Analysis

  • max time kernel
    60s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2023, 17:48 UTC

General

  • Target

    Hades v1.0-v1.38 Plus 15 Trainer x64.exe

  • Size

    1.4MB

  • MD5

    d6af8282fe43619a2854dcbb062e5fc5

  • SHA1

    fa2f9972ef8fd64cdbce1764f5846aed1e644973

  • SHA256

    41ce8c8837bc90a3097417346b5e96616a73b34cd00b1d79d90cb9bdeb29c83f

  • SHA512

    db84040f8ee47bc14b00b1690471a1445e09633252894a31116e24b5061450dee687b47e164bdd58f019edaa2b8e233017829b5260d2e0ce7724910f63ba8734

  • SSDEEP

    24576:N9/QSW61N8Lqpgz7R0Ahn5nRQfbJ7MiYPDS/:OeyepURPh5nRQfV7

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Hades v1.0-v1.38 Plus 15 Trainer x64.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2736

Network

  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.3.197.209.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.3.197.209.in-addr.arpa
    IN PTR
    Response
    8.3.197.209.in-addr.arpa
    IN PTR
    vip0x008.map2.ssl.hwcdn.net
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    108.211.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.211.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    flingtrainer.com
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    Remote address:
    8.8.8.8:53
    Request
    flingtrainer.com
    IN A
    Response
    flingtrainer.com
    IN A
    188.114.96.0
    flingtrainer.com
    IN A
    188.114.97.0
  • flag-us
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    Remote address:
    188.114.96.0:443
    Request
    GET /wp-content/check-for-trainer-update/hades-trainer HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Oct 2023 17:49:15 GMT
    Content-Length: 11
    Connection: keep-alive
    last-modified: Fri, 03 Sep 2021 00:43:16 GMT
    etag: "b-5cb0c95c03100"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0EhycDwo0%2FpTJ1Dum5O0wy%2FABAFL0rI2cAxDofODTYIsPI7Uw0naHGgivOZI0ejHR5LbOycofPpTKKXA%2FhamVBr8kfvD3jn7OTFkL6HoeoJWycPUU9hsosOihFsl9olaQ319"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81829deb6b2866b4-AMS
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    x2.c.lencr.org
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    23.42.174.147
  • flag-hk
    GET
    http://x2.c.lencr.org/
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    Remote address:
    23.42.174.147:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT
    ETag: "64cd6654-12c"
    Cache-Control: max-age=3600
    Expires: Wed, 18 Oct 2023 18:49:15 GMT
    Date: Wed, 18 Oct 2023 17:49:15 GMT
    Content-Length: 300
    Connection: keep-alive
  • flag-us
    DNS
    0.96.114.188.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.96.114.188.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    147.174.42.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.174.42.23.in-addr.arpa
    IN PTR
    Response
    147.174.42.23.in-addr.arpa
    IN PTR
    a23-42-174-147.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    113.208.253.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.208.253.8.in-addr.arpa
    IN PTR
    Response
  • 188.114.96.0:443
    https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer
    tls, http
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    962 B
    6.2kB
    12
    9

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer

    HTTP Response

    200
  • 23.42.174.147:80
    http://x2.c.lencr.org/
    http
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    345 B
    721 B
    5
    3

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    8.3.197.209.in-addr.arpa
    dns
    70 B
    111 B
    1
    1

    DNS Request

    8.3.197.209.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    flingtrainer.com
    dns
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    62 B
    94 B
    1
    1

    DNS Request

    flingtrainer.com

    DNS Response

    188.114.96.0
    188.114.97.0

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    Hades v1.0-v1.38 Plus 15 Trainer x64.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    23.42.174.147

  • 8.8.8.8:53
    0.96.114.188.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    0.96.114.188.in-addr.arpa

  • 8.8.8.8:53
    147.174.42.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    147.174.42.23.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    113.208.253.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    113.208.253.8.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • memory/2736-0-0x0000022DE4370000-0x0000022DE43A2000-memory.dmp

    Filesize

    200KB

  • memory/2736-1-0x00007FF9C76B0000-0x00007FF9C8171000-memory.dmp

    Filesize

    10.8MB

  • memory/2736-2-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-3-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-4-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-5-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-6-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-16-0x00007FF9C76B0000-0x00007FF9C8171000-memory.dmp

    Filesize

    10.8MB

  • memory/2736-17-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-18-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-19-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-20-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-21-0x0000022DFCD30000-0x0000022DFCD40000-memory.dmp

    Filesize

    64KB

  • memory/2736-25-0x00007FF9C76B0000-0x00007FF9C8171000-memory.dmp

    Filesize

    10.8MB
