-72-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1104-70-0x0000000000000000-mapping.dmp

Download
memory/1156-96-0x0000000000000000-mapping.dmp

Download
memory/1296-91-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1296-86-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1296-64-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1296-73-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1296-62-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1296-61-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1296-54-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1296-60-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1296-59-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1296-56-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1296-57-0x00000000004B3F40-mapping.dmp

Download
memory/1404-67-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads