revengerat | dba31ba17f5fd314bdaa69df902db653a5b0a6ede5d53459573c7ca6e868095a

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe
Size

56KB
MD5

3a9f0dd8d0645492c815890a76e5ad3e
SHA1

14574fd766bd7257f0dd9616362f6114a97fae24
SHA256

dba31ba17f5fd314bdaa69df902db653a5b0a6ede5d53459573c7ca6e868095a
SHA512

ceeaeecdec572d92bc8e2b69f6d22aeb67eee825c428a7d498cfa48b914d91aa82bcd129084d82e5df81c9029cbabc77434ab1c08ce4936207ff8b0b32187bb1
SSDEEP

768:1KKJQABuxDyQu7btsfP+DANJnZ/T53Qmrd1NoA1DleQ2T:1Z6DjmYgmrdUA+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000d000000012262-6.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	Client.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe
2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\intelCPUdrs = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1996	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2684	2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2684	2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2684	2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2684	2408	3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe	28
PID 2684 wrote to memory of 1996	2684	Client.exe	31
PID 2684 wrote to memory of 1996	2684	Client.exe	31
PID 2684 wrote to memory of 1996	2684	Client.exe	31
PID 2684 wrote to memory of 1996	2684	Client.exe	31
PID 2684 wrote to memory of 2656	2684	Client.exe	33
PID 2684 wrote to memory of 2656	2684	Client.exe	33
PID 2684 wrote to memory of 2656	2684	Client.exe	33
PID 2684 wrote to memory of 2656	2684	Client.exe	33
PID 2656 wrote to memory of 796	2656	vbc.exe	35
PID 2656 wrote to memory of 796	2656	vbc.exe	35
PID 2656 wrote to memory of 796	2656	vbc.exe	35
PID 2656 wrote to memory of 796	2656	vbc.exe	35
PID 2684 wrote to memory of 2864	2684	Client.exe	36
PID 2684 wrote to memory of 2864	2684	Client.exe	36
PID 2684 wrote to memory of 2864	2684	Client.exe	36
PID 2684 wrote to memory of 2864	2684	Client.exe	36
PID 2864 wrote to memory of 2908	2864	vbc.exe	38
PID 2864 wrote to memory of 2908	2864	vbc.exe	38
PID 2864 wrote to memory of 2908	2864	vbc.exe	38
PID 2864 wrote to memory of 2908	2864	vbc.exe	38
PID 2684 wrote to memory of 1812	2684	Client.exe	39
PID 2684 wrote to memory of 1812	2684	Client.exe	39
PID 2684 wrote to memory of 1812	2684	Client.exe	39
PID 2684 wrote to memory of 1812	2684	Client.exe	39
PID 1812 wrote to memory of 628	1812	vbc.exe	41
PID 1812 wrote to memory of 628	1812	vbc.exe	41
PID 1812 wrote to memory of 628	1812	vbc.exe	41
PID 1812 wrote to memory of 628	1812	vbc.exe	41
PID 2684 wrote to memory of 2052	2684	Client.exe	42
PID 2684 wrote to memory of 2052	2684	Client.exe	42
PID 2684 wrote to memory of 2052	2684	Client.exe	42
PID 2684 wrote to memory of 2052	2684	Client.exe	42
PID 2052 wrote to memory of 1220	2052	vbc.exe	44
PID 2052 wrote to memory of 1220	2052	vbc.exe	44
PID 2052 wrote to memory of 1220	2052	vbc.exe	44
PID 2052 wrote to memory of 1220	2052	vbc.exe	44
PID 2684 wrote to memory of 2104	2684	Client.exe	45
PID 2684 wrote to memory of 2104	2684	Client.exe	45
PID 2684 wrote to memory of 2104	2684	Client.exe	45
PID 2684 wrote to memory of 2104	2684	Client.exe	45
PID 2104 wrote to memory of 3012	2104	vbc.exe	47
PID 2104 wrote to memory of 3012	2104	vbc.exe	47
PID 2104 wrote to memory of 3012	2104	vbc.exe	47
PID 2104 wrote to memory of 3012	2104	vbc.exe	47
PID 2684 wrote to memory of 1036	2684	Client.exe	48
PID 2684 wrote to memory of 1036	2684	Client.exe	48
PID 2684 wrote to memory of 1036	2684	Client.exe	48
PID 2684 wrote to memory of 1036	2684	Client.exe	48
PID 1036 wrote to memory of 1752	1036	vbc.exe	50
PID 1036 wrote to memory of 1752	1036	vbc.exe	50
PID 1036 wrote to memory of 1752	1036	vbc.exe	50
PID 1036 wrote to memory of 1752	1036	vbc.exe	50
PID 2684 wrote to memory of 2652	2684	Client.exe	51
PID 2684 wrote to memory of 2652	2684	Client.exe	51
PID 2684 wrote to memory of 2652	2684	Client.exe	51
PID 2684 wrote to memory of 2652	2684	Client.exe	51
PID 2652 wrote to memory of 328	2652	vbc.exe	53
PID 2652 wrote to memory of 328	2652	vbc.exe	53
PID 2652 wrote to memory of 328	2652	vbc.exe	53
PID 2652 wrote to memory of 328	2652	vbc.exe	53

C:\Users\Admin\AppData\Local\Temp\3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a9f0dd8d0645492c815890a76e5ad3e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 4 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eyzkk0ag.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B0D.tmp"
      4⤵
      PID:796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iajkokzt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B8A.tmp"
      4⤵
      PID:2908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uqzjrhtq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BF7.tmp"
      4⤵
      PID:628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmkjfrm7.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C65.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C64.tmp"
      4⤵
      PID:1220
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qoqmgmt1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CD2.tmp"
      4⤵
      PID:3012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-zsfpug.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D3F.tmp"
      4⤵
      PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3jflikpb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DDB.tmp"
      4⤵
      PID:328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hcyn7v3a.cmdline"
    3⤵
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp"
      4⤵
      PID:1656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnaipcgr.cmdline"
    3⤵
    PID:1384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E96.tmp"
      4⤵
      PID:1060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwgyujbt.cmdline"
    3⤵
    PID:640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EE4.tmp"
      4⤵
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3jflikpb.0.vb

Filesize
276B

MD5
f7679dae33cc7cba76ae134efab4ca27

SHA1
ed8c202c43803fd6f4a2b8f1696688ad54d4f5ca

SHA256
fab275ee64ff822b7e7e5089b4499813aa8a1ca44e499906e418e5db142bece6

SHA512
ca866b797ea7f1a2a7c3788e1944d285668f7256512bd7f43fa1302d6b4c5a342fa98b5213d1550685f972060ddc6da5843dfd7ee0151a981eb73e48b0314abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jflikpb.cmdline

Filesize
171B

MD5
b93fc1831f7872d7603bb6bb14c94c3d

SHA1
0af13fe4af5755abd81d08fed3fdd1fe87a228b4

SHA256
cc62e07687566eb63b2e973ad44989a9036a719b8bf85bb9608102060fe3609b

SHA512
01232b6d931231ff4d6b0f8f1570c0a881f8ccfc325fad2991a2ba180647974ad8492ccd867ebb99db065add211392f8c5e694b96f15936452d29946b638cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B0E.tmp

Filesize
1KB

MD5
91d5f1a5a4820cc81f60e6a2b29c13bc

SHA1
5ce946eccb5bf1045325ab1d8b931ef5387d71e1

SHA256
9bc8d2f766106f6ba1241b519d5c323bab99fb5e398133746215a9617ac44304

SHA512
4453b9bd5399828377b758cd1b7efe6525c589eab12ea36b266fc935ae04df989a11a2243533527d6b3a115e8b06ffa680897ce8f16111a7f4cdc607f1daa5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B8B.tmp

Filesize
1KB

MD5
cb43335ecf549b98b9c88dbc39b74ef2

SHA1
2f1a6253a247b8e29bb1366638e8a20fe4f7a294

SHA256
c9cde7bb1fb1dd50a0564353a5e2b679af78e972aae8000b3bcad98764f27eb3

SHA512
bf27d83b50baf50f42265afbfdbd4994f8da47e6ec28e36ded930ae95d75257390066201dd5863a7f233b3922596103f312b2bd3230c39505f13fc2562b784bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C08.tmp

Filesize
1KB

MD5
58ba25598d8ecade3ba18e0989aab87d

SHA1
00607100af021ccf22ea153cab77993406ea1bc1

SHA256
26e27c9647efd1ab1d94043ccacd28aaf000b676230c80821d896e52c7079847

SHA512
e2b383cbe4beebd2b566cb223f591797694c8a11622beb167cf3aca98fb3b6032069e555aec60fdf12b0be070fb922b0f5ae8422b1bcbcde372c3239e07169a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C65.tmp

Filesize
1KB

MD5
289d710890b5ef8093290b727d1613b3

SHA1
1cb05ea9be9f20bb9a9efe12b1fe27982ac5256a

SHA256
c5f2e5135c58c9d12c217a638340f8bc81f5ca7965b98403a9b6f419a7afeab1

SHA512
f3df268fe1c73d8d043f0a066987b6910ef72979e2fbb9fecf1c5b37445aaaa646a05fd64c6a0834850707db3d6159f440ffb490ab51635f9096e62b62e339a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CD3.tmp

Filesize
1KB

MD5
50f6a2a274f2097d388510c2570232ad

SHA1
3770ea92203156346a1fc73a470d57258245aa94

SHA256
f8f79ee5c753c40bc310a585b5ada18d6006bfa3288301ab423e6ea637a013f3

SHA512
c2df68946a5f5f6a9f0e53fb85581a8a3c68aebd101bcbca50be96cd279488e29a889faa044a7d59f92585fde98f8965930671cf97b032dcb244a867c5d08ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D40.tmp

Filesize
1KB

MD5
fae15132101a32c569baa3f88c8582f2

SHA1
250c872e23ac32f415c65725db0c9fb1d2d93a1b

SHA256
8556a05fa7deb207a3fa41f662e8868ba12b3ff86583c76267a96c3141a346ad

SHA512
2e8224c74dbcd47c83362d5ed7ac4076f6c5e9f02c743144614b49c19dcf9f56700241fc04e0ca7af31c403239a5fbe201999de1423ef92b4d29df9cc07dcbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3DDC.tmp

Filesize
1KB

MD5
d27bf5b11a4ae9988f6f3d3bf1966a45

SHA1
6dc33f885ebb212230c393c1525996a05d95905a

SHA256
9e547d5db3125ab16f585f260b331d26536b1e923f4221749fbc56da7e35d61b

SHA512
3d4117ad857d231aae52d55ebe951d38f543448201fd2b9bbd21556f20cb67d69baf9183e3b979dc0970ecbbd2c193c7af76c22dc0ddf0105b5bf1be2a252db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp

Filesize
1KB

MD5
7deb598291135997ab7afac9664300cc

SHA1
d6f9910fd284e2e70058c562aa9b143f8a9cdb54

SHA256
3009023ebf6bc9095478ef4ece1709c5b637c3586e81473ebc5f4a336d63b799

SHA512
f07f95208141b90aa39f7f52162222e9ee0cbf776c03fd2d4f7aedca8648b8ce2b3bed016788af3c26619f3babe0674c4efae7649c22c1ddb9bba84efafd0949

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E97.tmp

Filesize
1KB

MD5
a55bd0f924647c38c7b86596e5c9ab3c

SHA1
28676b3334a5b787e84af9452b8c9437d0318e26

SHA256
c98c6a670abf9f065432063bcf97ff705f5b771d7c5cd71d4987b7e6802616ba

SHA512
2e4051fe050dd472b885b6701a60494b3e5740401a83f8a1c857d929626a949b57a5c51b85f33bdfb17d526448f371659461babd83347e3022d65c66b23eb0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3EE5.tmp

Filesize
1KB

MD5
966869569d74224defa33c9c03f9c99d

SHA1
0258eeff496396a631b2952af2975531323fc4b8

SHA256
c984190e8c0a7c56a3c71c9cd5aa31098c4418c7457d41a745af957dbdb282bc

SHA512
656119c6a499bf06056125903be8f522a8c7f1c74a2ae5ef79bd2a978e9c1be3901a391137017726cfbe6a747e75c2755932a6ae74840ef04113eda89ddd1a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyzkk0ag.0.vb

Filesize
267B

MD5
609a4cd82d67d1ce9aca793b13b42730

SHA1
c7f887785a1b5fa6a5539b6af35312c68faa5a5e

SHA256
bf33f6b6853f80036fbd9341d045d4ff16de08265defd95bf5627ee88b0098bc

SHA512
f225c736217c8b7ce465afe5abb7205f76596dd995ac871e5faa8dab62df2623351c0ed325f8aad20062e34dc76b4be944541e33f97f7ca4079fba314e02f269

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyzkk0ag.cmdline

Filesize
162B

MD5
95ecc6101baf06aaec97facc44528674

SHA1
8c316fe3833483abe8d5e68f53680ab09cec293d

SHA256
1d6b1eb53c05a9edb364e80c158a460cbbacdd35d10670e68ddcf4cad604445d

SHA512
cf793ff09382bbf287bbf0a2fafeb3d5db353e9ac6a3d2d4489c20245ef90417b0fd9ce7d2b917a61e27b582f88c071ffd98a2e6e961e815dfb2ec73e31d4484

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcyn7v3a.0.vb

Filesize
269B

MD5
90d81aed5c4b667da6b922307116b9c4

SHA1
de91efa1470a0c3b58d7f55dbfd24d772940017b

SHA256
1c71d7ee4d6ac941777c876f1fa230e885c583ae88401c58cb33f791de50a623

SHA512
ee90ff2809b8b264772e6c9ada0ccdbc0eb2e88dcd606c0e1bd724e69d4b3d735a55f2b73fd14be1815528a70f6e98a61221af130b4b20cdef4057e98fbc187b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcyn7v3a.cmdline

Filesize
164B

MD5
82cf244ec4e0b080fabb6d733d2a70f7

SHA1
0c691c3d9315c678da90790bf335971185fe1fdb

SHA256
8f6a97667d50c2c3c300d44b752405438de9dad4f72d84c0900f26f56da7fbfc

SHA512
54151658044cfad2034a385dc06dd58d6c2e6c7270a0dd30760ca8b4000402721ab9baaa43cb0aa9329603e2db53c350bb83300b4cd9eedf0ce06175adf18e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\iajkokzt.0.vb

Filesize
271B

MD5
fb997d8a1180a8f99c6c195040b15549

SHA1
08903aa6027362203f949f25b4635eb99b3c431c

SHA256
2590e2fca6f7e18bdbd16be875011383d5911118988883b91cb4b740560388ab

SHA512
e917e6c582633ccd7833af8ac5cdae7c52dc78057a03ed04d01a9adeb20e9eb7c84158558b06e6cb30f2a98ed637913b4b269c53f32842bcbbfe740115e494ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\iajkokzt.cmdline

Filesize
166B

MD5
9495932cdcef294e33e906a13e45e902

SHA1
fcc07686dd5e56d9504057d54b96429e1d0bbe08

SHA256
944575598df00707c56e562513f82d411a22433d3e8361f6f5598ae2db8da91b

SHA512
67948d1906d5292e68163c6c3a8c02aa57e2e0c5354f04b5e1453e799b4bd9e6a44c56bf123d8e238177a63b6636455626f256613d06f70a804ece5b3d06e907

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmkjfrm7.0.vb

Filesize
274B

MD5
3d8bced72590fec617343a53a5cc21da

SHA1
1c8b158dab58e593e92ca2a2a625c60952b7d40e

SHA256
db074cddb8e6ec7352de0fc0f86d508138dd076a904fae6198aa414f618af077

SHA512
b6ea51dad718b2f64d451552fcb02ce69b7c7609c6dfdf2571544d5deae7234eab072c775500f3d271c9440d4b99197fd230b47c8452fc1176a62ff50b8b12ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmkjfrm7.cmdline

Filesize
169B

MD5
e6550f48a7f43007f058236f2fe7e87f

SHA1
e49b9f6da8a2cdeee00613d6c8b8696774f645d6

SHA256
12fef08022906f00d5b767b0dc08d813bb68429955a23cf2f0a828344f531695

SHA512
ac53375240a747e0e3a588bf7f3c14d9195a31ed1eb96ee70b3bb83212a326f2dc39e376fdfab9105b9034ed5674d19fc673b09c1053110dd16f23999422e722

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoqmgmt1.0.vb

Filesize
276B

MD5
1909af250b6678eac754defe533b683a

SHA1
47924abd4aa9802aecf533c8ab43e714c31a82db

SHA256
686c2abe526e8034d124801a8bd2f22faecd1b2af297560c905f3b6ffa3872a6

SHA512
f7014e8f8faea2d1d16654ae4db34bbb5aae8d6dcb6a0e27e60a2905b10bc57d01cc7298626e42702f91d9aade60201a2e54df4992067d2802a8f16fd50cac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoqmgmt1.cmdline

Filesize
171B

MD5
e6497b9623b2852d66660f3913a06916

SHA1
8fbabc027cc518c096956823a2c68830d3cfe834

SHA256
49f876daebe4ae7ca97775cdb68e74594beb35377ce5b06c3b88a8c2abae5633

SHA512
2940c465b671d2bd11593400d0d8a32f65ccc56ee17f6feacebdeb623f04feaf6b8886ca615dee8c25a92f372b21444b6bcfe73ac62f159e2ea63c9363009b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqzjrhtq.0.vb

Filesize
270B

MD5
7edffcfb4e6ab93f89421cc7a8fbd0b5

SHA1
d85f319b7695cd4193246192791a6eb3d12652c4

SHA256
586797ec79b1b8f75ec6d93b15c21c7fddfa005a3072a8a96a56a2b290d69454

SHA512
afa80ad321c55a93a54f54d6cf77fbf9417e0f817f2e112240e37acbbd73992342e59c8caa6e809b8b653db843fea9f09464f28c45e5f6e740b153d8bbc2fe84

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqzjrhtq.cmdline

Filesize
165B

MD5
fa4628d32ccaea68377c1ea9ac2dced2

SHA1
934b07ec109bde7f79e7c083dbd9cd0f77f910d2

SHA256
f9f3d095b651a87e76d5700c4780070a5d7e0fe0fc718c215ff914d8caf62a0f

SHA512
3dc97f71379cec8128b0f5c5db017daa6f53db61d20e7e4c50c8d14d4231e8ff5999db5269c00961bd0c38dadd03a5c712719c16590db66f840d095aa0587b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v-zsfpug.0.vb

Filesize
295B

MD5
48d462e4c54cc205f665fb524963485b

SHA1
e23300cb1fba3d4c5a1dc4a355196e924c3cd557

SHA256
5a1a556ec49339cb8e43281aa4bbe969fa741e39cba84586a39849f25381607a

SHA512
d30670afa8f9c9f006015940314543b4b527eff6a9ca151a9c6498df1688ffde044dfc285d1dc63c72f3663263afdc6fd4982066067c0b1bc1c623e2963e1530

Download Submit
C:\Users\Admin\AppData\Local\Temp\v-zsfpug.cmdline

Filesize
190B

MD5
ff7d93912bf5ce5c1821481c142756f1

SHA1
9fcba6ad36d902b694a643d335916f292331e356

SHA256
688926ec4bacfdc9de930f1c00f91c390e6daa9a48e606f090a82a65ba6a4f7e

SHA512
c9ca099f3436ea7bc844e1098d0441e7b7783fb6e86ff28b10ddd0d6520ba4e36da9be3b077b1c53487088f5e9503d1720688d2a4ce2479bf02fcd69710e41e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3B0D.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3B8A.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3BF7.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C64.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3D3F.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3DDB.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3EE4.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnaipcgr.0.vb

Filesize
275B

MD5
8bbdf77f7fb547c34b1f545d80a0d999

SHA1
7a0d021f50d95e468ed54468f21121a8404dad83

SHA256
f220c2038fa037c3f1f049dbcd2c28b90f23d7cea9eaaa72da5dd2fa20e2d00c

SHA512
11de523e7900a7218ad0b7b74606970a981e445c68c8be1c26213c9a70a4e2617ea1730209a0daa5e255349b098cf00d5546e2473005a873cf3f00d2aeb75fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnaipcgr.cmdline

Filesize
170B

MD5
71009aa190e254b37700b6ce0ea8185d

SHA1
c4dd4560f962cdeeff17358c3c717ae48941b1ad

SHA256
35eb8bc878ab4077dffa97d2d67a67add2e17f57f0c9382f664ff328bf58f68e

SHA512
b0278f7e7e52a48e8d2d4cc71fd123088390579ead56cb9b53def2b79359607e2bb21a7106fc40b5aabf2ae68d5107b3dc4c36284ea8bdf572d36c715b8f969f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwgyujbt.0.vb

Filesize
278B

MD5
a1e445c98559ecb711e61ded02367229

SHA1
02dc3714779ec2058608a2caf87c7b5019c1d9ed

SHA256
4913525539ef3077c8fb17e7d5ba2537ee79ce17179178ca2777f87847010aa6

SHA512
26f0589fc6f579892e0cb53fe5e34b1252b01ef42cb9ab7e9c62ee48e45d71b8814fcbd5b468db7fdd3d62914a0f09e2b3a07261e1ef9acf25db5eaeadeb9ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwgyujbt.cmdline

Filesize
173B

MD5
ab34d70e8358d7f5e9affc984f836cca

SHA1
af20fa98d4a8435cee2ce9ba1b8779bb45987ea0

SHA256
5bd9edb25c3404be004adadca2edb34dae2aab69a7deff33f4e7e6d3194e4500

SHA512
c09440a8b9b6bc8409275d5f9c17e4f6f206172218e8c83f98d6eeac7bcdd0dc084be43287960b32095e0b52701a0563382c33af7c67020f0a1e5d3175ccc664

Download Submit
\Users\Admin\AppData\Roaming\Client.exe

Filesize
56KB

MD5
3a9f0dd8d0645492c815890a76e5ad3e

SHA1
14574fd766bd7257f0dd9616362f6114a97fae24

SHA256
dba31ba17f5fd314bdaa69df902db653a5b0a6ede5d53459573c7ca6e868095a

SHA512
ceeaeecdec572d92bc8e2b69f6d22aeb67eee825c428a7d498cfa48b914d91aa82bcd129084d82e5df81c9029cbabc77434ab1c08ce4936207ff8b0b32187bb1

Download Submit
memory/2408-0-0x0000000074BD1000-0x0000000074BD2000-memory.dmp

Filesize
4KB

Download
memory/2408-3-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-14-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-2-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-1-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-15-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-16-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-17-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-18-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads