formbook | 3a7dc3212715f3b446582cd50ae64325cfbb7e52ff909f29d8848cc2ce01ec97

Analysis

max time kernel
300s
max time network
264s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 09:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment_Advice.exe
Size

1.0MB
MD5

add709d038a82c079c278675fdeb601e
SHA1

79b66e80396e26b4d4dbf7d091dc3c24a65d9e69
SHA256

deb20efb8b69c1261327f9d75eb26d41338f447cacfa439c69a1e7dc3272e69e
SHA512

8cbc6b8ca79a52541eb9711f05952e151eb106548281c6ced261c64953302513db05961b74b2f5790c76f2a5383710093a49d70a8ded195a82bc6a0cbf3839c2
SSDEEP

24576:VN/BUBb+tYjBFHFNiy6FI9Dh7wESIuy8EY7X1zJ54D+q0lPBzkFwIW:/pUlRhFQynRSLy8EY7X1zJ5w+JPBAwIW

Score

10^/10

formbook o52o discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o52o

Decoy

ckroom.xyz

apanstock.online

6dtd8.vip

phone-in-installment-kz.today

ichaellee.info

mpresamkt38.online

ivein.today

78cx465vo.autos

avannahholcomb.shop

eochen008.top

rcraft.net

eth-saaae.buzz

ifxz.info

flegendarycap50.online

reon-network.xyz

ee.zone

ameralife.net

5en4.shop

eal-delivery-34026.bond

anion.app

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3012-181-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1404-190-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 3 IoCs

pid	Process
2476	gqepvj.dll
3012	RegSvcs.exe
904	RegSvcs.exe

Loads dropped DLL 3 IoCs

pid	Process
1184	cmd.exe
2476	gqepvj.dll
2476	gqepvj.dll

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lnux\\GQEPVJ~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\lnux\\unob.xls"	gqepvj.dll

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 3012	2476	gqepvj.dll	42
PID 3012 set thread context of 1192	3012	RegSvcs.exe	21
PID 1404 set thread context of 1192	1404	raserver.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqepvj.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment_Advice.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2652	ipconfig.exe
2104	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	gqepvj.dll
2476	gqepvj.dll
2476	gqepvj.dll
2476	gqepvj.dll
2476	gqepvj.dll
2476	gqepvj.dll
2476	gqepvj.dll
2476	gqepvj.dll
3012	RegSvcs.exe
3012	RegSvcs.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe
1404	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3012	RegSvcs.exe
3012	RegSvcs.exe
3012	RegSvcs.exe
1404	raserver.exe
1404	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	RegSvcs.exe
Token: SeDebugPrivilege	1404	raserver.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2632	1984	Payment_Advice.exe	30
PID 1984 wrote to memory of 2632	1984	Payment_Advice.exe	30
PID 1984 wrote to memory of 2632	1984	Payment_Advice.exe	30
PID 1984 wrote to memory of 2632	1984	Payment_Advice.exe	30
PID 2632 wrote to memory of 2636	2632	WScript.exe	31
PID 2632 wrote to memory of 2636	2632	WScript.exe	31
PID 2632 wrote to memory of 2636	2632	WScript.exe	31
PID 2632 wrote to memory of 2636	2632	WScript.exe	31
PID 2632 wrote to memory of 1184	2632	WScript.exe	33
PID 2632 wrote to memory of 1184	2632	WScript.exe	33
PID 2632 wrote to memory of 1184	2632	WScript.exe	33
PID 2632 wrote to memory of 1184	2632	WScript.exe	33
PID 2636 wrote to memory of 2652	2636	cmd.exe	35
PID 2636 wrote to memory of 2652	2636	cmd.exe	35
PID 2636 wrote to memory of 2652	2636	cmd.exe	35
PID 2636 wrote to memory of 2652	2636	cmd.exe	35
PID 1184 wrote to memory of 2476	1184	cmd.exe	36
PID 1184 wrote to memory of 2476	1184	cmd.exe	36
PID 1184 wrote to memory of 2476	1184	cmd.exe	36
PID 1184 wrote to memory of 2476	1184	cmd.exe	36
PID 2632 wrote to memory of 1588	2632	WScript.exe	38
PID 2632 wrote to memory of 1588	2632	WScript.exe	38
PID 2632 wrote to memory of 1588	2632	WScript.exe	38
PID 2632 wrote to memory of 1588	2632	WScript.exe	38
PID 1588 wrote to memory of 2104	1588	cmd.exe	40
PID 1588 wrote to memory of 2104	1588	cmd.exe	40
PID 1588 wrote to memory of 2104	1588	cmd.exe	40
PID 1588 wrote to memory of 2104	1588	cmd.exe	40
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 904	2476	gqepvj.dll	41
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 2476 wrote to memory of 3012	2476	gqepvj.dll	42
PID 1192 wrote to memory of 1404	1192	Explorer.EXE	43
PID 1192 wrote to memory of 1404	1192	Explorer.EXE	43
PID 1192 wrote to memory of 1404	1192	Explorer.EXE	43
PID 1192 wrote to memory of 1404	1192	Explorer.EXE	43
PID 1404 wrote to memory of 548	1404	raserver.exe	44
PID 1404 wrote to memory of 548	1404	raserver.exe	44
PID 1404 wrote to memory of 548	1404	raserver.exe	44
PID 1404 wrote to memory of 548	1404	raserver.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jfnx.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c gqepvj.dll unob.xls
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\gqepvj.dll
        
        gqepvj.dll unob.xls
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        6⤵
        Executes dropped EXE
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2104
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548

Network

DNS

www.lush-diamond.info

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.lush-diamond.info

IN A

Response
DNS

www.lush-diamond.info

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.lush-diamond.info

IN A

Response
DNS

www.opesclosetyork.net

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.opesclosetyork.net

IN A

Response
DNS

www.eal-estate-90767.bond

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.eal-estate-90767.bond

IN A

Response
DNS

www.infeng01.xyz

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.infeng01.xyz

IN A

Response
DNS

www.inecraftpuro.net

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.inecraftpuro.net

IN A

Response
DNS

www.eusvexk.shop

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.eusvexk.shop

IN A

Response
DNS

www.eusvexk.shop

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.eusvexk.shop

IN A

Response
DNS

www.martdataclient.sbs

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.martdataclient.sbs

IN A

Response
DNS

www.uratool.net

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.uratool.net

IN A

Response

www.uratool.net

IN CNAME

uratool.net

uratool.net

IN A

15.197.148.33

uratool.net

IN A

3.33.130.190
GET

http://www.uratool.net/o52o/?MBZTev=XeVHocXkWhHSA6fM+xPE9HIfFmLS+MMQvSiyNttEog8ZbU1keZgAxVu3YdHA8+CE&kjm41=7nzd9LV

Explorer.EXE

Remote address:

15.197.148.33:80

Request

GET /o52o/?MBZTev=XeVHocXkWhHSA6fM+xPE9HIfFmLS+MMQvSiyNttEog8ZbU1keZgAxVu3YdHA8+CE&kjm41=7nzd9LV HTTP/1.1
Host: www.uratool.net
Connection: close

Response

HTTP/1.1 200 OK

Server: openresty
Date: Thu, 19 Sep 2024 10:01:18 GMT
Content-Type: text/html
Content-Length: 200
Connection: close
DNS

www.ybokiesite.online

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.ybokiesite.online

IN A

Response
DNS

www.ome-decor-10002.bond

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.ome-decor-10002.bond

IN A

Response
DNS

www.uantumcircles.world

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.uantumcircles.world

IN A

Response
DNS

www.jg-bw.app

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.jg-bw.app

IN A

Response

15.197.148.33:80

http://www.uratool.net/o52o/?MBZTev=XeVHocXkWhHSA6fM+xPE9HIfFmLS+MMQvSiyNttEog8ZbU1keZgAxVu3YdHA8+CE&kjm41=7nzd9LV

http

Explorer.EXE

434 B
592 B
6
6

HTTP Request

GET http://www.uratool.net/o52o/?MBZTev=XeVHocXkWhHSA6fM+xPE9HIfFmLS+MMQvSiyNttEog8ZbU1keZgAxVu3YdHA8+CE&kjm41=7nzd9LV

HTTP Response

200

8.8.8.8:53

www.lush-diamond.info

dns

Explorer.EXE

134 B
292 B
2
2

DNS Request

www.lush-diamond.info

DNS Request

www.lush-diamond.info
8.8.8.8:53

www.opesclosetyork.net

dns

Explorer.EXE

68 B
141 B
1
1

DNS Request

www.opesclosetyork.net
8.8.8.8:53

www.eal-estate-90767.bond

dns

Explorer.EXE

71 B
136 B
1
1

DNS Request

www.eal-estate-90767.bond
8.8.8.8:53

www.infeng01.xyz

dns

Explorer.EXE

62 B
127 B
1
1

DNS Request

www.infeng01.xyz
8.8.8.8:53

www.inecraftpuro.net

dns

Explorer.EXE

66 B
139 B
1
1

DNS Request

www.inecraftpuro.net
8.8.8.8:53

www.eusvexk.shop

dns

Explorer.EXE

124 B
238 B
2
2

DNS Request

www.eusvexk.shop

DNS Request

www.eusvexk.shop
8.8.8.8:53

www.martdataclient.sbs

dns

Explorer.EXE

68 B
133 B
1
1

DNS Request

www.martdataclient.sbs
8.8.8.8:53

www.uratool.net

dns

Explorer.EXE

61 B
107 B
1
1

DNS Request

www.uratool.net

DNS Response

15.197.148.33

3.33.130.190
8.8.8.8:53

www.ybokiesite.online

dns

Explorer.EXE

67 B
132 B
1
1

DNS Request

www.ybokiesite.online
8.8.8.8:53

www.ome-decor-10002.bond

dns

Explorer.EXE

70 B
135 B
1
1

DNS Request

www.ome-decor-10002.bond
8.8.8.8:53

www.uantumcircles.world

dns

Explorer.EXE

69 B
137 B
1
1

DNS Request

www.uantumcircles.world
8.8.8.8:53

www.jg-bw.app

dns

Explorer.EXE

59 B
157 B
1
1

DNS Request

www.jg-bw.app
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\afrwoxxhlh.jpg

Filesize
525B

MD5
3a24d486031c7620f991e6d0fd0192c8

SHA1
a3ac53b34226fd7335eeaa60f258b02244190787

SHA256
9e5af713bbcc8171f6326413d2f816229c97ed772e405f2253a17c8bc01be94d

SHA512
bb9837b3c86a1433f36e26b11ad32a6d1f7503dd9784ffc25805c6f2aadb8ad3ca443a28d471d58341449c1994a0232003b54c92050c96b6fcce7d89c561d4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ahnwgoff.ppt

Filesize
547B

MD5
b7616d98f14c1e805f38b599d045e69d

SHA1
19afddedd54985a88dd5309019d2a7a6d7b545be

SHA256
37698849104e058802402217ae46feb10cb7f5b7c2b90a63b79ab92433d31172

SHA512
644f3c468daaba991541452bfad63f92d967385b7053b67137b4b603a88919bcdccfd5b8463881a07c50b590624e8510abbd21465fbca4d83cc677047cf88425

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ascfxidefd.das

Filesize
31KB

MD5
4c02a7926c5757ef562d98e4b47df1d1

SHA1
be551eaea53a1cabea722f8e1065ef4444e9105a

SHA256
047cf19fedc6796a9ac4c13fc33c1adaf0230aca6c513130d11f16530354cf1b

SHA512
62342d5c12415c98d77ac594595c05affdbfa3809b7b031c19daf3dd1f1a26f065ed8bb2640002f1af39d1a083707e2a07e91ebb6ac1c28a7a36dde02a18d7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ascfxidefd.das

Filesize
31KB

MD5
36737a23145a6b898d6eb0b0f1bdfd2d

SHA1
683307bddf98d255a35b8824703b7fc1b66ea97f

SHA256
e5a3f7d86f6d60421510297d8836efb40cdb4eea45782d0f1aec9c10f11ed120

SHA512
045c64f1341d18d56e95e1f4df5fa579f1a4f6c05f1a6b59ccdce42d069ab77f34c281a8af64210d8edf142feb86c6efdc598c516cfaa180965afef9b87324ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\btmglht.jpg

Filesize
587B

MD5
369b27d7396f96688b81b2f5468c4af2

SHA1
b2c13f4d495d49a4e6535808b6c9b802cd2a654f

SHA256
384d54c61a6eefd7f7ec31d1520331d37e4cd29abf140742ad6bbb886ce95276

SHA512
0f28ea0a4988b81240833b3ff75ea2d69ddbe28b09523ca6add5d0e46a379954d755586ac56b53ddbd51b0fe9efcb7daa80e893f6ca75faf2685bffd17e5ffcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dguf.jpg

Filesize
536B

MD5
fdb8c81f15244d49914e9d5987686249

SHA1
b185d39341dedebc4a20ca6e2d223e1e61098223

SHA256
13b7a779f1d10bc508f830cda808338d87a7b57e3ffd026631b7ffecafc66e8a

SHA512
37c7f007186eb8a5634d96ee72be3573724d13de87a2908e382f934f09e02aa9e749357d8d3795d98c2cb5663530246f98ca20163d3c507c7a53811b66f1084e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eixowr.bin

Filesize
541B

MD5
f2453e0f05f7cc3833aa30aac553a8ef

SHA1
4b086a1f19129620acb5e3c415cb8b079a5fed0e

SHA256
2460b750ba0e4eca41dbd797a686abf5e3da9e78872ac2d7787fd95422ce7cdf

SHA512
2973de3f288572099eea19c22e10b29eb79086c6df14096966d41492c00024aeaa6c461186086223d838904c80ee385d16a2a80c3d8b3a138d0cf78a728deaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\emkssfilo.mp2

Filesize
555B

MD5
c4eb64d5367dbbdcbb878f5fd08e4f69

SHA1
a634e887362e83c2932a247d823ae72a8ba10a17

SHA256
a7744be604a826c09502435a5f6342def6266c200cb7cc3a96f88a1b5200974f

SHA512
113832d9cf65477d3cb1de62c1319127fcfaff2b04faa5e92c655a7dd9848d3002610b617ec73fe3bce77a338db2da62b2462a0e896f1826d936e1702d130e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\etobeehst.bmp

Filesize
643B

MD5
50c4bb62b8f081b643418d037e1cc979

SHA1
5ff62558c77fcc69943aff3750d89a0458dc66b0

SHA256
ca2a268cbebee28b0312572496058ac807aa72420927d8d7f14d0038c5c6f629

SHA512
075d90e937bd901ab58f28a3fd6d81000109ed60fd4bbb39c4be2339223af61f176178b7795ebf6d8d24395f0a1cfa6763037d439d2cd8a6f5463a53b6071ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggmmaaa.ppt

Filesize
586B

MD5
f5c23a77ac09bb9d5aa660e0aca4e1b8

SHA1
caacf52c2e098261a3d93eca59cf62e8417d63b3

SHA256
aa6d9cc069025ca4249a98dba47bfdf65f2a25121f98ff326150619ef4fdb52a

SHA512
500e70afc8d16b67db8a262ab2343aed56d300ad3e2f2ac1c2af865498cc2375752db02991f5c480d05181c6c0daaaed2df5933c36e9e590dbfcf39830e11272

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gmltfdrj.mp3

Filesize
559B

MD5
5b916d72c78230846f29650bd3c4a4a1

SHA1
2958f3035fee3cd45521f27a865cb6aa74bcdb6f

SHA256
4d941d0b808bc17336b8370ccf0397616e3906bdf058f16f489e0aab6f692c7d

SHA512
155468f6bd504320c082ef052e5534a647629b951ff24793bc0dd713dd91cfff8d90357f06092804a61900ab0d699053222b2e2591586a55173d937a2e15dcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gqepvj.dll

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iirdwfck.msc

Filesize
686B

MD5
b6a0c93d96b81d0605aa67a9c5d057a6

SHA1
fb85fb73beb77925b1c2fed5c0e61e371286f36b

SHA256
f4c51eca710804aa04b7889b307600e6d5dd616cb7aaf1d303a0e7433862636e

SHA512
42082a74223eaac56b6f0143866b7ad0ca4f906deef3a0524acee8638d093a0aeb52d6e4498858f9e2f29617d6b96fd376a22c1e5081ba044eab039ad90d8063

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jaepprsjw.mp3

Filesize
511B

MD5
7b00eadb2adc1517d3abc24a65234c94

SHA1
36e0e501ddc55913e2ab877bdce05415c0e4a15a

SHA256
75bb208a2ff4ef86eb74ab84ac4f8199d0cd879f5d1d3e56629a3c138be3de9b

SHA512
4b0824caaadda8ab014ff6e95c904b0b24ab711345ba8d6b9a4ebfc8e14a70e6cd5e774ce7d29f28f7deb7e825e4e2473d1b469011b43cadc729e40cb73bf1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jfnx.vbe

Filesize
53KB

MD5
266d0dd214a8efa1f6ab866057a3f822

SHA1
ec75828a41f4a9588391426305684345ff6adf68

SHA256
5689160023258e90d0bd7026a6a6fcfa297d5291752062d13c1933f9bad516ff

SHA512
9b0d1e6d4912f69b4db6d16b9af958079a1464edcb1dbb09c9a55ba88eaf43490594c7d055ffb7a2ab5f891aff75020b7f3c03829c417e3511b844c4d2597d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kkrhngg.dll

Filesize
666B

MD5
bb013c6c3ade9efedb718f9401a9d4c9

SHA1
84e2ef30204a84da116a285c4a99ad169815418a

SHA256
d000478d80f70601639c8102f353638ec2b1847e9cfa097a47249f87fd0e9ec9

SHA512
204ac31cf38c5a7fd24152bd3342c48cd42a30d7e079bab3514675ac1e5f92e1dc38716eec14b6deb869c0f868a34128f38506b671af447c09b3b6a9f6d72861

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrwf.icm

Filesize
550B

MD5
dd3d3c84480c83da749c78ca38f3eec6

SHA1
e1867757d32c8504f2e89bb8f83168d4933fa105

SHA256
24697abf3508f63e84f8ce8f478bd74d967ecf41b491eb6e4d334ba167d64c0c

SHA512
88849f0163bd800ad9b13cc83a9827f55ae7104119424983587aeb9a8565ecab8c3f2667d412fcd5ea29401e1e286e7fda294170d4c8fe399fe2a8454430ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nhvwiavlvw.mp3

Filesize
527B

MD5
d9fd75614d7026ff68a76b9fa0131d30

SHA1
5336bd53b70531d7f3aa1bb2bdb53057fc899a9e

SHA256
51a290cc70f2f7b64f279541137bc6f57eee986ba15e35c47778a27722f43ddc

SHA512
e6885c810de605cbd90a57adb2d4883859b87491a28c1bf99d4dbae541665cf733b483f451e7366a8a8084babfd663f26fe8a7ffae87c58046288751272343a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\omswttrkb.xl

Filesize
543B

MD5
41a1a1769e4ed54964fe190d47a56c8b

SHA1
1991100c31dc8c62a2156b381b5d7b529ab44e00

SHA256
deca4403bba576bea7b3df5d12ec3b3d84097cd37895c871d25820e8d00ab39a

SHA512
7ffc979ece9e26e67b4f6f021b03f039fd1ffc9c464baaa8989fc91db7e4c90a0ae7d0400f20e48227fb653e57ce804b3125be86a87797b0e53aa16cc553a0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\piorlf.exe

Filesize
554B

MD5
6eeaa91ab123c6b7119bc80533f1a537

SHA1
f29702c27b1f945bb38e29d1a514795635627907

SHA256
5b5b53cbfdd9b12a4d7cba4718a7be7b9495dbc93e6401f5558e4195ab060d37

SHA512
54cb2f6aca4bfe3f4ec2e694c5eb39ceb5dd8e2de6e0daef4d25b2db639c4f9fd9cabe08a0aee69726e12040feb392af76df104aa3775fb125c6b9d3453bbc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pkggvwlrqu.lbt

Filesize
351KB

MD5
fae6ee35c0f5ac2dc4885c0de8e88032

SHA1
587bf6f4105d4420762c463ba33e9e3ba677e85f

SHA256
4db090b6f1cd2501c929b31c2e29d4d0a4ddf1e81be6800e763d8c45bea8744d

SHA512
1ce62d900017dd4545023acc3ca32daee7eb454a6144c99958d57e88838402013854f410b8be1fb5d607819c48ba72fefecc11d2c78a81408855bf3899e04b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rsax.msc

Filesize
558B

MD5
a7e7e0380d83ddee2938716c3f7fb78f

SHA1
65bb122b16dd27fb48067231f2a236542e705b8c

SHA256
a7bb2eb1a438d1fe2cf0a79a0557cf982e2dd2cbf1161d6b8979e3631bfebc14

SHA512
a9df0b619605566de52323c0f8f17b2f006a0e2ed412ee61d65c659c4fbada0d9f4e2e3632b4f3b6841ab21fb3db8dca0cb7989bffeea58c6aa3e4ea1f0375cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvtshedh.msc

Filesize
611B

MD5
9fdb95b78ea29f6d5359ad3280837b50

SHA1
559560985a6ab92f1a6c2d1f4034bd9c57a1210c

SHA256
06afdb51cc670ca9a5bf3d6167ede7ed3e4dbb6ec455d588c9a5933ab5c16391

SHA512
177ee7166977d2d8f7ded9bc95634b391cb8b4245e1fea3752f5be43fb305f0dad457faa650f397fe0b6a190bad411d11b56b1aed9e7be40686bcbbe1d7407a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\shbf.mp3

Filesize
576B

MD5
2f59bb8b42b854a5aadb528171cf55f5

SHA1
30bfcab8af34e1197551c2f307cc13ee6afe3479

SHA256
e5e92f1bb548bd3715e683b0038c7c181b84920a90655b76e7096bdfb9beb76f

SHA512
0339032e6019f33d678d230ad07b44cb032c3eb1ae2f724356e21570b48a99f27be8f4edfef9457991a5691db98d52a2fee9b899bb4ccea0601c1b14501d9d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\snsgkb.docx

Filesize
626B

MD5
9272c884bb45d965d8383fbeeb08abe9

SHA1
b06cb9090e10ea9b3be11eb92d19c6345561d863

SHA256
3f379a6c79a1a45dc15c9d550782236a07749093a499311e3b8c0f20d6dbd9fe

SHA512
851524d22dde5d8c3896bce7c50fb34a8dfa3219218e28f8781eb1fefb823c309562fece86ae48c1de8e48986134ac7df6fd38a38756a41d7a2c18a3b0ae3cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spkatitam.xl

Filesize
541B

MD5
0f366da8eb72e7a2e68479f211ea032f

SHA1
9236e3ac7530f2e981472bc5ec2a7b8ecfefab2f

SHA256
c4531b1859c4797215b5b41551dbba75acf10e9967bcdc93209cb8f1f39c2b0e

SHA512
e326df9d86c4ab72d1588c33466f01efdfab5d62d0d349cf0cfd25b0a405e033dfbe89bf097bd89b2d42a145d45dd35c9e77f1659b6007d95769950470ceea5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\thkt.txt

Filesize
544B

MD5
b2f8e56d54a94a0a7908e9a521b871c7

SHA1
af799df11ccc046252b6281549f9580477001a26

SHA256
dfff77662736d1d11f99d25db102b137aadeb3c92ff9128520dfcfed80d293a4

SHA512
6cc558a383f6a7ac8d76f5f4affcfa1661a4517eb1f9f3d59775f05f6a5648674d56f9e1a94bd1fa177419865c4a81b7dad7896a08b94a2b3766c3fb58702ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\usotai.ppt

Filesize
513B

MD5
ffa71023957c1952d2389b3cdfa435bf

SHA1
0b4bdc9ba8027d83d6e1d186babfb21f1e29867a

SHA256
5186b608334ffe34d26a52d374293f3b7164a9c5178a07a734da745d0a9611d1

SHA512
f035195b47a4605efdb9b320d58b8f527541176e612f7dbcd1d77f439241b9c0b72f37149cf739a93a7f48ba1b1086c4ccdaa724b5822bf788aae242aa0f8b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsdnp.dll

Filesize
662B

MD5
f08bcd3587986920891f80142fd26cca

SHA1
d9835761899d177d4aa26176ce5de069091a2a8b

SHA256
7f9f748678029ecc98000c03f7ad7c25d3740b8ecf173e08aa0c5a43686d1d53

SHA512
56fb4572a9fc619c53254bf182289770dd39fb386d80492dc721ec8eaae165c18ff5f9c234a65cdaaf861697ee689e8c2f785180379d6d5a3b6539ae528941d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xrkj.3gp

Filesize
530B

MD5
49fa1bd44ca4f5b74f544f67202c068b

SHA1
f1d9fe5f33312f0a7aa79c56562efd529cc42834

SHA256
d44e3da4c77ae1ac4ef315b2334876364ce6ed9fbf6eb7ef69ae4a0767bdf20f

SHA512
4682074a9d820f8a25917b41c6d3eeda261df7e08c5305ccdb83b66c274e1f5e1459b63fd2c9ab0584ee8d9c99dbb7bab9aa03c81cc98f96db1e63e19fa84ea9

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1192-193-0x0000000007630000-0x0000000007791000-memory.dmp

Filesize
1.4MB

Download
memory/1404-186-0x0000000000C80000-0x0000000000C9C000-memory.dmp

Filesize
112KB

Download
memory/1404-190-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/3012-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-180-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.