dcrat | 3a25f273c5c69615a17a5e9764846b1f44d1ade939602ec4da7e81229f9cc955

General

Target

fixnoblackmail.exe
Size

1.2MB
MD5

990b093e34cd09a232f0e2228f3b126b
SHA1

a37a9b18ceb0f8bc6916cda25c851999d9859251
SHA256

3a25f273c5c69615a17a5e9764846b1f44d1ade939602ec4da7e81229f9cc955
SHA512

ebc2cd9e994fcce1a80259bbfc001d5700eaf035f6ee7ec5dd8d433fa4fa1899f7ffb3e52e0ba94de24beeae839574a6968387f72905a88d618e0222555f358a
SSDEEP

24576:ijn9b91W4uOh3hmm6CpJQeBolPwRq9gFgBOv5eQuBFidboDBg:a9jW4uuRm/G3BoOgBKruBMlo

Score

10^/10

dcrat xworm execution infostealer persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

rooms-belkin.gl.at.ply.gg:48066

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

DcRat 16 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeContainerRuntime.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1724	schtasks.exe
3028	schtasks.exe
2012	schtasks.exe
1616	schtasks.exe
588	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\e978f868350d50	ContainerRuntime.exe
2224	schtasks.exe
1472	schtasks.exe
1776	schtasks.exe
360	schtasks.exe
File created	C:\Windows\Branding\Basebrd\088424020bedd6	ContainerRuntime.exe
2748	schtasks.exe
2064	powershell.exe
1552	schtasks.exe
1120	schtasks.exe
2232	schtasks.exe

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\vamicheatloader.exe	family_xworm
behavioral1/memory/2620-12-0x0000000000D80000-0x0000000000D9A000-memory.dmp	family_xworm
behavioral1/memory/1864-78-0x0000000000BB0000-0x0000000000BCA000-memory.dmp	family_xworm
behavioral1/memory/2972-81-0x0000000000C50000-0x0000000000C6A000-memory.dmp	family_xworm

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	2412	schtasks.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\antivirus.exe	dcrat
\hyperagentWebSession\ContainerRuntime.exe	dcrat
behavioral1/memory/1896-46-0x0000000000A10000-0x0000000000AF2000-memory.dmp	dcrat
behavioral1/memory/696-69-0x0000000000160000-0x0000000000242000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2064 powershell.exe
2788 powershell.exe
1708 powershell.exe
1600 powershell.exe

Drops startup file 2 IoCs

Processes:

vamicheatloader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe

Executes dropped EXE 6 IoCs

Processes:

antivirus.exevamicheatloader.exeContainerRuntime.exepowershell.exesvchost.exesvchost.exe

pid process

3060 antivirus.exe
2620 vamicheatloader.exe
1896 ContainerRuntime.exe
696 powershell.exe
1864 svchost.exe
2972 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

344 cmd.exe
344 cmd.exe

pid	process
3060	antivirus.exe
2620	vamicheatloader.exe
1896	ContainerRuntime.exe
696	powershell.exe
1864	svchost.exe
2972	svchost.exe

pid	process
344	cmd.exe
344	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vamicheatloader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	vamicheatloader.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

ContainerRuntime.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\powershell.exe	ContainerRuntime.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\e978f868350d50	ContainerRuntime.exe

Drops file in Windows directory 2 IoCs

Processes:

ContainerRuntime.exe

description	ioc	process
File created	C:\Windows\Branding\Basebrd\conhost.exe	ContainerRuntime.exe
File created	C:\Windows\Branding\Basebrd\088424020bedd6	ContainerRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2012	schtasks.exe
1552	schtasks.exe
1776	schtasks.exe
2748	schtasks.exe
2232	schtasks.exe
588	schtasks.exe
1472	schtasks.exe
2224	schtasks.exe
3028	schtasks.exe
1616	schtasks.exe
1120	schtasks.exe
1724	schtasks.exe
360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeContainerRuntime.exepowershell.exevamicheatloader.exe

pid	process
2064	powershell.exe
2788	powershell.exe
1708	powershell.exe
1600	powershell.exe
1896	ContainerRuntime.exe
696	powershell.exe
2620	vamicheatloader.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

powershell.exe

pid process

696 powershell.exe

pid	process
696	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

vamicheatloader.exepowershell.exepowershell.exepowershell.exeContainerRuntime.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2620	vamicheatloader.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1896	ContainerRuntime.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	2620	vamicheatloader.exe
Token: SeDebugPrivilege	1864	svchost.exe
Token: SeDebugPrivilege	2972	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vamicheatloader.exe

pid process

2620 vamicheatloader.exe

pid	process
2620	vamicheatloader.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

fixnoblackmail.exeantivirus.exevamicheatloader.exeWScript.execmd.exeContainerRuntime.exetaskeng.exe

description	pid	process	target process
PID 2972 wrote to memory of 3060	2972	fixnoblackmail.exe	antivirus.exe
PID 2972 wrote to memory of 3060	2972	fixnoblackmail.exe	antivirus.exe
PID 2972 wrote to memory of 3060	2972	fixnoblackmail.exe	antivirus.exe
PID 2972 wrote to memory of 3060	2972	fixnoblackmail.exe	antivirus.exe
PID 2972 wrote to memory of 2620	2972	fixnoblackmail.exe	vamicheatloader.exe
PID 2972 wrote to memory of 2620	2972	fixnoblackmail.exe	vamicheatloader.exe
PID 2972 wrote to memory of 2620	2972	fixnoblackmail.exe	vamicheatloader.exe
PID 3060 wrote to memory of 2824	3060	antivirus.exe	WScript.exe
PID 3060 wrote to memory of 2824	3060	antivirus.exe	WScript.exe
PID 3060 wrote to memory of 2824	3060	antivirus.exe	WScript.exe
PID 3060 wrote to memory of 2824	3060	antivirus.exe	WScript.exe
PID 2620 wrote to memory of 2064	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 2064	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 2064	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 2788	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 2788	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 2788	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 1708	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 1708	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 1708	2620	vamicheatloader.exe	powershell.exe
PID 2824 wrote to memory of 344	2824	WScript.exe	cmd.exe
PID 2824 wrote to memory of 344	2824	WScript.exe	cmd.exe
PID 2824 wrote to memory of 344	2824	WScript.exe	cmd.exe
PID 2824 wrote to memory of 344	2824	WScript.exe	cmd.exe
PID 344 wrote to memory of 1896	344	cmd.exe	ContainerRuntime.exe
PID 344 wrote to memory of 1896	344	cmd.exe	ContainerRuntime.exe
PID 344 wrote to memory of 1896	344	cmd.exe	ContainerRuntime.exe
PID 344 wrote to memory of 1896	344	cmd.exe	ContainerRuntime.exe
PID 2620 wrote to memory of 1600	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 1600	2620	vamicheatloader.exe	powershell.exe
PID 2620 wrote to memory of 1600	2620	vamicheatloader.exe	powershell.exe
PID 1896 wrote to memory of 696	1896	ContainerRuntime.exe	powershell.exe
PID 1896 wrote to memory of 696	1896	ContainerRuntime.exe	powershell.exe
PID 1896 wrote to memory of 696	1896	ContainerRuntime.exe	powershell.exe
PID 2620 wrote to memory of 1472	2620	vamicheatloader.exe	schtasks.exe
PID 2620 wrote to memory of 1472	2620	vamicheatloader.exe	schtasks.exe
PID 2620 wrote to memory of 1472	2620	vamicheatloader.exe	schtasks.exe
PID 2008 wrote to memory of 1864	2008	taskeng.exe	svchost.exe
PID 2008 wrote to memory of 1864	2008	taskeng.exe	svchost.exe
PID 2008 wrote to memory of 1864	2008	taskeng.exe	svchost.exe
PID 2008 wrote to memory of 2972	2008	taskeng.exe	svchost.exe
PID 2008 wrote to memory of 2972	2008	taskeng.exe	svchost.exe
PID 2008 wrote to memory of 2972	2008	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fixnoblackmail.exe
"C:\Users\Admin\AppData\Local\Temp\fixnoblackmail.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Roaming\antivirus.exe
"C:\Users\Admin\AppData\Roaming\antivirus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hyperagentWebSession\Zb1jHmnmFVc9HP.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hyperagentWebSession\yuP5unmniJ9kfmlaGKdL27GgoApcI.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344

C:\hyperagentWebSession\ContainerRuntime.exe
"C:\hyperagentWebSession\ContainerRuntime.exe"
5⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Windows NT\Accessories\ja-JP\powershell.exe
"C:\Program Files (x86)\Windows NT\Accessories\ja-JP\powershell.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Users\Admin\AppData\Roaming\vamicheatloader.exe
"C:\Users\Admin\AppData\Roaming\vamicheatloader.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vamicheatloader.exe'
3⤵
- DcRat
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\hyperagentWebSession\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\hyperagentWebSession\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\hyperagentWebSession\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\taskeng.exe
taskeng.exe {1463AF96-D76E-48E3-A5C6-EB0834225E6F} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d32d133f73eb8270fdbb19c686c8f865

SHA1
7482734ef756038341fdbe421a721f40a6d42483

SHA256
a8c25b52d0326b702ba88551314b04fb27606c30f18c9335338a3ec0d29b4af5

SHA512
d3fc00698ca0779a2ca79f7d1081a05787ffcd353cabd687fc71cd910c14a4608f178328fa55b7e1987ba82cdae6c07df439e9ddf1c89a0d20d5b26696db47a1

Download Submit
C:\Users\Admin\AppData\Roaming\antivirus.exe

Filesize
1.2MB

MD5
7ede07ce5ef82a5930fd2da3b84a268a

SHA1
95629d6e699ac50645f655a22d9fdb3f64317088

SHA256
11a6c027d3beb5a7404dd344856d710761ab30601561cb7f401bcbbeff758fc9

SHA512
60451ae02a7be75b30ca099d51734731a97d095c8a16c3f4ce3746176ca5fd9993e1f5068ad32a551b406660fa319a0ac0a2eead4ddb8d1bd8382bbb87db7b7f

Download Submit
C:\Users\Admin\AppData\Roaming\vamicheatloader.exe

Filesize
77KB

MD5
b074da06d9857ac5261d62b2446774a4

SHA1
7137511fab7f416097aafba40cb0b6becf6c9d6e

SHA256
d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

SHA512
04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

Download Submit
C:\hyperagentWebSession\Zb1jHmnmFVc9HP.vbe

Filesize
226B

MD5
0e4d9c16f89f0638a049d72ac22dc9fc

SHA1
efeffd5164b5295101a330c861d82657e3a3a00c

SHA256
a99a63bb00634e77e267410195fb98da4084206875dbd2bb6f89ae5a9358030f

SHA512
87539a1e28b5aef81d14653fb81c9f153fc7e69fb92967e38f867c8436f2d05751d86cfb8dd705697ed950b99bc73451ac5350058299121da40ce3bcb4f7e82a

Download Submit
C:\hyperagentWebSession\yuP5unmniJ9kfmlaGKdL27GgoApcI.bat

Filesize
46B

MD5
f4d4ecd293d644fbf8da9ce1a1888d53

SHA1
75133a217b7a0e9bb53b8825d3bae8269a90bd17

SHA256
4ec831b8a011a0df05c11c99af0ca887b47f70b0638588d32e7c2bec869ffff6

SHA512
b4c1219ee39f187117ebaac5a70e2bd536c9555342cdab874b553dddde528719e7ac59c51f8a42be567c032b1bf79a375856d05269905371b997793dc19f43a2

Download Submit
\hyperagentWebSession\ContainerRuntime.exe

Filesize
877KB

MD5
5f06823c87329157368dc1bebbbc39ef

SHA1
3fc404f0511b687e5e997a4ec4209c81eef93195

SHA256
ced4800fdbfb4303f7f9d9566d2bee35368de23e7b6a6c58d39a19e6d5ef7d05

SHA512
fcd03d048f94767dc2ef73a5f8b428cc75c9f2c02da25cf697dab391232e00a8ba3a92779f382b5924e105cf5b938cc20071955f4ad1829fd7b4d1d643af8ff7

Download Submit
memory/696-69-0x0000000000160000-0x0000000000242000-memory.dmp

Filesize
904KB

Download
memory/1600-54-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1600-52-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1864-78-0x0000000000BB0000-0x0000000000BCA000-memory.dmp

Filesize
104KB

Download
memory/1896-46-0x0000000000A10000-0x0000000000AF2000-memory.dmp

Filesize
904KB

Download
memory/1896-53-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/2064-27-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2064-28-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2620-21-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-12-0x0000000000D80000-0x0000000000D9A000-memory.dmp

Filesize
104KB

Download
memory/2620-74-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-35-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2788-34-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2972-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x0000000000210000-0x0000000000356000-memory.dmp

Filesize
1.3MB

Download
memory/2972-81-0x0000000000C50000-0x0000000000C6A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads