revengerat | e214f08d95ac7a1ef1b9b99283723d17deb663eaf5f5fe5625bb81e88cff37d6

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe
Size

111KB
MD5

2e3037f15c76457e5390a7c5b540153f
SHA1

0c4cc2dff8d70af9280b3f8c79e693313e5f6d81
SHA256

e214f08d95ac7a1ef1b9b99283723d17deb663eaf5f5fe5625bb81e88cff37d6
SHA512

9a526b7aa2a8b9ae0f68acab920de652a7e6f9e85757683b80560bf3b5aa18f01c49f1468648476eaf53e3fc6a5b928457915a696d6c69f6af6eeec0368b1ca5
SSDEEP

1536:OsVeuQ+fKE+Q2zvjd0ty9ZWWbLMpTnz1rAWXM4AAhrkSqyIt5vtdVZHMBpkGE:poEYzbdgy9ZWWbIh2AM4AgrBLIXJZJ

Score

10^/10

revengerat trampo_csharp persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Trampo_csharp

queda2122.ddns.net:333

Mutex

RV_MUTEX-swUnoWrUUgHR

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1544-2-0x0000000000160000-0x000000000016A000-memory.dmp	revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfkjkfjwwwwwwwwwwwwwkfjlfee.lnk	operadebor.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	operadebor.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\Documents\\operadebor.exe"	operadebor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	operadebor.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2604	1544	2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2604	1544	2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2604	1544	2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2424	2604	operadebor.exe	32
PID 2604 wrote to memory of 2424	2604	operadebor.exe	32
PID 2604 wrote to memory of 2424	2604	operadebor.exe	32
PID 2424 wrote to memory of 2288	2424	vbc.exe	34
PID 2424 wrote to memory of 2288	2424	vbc.exe	34
PID 2424 wrote to memory of 2288	2424	vbc.exe	34
PID 2604 wrote to memory of 1480	2604	operadebor.exe	35
PID 2604 wrote to memory of 1480	2604	operadebor.exe	35
PID 2604 wrote to memory of 1480	2604	operadebor.exe	35
PID 1480 wrote to memory of 1832	1480	vbc.exe	37
PID 1480 wrote to memory of 1832	1480	vbc.exe	37
PID 1480 wrote to memory of 1832	1480	vbc.exe	37
PID 2604 wrote to memory of 2868	2604	operadebor.exe	38
PID 2604 wrote to memory of 2868	2604	operadebor.exe	38
PID 2604 wrote to memory of 2868	2604	operadebor.exe	38
PID 2868 wrote to memory of 1968	2868	vbc.exe	40
PID 2868 wrote to memory of 1968	2868	vbc.exe	40
PID 2868 wrote to memory of 1968	2868	vbc.exe	40
PID 2604 wrote to memory of 316	2604	operadebor.exe	41
PID 2604 wrote to memory of 316	2604	operadebor.exe	41
PID 2604 wrote to memory of 316	2604	operadebor.exe	41
PID 316 wrote to memory of 1612	316	vbc.exe	43
PID 316 wrote to memory of 1612	316	vbc.exe	43
PID 316 wrote to memory of 1612	316	vbc.exe	43
PID 2604 wrote to memory of 788	2604	operadebor.exe	44
PID 2604 wrote to memory of 788	2604	operadebor.exe	44
PID 2604 wrote to memory of 788	2604	operadebor.exe	44
PID 788 wrote to memory of 2128	788	vbc.exe	46
PID 788 wrote to memory of 2128	788	vbc.exe	46
PID 788 wrote to memory of 2128	788	vbc.exe	46
PID 2604 wrote to memory of 2244	2604	operadebor.exe	47
PID 2604 wrote to memory of 2244	2604	operadebor.exe	47
PID 2604 wrote to memory of 2244	2604	operadebor.exe	47
PID 2244 wrote to memory of 1620	2244	vbc.exe	49
PID 2244 wrote to memory of 1620	2244	vbc.exe	49
PID 2244 wrote to memory of 1620	2244	vbc.exe	49
PID 2604 wrote to memory of 1368	2604	operadebor.exe	50
PID 2604 wrote to memory of 1368	2604	operadebor.exe	50
PID 2604 wrote to memory of 1368	2604	operadebor.exe	50
PID 1368 wrote to memory of 396	1368	vbc.exe	52
PID 1368 wrote to memory of 396	1368	vbc.exe	52
PID 1368 wrote to memory of 396	1368	vbc.exe	52
PID 2604 wrote to memory of 2496	2604	operadebor.exe	53
PID 2604 wrote to memory of 2496	2604	operadebor.exe	53
PID 2604 wrote to memory of 2496	2604	operadebor.exe	53
PID 2496 wrote to memory of 1784	2496	vbc.exe	55
PID 2496 wrote to memory of 1784	2496	vbc.exe	55
PID 2496 wrote to memory of 1784	2496	vbc.exe	55
PID 2604 wrote to memory of 836	2604	operadebor.exe	56
PID 2604 wrote to memory of 836	2604	operadebor.exe	56
PID 2604 wrote to memory of 836	2604	operadebor.exe	56
PID 836 wrote to memory of 688	836	vbc.exe	58
PID 836 wrote to memory of 688	836	vbc.exe	58
PID 836 wrote to memory of 688	836	vbc.exe	58
PID 2604 wrote to memory of 2276	2604	operadebor.exe	59
PID 2604 wrote to memory of 2276	2604	operadebor.exe	59
PID 2604 wrote to memory of 2276	2604	operadebor.exe	59
PID 2276 wrote to memory of 1040	2276	vbc.exe	61
PID 2276 wrote to memory of 1040	2276	vbc.exe	61
PID 2276 wrote to memory of 1040	2276	vbc.exe	61

C:\Users\Admin\AppData\Local\Temp\2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e3037f15c76457e5390a7c5b540153f_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\Documents\operadebor.exe
  "C:\Users\Admin\Documents\operadebor.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yoxeeud9.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp"
      4⤵
      PID:2288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ff0sfjt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCE5.tmp"
      4⤵
      PID:1832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fb6hsabs.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD24.tmp"
      4⤵
      PID:1968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d9c70sz_.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD62.tmp"
      4⤵
      PID:1612
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k5oznqzy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDA0.tmp"
      4⤵
      PID:2128
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1gwnwf9e.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDDF.tmp"
      4⤵
      PID:1620
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r9d5dion.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE3C.tmp"
      4⤵
      PID:396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndjlwtyu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE7B.tmp"
      4⤵
      PID:1784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y3vrdoav.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFECA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEC9.tmp"
      4⤵
      PID:688
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-fdyjvf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF07.tmp"
      4⤵
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1gwnwf9e.0.vb

Filesize
307B

MD5
066d888b9a390fc07be7051c107527fd

SHA1
d7340dc9f39d0db0b5d2d613a80f194edd8a3a2e

SHA256
ddca490df116b6ab217221c857b713abd756572306f4553537239ca585fa8b57

SHA512
9b33c7713222c61dffb661fb96297f6f0ff0511968f6812c911d88a33d53497dd3ae9935ea4df09d208f2e94505b76ff1998c6d113e426da598b62a4be3e56b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1gwnwf9e.cmdline

Filesize
199B

MD5
79758d0c4c9c97f6a1d1c8656b20197b

SHA1
988b73d79dcc9dd9e7d9af1194c62601dda1521b

SHA256
ad65a4c678d67bc4699968c97a2caf0bc10a43748d380a10e640f8d8cbc15829

SHA512
53070d0686c71121ae72c3cb1eb970c387402057ef4fc48fc692dc2634855ea4e954f6ba07fab418cc091cf7b5a89512df913b6f205e7047c29ea09623ba8352

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ff0sfjt.0.vb

Filesize
279B

MD5
fd1c88405c96d29492e940623570392a

SHA1
4932a24b62feb28041395aa27fb04d81425137fc

SHA256
04e91956965e357a4dac0a5ab371c77579409ac85b18f65dce8ba4981340f1d9

SHA512
edb8878f678bf35b1e9901897ecfc25ea85f175aab11c1694d61d50d4a079a4cbf217b8b42904596a116b7864c4ec696d7b1924fa5bfd734ff39aaa5ff8a0b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ff0sfjt.cmdline

Filesize
171B

MD5
794c63ab2c01617d977d62350254bd52

SHA1
1add8f963bac750cbad02870a24702287c4d83b3

SHA256
f94b75c44e7546875990f8db341302c6cf1cec65fe7b8daa859546f4664e020f

SHA512
f224b38d5d8ff5291a504cdbae4b526c9a6e5b1e38aa187153f5db68f1c34b07fb2461df4f4ffd2fe7cc231f568ef4111368c6434c73ff5df4e0df1544829428

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp

Filesize
1KB

MD5
55d9c1606d004d6ed48c9a7c049d1528

SHA1
fd245f7000f3d55bc57e5c00b5eb3976ff1456c6

SHA256
060b507c09710f5a6782e0efd7de8b9d6c9c895055aad36b00863d4b52e6aa3f

SHA512
c9e6496052cd2ef73a238f5a425b80b6e53368aab2cd09f3805c87762813bd0edb5a0463684000fc763869d48681ad4cee0279ac61a440a84412a13ad12ce09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCE6.tmp

Filesize
1KB

MD5
9ee59f0f4a9b78e461ed384ee280c617

SHA1
af633cdd4246b53c67dee01094e9c1faed966996

SHA256
0eac123ea9e579ac809768b4f06bdfdedc6c43381c87b9f5feffdd835c7ee756

SHA512
13c9f308331b3f089ae6e3c49af98ad741931853c1f6b510ec6d8a8fb07b0d9dab61303b4a05f7ee5c66660ec4cb9376fd6faf133ae70020204719633015fd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD25.tmp

Filesize
1KB

MD5
a095a2a8c0246e55e8567c11322ea2a0

SHA1
e3b96b2f83f96ee371303f0f673ee94bfa354d27

SHA256
2428999daa73d466b0feb97aa23e2199ed9395fca0b5f7f49ce1e6293ec4c3c5

SHA512
a1735e810af1882cd848f6aa039b986ac2c070e21315f7f464b5f355ea991631490e3671cb57121062e35c2296e862578fb1f34a6f03f8683ce4276984e164e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD63.tmp

Filesize
1KB

MD5
ca54bb9bd21dd8b2a6a32613f47e4b7b

SHA1
7e22976302ebf37740f148f3e6c07128f780e569

SHA256
d65bbae93c67c83d5ec3d087fa47cc05fdfa7fd532ec156afccf5333db101806

SHA512
104b47f6f7944adfb12ef39f7c52c530940fa7fcb6242899ef674612a7d4c072a4d2a0f83565a02249e65cd70f031340be3cd8aa2541d9dcfcd495c34b45a26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDA1.tmp

Filesize
1KB

MD5
b9c2d3d976dbd25c15a30cc0d63be971

SHA1
1c0bdaa608266db2d604f90cbf5e2867740692de

SHA256
b70986c8eddff0e10f7c8eec7f7ced99e63a0f9cb29170a2afba145f5c02956e

SHA512
9d24d74579fc19ec5c8a66bcdd202c894bea335a3a9d978ff9f7dbdc40339c3593d3988caf980fe95c28163034e74b2d2cbf653d0d85da0d5d12afb061ceef08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDE0.tmp

Filesize
1KB

MD5
e0d0b3845b8fe09236849966eb9ee710

SHA1
3ba86d8a6795c526393efeafa13ddd1adf1ee466

SHA256
84b0c4ff099c28e6446c286a63059cd76c55b343b96ebde7e36cbcceb466445b

SHA512
125c327c600ed743d3e69043973ca33a4ef5238639379baa0bfa0c65c4c6df02c394de1761f3da906ac682d4bd943c24e1a1a561cd1416da135f0197b73c606b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE3D.tmp

Filesize
1KB

MD5
60c1fb468b8655367be1827c968d006f

SHA1
dd5b31a1da4123bcea5b49885bb011488bb0bbf3

SHA256
fef9ff856629bd372aa48649519cdd425838cc3907aee195cd5e1562c5a1d921

SHA512
ad5e7c197a92881a2dd80be61a5b1af0dca40ab195e9155cb5b3786ec60aaf44b541a0a83c14b6f57c4f3b467c8bcd30f3e003454d88ca7744327f18496c5c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE7C.tmp

Filesize
1KB

MD5
47ffffe4a9dead95424d819e07573e47

SHA1
23da6a8f4de89f478f0fff72d3ea460d410297d5

SHA256
0c512626803232bd41afd3e381582822dc3ca026a2df2469920d971812beae29

SHA512
4d492b236fa1d162119ea862c5b3a7139f0aea003ee95d5dd056276ca69046eb3c55046a54b79ab01379311bfea51c6c8e6b6687c4db2c1df4f23bc1228d1a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFECA.tmp

Filesize
1KB

MD5
55d4f3df3c326b991effeca11e6dd3b0

SHA1
ce2a6be09e6d9edb0f8ef5e53ad8c58abdaa7bd9

SHA256
ec4aac7b50bf860ac5915f5a16366d1e7e14102bb531e6594ca33c6614642f4b

SHA512
4a8f15097bc4f47ee269291193227e3afdc793adc04ae3eaa68dd090852d0da942761644361cb1d4f61943eb43f012a537d1e5ccf0cb6732f4aee37bb6b371ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp

Filesize
1KB

MD5
b2d665b12a774606d5163e7ab5f7ba1e

SHA1
a1bbdbea9239d6b1e471962553e474fb828253d4

SHA256
e03a5e38fcadbac6dee5bea1627343ac0634f4ebebd777087f73616a99f82d1c

SHA512
baf25a16f5eb268b5ff15b67ce26b47410b0ed32788f044cb2d9d721d696952fdae8ec18e92355a27e5d1d5515f4a4e2d342e8e9725dc2e1111ccdcab23a7597

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9c70sz_.0.vb

Filesize
282B

MD5
679ef8997b022342756fdd140b23affe

SHA1
39ab186f5e16eb6cce10a6a18af9ec0e68d89b7a

SHA256
4647089ba0159c8715f0b19e53395d06d8f8db989306021f18f3806565bfdbdc

SHA512
2cf6626fa1095796ae91b9e4c2bc76705f9d480e6dcfec42da28a01f6997c370ccb9de7443de92a5ea77559854b8d7a917c9bb3a2c9d29ef97a691ecf0a89e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9c70sz_.cmdline

Filesize
174B

MD5
2f05950b1c619b92779a5c4e23e497a3

SHA1
149fd65df0293d91f8c717fca5278d45d8846465

SHA256
609f405eb94a278d6e8dc39e2927169413d20a86dc242474ccf5eb523a778c80

SHA512
d6645f813fb5e58f38d370ada3a5bca50a659299835b04839b0bc9f170551025b8387cda0930f45d27991eb3e3a25a53f3912166f712a3034055d16eddb8672d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb6hsabs.0.vb

Filesize
278B

MD5
a5e4078557e5de9c8dcd8ec6b8820900

SHA1
58a54f243b9edef4300ec8b603fe6afac077c4ab

SHA256
2fdfd4a2c0e66a88f192c19c7325d901804b2683a6682f1871e3199299614ec1

SHA512
180dfda6e69602196dc45b203a6c1c3087992545bd3e4469a8ceb86e01b74b66e46257ad69b639351510197eb5f8b32d2888879dc21aaea927581a58595fd6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb6hsabs.cmdline

Filesize
170B

MD5
c42bb5238a6f66e4815d000c66d0ca98

SHA1
fd932475fcf1aef7cbf2ec31b58091fac3b2de57

SHA256
a00b39bb2c57a0ff56bddbeaa628270af9cb817c3f4de469c8f3b0dacac0ba9a

SHA512
2e5bc66666f3373e8b9de7136ff17c0dcd63bce69617357094090340d2cd76e7b77c28358803504f5acc3e13db82d62446d4846dd4092e998430553f61a3a1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-fdyjvf.0.vb

Filesize
291B

MD5
2608adf0ec1b1cfcddac6f242b60bf34

SHA1
ec63206bf58c820e8a73c44571b97bfe0a1a16e5

SHA256
86102b30a8c984e2be11df050267bcc1ff7ac8f5496699195783b783b896df62

SHA512
573ef64a64738c069d936d7a7e92a7acb983e3c2fe53a6e77c1eb06b634e6c9ba0289ab1c2b3608f66ba10a7e962f9f4dbbbff8354c5aa868359564e726df2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-fdyjvf.cmdline

Filesize
183B

MD5
221b6bac9b3346709bc500fcd32cde5d

SHA1
8c5e7e8ea279fa474a4357ea8e53d7d6ab901dc3

SHA256
f2a9c96935add63fc59e997dc25d43f9cbcbe0c5671ceb09531ddcab82869e1a

SHA512
b25b3285ba50811abda87802171e741a1935e451ec57b3398a73cc2a50496e83d3eb87a3ee47ca4457855e794f9d27957bf26a6a3ecd357dd04cfca74efe27d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5oznqzy.0.vb

Filesize
288B

MD5
d9ac56cd0e428b228f6c8d134d4f1968

SHA1
e9799abb9ba7391748f19c31e24805d0cb79fbb8

SHA256
458f9f69ef54512e6159ee080ffd45a4c1486d7ce68e557f15da9312a16e58d7

SHA512
d50ceba3a299f70ca84fc0804fbe6272612ab630869a83265617e8a598a122b1c4d44507184eb7f7e04fc34cfa12c9040259b90e0a1de37b3b2e716ebf2dae53

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5oznqzy.cmdline

Filesize
180B

MD5
6ae8dc93e86e56ae5b3604d366d99858

SHA1
b531f17aaa9b3d31318d96021b664827432af43a

SHA256
d6edbbe3745fb80c1ad9cb7253cdadc30eb5f8d3c79750efeaf41b17e2b330ab

SHA512
1f7f9b49e5a446c4ea7a3e962aabd2063c4bc260489850301fb1abe797afd55d0fd3ab55ac63fd456eaf6d0a875626ba10553e7c7757102e023d7d97fdfd1632

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndjlwtyu.0.vb

Filesize
282B

MD5
fe984f600d54a5111936ab8fc94cbd7d

SHA1
1446a029859e2e49ff058f8d534c6773e69aab98

SHA256
68341e860a2925fb28d983d313e6314eeb1b8cd2b801feeaecaf651648dbb8b2

SHA512
c65a45af045a3ce26209e71a0ff4e10f9892a115371593e3c18d8a3d563c2bf6018bf48de7307305a5f931797d7319c7ffe7401946f237c2994ec2147b726bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndjlwtyu.cmdline

Filesize
174B

MD5
ba2b18a5004a7c2d02e6ed7d7007ab93

SHA1
affcdeb3a39d897c0f85e4a7c838f55334d6b341

SHA256
ec397fd00d1820ab7f898c22b5e963ee51452a417b7390f973e349b13f6190ac

SHA512
9fa8d51dceb9d36c89a8da584115fbb8110ee3f9e557b05ff54815b8ac861a0b668cdbdc2dc373e1b3b4ad867d3955b38e320f5a30bd933884c87acb7df47545

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9d5dion.0.vb

Filesize
289B

MD5
259a9d4d7813d6b7ecf9063498df5f82

SHA1
9cf22ac846d3192a96a61bae2e7da2f3877b7fd3

SHA256
0772828accf923ac5865ca678134ff6c4873463a571cea8945d0cd35aba72f57

SHA512
ba3859ad63b00c92f774bde7a4ee02cca2cf4cbd670dd639b7b4c6f5f9aed6f9be49112c0307314347a317559105d1cbcc375536e11943ca21d7f1eaac15a409

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9d5dion.cmdline

Filesize
181B

MD5
8439bdff3b27ac6397b74ef5c66009c6

SHA1
4e66422af4f39e92a6d8e35ddf18b3276b47696e

SHA256
307ece32165885f979cc22461508c8d0c057f41e310076ec497d5ffb0058e3d4

SHA512
686c34794ca01bd9b4ac5a5bc608994bea42d7576a6215969cb45f08b1fb55f7f2e1dd87aaf334b4ef931e5985c0cf594b524c176cf06e4704c5e8e4105a6365

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFCE5.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD24.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD62.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFDDF.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE3C.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE7B.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF07.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3vrdoav.0.vb

Filesize
288B

MD5
d3694b6e582ea560351b2ad385d78fcd

SHA1
b56f1f04702e3140231a7e0fee60184441249833

SHA256
f62f75f8780d60e09195ba636e7bc475cb2bc9d3ee50fc43c16b60797fec2eae

SHA512
3c0cf6ca3d4bdcc80da08be80f79d20d6c224ff57ddd2fb2e7b16a704cde377ebb8b41cdc4e1d4fbd121c58290149c25e8f4cb998cfa216c764ca380d3efd9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3vrdoav.cmdline

Filesize
180B

MD5
db0cc596021e8bdad228afdb191002a9

SHA1
cb0a075c9c80e407dd4995c9d1ff7fcf69d04fcb

SHA256
b92946094d806eea942a40fe1e16674d2a20f2942cce3e8d39b962fd01f4a582

SHA512
e7999cb10ef7b855ef29e035fa77d3ce598c31c885fdf2ab2683cf7a6f68305263c4aede95e460a6a393c230a602924c9f008147e3438b80b8d4d4747110dc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoxeeud9.0.vb

Filesize
275B

MD5
25df4fadde1de1173e199dbdc0cbe4b5

SHA1
50d3668b19ad8e74f673e210752f65aff3c8bdc5

SHA256
c13eecb5cd2d7c906d6c86f7e417ac97f6e3b221e448318c962c6c1a7813634c

SHA512
de5e1a3bd5f5c9559e621cda8023301384c0200d365e052539fdd46327eb7454a578984f100335c59bc530365d42a5d747524a86c051e9ea5fb15f27ac695e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoxeeud9.cmdline

Filesize
167B

MD5
b9693d31093eabaf29ff12b4be46e984

SHA1
6e99eef428d0500804a1ae29615d55aab9f2cf96

SHA256
ce588ee6bd2c5910b07a7876f3ff97aa669e7d41cd745e32668fd3589bd66f48

SHA512
0fb4bdc1bfdf408df1b8ac5acaa8761353010d03ecb1582159625dff794d4e091a2dfe176fdb46f1863fabb1579a05cebe91a0657456e49182f2f5a2dc742b58

Download Submit
C:\Users\Admin\Documents\operadebor.exe

Filesize
111KB

MD5
2e3037f15c76457e5390a7c5b540153f

SHA1
0c4cc2dff8d70af9280b3f8c79e693313e5f6d81

SHA256
e214f08d95ac7a1ef1b9b99283723d17deb663eaf5f5fe5625bb81e88cff37d6

SHA512
9a526b7aa2a8b9ae0f68acab920de652a7e6f9e85757683b80560bf3b5aa18f01c49f1468648476eaf53e3fc6a5b928457915a696d6c69f6af6eeec0368b1ca5

Download Submit
memory/1544-11-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-3-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-2-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1544-0-0x000007FEF586E000-0x000007FEF586F000-memory.dmp

Filesize
4KB

Download
memory/1544-1-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-13-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-14-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-12-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads