e6e3bfdae1ede46670d8a8975927897e8c5a285c07347b511afe8f3369b41277

Resubmissions

27/10/2023, 05:04

231027-fqdwascc9x 10

27/10/2023, 04:40

231027-fawq6scc3w 10

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27/10/2023, 05:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

vat.exe
Size

58.6MB
MD5

6f205fe126a6670fac073cdb71901c0a
SHA1

ad304e9ed1ffbebfbcfc68a6ee3f8b0f133bdf64
SHA256

e6e3bfdae1ede46670d8a8975927897e8c5a285c07347b511afe8f3369b41277
SHA512

f845434aeb01752081d239f2a64f374a2bd122016309fd1cbe212f8ccf8168df4e6e429f74cb63e246bd7f45c9e66b50f2eb6364c22c3c74b6ff8c46df73ccd6
SSDEEP

1572864:LWT1LPDVnpWxq3rYkctmFV1Ga6cbgghbqa9Kbu3bFYF8R0ROt11L9ax8ddBfM7Hv:6T1LP7mlguNLv

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe
1608	vat.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\9fcloq.exe	7zFM.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
732	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	732	7zFM.exe
Token: 35	732	7zFM.exe
Token: 33	2212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2212	AUDIODG.EXE
Token: 33	2212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2212	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
732	7zFM.exe

C:\Users\Admin\AppData\Local\Temp\vat.exe
"C:\Users\Admin\AppData\Local\Temp\vat.exe"
1⤵
- Loads dropped DLL
PID:1608

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\AT_Harvest_Files.dll

Filesize
13KB

MD5
470a0a84a7b9bbbce0ff0dfcbd102798

SHA1
7567c3c55dfcd9c039b7fb7d7f3c30840e9b85a7

SHA256
bef590b278fe2b88652ff3601ab1e057ed0e20ba772ba01763f0b1c644a23aff

SHA512
f86edcb0cc70604f77fe582c7d2a7f71105167ece6d6ef75a0cd0cb7f361dbc3d044e765347d8e98562f1c939ffad350cb04c72efe4cacd9a8c0bf4d9e182122

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.Console.dll

Filesize
134KB

MD5
703aeb587294144a77ebc3790acb04eb

SHA1
3dfdd1d6b168963e0d0b62728247b5f9ced36df7

SHA256
f924eb36009187d3fa311ecb770d778fb146e7d6e4c0605964f2e4d390a4d494

SHA512
a271a55facebf20b6532d98be02aa656d9e8fea5494bf6beaef4162f9a759aeb47de4b34509583c01a8b2fa6a9f66557a123d0fb26af38fe17e894acad3f5362

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.IO.FileSystem.dll

Filesize
189KB

MD5
c3f4320f0fa1d0d2e6e4086041367024

SHA1
580e22959b108f9f3f2b06872342cafb7cbfbf1f

SHA256
118c19a9638bcd981e9e90f42c9ef575399eea815fdb84d7dfd25cfa1b272385

SHA512
b389a57096fc53391ba09d0e15cdad6fc77cd80c0d1753b028251cb8c759ec6fec390df006230f438bf1c1a2bcfbc0b0a9fbf7ff459ed558e0a14fb1339ce024

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.Private.CoreLib.dll

Filesize
8.3MB

MD5
bf94809b9b73ba2565fe5e2d7e701ae8

SHA1
0f4c22034103cdfbdcfe2237d601f0606c3a0701

SHA256
585c9211b231bb991866e0913b54668cd1194a8de0726ce6577bacab53cc7dca

SHA512
6f93b6cc98eb25e9f7bbed8c99853bbda0a9cd5c06efe6ce60a646e70825861839e22e999d7adffcecf9f67574f59840fa3b1033af941e072ef7e400b56bf4ab

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.Runtime.Extensions.dll

Filesize
187KB

MD5
f67946955bb12447c9ed989674167c27

SHA1
6d03fb2032ddd295734a5becbbdcd94ad0b63ece

SHA256
3efc1a8e50642d17d3a69a26ddec611b36e67c9c70e0b672abff55998c635076

SHA512
0729e2dc2bd5aa1621a23be917c91a7e0394f4a985e1998e846fce6c7aaac0204f03f8e488db51adc148de3cd4cc178e5298a420b96206c79c74abf4d275f6e6

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.Runtime.dll

Filesize
50KB

MD5
29b3094c6356e82c08ebab54a960db46

SHA1
85941ec0ab3c28a389f4daf9141660ff9c5eba78

SHA256
06d579d85b76511986ff358db9df70a41eb1e19e647ced3f7811aee5666b349e

SHA512
25cb36a8174a703a18c90cd6eaebd82c61745ccafb3b55a5de1c4e337f2072656bef76621f91344d9a98d06d330eb39a40dfece2f302264c644c98c2b9ef801c

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.Text.Encoding.Extensions.dll

Filesize
13KB

MD5
b772ccf038172b80554f6bc0d2cced55

SHA1
9b81b031b3df90de97772d8a89db310d91da7fa0

SHA256
db24a80f033df89a4fe9536ed97f5f9730b3222259dcb391072a21b05994ca2e

SHA512
d8f6d1e77100bfdd048c5cd38b2b16ddcabe7e2457fe66d50819783836f6c85495478250473e90c5bcf0b592d1b5ad6ea58eede78ac87bb194384ced1f8211db

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\System.Threading.dll

Filesize
70KB

MD5
b16f9f8c31c1a557db8dbaca983a2046

SHA1
ba5948d4e582f98d607a48751277cb75c193613e

SHA256
18065413f7793d66eec596be89540fdbe7a6512aa05868f23758a18b51b7bd46

SHA512
2d0692409409e172e9703051db3ce9a7e020c5390a74a032af06a47f5c6be7a6312f2bb08322ad58c905dfd8ab5c96657fd07ddbfbaccb762dfd1b07577c213a

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
70e9104e743069b573ca12a3cd87ec33

SHA1
4290755b6a49212b2e969200e7a088d1713b84a2

SHA256
7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95

SHA512
e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\clrjit.dll

Filesize
1.1MB

MD5
4d000d78347306d5f34ea42cdadca763

SHA1
ff04beae4eff1871cee3757856aaf2d26bdcd686

SHA256
9bb4d710fe49939b8cf2add63d0854396b893842299403ecf3b21f1ff00b5888

SHA512
002ead2a2b58e1e98cdc5222ed3f7d1ef9245b2224cedb13f698fb4a72efd4a910cec123c54c8783864818a0237fde836d298a4ead35c5ed86edbbd007dc358f

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\coreclr.dll

Filesize
4.1MB

MD5
81a4ca304ec4de3b236882a7b3b3ce2e

SHA1
cdbf0581fe2eb64d83f171a84261b77d13ddb8cb

SHA256
aabce308ce06d3a2f27c7afbdbfd926d19292577d4bb936609281e8176ed9060

SHA512
c40c05ce7fb576b3ad98bfb31993fa65a176b95fea6e41c73bdd4997dd6df640fadad12b4da3c62963af10558a1992197505437eac9973a9c585e17fd6e8066f

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\hostfxr.dll

Filesize
459KB

MD5
7bb69c8054c7bbc474bf9cb0cafd4524

SHA1
86a7d09f1f255a398cfb58b2ef77a72503478953

SHA256
db03988d7cc0675693de31330d7ebbab36af6996b6a4baf437ff23e8275eb1bd

SHA512
a4bc5587a26441c98c1d5b9e2b52fb541eeb4769a8dc527922fd7781daf26bf79459613d7b893d4df1c59ac3e43fb01b4e441747e132c5676194c8639823eafc

Download Submit
\Users\Admin\AppData\Local\Temp\.net\vat\agdxhwyr.a4c\hostpolicy.dll

Filesize
455KB

MD5
ea8e995016f675519e85913ad146ff54

SHA1
2ca1d49062f501b037af8e4135cae153a129382a

SHA256
77aef8f1f8bce8d45e8e6a2dc05795f13c406505ef2d128ec0258bf8e99e76dd

SHA512
1be89f122cda37a6a889240c9f94290d4baa97901c83f5f50018cc2ab8ba50cffbd9e6055b3b53b7f6c1997672ef3c993b99eb8acbc2aaf6c88bf7d154b49c50

Download Submit
memory/732-258-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/732-259-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1608-237-0x0000000074F90000-0x00000000753BF000-memory.dmp

Filesize
4.2MB

Download
memory/1608-257-0x0000000074F90000-0x00000000753BF000-memory.dmp

Filesize
4.2MB

Download
memory/2428-262-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2904-261-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download