revengerat | b807888d4cdc5307da585735781aaac9bd46531682c251df4272446f7d1e4555

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe
Size

55KB
MD5

69567405eacc7c342c8f3f056b24b4f2
SHA1

ce513e25c09b32650fb7650180da773dabd21df3
SHA256

b807888d4cdc5307da585735781aaac9bd46531682c251df4272446f7d1e4555
SHA512

d4ec72926a4fc85fe8f3e2c6204f2a90d231b306fa77207726261151a9f5d8adef146072eb91368004ccf56e85b8d6ca7389809c8dfc6f96f901a88a24a8cbaa
SSDEEP

768:cc6mUzhrzqombIcYTMQ9Ti+UwDFUDcyCC2T:c8UzmYTxzDF+c

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0009000000023419-9.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Executes dropped EXE 2 IoCs

pid	Process
3632	Client.exe
4532	Client.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Client.exe"	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1488	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe
Token: SeDebugPrivilege	3632	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3632	4860	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe	96
PID 4860 wrote to memory of 3632	4860	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe	96
PID 4860 wrote to memory of 3632	4860	69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe	96
PID 3632 wrote to memory of 1488	3632	Client.exe	98
PID 3632 wrote to memory of 1488	3632	Client.exe	98
PID 3632 wrote to memory of 1488	3632	Client.exe	98
PID 3632 wrote to memory of 3268	3632	Client.exe	100
PID 3632 wrote to memory of 3268	3632	Client.exe	100
PID 3632 wrote to memory of 3268	3632	Client.exe	100
PID 3268 wrote to memory of 3892	3268	vbc.exe	102
PID 3268 wrote to memory of 3892	3268	vbc.exe	102
PID 3268 wrote to memory of 3892	3268	vbc.exe	102
PID 3632 wrote to memory of 3508	3632	Client.exe	103
PID 3632 wrote to memory of 3508	3632	Client.exe	103
PID 3632 wrote to memory of 3508	3632	Client.exe	103
PID 3508 wrote to memory of 372	3508	vbc.exe	105
PID 3508 wrote to memory of 372	3508	vbc.exe	105
PID 3508 wrote to memory of 372	3508	vbc.exe	105
PID 3632 wrote to memory of 3332	3632	Client.exe	106
PID 3632 wrote to memory of 3332	3632	Client.exe	106
PID 3632 wrote to memory of 3332	3632	Client.exe	106
PID 3332 wrote to memory of 4768	3332	vbc.exe	108
PID 3332 wrote to memory of 4768	3332	vbc.exe	108
PID 3332 wrote to memory of 4768	3332	vbc.exe	108
PID 3632 wrote to memory of 3308	3632	Client.exe	109
PID 3632 wrote to memory of 3308	3632	Client.exe	109
PID 3632 wrote to memory of 3308	3632	Client.exe	109
PID 3308 wrote to memory of 4396	3308	vbc.exe	111
PID 3308 wrote to memory of 4396	3308	vbc.exe	111
PID 3308 wrote to memory of 4396	3308	vbc.exe	111
PID 3632 wrote to memory of 4324	3632	Client.exe	112
PID 3632 wrote to memory of 4324	3632	Client.exe	112
PID 3632 wrote to memory of 4324	3632	Client.exe	112
PID 4324 wrote to memory of 2104	4324	vbc.exe	114
PID 4324 wrote to memory of 2104	4324	vbc.exe	114
PID 4324 wrote to memory of 2104	4324	vbc.exe	114
PID 3632 wrote to memory of 4704	3632	Client.exe	115
PID 3632 wrote to memory of 4704	3632	Client.exe	115
PID 3632 wrote to memory of 4704	3632	Client.exe	115
PID 4704 wrote to memory of 3668	4704	vbc.exe	117
PID 4704 wrote to memory of 3668	4704	vbc.exe	117
PID 4704 wrote to memory of 3668	4704	vbc.exe	117
PID 3632 wrote to memory of 4880	3632	Client.exe	118
PID 3632 wrote to memory of 4880	3632	Client.exe	118
PID 3632 wrote to memory of 4880	3632	Client.exe	118
PID 4880 wrote to memory of 1156	4880	vbc.exe	120
PID 4880 wrote to memory of 1156	4880	vbc.exe	120
PID 4880 wrote to memory of 1156	4880	vbc.exe	120
PID 3632 wrote to memory of 1112	3632	Client.exe	121
PID 3632 wrote to memory of 1112	3632	Client.exe	121
PID 3632 wrote to memory of 1112	3632	Client.exe	121
PID 1112 wrote to memory of 1684	1112	vbc.exe	123
PID 1112 wrote to memory of 1684	1112	vbc.exe	123
PID 1112 wrote to memory of 1684	1112	vbc.exe	123
PID 3632 wrote to memory of 5060	3632	Client.exe	124
PID 3632 wrote to memory of 5060	3632	Client.exe	124
PID 3632 wrote to memory of 5060	3632	Client.exe	124
PID 5060 wrote to memory of 3256	5060	vbc.exe	126
PID 5060 wrote to memory of 3256	5060	vbc.exe	126
PID 5060 wrote to memory of 3256	5060	vbc.exe	126
PID 3632 wrote to memory of 4656	3632	Client.exe	127
PID 3632 wrote to memory of 4656	3632	Client.exe	127
PID 3632 wrote to memory of 4656	3632	Client.exe	127
PID 4656 wrote to memory of 4956	4656	vbc.exe	129

C:\Users\Admin\AppData\Local\Temp\69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69567405eacc7c342c8f3f056b24b4f2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1488
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d1eq5cqo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C75.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64FB9301B8374973999A93581114C786.TMP"
      4⤵
      PID:3892
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ig1htg41.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B65660FC1E94B2FA1A6BB6892557A6.TMP"
      4⤵
      PID:372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\np0g2ihw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DFAA0661D7D45268396D2158B5912CB.TMP"
      4⤵
      PID:4768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oknkj-c4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc793EC6A4DCC24BA5B3C56169DC9A3CD.TMP"
      4⤵
      PID:4396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pribeswq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EA07E518E343C0ABBF7EF89EF2F1.TMP"
      4⤵
      PID:2104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hoiwrife.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90FD05A251B641018FC64BC24FA3F90.TMP"
      4⤵
      PID:3668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ej9ndq08.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES504E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61CBABDB495742A59D4F8F64A28370F9.TMP"
      4⤵
      PID:1156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a2afwsb5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD48EC31DBDA44341AD7DAB567CC1B8.TMP"
      4⤵
      PID:1684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i8xe2eep.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5138.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F33F5C76740434894A5E743773E8FF6.TMP"
      4⤵
      PID:3256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\58ug0pcg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC39BD78CE8E244ECA176BFF631BC508F.TMP"
      4⤵
      PID:4956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
1⤵
- Drops startup file
- Executes dropped EXE
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58ug0pcg.0.vb

Filesize
279B

MD5
be5ed6e9ca8bacb411cec92247f6e71e

SHA1
9764fb37527194879a3076f044376e17c607f69d

SHA256
0e2cfaeed386f2ad635803a9c2ec6f1dc36d9844163e493438d0e851787d7d8a

SHA512
fff9f7c2dc02abba182368ee17522d664c9454dcda462b70b35118e1b59ea9f75380aef9a834fbf7826dff028ff861fc51db8930dabcbe084597f20ca1e5bb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\58ug0pcg.cmdline

Filesize
173B

MD5
05308341f2fe2ce473c80eee95a40ec5

SHA1
90b590656630a1f24f1bfaeda56631d7dfacd52f

SHA256
973d00e612c4349bdad6ce8a342a594c662536a48d4fcb7ee2d7f99c348d7577

SHA512
c91b31d1c76fc98c31a37c3a1402114f5d199ae405807a51f6ff275e327c6ace0de3654604342c752ae180139b635ff2635e881e371efc8e305999f1945eab4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C75.tmp

Filesize
1KB

MD5
70972532b37c23436da61b9e7aa15d2b

SHA1
5b2b20ccefe769ad540a9cff5e70b3118a904dff

SHA256
29b6e841770e0604e0eaa318cf535497a241b908ee6184e0adc73b3c20999e8f

SHA512
e3e96f6be09ea09196f3aafb153fc0bca42cebaa4c5c3e6b7ad0521a3654bb0ef46ccfcadc9e780395a67f1ad0af356c7c7e01d4f87783c2e87f37e45b2c75ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D31.tmp

Filesize
1KB

MD5
947a56c835a1bc169bed2a672c20de28

SHA1
5cdf184e86f82d8c940157a038377d470f92a8b9

SHA256
1492afee1b67bef4d5a9f054c196c83cefd3a7b8ab60833ad8c443b69921d106

SHA512
5868f0cc9cf00df8d7a77d7630570c99d8ff1688edda1558dd88c4898480195b7bdf92a5e6ec833e0b2967588712ce70aef96a19d3a1e1958a122a34d56018be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D9E.tmp

Filesize
1KB

MD5
41091c838ee66784a48b66afd6fb14d6

SHA1
9f8f687bd3c81c51b5722065290920a547cf2522

SHA256
e57efd5ed14abf01505de5b77d0b42964608af688ca3bdacd1e1ebad969fa2de

SHA512
a16b92a387c91f46d85d717872a7c2993f045c6e22bdf2271079a2f4f33d4a2ad208aa211c48639432d207c4ab3211670d32ed571a915ee716a516bae374bc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E0B.tmp

Filesize
1KB

MD5
12333a069aa9b3831daefc349a7de846

SHA1
fc6fec81ea353024e02ff0c92a4412b62ec32334

SHA256
f656d082aecdf49a62d6cb0baee46a726a43d42a69b7f92ccb9f0f41bd35c552

SHA512
6adb54d230737b7eca916c5c34f1b0e319bc952424e3b7eb4c6e93651525a7cc99d6731d3c3ea3f8e09ff8916a87679265427e0cd37128d69ea5dd164b605b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F05.tmp

Filesize
1KB

MD5
5b60672bebbfca30ef2f2954a59217fe

SHA1
0d9d16797238da4c2951102b4d7d54a77ebd8bd8

SHA256
84b361582e1030f036a080d23b26147baf8b7b495171dafd9a62d2a2e169ba99

SHA512
c01a6e955a15070d60f11f356a531ab3cb68727b797a339ecac334cae3d6c105c2af457644884500d0b9cbc5685ecfed4634f63e367074728cf39284d4f2dad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FD1.tmp

Filesize
1KB

MD5
468a8498f448ce6ec931bc85a897a670

SHA1
08904710e6c03972eb1b1b682a0cf269165ffdcf

SHA256
cc21608e76530acd1122f9dbefbe0d02e563312a775f3df4c4721970b6bc8c78

SHA512
c2c9f1ddd0ba44dd5506d0f2a93db91a950d4793d2de765f7cc2327f7488f204500863c4b5f3be875a7559b23d23a16b266a1138883d77fb4313640f498da088

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES504E.tmp

Filesize
1KB

MD5
7fd39b1626b042a26625ef1e4689f392

SHA1
f62ae551fba71e23d0c7018de513ba8ea36b05f4

SHA256
aeca3dfe34762e47f39452dc6a2fc8d24ba8470f32fcf7f60b0985bdf287bd9f

SHA512
20ae99ac659a6082c96ebe8edbed9f6585a859c301fe7128c1962ae1605ae05f58848999e0034b5e32e11535506ccb5a324b34b5c51be569766a0af376f35373

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50CB.tmp

Filesize
1KB

MD5
15dd23cfd90966baa8c211c9477bfd30

SHA1
0a29b9d4503778317a7f5515241d1520a327fa35

SHA256
023d3f82910cc77481ca56ac2c7a29dc809b544f8410b79364f4cecd3946eadc

SHA512
a5011768eb00eca8f0bd72f2def4d0d312e9b38d6cc7262801a8a14a0f013b9051d81e28426b4af810330226582d3c6b7f8479f5d1feb185671d0c342d843554

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5138.tmp

Filesize
1KB

MD5
dd8b0bba3b62268555b2438ca54034f5

SHA1
6f79468774ad8cdcdc15fe9fa9253f2ff9f749af

SHA256
4d2f250abe6cd93685e1891d23e951be97d23365d1fa0503acbef3b324f098a7

SHA512
99f89040b42ef3a623ebb8e5c7e0f2ffd68b78b773e8d03393fb68099b575e8c952b37e997398d646acffd88afeb0a33ed5cc16373e98a2d6e6338a84305561e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES51B5.tmp

Filesize
1KB

MD5
309595bcaca2648af0573edbe3e8a6d8

SHA1
e71e3a89976adec9a2dd1e5dc94788b7afd64a6f

SHA256
56b0d25ed0e173aabab03e46c4ebf62aac1b6ce9325ecdff0a04ad8c0f298881

SHA512
6e46532358bb3dc1fd22e52de60e9d845256a355cb1610c2c8fe2b2a11e9fbbd4403cdc37eda2efadfa0456ea4308495aa01c186136965519352bf520a0f833b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2afwsb5.0.vb

Filesize
276B

MD5
4e2fbb3c801b865ce8ef1866efeb23a2

SHA1
470d4d4de0fec67c6d7f1c896c36f4107a1b78ec

SHA256
7116fcfb8e662dc34be315cd123f94efcaa696deabe052560be0c06bb017036c

SHA512
403916fbce92f80da7b1809f1c2b77733080adba44d43134994266d4f1f1d39078cc2f06cbc85e48cefaf539325732c25c358545d2df1bef2ea2ea2ff66d9b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2afwsb5.cmdline

Filesize
170B

MD5
e42efacbe3bc951e044dda1c05712999

SHA1
2403843a1eb00f44f43fdbf4f1ccaebbdf55240d

SHA256
207998cfc89d75bc81be01bdbf96eaef41cf99919f245b32f1d909bcb7d56006

SHA512
050e3971c4343d7b551b772c8c2d8419dea3ebe8f492873ae479e4ecc8a35a42398c7de2a549ca20857a94268261445d69de394a5df327f54112e9f622ff094f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1eq5cqo.0.vb

Filesize
262B

MD5
f706c17132078964b5082d45c010fa4e

SHA1
a1716ce3092d5ad9bd537d8b850a389e8fb8a7be

SHA256
584ef30bd602b886cf80f7abe37ebfaf2af292959682bf2257e43309d6145439

SHA512
80c5a95cfc486d85b23c6646458a0195fe4e604205e4a5d2aad56170db65281fb2c358239cf473521a1a2f4904215ccb542e41ea5cc570819c9c4939d2ea72d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1eq5cqo.cmdline

Filesize
156B

MD5
1a1b9aafb8d9ec55a9824ea4df13950c

SHA1
eefc23a7777cc664bcc5f92bd280fa3f877c1d68

SHA256
bc1c7ba97d986bdbae2c851105c73d5a03034da798b9cb08e79f7d01d8fc7540

SHA512
5aa48be7f01d68c4ada80aeb34e34900672d7e41b3871a3d23e9fef24e426522042d76acd40ce92283af6473f122414267c2bda0d07a88fe6a0a7c6cbc6f7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\ej9ndq08.0.vb

Filesize
270B

MD5
b49376e406ca2686686f57f94e03d34e

SHA1
0925732758c898938d72903d0dbb5eb2d27de48a

SHA256
d76642eb777484ce5da6377033e54ac4b27c5af6f100a5bc58f24e87a7db7010

SHA512
378cfe024285e15dd8a1da082c63c2e2b3c3edddbbe64dc32ff7618d122fcb69c38201dd7b9a2c8ca074cff9b66e19aa39e1af49fa2550cfeba20e6a6678ccf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ej9ndq08.cmdline

Filesize
164B

MD5
66d373f47a7713250fd8cc303af539e9

SHA1
050a824f00177ae099c985042274f721865630aa

SHA256
c854c9a5074901c4d1bf91dbb9065e501299edd758c67fdea3b00632db446675

SHA512
1b1f7e70e7ef0c0ef0b5d810b5877a11015cdd3e2bb9d9b9be406b9dd16ad612ab9c4e4b28a844ab5f0fa2b5abef551429ca6d885271a3e71a3a57c62755b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoiwrife.0.vb

Filesize
280B

MD5
87388873c0ba65a7fef073d4006370c9

SHA1
527ca10f3bfe852ff69b46b2ddb5b3d51c75f1a6

SHA256
c25126847d3eb6f3be7e731defa02472bf77a1f7f68ddbcedcc368c1921fc842

SHA512
529d94c704f5130e93a895abce4b3245ebe6a4a164f4d558beb16593da951282e0b208d1d32cf42bbf4f41f5d816c39f538543a623ecb4e4ae6968511a86a730

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoiwrife.cmdline

Filesize
174B

MD5
b3203e697f7f766b3ad8da9cebe5e603

SHA1
4cfbb4169db16c38f444760165827ee11b1a4b88

SHA256
45a099d9a537dcb73c52b5a70ae2e165abbbfeaf1aed55b2a6772e26108fd7be

SHA512
60ae3241d38215294832a4cbf42a759def5ab3b4cd58ae7ba38cba695a3d5b15a2cf0a5c8979acadaa1dd113c03489226d4c9e53c775a4dab6061056b2e67e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8xe2eep.0.vb

Filesize
277B

MD5
505f16d392b62ab958be6f8beb386566

SHA1
ab1c375b085a229c51cb0c99ca6d473dc92faf18

SHA256
277f2f1e09a0b3725770839ad6af8867ea2f0c054a734806cbfb70bdb426be4e

SHA512
9fd335d48d45911418144ae20da241b3c9d9b9a99e2bea8ff0f701b89d540623578bcc479601b47a3e4defe1a02414b0e6ff44d17b119c613f93552904c78ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8xe2eep.cmdline

Filesize
171B

MD5
c477cfce463099043f11837a8749b482

SHA1
e9b40a687b5bd56d186cb5980dda16909aa448df

SHA256
8334f2478765629c58e77db573c0f88c1f7613094e2c0f6473837a31182b4a58

SHA512
cef8bdcb31aa982d2a336a51764730508d875c24b39899d25bdb2c2631240de5d49c431f8393fd6863d0877e2bf345750cc7fc4df357f4c826a7db5535a7ff44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig1htg41.0.vb

Filesize
268B

MD5
828f89f99b554471ed97ab5177674c2c

SHA1
6aab1f0bb4e6f871f17a48fb6710fc1f56a031ae

SHA256
e6b1c4d031d56057f67e6b19a7baf4245ae80b5227e9131f39661a96b2887cf9

SHA512
4db41e2e851ce843b43d2ee9125b8f7cb8f81e3ea7697f7406f1f3e0ac2409fcd44bb620933ed2cc8b09babc81465f3ecf3c8230bd4a702a1dc8ccbf965d1cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig1htg41.cmdline

Filesize
162B

MD5
5e6249b7c368c80b119d718c4f5ea5cf

SHA1
ced695e12a435dd8c4500f86faac3517e9599f69

SHA256
2ed7b249334897826b73ae7e1a77deff6202c4304d44f762ad02a28cb8f7ef67

SHA512
718ec2c26331d22745720899a469f406315d82b64831026f4ce27a17924c7b76d40d2f9ba7dc70a1db72d7f7a4467a1504c1730167dd4ce4488eb253f4fb7bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\np0g2ihw.0.vb

Filesize
269B

MD5
e6c4f85caded1562723c1c4c5e3e863a

SHA1
82e92e4950c14ddf71b94728ee6f47f0eccaf137

SHA256
dd52c421f9385693877ef613771c758c79bf3aa87ecb8b64a1c1bd9df9cb1e70

SHA512
ed0d94334ae176614454f54d78346c5da5db33f09f231c98c0f5a1d9dab6d9093a1361ad8dfb9ee9986a77228b8b1eefd51e8f1d59444af6539cead88df0ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\np0g2ihw.cmdline

Filesize
163B

MD5
b0367d7ea019ab117386b74c953bd6ad

SHA1
2f00a229d0650482aea431d0cd30543dd1dfadd7

SHA256
0014834814c60c76a50be55f4a9a4fe3e0d975e5926aadd6cbe3358ef7e8b503

SHA512
0f6cc9406f623f119920c67c1ba68fa5f74d95123656bfe1b16a045801a908a59e8f3dde6317b769f17bf7eefc7f23416dda4d572386173c4d75b38a6a6734fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oknkj-c4.0.vb

Filesize
277B

MD5
1ffb61b8c2f14232ddeef43bac674ee2

SHA1
8c76106d91fe356c614e836d4e59353085e1303b

SHA256
1e6efb298d70471ae2afae0f396a0f70fc245be4d7500e12ff8505d293c7acd8

SHA512
770911bfee1a10b06242f468faba8f13d860c01fab2321da5d50caa5bf7444f8b426a6dc92c8dd61fdd14e63706a38f2ddb35de2db696f89178f672301827931

Download Submit
C:\Users\Admin\AppData\Local\Temp\oknkj-c4.cmdline

Filesize
171B

MD5
73f4f99d9db44e2f66be281c05cbd831

SHA1
912acabbd7d4de0becd2d8a60b7c2cd1af7e137f

SHA256
69e9666bec1f4a69eb892b17a33ce28362a46ef96b4e0b88d15fc67fce486f83

SHA512
ff718af1e1bcc471242ae62f368ada5b09571454daeb4ff3059c379b9af2b87e61af417b7b4c1b1b08512d64aa1242a5b7a4349e6f74a244d0c67af2fa7860ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\pribeswq.0.vb

Filesize
278B

MD5
759a12e1190b2114d51ea6909432e635

SHA1
243f2f21730968e18317f19eea7a742d55b34b4f

SHA256
dfe3074a2b3fcf4d293a93eb6482146494122e37d8595d6538a278793707e353

SHA512
070d3e2546fad163aa2688e9192410cb1164f5de9eb039d697c21859619c414884874c9281bca9923bfb678eaf1c8c77969c803302a9c1e30237ab0423567131

Download Submit
C:\Users\Admin\AppData\Local\Temp\pribeswq.cmdline

Filesize
172B

MD5
70bf47bf718a0921b93a51a598fdeb54

SHA1
6cc089984ab9ca267f39e27953d52ff91ce367d7

SHA256
779920996510d4593108c4b7c9ef78b4b6ff755078838c46fed06d8f74673764

SHA512
50313729af4e15406d1bd9624d4405a9f5da588956ede0a7d0c8a42c6d5cd6274f7f4aa688caf55fe849586381239c4faa2a4db5b273eccea4daed61d23b7f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3DFAA0661D7D45268396D2158B5912CB.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64FB9301B8374973999A93581114C786.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6B65660FC1E94B2FA1A6BB6892557A6.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc90FD05A251B641018FC64BC24FA3F90.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC39BD78CE8E244ECA176BFF631BC508F.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe

Filesize
55KB

MD5
69567405eacc7c342c8f3f056b24b4f2

SHA1
ce513e25c09b32650fb7650180da773dabd21df3

SHA256
b807888d4cdc5307da585735781aaac9bd46531682c251df4272446f7d1e4555

SHA512
d4ec72926a4fc85fe8f3e2c6204f2a90d231b306fa77207726261151a9f5d8adef146072eb91368004ccf56e85b8d6ca7389809c8dfc6f96f901a88a24a8cbaa

Download Submit
memory/3268-33-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3268-25-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3632-16-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3632-15-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3632-17-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-14-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/4860-4-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-3-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/4860-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4860-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads