cybergate | d947d57fa3aa32c330c1ba314871bf276a561779dd92ad371dedfa1a42ef2fc7

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

290KB
MD5

509c05659338dd7878266b3b3ef2d76e
SHA1

813dae2f52f3c84316f57f1a59bab562418874a1
SHA256

e4f0b6f55e7c1820e031decac47b87258a6e0dc84b53239a8ac70b5ac22c41ab
SHA512

2cdae44e78956c9b661e906e45d03d1752e66fca6708548021619cc141d66685e32f15049c137028753afca2b3c55cf689a693ac92a6104f0be3cb79cf8d1253
SSDEEP

6144:4mcD66RRj85JGmrpQsK3RD2u270jupCJsCxC9:RcD663ZZ2zkPaCxE

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

arrozmaionese.no-ip.biz:3000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
drive.
install_file
tasksrc.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
arroz
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	main.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\drive.\\tasksrc.exe"	main.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	main.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\drive.\\tasksrc.exe"	main.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1D3IN5-D26O-453H-0FV7-YY2J63XYMN2Q}	main.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1D3IN5-D26O-453H-0FV7-YY2J63XYMN2Q}\StubPath = "C:\\Windows\\system32\\drive.\\tasksrc.exe Restart"	main.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1D3IN5-D26O-453H-0FV7-YY2J63XYMN2Q}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1D3IN5-D26O-453H-0FV7-YY2J63XYMN2Q}\StubPath = "C:\\Windows\\system32\\drive.\\tasksrc.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	main.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	tasksrc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\drive.\\tasksrc.exe"	main.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\drive.\\tasksrc.exe"	main.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drive\tasksrc.exe	main.exe
File opened for modification	C:\Windows\SysWOW64\drive\	main.exe
File created	C:\Windows\SysWOW64\drive\tasksrc.exe	main.exe
File opened for modification	C:\Windows\SysWOW64\drive\tasksrc.exe	main.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1468-3-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1468-6-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1468-63-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3880-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2132-134-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3880-157-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2132-159-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	4892	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksrc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	main.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2132	main.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	main.exe
Token: SeDebugPrivilege	2132	main.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1468	main.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56
PID 1468 wrote to memory of 3392	1468	main.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:3880
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
  - - C:\Windows\SysWOW64\drive\tasksrc.exe
      "C:\Windows\system32\drive\tasksrc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 564
        5⤵
        Program crash
        
        PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4892 -ip 4892
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
c83f1aaa6a770f5a88ff9cf6532d967a

SHA1
adb5e34cc6e3b3a66aaa087d84ad1c8a7e5d3a56

SHA256
3defa757bd0ba511e533cbd23fc38e510d29581a382ff88231cc31439abb973e

SHA512
fda3b3ce9456243386c9018f0cf4db06cd11f3dfc0dc99342502b402c8cf7c417045ea1eaddda597dd7411e64d531a6453a44b4ca2aa2ede085b05f83b19b064

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4015cad725d1eee23e17f20ab438525

SHA1
eae6e68b1729baaad288082b0249c67140429825

SHA256
f99a8125c007bc881e1b346646ca71917ca8548401f6a9123e566fceadbcb3b6

SHA512
ce5957aef2ef7dd68a18eff3fd84277a4e47e79bf1ddd3079cc2cc5a6a0a07794e21e0dd59536ed4edfb93bf94a9306f67b1ef9bfc589c5f7ed63074a3451150

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12a8ed38ae413b8202befe94777f9f6e

SHA1
34c43b32f3a1ea6e9845046dddc8dcc9d37f60f8

SHA256
d4444a65cf14388a567eb63f434354abad4b17a700381637741eee9c60728451

SHA512
a31ca62c09ac801193134f48bbb88b807a89d086fef4205d55fbea18137daedcfab3bf0678b7c306ba69c75036ad44c012dd457cb3f3b5cdd678a93e953f1bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4c3378aa261058353415dfe40fff28d

SHA1
89431638d5c4c8c6f60eda3b320b9a434a98cdbc

SHA256
0226e93f969a268ab673f97f40589c7359ba1905226add686aa2642080703401

SHA512
aeba6c9ff981ddbeb84351cbfcdf107741b9c739daab92b47e91c3a8df3edc6cce59d13c727271aa480937faf37a24faf7e81fc6c7e6589d06158deb8dfbce1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aadb8b6480196579479a3680aa0b5a29

SHA1
39cf052bdec01b97d19ae0af27b35fd1c0b788ed

SHA256
93101193e2482026afc3efe04d46d625ad256faccc9dab9a6905d1d09ec0058c

SHA512
ba9cc0b416b4ff95ba8a1b1c88c9d7342df9f0f6cfad0e079c51625fa067031a9e006e00831e707dea757d3ede64ff47446961f1f424b529bb5d6efeb1a2a22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12417cc758b941ecec71f9c7fc0f1b34

SHA1
deb72a9f163887a28d11992a592e52111019dd00

SHA256
7676bf5a3a76f82e7c3435e58f2d5fa84fd7b1893274731ffe91667a68efb0fd

SHA512
cbfa1088df99ac0c8c2c7dbccc694d81ae5f5dd3b194c761657dd8e10f038ff7ddda92c663dc115dab87d90534b5fe8570614af93b6a27d8289ecb4b5fc0b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
463bcd74b70506e9896473968f44b068

SHA1
dc8375b202f5f833ffd87bc08852b9a53427e72a

SHA256
0ecfd3ae8b59a3863f3ccce5796390eaa88194f1b4ca887adc3353396a5dae91

SHA512
c5b870241b90f9b7dfdddd62b93ef2292f8997c61168e27f14d9c972579e68890ab11c965cd8d05de9c88fc6b1df9e49a3eef981a0c4a304a2a482465977c8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
58df88d1968b52510b33c534671c0494

SHA1
2c42a2d1abb3258f9302e8c5427e3ac9fd30080b

SHA256
33646f640f49dcf90913198c3acdc44fffc4326b72cfc47a9d9733567e47ef46

SHA512
5ccb86a88c57011873dcdb654eab026fa9da575b4125a98386115a44bc77b492a5ba9ef8704f966e057354b4fa0fbd2594cc757f7ca6946ffef098020e4028b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9678834ae70e3e43d903a3b064035acf

SHA1
2626551e6f528469c123611aa5e1aed78cd00cca

SHA256
e6ec8c22e6a29a06a765878673726686e58c0cd5248b39ec8104708ce15b2812

SHA512
1d9b92878243ab97fdc374efe1ff77225fdbef3cdb5974cd99d1fd623b43b38c2302ae5ebfea1f6f348c60cfa68fc564973655ded2b6130e31cc2b404180c382

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a0fa28591ae1ff3d9b58cd8531661899

SHA1
c6295806b31666271792ec65a9e1b56ab0c069a1

SHA256
1b6c32a4eb761ae6165edb1188e0247e0a23894627124e6014ee1fcff61a974c

SHA512
929df8e46e5ba09217e8fd5f136c19b672350a0fc90d0f46c64485c54b7f5a093cf1d0c9cb6b36c4131697ec1e509fd2238e0d5ed9b148f216de4c773082a026

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f9ee73e036d584c811d311f0cab9621

SHA1
562f777150455bf20e3618143ce5a172de5a18d9

SHA256
959a342a6b1671acb21c09d1ae75c8adfa58aaf627b6faa963a319d9909b0a76

SHA512
b56eb875d6a8bd684ba3bc156b56b8a221826c12f02d276f80e7943aa9ace6ce8a51032966a13b7a9b73bfc19be3b7544112cb323324437d4ea5640895aa6176

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
18569135a3560c499f9bf41accc52334

SHA1
0a9c340799c6236904b2fa04938dd23c5893f6c3

SHA256
280cba1cce1e83b07ad55a63f45ca5b113d07227622d32b84b36cbd32262f4df

SHA512
d6af3aced9c6bf9396878370499177e58d9e22d930a77858ee0da4bb5bd99665cad5b52f364d52015c3cc8adea8b9478d0e5470511c9d213595f4fdb2fef8d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b9782ed309c1d44e20d820232f83aab7

SHA1
c48d8a57ebbad1539e9c5df0a3404427929dc229

SHA256
49c73aa3c5baa32b91a5a91febf26006b488fb1645477e1a7232d0c00fd83e22

SHA512
2c89a488631e14ad6efcf7c551f88ad30e0ddad7c4aa7f43a4302d2210c0f8c9c552e04fae00c5a847ec5e625e11c680ff21fb3063098d27927a2d16b2db6aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
128a1e65258b04c682306fe447be438e

SHA1
6fd26da0847103811722b365ee67d0a47b8a46d8

SHA256
edfd59efc3a21d8315c2cd72a005e8e0e7234ffdb97e0d9671a952ef03ac95e6

SHA512
30b9e5b7ef6e56437fcddab7b23709dd1fd74998e5be3c25b3875124b69ccc143249bd06e82f6217217b26812d4ab1b80852980d3e09b8bee04768595c691410

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b753534f585a7f0b0bf5379e5d561ed3

SHA1
d87e5e18d60f71067916b08b2ccabc399aa2bb04

SHA256
73041f4f809b4739fb48ef4e6703fc55d8c4991d4bd12083411275435171cce5

SHA512
101e74ccfa5ab27e54f0afbd4d28b026f88688bc9ddedc9c7df7f789e1bebd9ea67036253219526d638683c504f567ff7d796e8dbba7a558bf10eb7b54371e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cacb6b494da758a52541defb829521e8

SHA1
9563e261abab09d5107a90295e9830c272a29e85

SHA256
5a154ec1d97edf4a9e24ef9f2a4e36f5852e997b2b59aa3c04042de448c32112

SHA512
97807b8c3da77958d59e13cbd2e3905c160c2b12523dd26565069f6ffd0eefa44ad9e1110a1bca3f107980a7fd05d6ff0e3da75d91d32d09e819b6401f73efb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ca73010989cd378d907fa2c6bd37da9

SHA1
ed26398c6e25cdd26aefced6b1ba92b5c5dfc454

SHA256
242d339c29bb24c234030c844fc27960f9f1265b4053be099c1d9ccf11ca796e

SHA512
a50cdf4268af6a1c24b4f10cb55f6114a867dd95896ed26f09e4c453bf50c72a3e26e0a87b17355afb567631a2195da8286915aa1380ce485417b3dc5492daf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
34824212f78c48b46230ec658bfc0673

SHA1
4349245a7ed3ea7252dfa753943e3981a2c06a06

SHA256
610aa6700979bbeae7fe19108df33cf81bd8db51a769d2f1fc6b3312c9b15d04

SHA512
13e2fe838ef5934e95fbe34884e91bc7e9370c08ed38d7d432d7985ed6d2205a702575d9e091f0bd8effc960be7e3389d46aae38fd903fdb74f9e5788026251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
93a450ebf8d31d0525aacb088319381a

SHA1
84af6b21fef0e1fd74f72742c54dd243b7326a3b

SHA256
68d4bd7c02512ff5d45ea7bf80f267b6e96297992fc79b771d4a9cd6fc85931a

SHA512
27ebe09a4dae01f0cd461ce2db7009c9c5eb10250d020832c9125598673f115d555d64916eb8700106d69934f5f414142c21a9ec1f1b42f131ae6901d34263c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8bf39b4764e5847e6a4d8374a17fbc64

SHA1
fed8bf93df4f43cde25072623b8645a503999f36

SHA256
3302dd5f37f1d0dbc1ffcffc12ba288a5d0c4dbe6e8c8bfca4ecdb3c078aebbb

SHA512
9a19649a4cb5087edb5dde8a7dc76620c320c0ac14dfd7da777aa400b9c4e37f45f902e7cf2bf94e1efd9439bc38fe8c5e559621a534e0c97e6f90772872a34c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\drive\tasksrc.exe

Filesize
290KB

MD5
509c05659338dd7878266b3b3ef2d76e

SHA1
813dae2f52f3c84316f57f1a59bab562418874a1

SHA256
e4f0b6f55e7c1820e031decac47b87258a6e0dc84b53239a8ac70b5ac22c41ab

SHA512
2cdae44e78956c9b661e906e45d03d1752e66fca6708548021619cc141d66685e32f15049c137028753afca2b3c55cf689a693ac92a6104f0be3cb79cf8d1253

Download Submit
memory/1468-63-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1468-6-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1468-3-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2132-134-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/2132-159-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3880-68-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3880-157-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3880-66-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/3880-8-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3880-7-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads