Malware Analysis Report

2025-03-15 03:52

Sample ID 230806-g8zfdsgc25
Target u9.exe
SHA256 7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a
Tags
fatalrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a

Threat Level: Known bad

The file u9.exe was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer persistence rat

FatalRat

Fatal Rat payload

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-06 06:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-06 06:29

Reported

2023-08-06 06:31

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\u9.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2600 set thread context of 2864 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A (this row is repeated 51 times in the report)
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe (repeated 9 times)
PID 2600 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Admin\Documents\robot\elf.exe (repeated 4 times)
PID 2600 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Windows\SysWOW64\cmd.exe (repeated 4 times)
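The SetThreadContext and WriteProcessMemory tables above describe one event: u9.exe (PID 2600) writes into spolsvt.exe (PID 2864) nine times and then redirects one of its threads, which is the footprint process hollowing leaves in this kind of telemetry. The writes into elf.exe and cmd.exe have no matching thread-context change, and both of those children are started with an ordinary command line (see Processes), so they are not hollowing targets. Consistent with that, it is spolsvt.exe, not u9.exe, that goes on to enumerate processes and take SeDebugPrivilege, so the payload is running inside the hollowed process. The following is an added example, not part of the report or of any sandbox's own code: it parses rows in this report's format and flags only (writer, target) pairs that show both a write and a thread-context change. The sample rows are the behavioral1 rows reproduced with their repeat counts. The report groups rows by signature rather than by time, so call order is not recoverable from it; the rule deliberately does not depend on order. The min_writes threshold is an assumption.

```python
import re
from collections import defaultdict

# Row shape shared by the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
#   PID <src> set thread context of <dst> N/A <src image> <dst image>
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

U9 = r"C:\Users\Admin\AppData\Local\Temp\u9.exe"
SPOLSVT = r"C:\Users\Public\Documents\t\spolsvt.exe"
ELF = r"C:\Users\Admin\Documents\robot\elf.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def _row(verb, src, dst, src_image, dst_image):
    return f"PID {src} {verb} {dst} N/A {src_image} {dst_image}"


# Constructed input: the behavioral1 rows of this report, with their repeat
# counts (1 context change and 9 writes into spolsvt.exe, 4 writes each into
# elf.exe and cmd.exe). The header line shows that non-row lines are skipped.
SAMPLE_ROWS = "\n".join(
    ["Description Indicator Process Target",
     _row("set thread context of", 2600, 2864, U9, SPOLSVT)]
    + [_row("wrote to memory of", 2600, 2864, U9, SPOLSVT)] * 9
    + [_row("wrote to memory of", 2600, 1428, U9, ELF)] * 4
    + [_row("wrote to memory of", 2600, 1692, U9, CMD)] * 4
)


def parse_rows(text):
    """Turn signature rows into event dicts; lines that are not rows are ignored."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def correlate(events):
    """Count writes and thread-context changes per (writer PID, target PID)."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0})
    for e in events:
        p = pairs[(e["src"], e["dst"])]
        p["src_image"], p["dst_image"] = e["src_image"], e["dst_image"]
        if e["verb"].startswith("wrote"):
            p["writes"] += 1
        else:
            p["ctx"] += 1
    return dict(pairs)


def hollowing_candidates(events, min_writes=1):
    """Flag a pair only when the writer both wrote into the target and redirected
    one of its threads. Writes alone (elf.exe and cmd.exe here) are not flagged;
    min_writes is a tunable assumption, not a threshold the report uses."""
    hits = []
    for (src, dst), p in sorted(correlate(events).items()):
        if p["writes"] >= min_writes and p["ctx"] >= 1:
            hits.append({"src": src, "dst": dst, "writes": p["writes"],
                         "src_image": p["src_image"], "dst_image": p["dst_image"]})
    return hits


if __name__ == "__main__":
    for h in hollowing_candidates(parse_rows(SAMPLE_ROWS)):
        print(f"hollowing candidate: {h['src_image']} ({h['src']}) -> "
              f"{h['dst_image']} ({h['dst']}), {h['writes']} write(s)")
```

The same correlation applies unchanged to EDR process-access telemetry, where the two verbs arrive as separate events with timestamps and the order check can be added. For this sample the region to carve for the injected image is the target's own memory, which the report lists for behavioral2 as the memory/4752-... dumps at 0x400000.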

Processes

C:\Users\Admin\AppData\Local\Temp\u9.exe

"C:\Users\Admin\AppData\Local\Temp\u9.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
N/A 127.0.0.1:57960 tcp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.38:80 xfer.10jqka.com.cn tcp
CN 175.6.25.17:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp

Files

memory/2600-54-0x0000000000400000-0x000000000087A000-memory.dmp

memory/2600-55-0x0000000075AD0000-0x0000000075B17000-memory.dmp

memory/2600-865-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-866-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-868-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-870-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-872-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-874-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-876-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-878-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-880-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-882-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-884-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-886-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-888-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-890-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-892-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-894-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-896-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-898-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-900-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-902-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-904-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-906-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-908-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-910-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-912-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-914-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-916-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-918-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-920-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-922-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-924-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-926-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-2601-0x0000000002230000-0x0000000002330000-memory.dmp

memory/2600-2602-0x0000000002370000-0x00000000024F1000-memory.dmp

memory/2600-4390-0x0000000002230000-0x0000000002330000-memory.dmp

memory/2600-8742-0x0000000002620000-0x0000000002731000-memory.dmp

memory/2600-8743-0x0000000002740000-0x0000000002841000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

\Users\Admin\AppData\Local\Temp\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

C:\Users\Admin\Documents\robot\switch.json

MD5 362b8707494a5c175ec27ee577aaa133
SHA1 ec913a4fe073a776b33518af87e21669adb8bbe6
SHA256 c8412f15d564f5f6b972f0146db1797119414c7c363b697610ee360a34b4f8bd
SHA512 00c78d4d74c8225bcd214d8b005a4d5abde1b353fc8bf18b520c4fcc9603a8671a5d4fa0e98a1c54dd9c20f247cb3d22eb9b479fed9b84d6c41f7a6e0144bb49

C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

memory/2600-8857-0x0000000000400000-0x000000000087A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-06 06:29

Reported

2023-08-06 06:31

Platform

win10-20230703-en

Max time kernel

124s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\u9.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" C:\Users\Admin\Documents\robot\elf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4692 set thread context of 4752 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A (this row is repeated 62 times in the report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe (repeated 8 times)
PID 4692 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Admin\Documents\robot\elf.exe (repeated 3 times)
PID 4692 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Windows\SysWOW64\cmd.exe (repeated 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\u9.exe

"C:\Users\Admin\AppData\Local\Temp\u9.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.37:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 37.25.6.175.in-addr.arpa udp
N/A 127.0.0.1:62194 tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 161.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
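The Network tables of behavioral1 and behavioral2 mix four kinds of rows: forward lookups sent to the sandbox's resolver (8.8.8.8:53), reverse lookups (in-addr.arpa names), one loopback connection, and the actual outbound connections. Only the last kind yields blockable indicators: the resolver belongs to the sandbox, and reverse lookups of addresses the sample never connected to are treated here as analysis-VM background traffic (a working assumption; the report does not say who issued them). The following is an added example, not part of the report: it parses this table, separates the four categories, turns the PTR names back into addresses so they can be compared with the contacted list, and flags the single connection on a non-web port, jf.wccabc.com at 43.249.29.99:3927. Given the FatalRat verdict that is the connection an analyst would treat as the C2 candidate; the two HTTP/HTTPS downloads are the ones to examine for the dropped files. The resolver set and the web-port set are assumptions. The behavioral1 table has the same shape and would additionally yield 175.6.25.38 and 175.6.25.17 for xfer.10jqka.com.cn.

```python
from collections import OrderedDict

# Constructed input: the behavioral2 Network table of this report, verbatim.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.37:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 37.25.6.175.in-addr.arpa udp
N/A 127.0.0.1:62194 tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 161.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8"}   # the sandbox's resolver (assumption: not an IOC)
WEB_PORTS = {80, 443}     # anything else is flagged as a non-web port


def parse_network(text):
    """Parse the table; the loopback row carries no Domain column."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """'99.29.249.43.in-addr.arpa' -> '43.249.29.99' (PTR names reverse the octets)."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(rows):
    """Split rows into outbound contacts, forward lookups, reverse lookups, loopback."""
    out = {"contacts": [], "lookups": [], "reverse": [], "loopback": []}
    for r in rows:
        if r["ip"].startswith("127."):
            out["loopback"].append(r)
        elif r["ip"] in RESOLVERS and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target:
                out["reverse"].append(target)
            else:
                out["lookups"].append(r["domain"])
        else:
            out["contacts"].append(dict(r, nonweb_port=r["port"] not in WEB_PORTS))
    # Reverse lookups of addresses the sample never connected to are treated as
    # analysis-VM background traffic (working assumption) and listed separately.
    contacted = {c["ip"] for c in out["contacts"]}
    out["reverse_uncontacted"] = [ip for ip in out["reverse"] if ip not in contacted]
    return out


def iocs(rows):
    """Deduplicated (domain, ip, port) tuples in first-seen order, for a blocklist."""
    seen = OrderedDict()
    for c in triage(rows)["contacts"]:
        seen[(c["domain"], c["ip"], c["port"])] = True
    return list(seen)


if __name__ == "__main__":
    t = triage(parse_network(NETWORK_TABLE))
    for c in t["contacts"]:
        flag = "  <-- non-web port" if c["nonweb_port"] else ""
        print(f"{c['domain']} {c['ip']}:{c['port']}/{c['proto']} [{c['country']}]{flag}")
    print("background reverse lookups:", ", ".join(t["reverse_uncontacted"]))
```

Domain-to-address pairs come from the tcp rows, not from the udp lookup rows, so the blocklist carries both the name and the address that the name resolved to during detonation; the address may differ on a later resolution, which is why the domain is kept alongside it.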

Files

memory/4692-122-0x0000000000400000-0x000000000087A000-memory.dmp

memory/4692-123-0x0000000075200000-0x00000000753C2000-memory.dmp

memory/4692-3851-0x0000000002A70000-0x0000000002C3D000-memory.dmp

memory/4692-3852-0x00000000028D0000-0x0000000002A66000-memory.dmp

memory/4692-3853-0x0000000075F60000-0x000000007609C000-memory.dmp

memory/4692-5642-0x0000000075690000-0x0000000075707000-memory.dmp

memory/4692-11440-0x0000000002A70000-0x0000000002C3D000-memory.dmp

memory/4692-12508-0x00000000028D0000-0x0000000002A66000-memory.dmp

memory/4692-12509-0x00000000026D0000-0x00000000027AA000-memory.dmp

memory/4692-12510-0x0000000002D90000-0x0000000002ED3000-memory.dmp

memory/4752-12513-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4752-12514-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4752-12515-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/4752-12519-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4752-12520-0x0000000010000000-0x000000001002A000-memory.dmp

\Users\Admin\AppData\Local\Temp\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

C:\Users\Admin\Documents\robot\skin\Robot\icon_wnd.xml

MD5 f74ff1f559d4f5a7af7b09b00d17a3f7
SHA1 7ae57ae206977eb874cf1037e7dedb37cb464e4b
SHA256 1ebba2b9a0d222642016121ca19ee5cd6d1b32f40b43bd57aed165dc8dcdf781
SHA512 fc26f6af3c8e0d642a91e31e5060db94d7ed2cce33619a4d8e9b78c68b95b397db15863165ce536fbc364f2e361772ffb86be61e3d9a921011f167ca9c9d9c51

C:\Users\Admin\Documents\robot\skin\Robot\push_wnd.xml

MD5 ee58358ad4380ad0da672cdb49247454
SHA1 e99376e5eaa92538221789ff8f25768d83f0cf1e
SHA256 633b462f98038aa0f9ab302d3cd0def8352fde79990af747b3c97b49ebab2103
SHA512 eded6474a11deb02292682e3354b2d7d17ac898348f533fc13a74451fb5a312ec25a0de69bd40d2b9a4159e2284834277b47072b2e8990780f6783519b0dfda3

C:\Users\Admin\Documents\robot\skin\Robot\Robot.xml

MD5 2fdb0ba1aa4f2088d10468757490b3fc
SHA1 3757f286d6fa2585747bf6135eb8c927bc3145b8
SHA256 6f1d5abe5173cab5a5d5553d6ebf4c78f0b0d587337c8c942c170acf24d9f02a
SHA512 aba55dd158a645d76c05c5b4e226547b42619f123de30050963cced626b914dce7c79574eca4f222b6eaae3a0acfd737818a423fc4bdf1402a31979f859fdaaa

C:\Users\Admin\Documents\robot\switch.json

MD5 2084f8639c21c2b3a325173000175f41
SHA1 59e3b758d3557d5e005ce1be3e9bd60691925085
SHA256 a95d5440caac07a22200206fac2e7c79eb2873684f685fe8200bda7875ce6ac9
SHA512 3c9df2fc83e360f1a37577f6bc1a3ee2f2f17cb8ffdd378b097fc35f5eff843f20c22f743cb0448b8afeacc7f545005ffc09b5220f54934b92dcb36e2dd0ba5d

memory/4692-12585-0x0000000000400000-0x000000000087A000-memory.dmp

memory/4692-12594-0x00000000026D0000-0x00000000027AA000-memory.dmp

memory/4692-12599-0x0000000002D90000-0x0000000002ED3000-memory.dmp

memory/4692-12602-0x0000000000400000-0x000000000087A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-06 06:29

Reported

2023-08-06 06:31

Platform

win10v2004-20230703-en

Max time kernel

137s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\u9.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" C:\Users\Admin\Documents\robot\elf.exe N/A
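This row and the matching one in behavioral2 are the persistence mechanism: a per-user Run value named hxrobot whose data is the dropped elf.exe, written by elf.exe itself; u9.exe has already deleted itself via cmd.exe by then, so elf.exe is what survives a reboot. The key is shown in the kernel's \REGISTRY\USER\<SID> form (the same key as HKCU for the logged-on user) and the data is shown with escaped, doubled backslashes, so the row has to be normalised before it can be turned into a hunt query. The following is an added example, not part of the report: it parses rows of this shape into hive, SID, subkey, value name and data, unescapes the data, and applies a heuristic that flags autorun entries whose image lives under C:\Users. That heuristic, the autorun subkey list and the image-path extraction are assumptions, not rules from the report. The third sample row, an HKLM entry pointing into Program Files, is constructed as a benign control and does not appear in the report.

```python
import re

# Row shape of the report's "Adds Run key to start application" table:
#   Set value (<type>) \REGISTRY\<root>\...\<value name> = "<escaped data>" <process> <target>
RUN_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)

# Constructed input: the behavioral2 and behavioral3 rows from this report, plus a
# constructed HKLM row (not in the report) as a benign control.
SAMPLE_ROWS = r'''
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" C:\Users\Admin\Documents\robot\elf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" C:\Users\Admin\Documents\robot\elf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" C:\Windows\System32\msiexec.exe N/A
'''

# Autorun locations this example knows about (assumption; extend for Winlogon, services, etc.)
AUTORUN_SUBKEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}


def normalize_key(key):
    r"""'\REGISTRY\USER\<SID>\Software\...' -> ('HKU', '<SID>', 'Software\...');
    '\REGISTRY\MACHINE\SOFTWARE\...' -> ('HKLM', None, 'SOFTWARE\...')."""
    parts = key.split("\\")              # ['', 'REGISTRY', root, ...]
    root = parts[2].upper()
    if root == "USER":
        return "HKU", parts[3], "\\".join(parts[4:])
    if root == "MACHINE":
        return "HKLM", None, "\\".join(parts[3:])
    return root, None, "\\".join(parts[3:])


def image_path(data):
    """Image part of a Run value's command line: the quoted path if quoted, else up
    to the first '.exe' (unquoted paths with spaces), else the first token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", data)
    return m.group(1) if m else data.split(" ", 1)[0]


def parse_run_rows(text):
    entries = []
    for line in text.splitlines():
        m = RUN_ROW.match(line.strip())
        if not m:
            continue
        hive, sid, subkey = normalize_key(m["key"])
        entries.append({
            "hive": hive, "sid": sid, "subkey": subkey, "name": m["name"],
            "type": m["type"], "process": m["process"],
            # the report shows the data with escaped backslashes; collapse "\\" to "\"
            "data": m["data"].replace("\\\\", "\\"),
        })
    return entries


def is_autorun(entry):
    return entry["subkey"].lower() in AUTORUN_SUBKEYS


def suspicious(entry):
    """Heuristic (an assumption, not a rule from the report): an autorun whose image
    lives in a user profile rather than under Program Files or Windows."""
    return is_autorun(entry) and image_path(entry["data"]).lower().startswith("c:\\users\\")


def hunt_tuple(entry):
    """(hive-qualified key, value name, image) for a registry sweep over loaded hives."""
    key = entry["hive"] + ("\\" + entry["sid"] if entry["sid"] else "") + "\\" + entry["subkey"]
    return key, entry["name"], image_path(entry["data"])


if __name__ == "__main__":
    for e in parse_run_rows(SAMPLE_ROWS):
        key, name, image = hunt_tuple(e)
        print(("SUSPICIOUS " if suspicious(e) else "ok         ") + f"{key}\\{name} -> {image}")
```

When sweeping a fleet, query every loaded user hive under HKU rather than only HKCU of the account running the query, since the value is per-user and the SID differs from host to host (compare the two SIDs in the report); match on the value name hxrobot and on an image under a Documents\robot directory rather than on the SID.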

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A (this row is repeated 62 times in the report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2080 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Admin\Documents\robot\elf.exe
PID 2080 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Admin\Documents\robot\elf.exe
PID 2080 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Users\Admin\Documents\robot\elf.exe
PID 2080 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\u9.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\u9.exe

"C:\Users\Admin\AppData\Local\Temp\u9.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.137.241.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.15:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 15.25.6.175.in-addr.arpa udp
N/A 127.0.0.1:64914 tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 161.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

memory/2080-133-0x0000000000400000-0x000000000087A000-memory.dmp

memory/2080-134-0x0000000076E60000-0x0000000077075000-memory.dmp

memory/2080-4008-0x0000000077160000-0x0000000077300000-memory.dmp

memory/2080-6017-0x00000000774F0000-0x000000007756A000-memory.dmp

memory/3720-13204-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3720-13205-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3720-13206-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/3720-13210-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3720-13213-0x0000000010000000-0x000000001002A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

memory/2080-13265-0x0000000000400000-0x000000000087A000-memory.dmp

C:\Users\Admin\Documents\robot\skin\Robot\icon_wnd.xml

MD5 f74ff1f559d4f5a7af7b09b00d17a3f7
SHA1 7ae57ae206977eb874cf1037e7dedb37cb464e4b
SHA256 1ebba2b9a0d222642016121ca19ee5cd6d1b32f40b43bd57aed165dc8dcdf781
SHA512 fc26f6af3c8e0d642a91e31e5060db94d7ed2cce33619a4d8e9b78c68b95b397db15863165ce536fbc364f2e361772ffb86be61e3d9a921011f167ca9c9d9c51

C:\Users\Admin\Documents\robot\skin\Robot\push_wnd.xml

MD5 ee58358ad4380ad0da672cdb49247454
SHA1 e99376e5eaa92538221789ff8f25768d83f0cf1e
SHA256 633b462f98038aa0f9ab302d3cd0def8352fde79990af747b3c97b49ebab2103
SHA512 eded6474a11deb02292682e3354b2d7d17ac898348f533fc13a74451fb5a312ec25a0de69bd40d2b9a4159e2284834277b47072b2e8990780f6783519b0dfda3

C:\Users\Admin\Documents\robot\skin\Robot\Robot.xml

MD5 2fdb0ba1aa4f2088d10468757490b3fc
SHA1 3757f286d6fa2585747bf6135eb8c927bc3145b8
SHA256 6f1d5abe5173cab5a5d5553d6ebf4c78f0b0d587337c8c942c170acf24d9f02a
SHA512 aba55dd158a645d76c05c5b4e226547b42619f123de30050963cced626b914dce7c79574eca4f222b6eaae3a0acfd737818a423fc4bdf1402a31979f859fdaaa

C:\Users\Admin\Documents\robot\switch.json

MD5 08fb3a0f403c967af37d1db1a3764fa8
SHA1 7cbe156d55ecb43a0956fca7d21a28e6526caeee
SHA256 5e0bc36efc862716939431367cf2a370348c97b0ab5c87b177d665dd80f2ef52
SHA512 49211ee927761cdd1c800802d277d183c8b8a36e9c2d44e28ed64a55e78e20732a343553aa5df81d7bd919d5da6e87a93c2ff90eaf192621410aa19d9eb38a4f

memory/2080-13290-0x0000000000400000-0x000000000087A000-memory.dmp