bitrat | caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub_tor.exe
Size

7.8MB
MD5

c76390d9e1052d9e708940d67b5c135d
SHA1

a370a73a9dd746584428e8a939288ecffd3c80f7
SHA256

caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
SHA512

4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
SSDEEP

196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes

communication_password
4124bc0a9335c27f086f24ba207a4912
install_dir
Minecraft
install_file
Runtime_Broker
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x000a000000023111-18.dat	acprotect
behavioral3/files/0x0007000000023211-21.dat	acprotect
behavioral3/files/0x000800000002320e-20.dat	acprotect
behavioral3/files/0x000800000002320d-31.dat	acprotect
behavioral3/files/0x0007000000023212-30.dat	acprotect
behavioral3/files/0x0007000000023214-28.dat	acprotect
behavioral3/files/0x000a000000023112-25.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	stub_tor.exe

Executes dropped EXE 12 IoCs

pid	Process
1236	tor.exe
704	tor.exe
4568	tor.exe
1292	tor.exe
2644	tor.exe
3044	tor.exe
3552	tor.exe
3396	tor.exe
2260	tor.exe
1876	tor.exe
1816	tor.exe
4216	tor.exe

Loads dropped DLL 64 IoCs

pid	Process
1236	tor.exe
1236	tor.exe
1236	tor.exe
1236	tor.exe
1236	tor.exe
1236	tor.exe
1236	tor.exe
1236	tor.exe
704	tor.exe
704	tor.exe
704	tor.exe
704	tor.exe
704	tor.exe
704	tor.exe
704	tor.exe
4568	tor.exe
4568	tor.exe
4568	tor.exe
4568	tor.exe
4568	tor.exe
4568	tor.exe
4568	tor.exe
1292	tor.exe
1292	tor.exe
1292	tor.exe
1292	tor.exe
1292	tor.exe
1292	tor.exe
1292	tor.exe
2644	tor.exe
2644	tor.exe
2644	tor.exe
2644	tor.exe
2644	tor.exe
2644	tor.exe
2644	tor.exe
2644	tor.exe
3044	tor.exe
3044	tor.exe
3044	tor.exe
3044	tor.exe
3044	tor.exe
3044	tor.exe
3044	tor.exe
3552	tor.exe
3552	tor.exe
3552	tor.exe
3552	tor.exe
3552	tor.exe
3552	tor.exe
3552	tor.exe
3396	tor.exe
3396	tor.exe
3396	tor.exe
3396	tor.exe
3396	tor.exe
3396	tor.exe
3396	tor.exe
2260	tor.exe
2260	tor.exe
2260	tor.exe
2260	tor.exe
2260	tor.exe
2260	tor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0007000000023213-14.dat	upx
behavioral3/files/0x000a000000023111-18.dat	upx
behavioral3/files/0x0007000000023211-21.dat	upx
behavioral3/files/0x000800000002320e-20.dat	upx
behavioral3/files/0x000800000002320d-31.dat	upx
behavioral3/memory/1236-33-0x00000000741F0000-0x00000000742BE000-memory.dmp	upx
behavioral3/memory/1236-34-0x0000000074120000-0x00000000741E8000-memory.dmp	upx
behavioral3/memory/1236-36-0x00000000740F0000-0x0000000074114000-memory.dmp	upx
behavioral3/memory/1236-37-0x0000000073F50000-0x0000000073FD8000-memory.dmp	upx
behavioral3/memory/1236-38-0x0000000073FE0000-0x00000000740EA000-memory.dmp	upx
behavioral3/files/0x0007000000023212-30.dat	upx
behavioral3/files/0x0007000000023214-28.dat	upx
behavioral3/memory/1236-27-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/files/0x000a000000023112-25.dat	upx
behavioral3/memory/1236-43-0x00000000742C0000-0x0000000074309000-memory.dmp	upx
behavioral3/memory/1236-40-0x0000000073C80000-0x0000000073F4F000-memory.dmp	upx
behavioral3/memory/1236-54-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-56-0x00000000741F0000-0x00000000742BE000-memory.dmp	upx
behavioral3/memory/1236-57-0x0000000074120000-0x00000000741E8000-memory.dmp	upx
behavioral3/memory/1236-58-0x00000000740F0000-0x0000000074114000-memory.dmp	upx
behavioral3/memory/1236-59-0x0000000073F50000-0x0000000073FD8000-memory.dmp	upx
behavioral3/memory/1236-60-0x0000000073FE0000-0x00000000740EA000-memory.dmp	upx
behavioral3/memory/1236-61-0x0000000073C80000-0x0000000073F4F000-memory.dmp	upx
behavioral3/memory/1236-62-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-63-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-80-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-95-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-103-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-111-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1236-120-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/704-135-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/704-138-0x0000000074120000-0x00000000741E8000-memory.dmp	upx
behavioral3/memory/704-141-0x00000000742C0000-0x0000000074309000-memory.dmp	upx
behavioral3/memory/704-142-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/704-144-0x0000000073C80000-0x0000000073F4F000-memory.dmp	upx
behavioral3/memory/704-146-0x0000000073FE0000-0x00000000740EA000-memory.dmp	upx
behavioral3/memory/704-148-0x00000000741F0000-0x00000000742BE000-memory.dmp	upx
behavioral3/memory/704-147-0x0000000073F50000-0x0000000073FD8000-memory.dmp	upx
behavioral3/memory/704-145-0x0000000074120000-0x00000000741E8000-memory.dmp	upx
behavioral3/memory/704-143-0x00000000740F0000-0x0000000074114000-memory.dmp	upx
behavioral3/memory/704-140-0x00000000741F0000-0x00000000742BE000-memory.dmp	upx
behavioral3/memory/704-137-0x0000000073C80000-0x0000000073F4F000-memory.dmp	upx
behavioral3/memory/4568-168-0x0000000073EC0000-0x0000000073EE4000-memory.dmp	upx
behavioral3/memory/4568-175-0x00000000740E0000-0x00000000743AF000-memory.dmp	upx
behavioral3/memory/4568-174-0x0000000073D20000-0x0000000073DA8000-memory.dmp	upx
behavioral3/memory/4568-169-0x0000000073DB0000-0x0000000073EBA000-memory.dmp	upx
behavioral3/memory/4568-167-0x0000000073EF0000-0x0000000073F39000-memory.dmp	upx
behavioral3/memory/4568-166-0x0000000073F40000-0x000000007400E000-memory.dmp	upx
behavioral3/memory/4568-165-0x0000000074010000-0x00000000740D8000-memory.dmp	upx
behavioral3/memory/4568-160-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/4568-192-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/4568-201-0x0000000074010000-0x00000000740D8000-memory.dmp	upx
behavioral3/memory/4568-202-0x0000000073F40000-0x000000007400E000-memory.dmp	upx
behavioral3/memory/1292-233-0x00000000740E0000-0x00000000743AF000-memory.dmp	upx
behavioral3/memory/1292-231-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1292-234-0x0000000074010000-0x00000000740D8000-memory.dmp	upx
behavioral3/memory/1292-237-0x0000000073F40000-0x000000007400E000-memory.dmp	upx
behavioral3/memory/1292-243-0x0000000073EC0000-0x0000000073EE4000-memory.dmp	upx
behavioral3/memory/1292-240-0x0000000073EF0000-0x0000000073F39000-memory.dmp	upx
behavioral3/memory/4568-242-0x0000000000AD0000-0x0000000000ED4000-memory.dmp	upx
behavioral3/memory/1292-246-0x0000000073DB0000-0x0000000073EBA000-memory.dmp	upx
behavioral3/memory/1292-249-0x0000000073D20000-0x0000000073DA8000-memory.dmp	upx
behavioral3/memory/1292-254-0x0000000074010000-0x00000000740D8000-memory.dmp	upx
behavioral3/memory/1292-253-0x00000000740E0000-0x00000000743AF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker⸀"	stub_tor.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	myexternalip.com
65	myexternalip.com
79	myexternalip.com
90	myexternalip.com
98	myexternalip.com
106	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 53 IoCs

pid	Process
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe
1156	stub_tor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1156	stub_tor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1156	stub_tor.exe
1156	stub_tor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1236	1156	stub_tor.exe	91
PID 1156 wrote to memory of 1236	1156	stub_tor.exe	91
PID 1156 wrote to memory of 1236	1156	stub_tor.exe	91
PID 1156 wrote to memory of 704	1156	stub_tor.exe	98
PID 1156 wrote to memory of 704	1156	stub_tor.exe	98
PID 1156 wrote to memory of 704	1156	stub_tor.exe	98
PID 1156 wrote to memory of 4568	1156	stub_tor.exe	99
PID 1156 wrote to memory of 4568	1156	stub_tor.exe	99
PID 1156 wrote to memory of 4568	1156	stub_tor.exe	99
PID 1156 wrote to memory of 1292	1156	stub_tor.exe	100
PID 1156 wrote to memory of 1292	1156	stub_tor.exe	100
PID 1156 wrote to memory of 1292	1156	stub_tor.exe	100
PID 1156 wrote to memory of 2644	1156	stub_tor.exe	101
PID 1156 wrote to memory of 2644	1156	stub_tor.exe	101
PID 1156 wrote to memory of 2644	1156	stub_tor.exe	101
PID 1156 wrote to memory of 3044	1156	stub_tor.exe	102
PID 1156 wrote to memory of 3044	1156	stub_tor.exe	102
PID 1156 wrote to memory of 3044	1156	stub_tor.exe	102
PID 1156 wrote to memory of 3552	1156	stub_tor.exe	103
PID 1156 wrote to memory of 3552	1156	stub_tor.exe	103
PID 1156 wrote to memory of 3552	1156	stub_tor.exe	103
PID 1156 wrote to memory of 3396	1156	stub_tor.exe	104
PID 1156 wrote to memory of 3396	1156	stub_tor.exe	104
PID 1156 wrote to memory of 3396	1156	stub_tor.exe	104
PID 1156 wrote to memory of 2260	1156	stub_tor.exe	105
PID 1156 wrote to memory of 2260	1156	stub_tor.exe	105
PID 1156 wrote to memory of 2260	1156	stub_tor.exe	105
PID 1156 wrote to memory of 1876	1156	stub_tor.exe	106
PID 1156 wrote to memory of 1876	1156	stub_tor.exe	106
PID 1156 wrote to memory of 1876	1156	stub_tor.exe	106
PID 1156 wrote to memory of 1816	1156	stub_tor.exe	107
PID 1156 wrote to memory of 1816	1156	stub_tor.exe	107
PID 1156 wrote to memory of 1816	1156	stub_tor.exe	107
PID 1156 wrote to memory of 4216	1156	stub_tor.exe	108
PID 1156 wrote to memory of 4216	1156	stub_tor.exe	108
PID 1156 wrote to memory of 4216	1156	stub_tor.exe	108

C:\Users\Admin\AppData\Local\Temp\stub_tor.exe
"C:\Users\Admin\AppData\Local\Temp\stub_tor.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1236
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:704
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4568
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1292
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2644
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3044
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3552
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3396
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2260
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-certs

Filesize
20KB

MD5
ebaf0dae7d5e4ed6ed18c1f636fd4262

SHA1
0ba18f289d7d053951f9d6772e8802e5f34be7eb

SHA256
2354976994145d42c1656f78d306a1df79e9ccfde9cb47dd2ac7df7cadf9efd5

SHA512
e27de01072fe36eeec52e091dc54851655199caf2df7b5ffad303ff89ac43c808d9b72c3f1d8102a5fc1e3234d031626f62944e62951fa48970fd03b3b8fc2f7

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
d4dfff132a935ecda7a5a6a32522a37f

SHA1
339a56e3e87ff64e3d956f1523b40087de3c4910

SHA256
1994d6d7b4f22815ab1b58cd593049f5139e9339de08f38cf152e546b2e329c2

SHA512
9d2aa6ff53076a59855e26076e75bcd802ad14b3791d8c57b9fa715d24d2decf76bd0cdbb0a25dd3616217a4419a12780914cdbf615c90084f86fbcc69ea130f

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs

Filesize
20.4MB

MD5
2d5cb1c324783540f879fed1b8501ffe

SHA1
29a7eb0b8a52fd9a6042a6a7f9ce25bc899745ab

SHA256
6a9033e984079534260c4bbf83c5fc6ac2c440cf88b6619f8a52b8659a5f3ca8

SHA512
0d76af0e87d3e1757198cb76bb3f51c68db3923a724a2dda0f0c7e5e0b48d3cc8bc5d448c5df687a045e0746b26be777b496f640d5ae7abdbeea4a61db251f60

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new

Filesize
20.4MB

MD5
6a49864e1bd52b2a4e65e8640f1aaf13

SHA1
f486369b11d73a379453ae11eb2788863dd572ef

SHA256
0c25fa937151897e161cdd1b5ea0d291dbd002e50ace2c1a597675b0871290ff

SHA512
1f7c6290d3c20381b83527bba03f791f904db29a261b09d5b4e6164a4503fcd1115f1f1ec98757487f5f14293e651e27d0b52f5e779a2eaf34432c194ee5a714

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new

Filesize
9.8MB

MD5
2c968bca2b44b9cc983ca7d5022aec3d

SHA1
8ecc5f1bc133b058e83f6afc6110dd2f115e5c6e

SHA256
e8e35dc6efa5582b10d7f30c543099f65b89856350dda12e2beec67eb7b54f99

SHA512
4750d11c4bab3fbd30388dd0691948ff9f4f55b6a929b6eba6a93c28655a8aba21cf84d4612ed3d1b7af84567037786e68ebebc977c1ac3f7fcf7eeb0cc4687d

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state

Filesize
232B

MD5
1f91a1f19c2bdf7b3b1db00adb52391e

SHA1
12f6872c634f0c3543daeb9842198d4c470e1f0b

SHA256
c50fb8fd5510da03c5ded9f85d103c1c1337c1a8136ee3bdff7fc4a232a0c57e

SHA512
b8daacdc26a3b04c3cbbea7c49f7bd6cfea4cd461dd180ff5ed8638c429d34ca0092daf00526d2fea28272fa9576b73fa27a6bd01f0a85e93d46c6fde1e0444d

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state

Filesize
3KB

MD5
5b0a4a3d508c316194484de60f3409be

SHA1
2f2f5dd8d9b8c161f682b725e5ebed67ba080ba0

SHA256
cbef39411f155fa620e06b8247a9180e97a2d1be62b1199af62656b71048bded

SHA512
56c4efeccc24d093086f9cd9189067c2ba5d1dc31e24d7bef91d9a26ae8670def88042be3b3a3eac2ba18d6deffc75252d28d47af152a3ad24732a8a534c7fee

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\torrc

Filesize
157B

MD5
8ea874223f853aac5ea469ccc164a8f9

SHA1
70d31011547870c9f930496dbf9fb7ec296a8c28

SHA256
95e134044f370b2a96408d581f3c0381fe95388dae27c6d9598f44dc7d72b9ed

SHA512
fd1dc20219fbf4863926d90b5a2127b65e165656eac4493a80288d0c57fc309ed998b5d30fe8ce313987ee367fc4fe9b6026ff32d4391950d7f26ca7b6fdcdf2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/704-147-0x0000000073F50000-0x0000000073FD8000-memory.dmp

Filesize
544KB

Download
memory/704-146-0x0000000073FE0000-0x00000000740EA000-memory.dmp

Filesize
1.0MB

Download
memory/704-140-0x00000000741F0000-0x00000000742BE000-memory.dmp

Filesize
824KB

Download
memory/704-143-0x00000000740F0000-0x0000000074114000-memory.dmp

Filesize
144KB

Download
memory/704-138-0x0000000074120000-0x00000000741E8000-memory.dmp

Filesize
800KB

Download
memory/704-141-0x00000000742C0000-0x0000000074309000-memory.dmp

Filesize
292KB

Download
memory/704-137-0x0000000073C80000-0x0000000073F4F000-memory.dmp

Filesize
2.8MB

Download
memory/704-148-0x00000000741F0000-0x00000000742BE000-memory.dmp

Filesize
824KB

Download
memory/704-142-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/704-135-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/704-145-0x0000000074120000-0x00000000741E8000-memory.dmp

Filesize
800KB

Download
memory/704-144-0x0000000073C80000-0x0000000073F4F000-memory.dmp

Filesize
2.8MB

Download
memory/1156-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1156-191-0x0000000073AE0000-0x0000000073B19000-memory.dmp

Filesize
228KB

Download
memory/1156-45-0x0000000073870000-0x00000000738A9000-memory.dmp

Filesize
228KB

Download
memory/1156-1-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

Filesize
228KB

Download
memory/1236-57-0x0000000074120000-0x00000000741E8000-memory.dmp

Filesize
800KB

Download
memory/1236-37-0x0000000073F50000-0x0000000073FD8000-memory.dmp

Filesize
544KB

Download
memory/1236-103-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-111-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-120-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-80-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-63-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-62-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-61-0x0000000073C80000-0x0000000073F4F000-memory.dmp

Filesize
2.8MB

Download
memory/1236-60-0x0000000073FE0000-0x00000000740EA000-memory.dmp

Filesize
1.0MB

Download
memory/1236-59-0x0000000073F50000-0x0000000073FD8000-memory.dmp

Filesize
544KB

Download
memory/1236-58-0x00000000740F0000-0x0000000074114000-memory.dmp

Filesize
144KB

Download
memory/1236-56-0x00000000741F0000-0x00000000742BE000-memory.dmp

Filesize
824KB

Download
memory/1236-54-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-44-0x00000000015B0000-0x000000000187F000-memory.dmp

Filesize
2.8MB

Download
memory/1236-40-0x0000000073C80000-0x0000000073F4F000-memory.dmp

Filesize
2.8MB

Download
memory/1236-43-0x00000000742C0000-0x0000000074309000-memory.dmp

Filesize
292KB

Download
memory/1236-33-0x00000000741F0000-0x00000000742BE000-memory.dmp

Filesize
824KB

Download
memory/1236-27-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-38-0x0000000073FE0000-0x00000000740EA000-memory.dmp

Filesize
1.0MB

Download
memory/1236-34-0x0000000074120000-0x00000000741E8000-memory.dmp

Filesize
800KB

Download
memory/1236-95-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1236-36-0x00000000740F0000-0x0000000074114000-memory.dmp

Filesize
144KB

Download
memory/1292-231-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1292-234-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/1292-252-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/1292-253-0x00000000740E0000-0x00000000743AF000-memory.dmp

Filesize
2.8MB

Download
memory/1292-254-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/1292-249-0x0000000073D20000-0x0000000073DA8000-memory.dmp

Filesize
544KB

Download
memory/1292-246-0x0000000073DB0000-0x0000000073EBA000-memory.dmp

Filesize
1.0MB

Download
memory/1292-240-0x0000000073EF0000-0x0000000073F39000-memory.dmp

Filesize
292KB

Download
memory/1292-243-0x0000000073EC0000-0x0000000073EE4000-memory.dmp

Filesize
144KB

Download
memory/1292-233-0x00000000740E0000-0x00000000743AF000-memory.dmp

Filesize
2.8MB

Download
memory/1292-237-0x0000000073F40000-0x000000007400E000-memory.dmp

Filesize
824KB

Download
memory/2644-267-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2644-298-0x00000000740E0000-0x00000000743AF000-memory.dmp

Filesize
2.8MB

Download
memory/2644-324-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2644-300-0x0000000001AD0000-0x0000000001B58000-memory.dmp

Filesize
544KB

Download
memory/2644-299-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/2644-297-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2644-268-0x00000000740E0000-0x00000000743AF000-memory.dmp

Filesize
2.8MB

Download
memory/2644-269-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/2644-276-0x0000000073D20000-0x0000000073DA8000-memory.dmp

Filesize
544KB

Download
memory/2644-277-0x0000000001AD0000-0x0000000001B58000-memory.dmp

Filesize
544KB

Download
memory/2644-271-0x0000000073F90000-0x0000000073FB4000-memory.dmp

Filesize
144KB

Download
memory/2644-270-0x0000000073FC0000-0x0000000074009000-memory.dmp

Filesize
292KB

Download
memory/2644-275-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

Filesize
824KB

Download
memory/2644-274-0x0000000073E80000-0x0000000073F8A000-memory.dmp

Filesize
1.0MB

Download
memory/3044-316-0x00000000740E0000-0x00000000743AF000-memory.dmp

Filesize
2.8MB

Download
memory/3044-323-0x0000000073F90000-0x0000000073FB4000-memory.dmp

Filesize
144KB

Download
memory/3044-321-0x0000000073FC0000-0x0000000074009000-memory.dmp

Filesize
292KB

Download
memory/3044-319-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

Filesize
824KB

Download
memory/3044-318-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/3044-314-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/4568-160-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/4568-192-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/4568-174-0x0000000073D20000-0x0000000073DA8000-memory.dmp

Filesize
544KB

Download
memory/4568-242-0x0000000000AD0000-0x0000000000ED4000-memory.dmp

Filesize
4.0MB

Download
memory/4568-201-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/4568-169-0x0000000073DB0000-0x0000000073EBA000-memory.dmp

Filesize
1.0MB

Download
memory/4568-168-0x0000000073EC0000-0x0000000073EE4000-memory.dmp

Filesize
144KB

Download
memory/4568-175-0x00000000740E0000-0x00000000743AF000-memory.dmp

Filesize
2.8MB

Download
memory/4568-167-0x0000000073EF0000-0x0000000073F39000-memory.dmp

Filesize
292KB

Download
memory/4568-165-0x0000000074010000-0x00000000740D8000-memory.dmp

Filesize
800KB

Download
memory/4568-202-0x0000000073F40000-0x000000007400E000-memory.dmp

Filesize
824KB

Download
memory/4568-166-0x0000000073F40000-0x000000007400E000-memory.dmp

Filesize
824KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads