njrat | f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3

Analysis

max time kernel
154s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
Size

852KB
MD5

9316bd73a66f56b9f4f64e34d0467e8d
SHA1

aeadf91b918546388e1a0995a29d09cf1ae766a7
SHA256

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3
SHA512

1eb2535f2c6bf4b71fcd0efa345b9b04b5d77f391762967243282cb4908de4b67a05d8101e07bbc26fe66997169aec3beb0e3133a94e9b65a2e95f8077c4fb7b
SSDEEP

12288:zK2mhAMJ/cPl+tIQYVc5LWAg6rY9geN8h7UZYE82Y5UKUL4n4y3Xp3SbSl8g:22O/Gl+TnJW1h67g6zwm4m53Sb28g

Score

10^/10

njrat billy evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BILLY

yorkiepet.ddns.net:770

Mutex

76a35d262af152d236ee0f24e2916b15

Attributes

reg_key
76a35d262af152d236ee0f24e2916b15
splitter
|'|'|

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msvoht.exemsvoht.exemsvoht.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msvoht.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msvoht.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msvoht.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 6 IoCs

Processes:

msvoht.exemsvoht.exesvchost.exemsvoht.exesvchost.exemsvoht.exe

pid process

1292 msvoht.exe
560 msvoht.exe
320 svchost.exe
1056 msvoht.exe
1604 svchost.exe
1928 msvoht.exe

Loads dropped DLL 9 IoCs

Processes:

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exeWScript.exeRegSvcs.exeWScript.exeRegSvcs.exeWScript.exe

pid	process
1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
1740	WScript.exe
696	RegSvcs.exe
748	WScript.exe
1348	RegSvcs.exe
1556	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msvoht.exemsvoht.exemsvoht.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	msvoht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs"	msvoht.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	msvoht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs"	msvoht.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	msvoht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs"	msvoht.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msvoht.exemsvoht.exemsvoht.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msvoht.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msvoht.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msvoht.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msvoht.exemsvoht.exemsvoht.exe

description	pid	process	target process
PID 1292 set thread context of 964	1292	msvoht.exe	RegSvcs.exe
PID 560 set thread context of 696	560	msvoht.exe	RegSvcs.exe
PID 1056 set thread context of 1348	1056	msvoht.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msvoht.exemsvoht.exemsvoht.exe

pid	process
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
1292	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
560	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe
1056	msvoht.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

msvoht.exemsvoht.exemsvoht.exe

description	pid	process
Token: SeDebugPrivilege	1292	msvoht.exe
Token: SeDebugPrivilege	1292	msvoht.exe
Token: SeDebugPrivilege	1292	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	560	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe
Token: SeDebugPrivilege	1056	msvoht.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exemsvoht.exeWScript.exemsvoht.exeRegSvcs.exeWScript.exemsvoht.exe

description	pid	process	target process
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1948 wrote to memory of 1292	1948	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 964	1292	msvoht.exe	RegSvcs.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1292 wrote to memory of 1740	1292	msvoht.exe	WScript.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 1740 wrote to memory of 560	1740	WScript.exe	msvoht.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 560 wrote to memory of 696	560	msvoht.exe	RegSvcs.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 696 wrote to memory of 320	696	RegSvcs.exe	svchost.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 560 wrote to memory of 748	560	msvoht.exe	WScript.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 748 wrote to memory of 1056	748	WScript.exe	msvoht.exe
PID 1056 wrote to memory of 1348	1056	msvoht.exe	RegSvcs.exe
PID 1056 wrote to memory of 1348	1056	msvoht.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
"C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Executes dropped EXE
PID:320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc
6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
7⤵
- Loads dropped DLL
PID:1348

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
8⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"
7⤵
- Loads dropped DLL
PID:1556

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc
8⤵
- Executes dropped EXE
PID:1928

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\8G8MD9~1\jshvp.UNT
Filesize
230B

MD5
35b3cf90cee61304ff309c20704eb422

SHA1
72b771a97d39fdab15a70bc24fa31e25eeb0ab56

SHA256
e0eb8480787194877b9d8c0dea59400af9c41a3d99c9909ede2076f5596b1808

SHA512
f73df96afc8a40e8dbb2759c4c012596486e37159f0cb6b866d49d179422e4446a5dd62ce30596cccb0a50b3c558d8f17c081907d42c7c55577a9478e5a94d05

Download Submit
C:\Users\Admin\8G8MD9~1\run.vbs
Filesize
85B

MD5
8de0d4e88d228dda91d024620c17a867

SHA1
d3a3bdbd922c17abd92d2a9bd3da09935689f884

SHA256
7c8ce594f9d4626c553f7caa972245fd9e6ccf4c380ca132c71c90ff647a9e7e

SHA512
034c0358bd509cd24410afac8e11b829eb1c3f6897452b63590b76fee9610c10aaeede2e60856eff58fa05d45ce4fed7f1e429e683f98d75dc9670be7ea0e589

Download Submit
C:\Users\Admin\8G8MD9~1\yyiuyaz.UKC
Filesize
23KB

MD5
cbbf6902528ee0709dad67d3838ac5bd

SHA1
6f5f3739da42afdd55265d44e6f224fea75db0ce

SHA256
13f22712b2458f01efc9351368e980bc073a072d825eedcb2f2aa43f9be4cc11

SHA512
da8faace526c59a1706a3ad6d402752f2909fe110fe52cfc58f75d19743e3c4def5303a520b582e6b7985768a69f93e8171dc5f90df473d4ee0aebe207414e7c

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\nzlmuc
Filesize
306.6MB

MD5
efccb25c461589f0fadb76d7decc4416

SHA1
72331e72388f985888efc98dad7cf05baca91762

SHA256
cfdb033efffb350639d73017b61dd28f58e3b96e89a384c84cde35b015eb42d0

SHA512
6edd3d53a27e00b22f4a98e368731e1c3a431762e5f52f2e839f0a9fa1e6c3edd86d7c8aa922ebedaf6ce707834bc55859f43805d751c713d99d58973f31a396

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
memory/320-94-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/320-89-0x0000000000000000-mapping.dmp

Download
memory/560-72-0x0000000000000000-mapping.dmp

Download
memory/696-85-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/696-75-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/696-87-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/696-83-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/696-81-0x000000000040748E-mapping.dmp

Download
memory/696-93-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/696-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/696-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/696-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/696-78-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/748-95-0x0000000000000000-mapping.dmp

Download
memory/964-66-0x000000000040748E-mapping.dmp

Download
memory/1056-98-0x0000000000000000-mapping.dmp

Download
memory/1292-59-0x0000000000000000-mapping.dmp

Download
memory/1348-111-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1348-113-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-109-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1348-117-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-107-0x000000000040748E-mapping.dmp

Download
memory/1556-121-0x0000000000000000-mapping.dmp

Download
memory/1604-115-0x0000000000000000-mapping.dmp

Download
memory/1604-120-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-67-0x0000000000000000-mapping.dmp

Download
memory/1928-124-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads