cybergate | a6533a4dbe2569787a024354427f0b80937c78051e90074928cd382343f94cd4

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guitarportfolio.exe
Size

324KB
MD5

56817271884bffe78eedb21b9ef2957c
SHA1

1ed0d1bb06e4b7b878f7d6e2a1b061391f308e2f
SHA256

b88f359ef837d4a39e47375cc5d81ded93e9ff633aafbafd3391ecf2b4b4ba0d
SHA512

e4e2a2a6b0f8a58ba202de6c4060f4843e77ba95aec0b97f9419df4da2fe06eb58c9fa70a94202400eb4b1183ec88a8c24d00830fc10335a0f4631b3cec8bdb8
SSDEEP

6144:g0J4yY9zWIjr+Z+Nj6kMjJlzli+GB5u7qGmUIlk0wLjlpEBKlKpS/:r4yYVWIjrr1M9RlpC5uuGmVEflp9US

Score

10^/10

cybergate gringo discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

gringo

fogueteiro.webhop.biz:800

Mutex

6GAVTIIW66I2NP

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winserver.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
online50
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	guitarportfolio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\winserver.exe"	guitarportfolio.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	guitarportfolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\winserver.exe"	guitarportfolio.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{X50U6VAE-6DOW-3S2J-DO04-75502JSQRN2Y}	guitarportfolio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{X50U6VAE-6DOW-3S2J-DO04-75502JSQRN2Y}\StubPath = "C:\\Windows\\install\\winserver.exe Restart"	guitarportfolio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{X50U6VAE-6DOW-3S2J-DO04-75502JSQRN2Y}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{X50U6VAE-6DOW-3S2J-DO04-75502JSQRN2Y}\StubPath = "C:\\Windows\\install\\winserver.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	guitarportfolio.exe

Executes dropped EXE 3 IoCs

pid	Process
4344	winserver.exe
3236	winserver.exe
936	winserver.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	guitarportfolio.exe
4344	winserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\winserver.exe"	guitarportfolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\winserver.exe"	guitarportfolio.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2056	2444	guitarportfolio.exe	83
PID 2056 set thread context of 4456	2056	guitarportfolio.exe	84
PID 4344 set thread context of 3236	4344	winserver.exe	93
PID 3236 set thread context of 936	3236	winserver.exe	94

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-40-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4456-44-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2684-107-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2684-236-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\install\winserver.exe	guitarportfolio.exe
File opened for modification	C:\Windows\install\winserver.exe	guitarportfolio.exe
File opened for modification	C:\Windows\install\winserver.exe	winserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2300	2056	WerFault.exe	83
756	3236	WerFault.exe	93
2724	936	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guitarportfolio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guitarportfolio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guitarportfolio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guitarportfolio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1316	guitarportfolio.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2684	explorer.exe
Token: SeRestorePrivilege	2684	explorer.exe
Token: SeBackupPrivilege	1316	guitarportfolio.exe
Token: SeRestorePrivilege	1316	guitarportfolio.exe
Token: SeDebugPrivilege	1316	guitarportfolio.exe
Token: SeDebugPrivilege	1316	guitarportfolio.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4456	guitarportfolio.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2444	guitarportfolio.exe
4344	winserver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2444 wrote to memory of 2056	2444	guitarportfolio.exe	83
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 2056 wrote to memory of 4456	2056	guitarportfolio.exe	84
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56
PID 4456 wrote to memory of 3508	4456	guitarportfolio.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe
  "C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe
    "C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe
      "C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe
        
        "C:\Users\Admin\AppData\Local\Temp\guitarportfolio.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
      - C:\Windows\install\winserver.exe
        
        "C:\Windows\install\winserver.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\install\winserver.exe
        
        "C:\Windows\install\winserver.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\install\winserver.exe
        
        "C:\Windows\install\winserver.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 556
        9⤵
        Program crash
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 344
        8⤵
        Program crash
        
        PID:756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 344
      4⤵
      Program crash
      PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2056 -ip 2056
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3236 -ip 3236
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 936 -ip 936
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
dce68f643327f72fb307f924fb1c388a

SHA1
4c90beb7aa1bc22cb318117ef992ec547af40212

SHA256
358db295be5bad587243ae7c7dd1e45bf26078b96c04288de391dcc99570d917

SHA512
b7ab4717eca79dc3d935350c8d304e8c405b6cb8c113bf456f3f6a5e6303b1361f12c5063dd85b1bb5fcb1aa443dbbe3f527c6fb035fd9d03ef418769c82206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b8f2e75810d187f5e4f8ce30f4d26566

SHA1
02263faad3a1c25ebf6e781ea624d28e1424c1c4

SHA256
3aa086c69ef0b88fe812944c80b0a7eb9a9f890e86bf3cf8d56ca27045a60ca5

SHA512
34eaee0d79bfabbd28aa6cf31a95a93d88b83251826ea5d9d3ddb58d75f8e9642f49a2d1dabf2c05f0b77a718e2eee4f5d7de1f9d22f7477af5337c39c56757f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
348d6a3dc2cc9c0283023f44af606b8c

SHA1
558416688e75e9461c5d9aed91485819e3909b0a

SHA256
0a51621a526285abf2cee377ce1815183e917a9f30135461e9978d59c74a0822

SHA512
f7caeaa6381430ec3269ee783d91db6255b50268b31bc6f4c73e7eab99ae41b88c98c4f1662eb395ab42dc1e4d879b22aac75e01922abd1da81521730ddca2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d62ef45d933f4a8f65a680b5c402d409

SHA1
66d6629b90a5d0fec78b3fb33e5bde3ec0b88398

SHA256
e4b251e1dde798d2646849bd2482d52b14492c18f3fcc079c6903de26fe050a5

SHA512
d6c73d0f24efbf659b5c42228b3a46e05c46d38b48c8111b5d95285e5f1a894d9d1bde5a4feb16df4295581e34877c3c64e7a5efa8e3c85da728f8f1d743266c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
85680e6933ba249905348ed5bd20b595

SHA1
e2353e56f4e6ed268f394c18b68f4a1e3b549c06

SHA256
471e7d4f7c398425870bc119e7a7a61235594490e5df9d962cd5eb8dd066e329

SHA512
cec99dbc0c66024847a043098eeb7cfcf70a99ae91abdcf33e9651cd526403b9dd6258dde2493b5cc4d2f7dc3c055eb357fc744f264ab5da5dd7cf7f6e3e9a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f40a1d5e2f78bad9fa1ab42ec1790b8f

SHA1
d010338ccac6e14e26d756304518c0082f317088

SHA256
7f34c365fd9c69bef8dee9f83f62cddf9c70330b6aee338ab668f7200489f37a

SHA512
f1d63201e8b1f67dabfa8862a30e84bd552068e9bdcc66785623f4453af1a53e4147e2a861d896b7f91e09dfdd256a1c9cff1213212d080f6eecf3a3bb05e957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5fc765f900f053aa3ab6b86fea671d48

SHA1
20f4308893f1a4ee5f3a57c93a9e6d1a902fad0f

SHA256
54ba677ba5faefd84ceb6486c54d29bd4b54efacbb93b27973476eb79846bc07

SHA512
8e19f09a100ed9eea9f19dab96ae8f4faa5afcceafb7c0bbad908becc9701f2348d49b3d25b91ad63bedc0011591e15d2f5bd58236adccd66fed8b958e7f5099

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4f7698e5f99a1011359ad6ed404ca251

SHA1
2f9d106fc29643e361880d5da3db0e0203da6c62

SHA256
311d6c3be765d711a53ee767e278595c2fce2452c67ccde4410d69c2df545c50

SHA512
5bfabf53b35389eac3ed2812aa100b30d553a94eedbc72551cb96983c539e68069defca5e58abb5e743fd5cc081a6345a9d3e73dbe15f65a201739337f6e005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7b0b5b32cca7ca9014fcdfeb3f3b4c16

SHA1
2e1d322d0eee360c87e4898da756a40ce2850a3e

SHA256
bd3d55f5e761babbbcdc81f7dc53de62e6ae1620d7b9aae8a64d29da7de3ba77

SHA512
6153395370f4cf1004495440a467c0725050fb6653b7af3d7f94e43a16a2413376c13f619289714f545fa097f8639ed6982126f9c9e483164b4a5c6820eea5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b49f820de05b29e60a3368ef986726ef

SHA1
71533dda33cac1f3de23a2d3fd242494e3501e56

SHA256
762edc00121944d2068d212823f1ae9176fd8170225131589cd62341bc5f029d

SHA512
c8b2a583befcf5899bfab980d7a0e1b75b89ad2bd1a3c550cf778a3244dd2d90b9ce427290b299ffc46ecab9939cdc2f6134c214d2a4def6fe0ff0d0aa225319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e13db123780a230d64b68ddb5b860315

SHA1
3e9d43f261fd85e29682faad103d097c662fb825

SHA256
1bcbb7c45b8706bd1d0760d562d1f7ee39112d68dd0f1148581a98ea1a94c09c

SHA512
b6e4cb6e35e601cb06e9349cd06c960ad056500e5ec2e8a52a0a07ce5c483bdfc05bf1ae92b4e3c9254b6abc422305fc863e760c28869a87176a64d1555434e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fa8348a7dea507b9541d1a08e42db15a

SHA1
d4f92ca5543a3f5e7edb75c26c10106a14da56bd

SHA256
076c5c9ae4c511163da0cb33befcdd5b703f4bb4f9b8c166d4bf3391b3ae5c08

SHA512
114010b152b1e9735dc7b95eb58930d8fe07472f8c1dc19d21df38e0fa14e646bb4cdfd1978f6ab2161e5a161924940b545501628c83245ee4f9e0a36560c3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09b9eddc18291719782655b844e51d57

SHA1
475b0905fd58ddab5bdab1a6be4dd3b6245f2c03

SHA256
a95a2f7006ba540bea53a66366a3dbf3d0d2e11d537f96d97ad60fa9a6a940c2

SHA512
243026a2e213987b005de7ee070a2e1a5705a6e03191d00969206c6ea01e6ea95336437cb45a9ace17ab1e278701561b7cd42404d85a0c87141ec57d56e7b5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b84c6a1af796642b4113909b0dd32fe1

SHA1
d5e2267edab7a0f269a0519e4949ce1d609c068d

SHA256
44f5a381bfed8e9aeecc32a20178d81ffb73ca0cc1d01a51807d10c663e5e689

SHA512
84a4afa5b7b2911abde4572a8e86a5defabd2a443320ad9d234bb9cd979940f54a76c84ad382fd1f5c082e115b9d3a28738bd7be3e628b626b7bf81058c8f1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c3fbf732291b7715579f941794446a12

SHA1
82e29c0cf69cae53ea5bb7c892c71fb316f114c1

SHA256
9e253ea0a937989decbf259da4f89a375497e5e9f3be12c4e375ef781d8cddb8

SHA512
b217334929faeebd58d4b725afdb10c2996b86fc68b9c46219caf422077cd2459d94ab0167fd0dddbc20588bfaa7a630f1463fe439c43b99ebfdf9185a8d0ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
197b0348ce1e91bcbbf6bdc7d1cf1c93

SHA1
8c14e27ca375a90b9f8fbb86ccc5d25031f6eda3

SHA256
97adb3ce9480780264f6795342daafd73b2dd50ea10fd6e790ce83b9582ed288

SHA512
e5d1838685977499d453134bae42ee0bcf9fa4ea29a4aabecca2427b57201181fb0fdb0a3c686016806427478d2140e201f33a622e6d6b7973b2f07bc0b662f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
189fae9fff68939a1976de3ab2b6b2cf

SHA1
cea025540047934fab0c86a26a82facbb81f6f9a

SHA256
8d61a812ee0123d94b8877dd6495f33ed86053bc3aaafa8fae75255de83249fa

SHA512
74d1c98155df578690d29ee6b9328125392d50c478f655f7def9b645e18197c61b86c285905d088a99835992c5e23e61ee19793ebcfa2543231e3be4dba3ae23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0b9ab6da7fd5835b1a95434c167de810

SHA1
e3ca778e4524125eb262c78d3dca413e30f6b330

SHA256
345ae70ed97fc730c06af55e582d199e6589609bfa436a81e359d62db6cc0bd9

SHA512
48138f21dcb9422e87dc5acd04ee083bf5df825c53847afd5d0b64a7ab8ad181bf20901db6f8822b8553a9cf866b3f056704afcd7bfeea49743e3e7fabba6bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
be3f149b2ce8e55ff575b93efeb23b2c

SHA1
30ca00901fb64b4a4434eec4b8c3ed0f1bb74725

SHA256
0c6dfc9e74009118f42ef34fd27028c3e39965a97de7e4a1672da5b8b41c6ce0

SHA512
2095115a2e180f1f1e8c70e38cb3609a4172ed63d7df2c2578f65d0afdad267ec3cd41ce47db6ab132f74e4346f61efce492d7066463d1462f2997dcdfc9a6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhD68E8N7Dch1gh.txt

Filesize
2KB

MD5
835ca66c674a8801c1a15d0780ad9337

SHA1
e6b66384d62cd2e8453e5da4c653ef23f63acbc8

SHA256
fe2fb191d88254bae10cef24d1a5d89d9f488f9eca6a1bfe381de9032cd92a73

SHA512
4a57f1381fa88071f93181578b7eb28fb42aa956d0506a73a09c78569753744cd107c95e0cd29b2c128e328bcd5dd32a43e4b9ce61a9f1bbbab2a4af6e74451b

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\install\winserver.exe

Filesize
324KB

MD5
56817271884bffe78eedb21b9ef2957c

SHA1
1ed0d1bb06e4b7b878f7d6e2a1b061391f308e2f

SHA256
b88f359ef837d4a39e47375cc5d81ded93e9ff633aafbafd3391ecf2b4b4ba0d

SHA512
e4e2a2a6b0f8a58ba202de6c4060f4843e77ba95aec0b97f9419df4da2fe06eb58c9fa70a94202400eb4b1183ec88a8c24d00830fc10335a0f4631b3cec8bdb8

Download Submit
memory/2056-32-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2056-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2056-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2684-236-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2684-107-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2684-45-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/2684-46-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/4456-178-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4456-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4456-44-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4456-40-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4456-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4456-34-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4456-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4456-31-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads