3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811

General

Target

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
Size

1.3MB
MD5

1d779d40600de25a3e0bcf6953d2716e
SHA1

56c59c5f0cf6a074c4d2830b4475c3fd0b1ce2d1
SHA256

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811
SHA512

7bb58f0cc67dba7dd8b33e06f6a775eba649680f104c5d097870bea88b108fa221891339cad1f8c4c1dfaf894380e65dd9d728aacbd4c0c0575ac8af949accff
SSDEEP

24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aJUv3K/nmmUcgy+R+q:6TvC/MTQYxsWR7aJRnzUTzR

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

antholite.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs antholite.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs	antholite.exe

Executes dropped EXE 20 IoCs

Processes:

antholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exe

pid	process
3012	antholite.exe
2680	antholite.exe
2536	antholite.exe
584	antholite.exe
2640	antholite.exe
624	antholite.exe
1596	antholite.exe
1824	antholite.exe
1724	antholite.exe
2800	antholite.exe
2880	antholite.exe
3004	antholite.exe
840	antholite.exe
932	antholite.exe
608	antholite.exe
3048	antholite.exe
1524	antholite.exe
2356	antholite.exe
2044	antholite.exe
2604	antholite.exe

Loads dropped DLL 1 IoCs

Processes:

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe

pid process

2240 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Archimago\antholite.exe	autoit_exe
C:\Users\Admin\AppData\Local\Archimago\antholite.exe	autoit_exe
C:\Users\Admin\AppData\Local\Archimago\antholite.exe	autoit_exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exe

pid	process
2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
3012	antholite.exe
3012	antholite.exe
3012	antholite.exe
2680	antholite.exe
2680	antholite.exe
2536	antholite.exe
2536	antholite.exe
584	antholite.exe
584	antholite.exe
2640	antholite.exe
2640	antholite.exe
624	antholite.exe
624	antholite.exe
1596	antholite.exe
1596	antholite.exe
1824	antholite.exe
1824	antholite.exe
1724	antholite.exe
1724	antholite.exe
2800	antholite.exe
2800	antholite.exe
2880	antholite.exe
2880	antholite.exe
3004	antholite.exe
3004	antholite.exe
840	antholite.exe
840	antholite.exe
932	antholite.exe
932	antholite.exe
608	antholite.exe
608	antholite.exe
608	antholite.exe
3048	antholite.exe
3048	antholite.exe
1524	antholite.exe
1524	antholite.exe
1524	antholite.exe
2356	antholite.exe
2356	antholite.exe
2044	antholite.exe
2044	antholite.exe
2604	antholite.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exe

pid	process
2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
3012	antholite.exe
3012	antholite.exe
3012	antholite.exe
2680	antholite.exe
2680	antholite.exe
2536	antholite.exe
2536	antholite.exe
584	antholite.exe
584	antholite.exe
2640	antholite.exe
2640	antholite.exe
624	antholite.exe
624	antholite.exe
1596	antholite.exe
1596	antholite.exe
1824	antholite.exe
1824	antholite.exe
1724	antholite.exe
1724	antholite.exe
2800	antholite.exe
2800	antholite.exe
2880	antholite.exe
2880	antholite.exe
3004	antholite.exe
3004	antholite.exe
840	antholite.exe
840	antholite.exe
932	antholite.exe
932	antholite.exe
608	antholite.exe
608	antholite.exe
608	antholite.exe
3048	antholite.exe
3048	antholite.exe
1524	antholite.exe
1524	antholite.exe
1524	antholite.exe
2356	antholite.exe
2356	antholite.exe
2044	antholite.exe
2044	antholite.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exeantholite.exe

description	pid	process	target process
PID 2240 wrote to memory of 3012	2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe	antholite.exe
PID 2240 wrote to memory of 3012	2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe	antholite.exe
PID 2240 wrote to memory of 3012	2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe	antholite.exe
PID 2240 wrote to memory of 3012	2240	3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe	antholite.exe
PID 3012 wrote to memory of 2680	3012	antholite.exe	antholite.exe
PID 3012 wrote to memory of 2680	3012	antholite.exe	antholite.exe
PID 3012 wrote to memory of 2680	3012	antholite.exe	antholite.exe
PID 3012 wrote to memory of 2680	3012	antholite.exe	antholite.exe
PID 2680 wrote to memory of 2536	2680	antholite.exe	antholite.exe
PID 2680 wrote to memory of 2536	2680	antholite.exe	antholite.exe
PID 2680 wrote to memory of 2536	2680	antholite.exe	antholite.exe
PID 2680 wrote to memory of 2536	2680	antholite.exe	antholite.exe
PID 2536 wrote to memory of 584	2536	antholite.exe	antholite.exe
PID 2536 wrote to memory of 584	2536	antholite.exe	antholite.exe
PID 2536 wrote to memory of 584	2536	antholite.exe	antholite.exe
PID 2536 wrote to memory of 584	2536	antholite.exe	antholite.exe
PID 584 wrote to memory of 2640	584	antholite.exe	antholite.exe
PID 584 wrote to memory of 2640	584	antholite.exe	antholite.exe
PID 584 wrote to memory of 2640	584	antholite.exe	antholite.exe
PID 584 wrote to memory of 2640	584	antholite.exe	antholite.exe
PID 2640 wrote to memory of 624	2640	antholite.exe	antholite.exe
PID 2640 wrote to memory of 624	2640	antholite.exe	antholite.exe
PID 2640 wrote to memory of 624	2640	antholite.exe	antholite.exe
PID 2640 wrote to memory of 624	2640	antholite.exe	antholite.exe
PID 624 wrote to memory of 1596	624	antholite.exe	antholite.exe
PID 624 wrote to memory of 1596	624	antholite.exe	antholite.exe
PID 624 wrote to memory of 1596	624	antholite.exe	antholite.exe
PID 624 wrote to memory of 1596	624	antholite.exe	antholite.exe
PID 1596 wrote to memory of 1824	1596	antholite.exe	antholite.exe
PID 1596 wrote to memory of 1824	1596	antholite.exe	antholite.exe
PID 1596 wrote to memory of 1824	1596	antholite.exe	antholite.exe
PID 1596 wrote to memory of 1824	1596	antholite.exe	antholite.exe
PID 1824 wrote to memory of 1724	1824	antholite.exe	antholite.exe
PID 1824 wrote to memory of 1724	1824	antholite.exe	antholite.exe
PID 1824 wrote to memory of 1724	1824	antholite.exe	antholite.exe
PID 1824 wrote to memory of 1724	1824	antholite.exe	antholite.exe
PID 1724 wrote to memory of 2800	1724	antholite.exe	antholite.exe
PID 1724 wrote to memory of 2800	1724	antholite.exe	antholite.exe
PID 1724 wrote to memory of 2800	1724	antholite.exe	antholite.exe
PID 1724 wrote to memory of 2800	1724	antholite.exe	antholite.exe
PID 2800 wrote to memory of 2880	2800	antholite.exe	antholite.exe
PID 2800 wrote to memory of 2880	2800	antholite.exe	antholite.exe
PID 2800 wrote to memory of 2880	2800	antholite.exe	antholite.exe
PID 2800 wrote to memory of 2880	2800	antholite.exe	antholite.exe
PID 2880 wrote to memory of 3004	2880	antholite.exe	antholite.exe
PID 2880 wrote to memory of 3004	2880	antholite.exe	antholite.exe
PID 2880 wrote to memory of 3004	2880	antholite.exe	antholite.exe
PID 2880 wrote to memory of 3004	2880	antholite.exe	antholite.exe
PID 3004 wrote to memory of 840	3004	antholite.exe	antholite.exe
PID 3004 wrote to memory of 840	3004	antholite.exe	antholite.exe
PID 3004 wrote to memory of 840	3004	antholite.exe	antholite.exe
PID 3004 wrote to memory of 840	3004	antholite.exe	antholite.exe
PID 840 wrote to memory of 932	840	antholite.exe	antholite.exe
PID 840 wrote to memory of 932	840	antholite.exe	antholite.exe
PID 840 wrote to memory of 932	840	antholite.exe	antholite.exe
PID 840 wrote to memory of 932	840	antholite.exe	antholite.exe
PID 932 wrote to memory of 608	932	antholite.exe	antholite.exe
PID 932 wrote to memory of 608	932	antholite.exe	antholite.exe
PID 932 wrote to memory of 608	932	antholite.exe	antholite.exe
PID 932 wrote to memory of 608	932	antholite.exe	antholite.exe
PID 608 wrote to memory of 3048	608	antholite.exe	antholite.exe
PID 608 wrote to memory of 3048	608	antholite.exe	antholite.exe
PID 608 wrote to memory of 3048	608	antholite.exe	antholite.exe
PID 608 wrote to memory of 3048	608	antholite.exe	antholite.exe

C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
11⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
12⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
13⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
14⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
15⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
16⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
17⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3048

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
18⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
19⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2356

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
20⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2044

C:\Users\Admin\AppData\Local\Archimago\antholite.exe
"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"
21⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

Filesize
81.9MB

MD5
5e9ef25c39a7771c5abc4176456c185f

SHA1
994d4a28d053c8f2392328ff24e68a16c8c51a78

SHA256
2b5a8fb6767fd9388e3ff964fab9c80a9605f09788c1c4998e6716b2eee6daab

SHA512
4fedfa32095c1a47baeec731621643f2313edd8679659194704f5c88d867478c4f062bcff705d0ed09176b70a1cedcde2d1c33cb3d97d26e3b956796506c1a1a

Download Submit
C:\Users\Admin\AppData\Local\Archimago\antholite.exe

Filesize
8.4MB

MD5
24bd52c92412cef9d7f862d419de5a5b

SHA1
7eeab8a87c19c00afb90dce855ee88f44fb06ccd

SHA256
c427bbee44762d17c274375044e267f4a001071763e897f8dd5fc196d85cecc4

SHA512
f022fa4d8d0bde9ba7322eeda1651a236d99f49b468182266838c944d2e78e25128275b902c611cc645429ea1223586e3339820b27cd68d2a0ceb8be099bad72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Archimago

Filesize
29KB

MD5
6ab1c336cc31c275489f031d8d48e74b

SHA1
fd0a211434df571099c5e6387f446f87b9e71a9d

SHA256
ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898

SHA512
ce19f57c86b62955f7049d8479f43584fecea46bfbd7e554d502dbf89a51b9676376e1678292c1aa4eec1bcb555670f34b34dfa20b63ebb9b80a918cdbc55861

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bactris

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bactris

Filesize
482KB

MD5
7116dd94279c33e80b987344d27b53e4

SHA1
78c3aa04a477f17b2e9c157663ceb99765690986

SHA256
b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0

SHA512
64698773a5961c70e74dfe432a569c756d6c4868080ea95c0dd14f3c90878643626439d6dc411de879fab84dd2ee0a415666143fb1c3b0cb7f9281b161dc5773

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA5FF.tmp

Filesize
407KB

MD5
448647e1e62fa723b9d510d77dd1ea69

SHA1
0928f5cd7d5a33885fea044fbb226ef7f9b69e52

SHA256
c6b28b9c9398c5a6ffccd11f35c13f53ba3fec610ab67f42f1af322f60ee9052

SHA512
b059a3300542c145894591340d99cc3c5f0301a2fd88ccc2b759b794891fb4fc56e7a3b9b83ab202b9d988f30a473c573c20904f99e4d7fa227e6158e05baf45

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA62F.tmp

Filesize
9KB

MD5
8d36b56c267c27772ce6a15b42b90350

SHA1
5a987d525639f4db6ce5d0b634381010dd7b8d74

SHA256
0ac2294060c8dd64ae6d64030ae38f69aaa59127a6b2ad6b7f3e18fe053e4ae1

SHA512
95e84f3acdc07f28c07e947b6c3ebc604cbe8dd5f061e6c86a61dff972e9d31892ff12ff52dd49570f7af65b87bda6af65f4da44ef16b8ebb07ed30033307bd8

Download Submit
\Users\Admin\AppData\Local\Archimago\antholite.exe

Filesize
101.3MB

MD5
7bfe31b6c816c141615af2264b53289a

SHA1
3eac86735396e6efa9bb5acf6eba800201c36b41

SHA256
f060e0438738c21a2ce289d750841f2fe6368a9dddf5d4bdb8f4df1608fc8644

SHA512
a6ca51a450083480a3b3dc5ea6c4afafd1db92b3f417368d4480a4ceed57201a14f4b7d76dc509d561d38f33cc823e9f58724e9973e520117392a70d1906ea31

Download Submit
memory/2240-10-0x00000000000B0000-0x00000000000B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads