quasar | b8e6b01b8e7598bd8b01bedfe1232eb936a12f852a90a3a545bc2af7e4667c43

Analysis

max time kernel
283s
max time network
286s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-12-2022 01:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

FINAL.exe
Size

13.2MB
MD5

8c9180cfa2862e68b9beaf9b9e14a1c2
SHA1

09011f6b0b5d48e9bb61e65f10872fe4b344f66a
SHA256

b8e6b01b8e7598bd8b01bedfe1232eb936a12f852a90a3a545bc2af7e4667c43
SHA512

4657b171e3594370a8c9086bd2436b5ec7deaba73975856baafce4391582c6ce45d0820922706e0de3346bb85ffe8854fe419baa88a6cca83b94d67214bdf6c3
SSDEEP

196608:7+ww4z5xjkyIte8YHX0QoLPT7M18ZKhib/sV83V+Uj3iI9NeTA4cxXD4JF:7+x4FSyI88Ekprw1/f8R3roTAY

Score

10^/10

quasar revengerat windowsfirewall spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

windowsfirewall

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

hMAbT9pppBWPnLDPSK

Attributes

encryption_key
iZ94RsK8uKM1BvRnYlBk
install_name
wfmsc.exe
log_directory
Logs
reconnect_delay
1
startup_key
windowsdefender
subdirectory
windowsfirewall

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-80-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1680-81-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1680-84-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1680-85-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/1680-87-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1680-89-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Executes dropped EXE 2 IoCs

Processes:

Blank Grabber.exeBlank Grabber.exe

pid process

1740 Blank Grabber.exe
548 Blank Grabber.exe
Drops startup file 1 IoCs

Processes:

FINAL.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe FINAL.exe
Loads dropped DLL 3 IoCs

Processes:

FINAL.exeBlank Grabber.exe

pid process

2004 FINAL.exe
548 Blank Grabber.exe
1284
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

FINAL.exe

description pid process target process

PID 2004 set thread context of 1680 2004 FINAL.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1740	Blank Grabber.exe
548	Blank Grabber.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe	FINAL.exe

pid	process
2004	FINAL.exe
548	Blank Grabber.exe
1284

flow	ioc
6	ip-api.com

description	pid	process	target process
PID 2004 set thread context of 1680	2004	FINAL.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe

pid	process
1292	schtasks.exe

Modifies registry class 2 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

FINAL.exe

pid process

2004 FINAL.exe
2004 FINAL.exe

pid	process
2004	FINAL.exe
2004	FINAL.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

FINAL.exeMSBuild.exefirefox.exeshutdown.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2004	FINAL.exe
Token: SeDebugPrivilege	1680	MSBuild.exe
Token: SeDebugPrivilege	2004	firefox.exe
Token: SeDebugPrivilege	2004	firefox.exe
Token: SeShutdownPrivilege	2880	shutdown.exe
Token: SeRemoteShutdownPrivilege	2880	shutdown.exe
Token: 33	3004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3004	AUDIODG.EXE
Token: 33	3004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3004	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

DllHost.exefirefox.exe

pid	process
1704	DllHost.exe
1704	DllHost.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

firefox.exe

pid process

2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
2004 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1796 AcroRd32.exe
1796 AcroRd32.exe
1796 AcroRd32.exe

pid	process
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe
2004	firefox.exe

pid	process
1796	AcroRd32.exe
1796	AcroRd32.exe
1796	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FINAL.exeBlank Grabber.exeMSBuild.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2004 wrote to memory of 1740	2004	FINAL.exe	Blank Grabber.exe
PID 2004 wrote to memory of 1740	2004	FINAL.exe	Blank Grabber.exe
PID 2004 wrote to memory of 1740	2004	FINAL.exe	Blank Grabber.exe
PID 2004 wrote to memory of 1740	2004	FINAL.exe	Blank Grabber.exe
PID 2004 wrote to memory of 1796	2004	FINAL.exe	AcroRd32.exe
PID 2004 wrote to memory of 1796	2004	FINAL.exe	AcroRd32.exe
PID 2004 wrote to memory of 1796	2004	FINAL.exe	AcroRd32.exe
PID 2004 wrote to memory of 1796	2004	FINAL.exe	AcroRd32.exe
PID 1740 wrote to memory of 548	1740	Blank Grabber.exe	Blank Grabber.exe
PID 1740 wrote to memory of 548	1740	Blank Grabber.exe	Blank Grabber.exe
PID 1740 wrote to memory of 548	1740	Blank Grabber.exe	Blank Grabber.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 2004 wrote to memory of 1680	2004	FINAL.exe	MSBuild.exe
PID 1680 wrote to memory of 1292	1680	MSBuild.exe	schtasks.exe
PID 1680 wrote to memory of 1292	1680	MSBuild.exe	schtasks.exe
PID 1680 wrote to memory of 1292	1680	MSBuild.exe	schtasks.exe
PID 1680 wrote to memory of 1292	1680	MSBuild.exe	schtasks.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 680	1528	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1592 wrote to memory of 2004	1592	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 1772 wrote to memory of 1236	1772	firefox.exe	firefox.exe
PID 2004 wrote to memory of 1728	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 1728	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 1728	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe
PID 2004 wrote to memory of 284	2004	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\FINAL.exe
"C:\Users\Admin\AppData\Local\Temp\FINAL.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\CPN BIBLE.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "windowsdefender" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1704

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1512

C:\Windows\system32\net.exe
net user
2⤵
PID:2676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:2688

C:\Windows\system32\net.exe
net user Admin Winter$123445
2⤵
PID:2736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin Winter$123445
3⤵
PID:2748

C:\Windows\system32\net.exe
net user Administrator Winter$12345
2⤵
PID:2800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Administrator Winter$12345
3⤵
PID:2812

C:\Windows\system32\shutdown.exe
shutdown /r /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2004.0.1678663413\792799942" -parentBuildID 20200403170909 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2004 "\\.\pipe\gecko-crash-server-pipe.2004" 1256 gpu
3⤵
PID:1728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2004.3.687810588\880232974" -childID 1 -isForBrowser -prefsHandle 1652 -prefMapHandle 1648 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2004 "\\.\pipe\gecko-crash-server-pipe.2004" 1800 tab
3⤵
PID:284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2004.13.1122570857\679799414" -childID 2 -isForBrowser -prefsHandle 2608 -prefMapHandle 2460 -prefsLen 6938 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2004 "\\.\pipe\gecko-crash-server-pipe.2004" 2624 tab
3⤵
PID:2228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:1236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_github.com..Blank_c17402\python311.dll
Filesize
1.6MB

MD5
8534c15a4eb10120c60c9233d2693dec

SHA1
126a52080ecaec660bfd56f8e3c76fb0f8b664c8

SHA256
fd6e6c75180af0d08c9e78831229468c7047003dd995303004f66891fccec392

SHA512
1064b385a5d5f7e8061913321bca64865ed5569b4629b6a2728852ade84857f6f370d823b86542fa5943d1548ec55e65029eba7a94285a6d3c00d106c0e868a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
C:\Users\Admin\Desktop\CPN BIBLE.pdf
Filesize
437KB

MD5
072bde13a5776d6b4e9872f7abce20c2

SHA1
257fe039b6eaa22b094269833cd96e9c38179046

SHA256
a2661e745c48a2ad8d6ad29490dfbf08f34a6fe00ae878325f5a1fdc1195c4ed

SHA512
cfca93a53717ffb5b9d918893f6b143b5d22c9cd4a56150649788f00b9d0d1849606034644c06bdf84700ad064292afeba56a1e7eaab76b6fe061ef678359a54

Download Submit
C:\Users\Admin\Desktop\Federal Reserve.jpg
Filesize
48KB

MD5
8b515a483fb8addfa245c4eef208719e

SHA1
c2d4a921ff4b9717a13780e84b6f24cce7c98274

SHA256
6daa510f4f587955e07a728dd75fb63d591fae136686dc73381fc62d54771096

SHA512
0b7f4c97835a1db3017937b6224f9e38ab0a938de77b26d723a16662fa8d455376a03ce52ded91ed9b106f27c481074d2e1c5b30271fdcc23b3f0b152c7183dd

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_github.com..Blank_c17402\python311.dll
Filesize
1.6MB

MD5
8534c15a4eb10120c60c9233d2693dec

SHA1
126a52080ecaec660bfd56f8e3c76fb0f8b664c8

SHA256
fd6e6c75180af0d08c9e78831229468c7047003dd995303004f66891fccec392

SHA512
1064b385a5d5f7e8061913321bca64865ed5569b4629b6a2728852ade84857f6f370d823b86542fa5943d1548ec55e65029eba7a94285a6d3c00d106c0e868a0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
memory/548-70-0x000007FEF6420000-0x000007FEF6A07000-memory.dmp

Filesize
5.9MB

Download
memory/548-64-0x0000000000000000-mapping.dmp

Download
memory/1292-91-0x0000000000000000-mapping.dmp

Download
memory/1680-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1680-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1680-87-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1680-85-0x000000000044943E-mapping.dmp

Download
memory/1680-84-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1680-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1680-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1680-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1740-61-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1740-59-0x0000000000000000-mapping.dmp

Download
memory/1796-63-0x0000000000000000-mapping.dmp

Download
memory/1796-82-0x0000000002880000-0x00000000028F6000-memory.dmp

Filesize
472KB

Download
memory/2004-56-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/2004-74-0x0000000002C80000-0x0000000002C9A000-memory.dmp

Filesize
104KB

Download
memory/2004-54-0x0000000000B20000-0x000000000185C000-memory.dmp

Filesize
13.2MB

Download
memory/2004-57-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/2004-75-0x0000000002C60000-0x0000000002C66000-memory.dmp

Filesize
24KB

Download
memory/2004-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/2676-92-0x0000000000000000-mapping.dmp

Download
memory/2688-93-0x0000000000000000-mapping.dmp

Download
memory/2736-94-0x0000000000000000-mapping.dmp

Download
memory/2748-95-0x0000000000000000-mapping.dmp

Download
memory/2800-97-0x0000000000000000-mapping.dmp

Download
memory/2812-98-0x0000000000000000-mapping.dmp

Download
memory/2880-100-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads