cybergate | dd76ec6f7d5c5c4b5530d1d83819d0976ca4d4538b0a543180c4b74f8da9db89

Analysis

max time kernel
1s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a83432cb29fb7dc1da346544971e420.exe
Size

620KB
MD5

2a83432cb29fb7dc1da346544971e420
SHA1

a4b4b03d20eef8a01659b5dd6aa5f58c6fa741e0
SHA256

dd76ec6f7d5c5c4b5530d1d83819d0976ca4d4538b0a543180c4b74f8da9db89
SHA512

a5ed0b9bfc522b5c6ce83d06c5ac3dd960b7a6b9ee88e06b981132dd1eb95879ea6c382fcc3e73973567e27b20e2be3ec79e3ed071a57188c51db765cdb6bfaa
SSDEEP

12288:AWOD3Y3R1whbHY+Dgd9VvlNU4rtH5IYWszq6LHMP:AnbDg5XU4rBnWs3Q

Score

10^/10

cybergate slysbitch persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

SlysBitch

sly.fcuked.me.uk:2020

Mutex

Y0BB06QWE8BSVP

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ma1lc0

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{QDX4QCOB-UOYZ-QTTQ-PPAD-YHAJFU84MB2W}	2a83432cb29fb7dc1da346544971e420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{QDX4QCOB-UOYZ-QTTQ-PPAD-YHAJFU84MB2W}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	2a83432cb29fb7dc1da346544971e420.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components\{QDX4QCOB-UOYZ-QTTQ-PPAD-YHAJFU84MB2W}	2a83432cb29fb7dc1da346544971e420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{QDX4QCOB-UOYZ-QTTQ-PPAD-YHAJFU84MB2W}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	2a83432cb29fb7dc1da346544971e420.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2a83432cb29fb7dc1da346544971e420.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-14-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4824-74-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4272-80-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3992-149-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/4272-593-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3992-1275-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Display Drivers = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	2a83432cb29fb7dc1da346544971e420.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	4556	WerFault.exe	99

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	2a83432cb29fb7dc1da346544971e420.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4240	2a83432cb29fb7dc1da346544971e420.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 4824	4240	2a83432cb29fb7dc1da346544971e420.exe	89
PID 4240 wrote to memory of 872	4240	2a83432cb29fb7dc1da346544971e420.exe	92
PID 4240 wrote to memory of 872	4240	2a83432cb29fb7dc1da346544971e420.exe	92
PID 4240 wrote to memory of 872	4240	2a83432cb29fb7dc1da346544971e420.exe	92
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52
PID 4824 wrote to memory of 3572	4824	2a83432cb29fb7dc1da346544971e420.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe
  "C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe
    "C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4272
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe
      "C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe"
      4⤵
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe"
        5⤵
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2a83432cb29fb7dc1da346544971e420.exe"
        6⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 548
        7⤵
        Program crash
        
        PID:4768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROxC5H14.bat" "
        6⤵
        
        PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROxC5H14.bat" "
    3⤵
    PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4556 -ip 4556
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
7857b30343eb00d24ff0f1542e1718d8

SHA1
9bb8b81a42b8ec7ee92e8b3f66d1c3eb1b122690

SHA256
4cf7adc908052da4bd07b38793b0f489fc7fc253a96a2770a09500a8d5caff7d

SHA512
7cce50a43dc979106d7ed31d012b9c1d43156881d8b96dee5dd044e7c229e7d219430edd647585ae2b1f1d16700eabc88b1980887f32abef71d169cfb5c0ccd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2dd5c874f1c315ce9d7ccf1af7018815

SHA1
13bbd877396e66891317b3cc39f9b947bd4db2e7

SHA256
926e3ea4d45f7105081c7c2f694bf3a42cd3593746cb592db28d5614d24fdedf

SHA512
8e1e08b9351c123523b789dce58085d7a4369f131127893b902dd7c98923c36387c31b352e73d80f3b5f7a124e368b8ecca8cd9f9c3f1183b4b5a6f0b578e32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4707e266cadf23b8fa174bfeb713ac00

SHA1
e62728b12d293de345df4faf75516e8a3492d6c4

SHA256
ddce6389bd55a5c0031675a22bd92639679c8ce69f1ef578dc3b1d6b676a03c9

SHA512
2d70b80e47c0cc8e530181ce2a57a4769592c91db35246ebe1e0e97646bf9dcaf286d7f1a5115796a39a7fe395f5b98432d248dcb02e51afbf5a75f96c61b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f2afa8301765fff5b4453291c10bf2f7

SHA1
171574dd94b61ec3d9b5db879c78dabcfdf5aa76

SHA256
e4b177adf0bc9fa99e33b7c5701280f09baa41b083fe439791ee07ac0776d166

SHA512
883ea37c5a216f8148981ecf13369bdb2755e3b83a8f804746378052588f4af30c0ac084ea059bb4d265864a496c93b07d3c7f0a10851791b83a8e535513c0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7aea4cc9807b0b401dcfee972c32b546

SHA1
bb50c5a2b8dac252716fff520fd7afff18604027

SHA256
8405e5490337ed3066393245166ce22947153dbe6ec2de4b65fe3d66229226df

SHA512
8f2d73946e1d1b72a5817ecbc20e096e82749c2c3aec89baeb27e932db5c67c0194c8f9db2e1458d9c4bb2fc32d93fb339be8fa736f8e9d90ffa649ca04cd134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fcaec9ebc3b29a1816e9ebec028759fa

SHA1
7d820e510d5c6664b0d9a3aa088533107f6a4c8c

SHA256
4c64675363405e0a7562dbe4836ccde15f25c7eb2e344c4dc92d549730607e97

SHA512
b976ffd0b5307d0d2e600d8270a4bfdc03244493374dc54f799bf334762fcaaf921dde1a887fbabeedda670e2914edcbedbae433fd135e8929a0b2553a574bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4981d6325829f7b03b77d4c29eaf5a1a

SHA1
55c89d623a0a0e734af5c0139a0e276c8d884244

SHA256
6ecdbacbb9b403aef685c6d6516d567c4868eac812b9a15eeeb47cbc4fd62aeb

SHA512
38d6dbcc7d73c2d76c1026c674342b8d4a744da41e4a277f6d80e1329307dee4b3cd6bda2e9ca29e15ddf02450580443c9772484421415e63781a2e0e85b2fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e66668bc4865046cd0c2a4d15470c839

SHA1
3bf217018da64ecc9b02518a6c65be33251fb217

SHA256
499cbd96b423a33e598d073999fe6cfd5c572c13af5f915c2a0f6ca816d54495

SHA512
9fc7afb8dbc82dd7e407ec6d593268619c381f2552ab54fefe3ae27075cae1f7be9084c9f44c0a66aecc466ce87015d7988598da99915d280840fdfe8e661f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
56f33d93cf3f0ec8c9c86075e5051f20

SHA1
4e487c1f7e149f2f999cc6609a6fa90687c96112

SHA256
8f866a9620641ec3e195e1859a0dbb5ad47da479f6038f96fdae2f4fec00eec4

SHA512
1dd5e4d83e3343c410d3310c2b239ae4fde0bfe3b5ddc0097bbc8cea9b2ec896a636a841355fc5fb6484a73cf23b61b9bfb0a22c26108049fed39df9379a4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e526e6822351bb112821b63be592d995

SHA1
48e0583f3ca4fefdfd00a2a645cf3a45017772f2

SHA256
5e27a6e38210901482d689dbd0722c7edb75173c007808e5ef7b758c6929bc9d

SHA512
40e192581090c8dfe0fd3b9e0d86c17ae87577df09960ac280e0778501c8b005400784ee0e2fd640fd59c951dfffccd093d86e5a7f7ee38daf5473a730f64bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1fe5d439af0a73c8401efe19dfbe69e4

SHA1
74fea7bc5fe20299144c21473bcfdbf1f2dd5ddc

SHA256
f21d2185bd0f97478c1f521966c5c65202fee86b5985080d4711d9562295e480

SHA512
a80c48aad56c9bf20e88b8688e3aed35586ee16a6297f22f6cbabc2f1d4327245f99e9d54c597c66067a0564b1b673a10d432d464c8899ffe1cd33ae22ebab82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e3e5f7f3caf1586f111219ba24df8604

SHA1
459c1b843190332eee66ca046d2c48cdd3dacdf2

SHA256
3ac2d7adb13ce032fbe40262462eada53a5bf24c900420f4fa708dce3f8c821d

SHA512
bc501732c2562d97fa1c8aa45a5295b764d17cb66d567751c3902efdbf54f769f54cb8699ab051017e12e0434787f394ccd5ea4ef2381ad50c273f90a7a37128

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6ffb670cbb1148ec142a46f36789dcca

SHA1
52f36f36e47c2b94f2c349a134d9d448845d5900

SHA256
ca6d5e4b29d5bc6b4877cc5279432050cf789f9d3e4d1bff171087060e961117

SHA512
f561044988ef49ec33169dfc2866b7b58cd8133e9542e1be6571db476c7cd889acc375991a65e52ea74cd26af4d9474c4e932fb336454f7a4e46292c16895dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f9ab3f2d29907007b8af00554a174b6

SHA1
b30458932a166232be46bfba0794c5288ab952bf

SHA256
c32ce7e0de40d09cb8f1b5b1f2bdb918ecfae5e347b680404c19a75b73b3b124

SHA512
2a580bfa5cbae3d7c8076d626530ffd610fc2f454116b383adfe4a05af38f70c0f9c444de1327534c035046b48087d520848428ef7eb828839cd691ce7e907d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c41189c066c457b87ce01af953e14f90

SHA1
eb1aa0c595ab62866b984225c74171133012f0b8

SHA256
440ba8a96751651568bd0a4a3f0a31d1ea02569b932934e72ba714c60a61b410

SHA512
add83bbbe4398197b65338685cffae9f1a984a9048af0eac9b159d60f5352956820923fde58bc69d0def218a1dc72ba478c8f6889a016edee6e449af9ad41281

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
39b363dc477945041c5acc0bdab4c5a8

SHA1
0d8ddd172cb9127a7769250dd400dd79374a0c04

SHA256
37cd2362a598672faec74a3607d05b5b53828b0f60233157555723d9f964f93d

SHA512
9801429cc42286b8fc8fb96785fb4d745f02d545331bb9a0f54a38aae734b6a233e2557591d558fe9b9ed1d63daa8da85a237b98a6246d7b951f437a34066f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a1de45122ec6e3c7aaf5ca2a656f53bf

SHA1
9ae51c7c8599f45e0cfaf1a1b681b035c9bb74b4

SHA256
0c858910f55db914ef7798c5e0fd1d7191fb79a1b4482abb2bdb191788330318

SHA512
0c4f6cda0b2803ca5fee3b9d906c26dc65d1504090ee4bab79099c26ca4d45601d4729aea96685874cc7e962c62582e6dd6e4a008c444a0b289e7e3e65dcb989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
c72eb5e78dc51a9e7795a5c59897d2ac

SHA1
763457106ff4555b8d241a48acd06669ef9fc519

SHA256
4aba2e3144232f8390392b97d0eb2b93eeb4de12231caca8447f12a102aeb8e7

SHA512
17af8babd3b10356c20b86450e1e95aec3a72098247a2983bd5d613972805c45dd0615743c2fd2271651b7b0cff232d0728f19bb80153d79ddc5ab9a11a96b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROxC5H14.bat

Filesize
205B

MD5
add704c8e431dd557809dba1f3c53813

SHA1
6a518f906946be7f330b5d134d630c39d80e77e4

SHA256
c9559ee7b60bb1461b6ac132a0d74de7df49bd56ddf72e91ff581dd4855a460b

SHA512
e769483ce17a764f7a05ad41cb2dbbe2af639e8b60e9fd5245a161b688691676b59a06633582abe546da882e447a9fe53edef2a528c0099b52aad5d61c0ad7dc

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
154KB

MD5
2c318beaf4443a4b39f4afa6f536ea3e

SHA1
c479b9478cb272ba15115f4a9ee3b6c684f705c0

SHA256
a8873033d466f6cf2cebb50d485493f5fdf40c2ac058378323425bf8dd9c3df3

SHA512
8df9b9c8b1649ba17128afaee08916c248b7dd14dae2268b1b4e72bc521e4a6fe006504e95a378bb4db8e5991c3a12f43367983ca6eea8e65a04e51355b8b283

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
312KB

MD5
dbce0090c0c369689cd453b7eaad0bbf

SHA1
2816052f9b2718e4c86de4687545591cd3d93cb1

SHA256
104c97edcdaec8364031ad74b748d504abdab4ec587e6c55972c141d27d897bc

SHA512
e2c66e58b82151cfe24612acb6c715e3999363a855014eeab8a8bc4d78f065f718279950b690b1275a51c03bc577a4b056fa73273b1b63d6577d3b27d94e096b

Download Submit
memory/3992-1275-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/3992-149-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4272-19-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/4272-80-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4272-593-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4272-18-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/4556-179-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4556-187-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4824-151-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4824-74-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4824-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4824-14-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4824-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4824-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4824-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads