cybergate | 9af18aa4448b21611d8b94b0387cbf4515cd873e87e95877def7f7a0c47ce1dc

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Size

868KB
MD5

510d994ef4db4b278d4f4a1a54424d19
SHA1

3daed1b23e4a0781747d833729ea82360809974f
SHA256

9af18aa4448b21611d8b94b0387cbf4515cd873e87e95877def7f7a0c47ce1dc
SHA512

ad3d38c01123444d167c862dce2ecdfdcdbbb2e16115c89547db8b5c9966d240004271d31f4710438e11af5ec7197ab3a6bcabec28f0ca37d86c37088325f902
SSDEEP

24576:MI1M2vXNmoRf0boQr8jNKoRXLx6b+BsFeOZAv0j:Ms18o+z8jNKoRl6C2F/f

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

127.0.0.1:288

win7.sytes.net :288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2220	server.exe
2108	server.exe

Loads dropped DLL 3 IoCs

pid	Process
1376	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
1376	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
2220	server.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2220 set thread context of 2108	2220	server.exe	34

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3044-6-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3044-8-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3044-9-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3044-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3044-15-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/3044-18-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/3044-31-0x0000000001DA0000-0x0000000002060000-memory.dmp	upx
behavioral1/memory/3044-72-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3044-315-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2108-349-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2108-352-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
Token: SeDebugPrivilege	1376	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
2220	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3044	2700	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	30
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1856	3044	510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\510d994ef4db4b278d4f4a1a54424d19_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2220
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
3beccf3915f2003d07028b77d4f14ac3

SHA1
d35e7a8fa47b37edba68c2a779e06aacb773dcfc

SHA256
595dc3d6d18f7d2a4f9247095af639c7885a4bd25d25ed29900c1ec21f98b292

SHA512
f62a19722f5dbbf52a988588d35e9608b1a14a8ff43c7deabc7c5d4286097b59177adba7ff6de44156b983923b0f434f039f030a3a048308114050887e498220

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
22bdc574a941ea9b440c981494e5522e

SHA1
7e8138f0a6e6b0466abe38418b5e46911f817600

SHA256
7b691ea48f1973f34cdd71d74d176ff793b674a18c71061b096b68083afb38e3

SHA512
9c71f00c14b9ffd7f218722b71f2ccc9985dd34bd9082c939542eef4a1f5387eb53681b8c192ae4d0851a86db53c9fa828d55178d5df09e8cb4af25b63a5be33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f382a79b57d709782038867d7ce2c400

SHA1
0bf497e130f87ac5bda26c5d73a6ff21b57abe31

SHA256
8a0ed9bfbcc21a7c1e7e641061cdf3951c80467839e8dd24bf468ead53c31be6

SHA512
2bdfe115ed27a07f155c48e1c295b5ce26657521a67024449e7dda051cdc3bf31f1354c40af09a8cac0e0c75f51cdb59bd7bc5dc9a7a4d6087a79d8a521fbff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0cb22580eeac23f7650673dec990b58d

SHA1
95cc1be2fb7f0dbbd956118c95dd4514f4565d2e

SHA256
0d5298dcb9643da610daad1e0cb2ff141638cd4790b4e02f1382297da77b81e2

SHA512
fb7df9b8b7b2acd0dce81aeb7dd7708eb7fac37ba745001a2b0fd38bce851c4b617b8891a1fd23157af41219c3f84172ad4dbc49c1858f2568622efabde5fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26513e28839dd91eae73661d6b63c7a5

SHA1
461862286671e1c65a2066ffe8a84850f4433a87

SHA256
11fbcce5836547ef88ad97a0e84bfffe8f98fd7345aef52082df81f7c27d6163

SHA512
86f8071d8e26e4447813d49a9ee5b92d9085562fa8e1ec9562967c04d29d764069c4072213cb95bef732157ded2a1aae3a5fab47d211ef8d65e4e1903a09108c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
526344ef842ff3fe5bd943c46ff7b3a7

SHA1
45aea5bb05af755734793393f0ca567306d62631

SHA256
289569f1da05958117f5b0797425b0029fda610860d4f8ec485b5f2c1d060498

SHA512
c581b18192b7e3bf032ec2df3fa1a5be260a2d36e43fa2b13b610f1a17471898e98b117a33ff8c619b5c7cab5f3b214ba84987754d321d65f5d1d107c8ea7374

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
699b3339d6cfb921837d33c92cb0b56a

SHA1
f493363c243f3bc0641389d7773d744f4ed53f60

SHA256
414d5eb9cf59e97fefb46b5cbcc083a9e4acd710e5fdf022ddbe1170b7b0e5e4

SHA512
eac3193ca59a48eee1631bb138ca87912894c0bf8582c1c1a68b6b82b6fd836cf8b7e0ce3e0246ba7d1245e9eae9a398cc61635fe37d9d1f449d28d8ed421636

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e3589a2b9ef3896a0f1c1144613e2468

SHA1
549433489f112e950e18b321d1588820dbae737c

SHA256
80ab3d9300ed8265a52eeaf858eb7ccad9ea0b7614f72bcb1f0536186179a548

SHA512
4fcfaeba88b53bea2d1953f8e43349cc50e6d218d20c9d762f50b2494aeae22451ed5b85bcefaedf88f8f3c515aa9f88b052063991fb39f397dbc0911f56f18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ffae71736d95500043cb93e98492e23

SHA1
0d50ec8312ad697756ec6bf699bc3bb69bd6e532

SHA256
6fd75717c9634e172af11b83889def209b485ed2ab31efcd650e86fb8ea6bb25

SHA512
d3b074f8e793ef864704a042d474200516ed2e00c90f9da225722a3bcf656beddc7ae6922b3784c62301ff3fa46633fcbc9c6fb1e4749aa9d63c28340fb48659

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec77e7d1285718dae2185464a55a0f1b

SHA1
1ea8219156532b8859277527f489f5e03d219c82

SHA256
6dd3d6a54c1a62caf75e57bd9cf94d5e949ff11ae44f276139aff4130e76bff8

SHA512
388524c7d16c9a114be511aed666cf186b4907c5ea5ea39786e712044ff747d78988bc72332d288ed370e27f836e6cc49571d9767ba8bfeec2f670d38100aeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e55f1d5796318f8facc740b63138533f

SHA1
bb51313b9ee6b6355fe5b00945b32fe808db83c8

SHA256
f115ab822e26c8d3c5063cacc5d28f9fd215843059a37567b9f1388e423814ad

SHA512
0a1d95cfbd92b73bb2ecddb8e4acb3316c6863fa0bed32db8fdb8b13acb6a2c9893a3e5a9466dd7c4be4e42ba05ec99b011921640076766be76f40c781749c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4a4038a5176b95b7f9f19fbf14573539

SHA1
0f1f98b4c2da5d0c2e968477d6ddb430955c1c4e

SHA256
d11c30bf7a2a7bbcc6a02269021c43e398ad1ca43430786ad950695bd1260c2f

SHA512
91e7eba26ab6458d708f9336bb4dbbfe6ae37a465d4bd9d7667276ef0cfc31bcf60a7b246f1ec26175b85625da576635a02f8cb0cf555421d777f4b63bbffc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fbf3f2f7402b39d7e3400b5c38ab7665

SHA1
b423dccfdc293badf4fea5b036eabc86d9b0614d

SHA256
50b26dbf595bdcbbcbac42f68df034b723d67cce0465bbea8f0e2f1e73f0c7b5

SHA512
3080e58c6d0fc22e313e5ef2f30322d1a63c152404dc09521bd3cd23fe6bbc35feffe1da01639bf7db3cf01acbf754c60784a631bd8838682b6a80ba2f59363e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb0623aef49222a32f5c0a9e4e9cb305

SHA1
d7e6a6c6b05e3f06c6415067c34d3667c6062561

SHA256
49a6c3e3b4acf7933563e21b8c4f9f6f40e6bec2ed961fcb5761d7a51873d199

SHA512
cbb458b3e12bab550b178d8cfdef7b3686e0f5e96f43d9a18b4878d5d74be7708b0ea330447f51d43e77d737e34a9088903b15fa7b6b7bb3f8cba99bde57dbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea3503447abb1d638fc6b54630574831

SHA1
fbc975b798a221cf9b660f9ff1b0d2ac353dc1cf

SHA256
4317174c1b8b00607958bb1723b84e19c68435f75a40514bee75e5132cafb2a4

SHA512
979a57ff65b7947e7a9904773ece769266b9a6057e1ece877af854727586daf23eaf84d09b47906122d29b9e5235eec67b466b3d968fc240755b15a3fe91981b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4ef5c101a0e2e0791e660808b06a982

SHA1
fa40653016868eb44ce7d1288bfb233cb79bc84c

SHA256
e89b1b0f9abaa807051712d85c4c78f3672daaf6432c6d068dd616fa938a9b97

SHA512
0589090afdffa2696c07cd021584761d3d2a10fc179ba774f50f71de9868fe82d6bba9582551e13baed21cd507f7927d9be5fea9d3ca3d81a724eb1c72db25fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1303cf7ecef93364f20adbebc464fee9

SHA1
79bfb182a4c66897dbd02ebe3953f2ac23a9ec63

SHA256
1f998eca926169a765c880180775fe630a53fac9b84e1a9979e0f00281a3f2fb

SHA512
dc8ba0b31bab4b663dae504dcf69acf821845488e89f627cb8a2f388b4806141aed7efaf6f40ff765e2d63208d90e04f3375ec670fa7a7f8d594a8ce7b002ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5763ddc331b0537aad922e071ccd81f

SHA1
0586444b22e895929f5b477c16aee05dace162c1

SHA256
d4cdf9a40abdeaeaca8c2e47dd1036afbad7b477ea2091256a323141fa1a05d7

SHA512
06e60daba176d6fdbfc584b2285b930d85ba42e5f546413422fde61cfcd9302b3659cfe48c50d1dceeccaad064fdb86332ceb2240056451b3bd17ffe4f214c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a58da5867dc6fac3fedadcd253f4e300

SHA1
de1ad726d9a28541da5b63a6228c81871f5f4f51

SHA256
3ad485d569721a5f3fa4d07a42269894185b0e07417a9e151689a828fd3ac765

SHA512
b83a1b356fdb45842018639b68018d31c221ea4db63794f016de1af00e8807ea49dfc2e365783982578033838810855dbbd32f500c8c064cbc9aa1968e2e222d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08673477593d817287bca52085dc91f9

SHA1
cdaae5e7d4cae9ae2f176a729319558a30721c62

SHA256
d5e25101600c6d3c47f4900dba48d12378e3f4425620ed52eff33d0f99de4aec

SHA512
8f6fc017cbcce2680006510989af8d79ac8fad8c6df063deeffd105d7d7d2b095999a22aa107bfa571f4212d92cf2eb785702ed51e22f8c58af86ae635139f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ae323cdc83ffa379d46351033313eca

SHA1
64dea4bad2870408046b0cca66ef8f5d4c209444

SHA256
837a8ee4e2a748fb4f890990bd5d3de3fa9cdfc26f8f621864330de769d8f8ca

SHA512
2b7f542fa6d334f9184b7d8876eadddb424fd8543ec13ad96edb1ed428707747bf5f75c4e866c34cf61e5eb9da803132ef9927ad748c0f3e96c507da34ee622c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
868KB

MD5
510d994ef4db4b278d4f4a1a54424d19

SHA1
3daed1b23e4a0781747d833729ea82360809974f

SHA256
9af18aa4448b21611d8b94b0387cbf4515cd873e87e95877def7f7a0c47ce1dc

SHA512
ad3d38c01123444d167c862dce2ecdfdcdbbb2e16115c89547db8b5c9966d240004271d31f4710438e11af5ec7197ab3a6bcabec28f0ca37d86c37088325f902

Download Submit
memory/1376-30-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1376-32-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/1376-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1376-33-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/1376-353-0x0000000007290000-0x0000000007550000-memory.dmp

Filesize
2.8MB

Download
memory/1376-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1376-340-0x0000000007290000-0x0000000007550000-memory.dmp

Filesize
2.8MB

Download
memory/2108-349-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2108-352-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2220-341-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/2220-348-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/2700-3-0x0000000000401000-0x00000000006A0000-memory.dmp

Filesize
2.6MB

Download
memory/2700-10-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/2700-0-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/3044-315-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-31-0x0000000001DA0000-0x0000000002060000-memory.dmp

Filesize
2.8MB

Download
memory/3044-18-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3044-15-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3044-72-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-8-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-6-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3044-113-0x0000000001DA0000-0x0000000002060000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads