cybergate | 7f081ef130ca8c6efa1ab2d90278eef84754ff7d1b233cd8cc9a9eae2da2c8a7

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 19:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Size

678KB
MD5

d345f96bb56293d23f5ae4e148c9a912
SHA1

67b12b289a1c95b016080af4e969edc4039a7dc6
SHA256

7f081ef130ca8c6efa1ab2d90278eef84754ff7d1b233cd8cc9a9eae2da2c8a7
SHA512

7b065da737862d4267aeeaa40dc43b7ef0fa0fcae2281465bbe8fc30b8250139e156de3702021c49104889141318fe8033e6ab05fafbc56a94c5264fa2a7631d
SSDEEP

12288:4pEOo6dfbUHUHcC8X8UvbRCf+OpiNpOTEojCP4/XrI5P28Sq+f:zOo+jUu+8KbRhggP4/P8Ef

Score

10^/10

cybergate qqqqqqqqqqqqqqq discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

QQQQQQQQQQQQQQQ

qa06.no-ip.org:3460

Mutex

qqqfqq

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
File exit Nood Foun!!!
message_box_title
Lütfen Javanýzý Güncelleyiniz!!!
password
azabhantr55
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{IP2427AU-EVX2-2AA6-3E75-8BQHTU67770G}	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IP2427AU-EVX2-2AA6-3E75-8BQHTU67770G}\StubPath = "C:\\Windows\\install\\svchost.exe Restart"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
2564	svchost.exe
2152	svchost.exe
2824	svchost.exe
1664	svchost.exe
584	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
2564	svchost.exe
2152	svchost.exe
2824	svchost.exe
1664	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\svchost.exe"	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 2564 set thread context of 2152	2564	svchost.exe	32
PID 1664 set thread context of 584	1664	svchost.exe	35

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-112-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\install\svchost.exe	svchost.exe
File created	C:\Windows\install\svchost.exe	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\Windows\install\svchost.exe	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\Windows\install\svchost.exe	svchost.exe
File opened for modification	C:\Windows\install\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

NTFS ADS 13 IoCs

description	ioc	Process
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	svchost.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	svchost.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_	svchost.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe
File created	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File created	C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	svchost.exe
Token: SeDebugPrivilege	2824	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
2564	svchost.exe
1664	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2660	3068	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2564	2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2564	2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2564	2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2564	2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	31
PID 2660 wrote to memory of 1268	2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	21
PID 2660 wrote to memory of 1268	2660	d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe	21
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2564 wrote to memory of 2152	2564	svchost.exe	32
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33
PID 2152 wrote to memory of 2824	2152	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\d345f96bb56293d23f5ae4e148c9a912_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\install\svchost.exe
      "C:\Windows\install\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\install\svchost.exe
        
        C:\Windows\install\svchost.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\install\svchost.exe
        
        "C:\Windows\install\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\install\svchost.exe
        
        "C:\Windows\install\svchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\install\svchost.exe
        
        C:\Windows\install\svchost.exe
        8⤵
        Executes dropped EXE
        
        PID:584

Network

DNS

www.server.com

svchost.exe

Remote address:

8.8.8.8:53

Request

www.server.com

IN A

Response

www.server.com

IN CNAME

server.com

server.com

IN A

52.8.126.80

52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

152 B
3
52.8.126.80:80

www.server.com

svchost.exe

52 B
1

8.8.8.8:53

www.server.com

dns

svchost.exe

60 B
90 B
1
1

DNS Request

www.server.com

DNS Response

52.8.126.80

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF

Filesize
971B

MD5
4fb011915ab8cf8795bda338db529637

SHA1
5aa3c7dbe22e7f822eb0a3ee02250b520029f32d

SHA256
8116c2c81d6a6cf64432bfb9e340b8b11c320d970349383529a43bfcef0d64ed

SHA512
fd5e7f2c154b642b0e4045a64646d44ff51635710dd7705e44fcca8cffa8b33db8943a73c196a461620c4fb6e0e5888b4ff4d5b5aa132804f83a83b5171906c3

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF

Filesize
971B

MD5
3adf21c4ab9c6705980c3edaba3ffe0e

SHA1
5e0e17b7709dbeb5c211feb5b11fa8b3994cc2cb

SHA256
61ec6aeec78b5c4378ee153008eea3b2753249ca5a0a9338cde593c948f30181

SHA512
94e716c27e01d0bf04e277ca739d9beb24f4b0ac618c6b91bdf520cfd7a18db40a4062ba008b0a1bd4c11dccd20457afff24849c59e998647008efda3caeda7b

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPV3NJ10508YTGRVYKVB7JAW4KXFSPF7VBCVP4GF

Filesize
971B

MD5
3ff3525183d8cd819cbaedbe2cda771a

SHA1
ccf9d0e019b8024d88fb60607ab11dff59c2c0cb

SHA256
dab66caa1035eb61f04f7cf717b7f83f6c6458a8e718267963e0fb52b4292e55

SHA512
214c72feb8431b7a9d63a31b4b16e6b0eaea5c77d27b4fff23dbe142d9a970dd0df326c172ceda8517523de3037544c01f0e8a5059c049a2c19765b35b90aa71

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\app.dat

Filesize
971B

MD5
2ecd8fa316dfcb1aa44a26e8b40b3ed2

SHA1
3416713748948a46d59f8268ac91be7496aa5b7e

SHA256
989b8059c91e81b7194cc25123e600574a1edc338442e4a6b99f478e6bfef86f

SHA512
7b9a5c4485437f533b9d8a681d3cab8716bb70937b25f1964313f48384d7d28cdce899cd63bcc1c25c355145cce7d2f408e8ff5da50f4d6cd54ccedeb86c3b4b

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\app.dat

Filesize
971B

MD5
e6d91561ae57349cefcd893f8c05f498

SHA1
c61504baf772e895153c2cd8cbd1c75072f7f864

SHA256
db44adc0d5bdfc3a4af30a56ad44d322a6436cf180ae0508fb40397be3fb6ec4

SHA512
9ec6180b6003ead0163de38933ce386ca10a4593cc858772805e0493e8c31c96e5b876ddbbb4569d076f5cae2b71baf4d562a4731a27f7731c0574c631f8666a

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\updates.dat

Filesize
971B

MD5
4116c95caf9a64954875842aa4347477

SHA1
79e6bb67942b5537c358ae20852e489e19fc0876

SHA256
c7ffbdc5182fbeb09d146b537e4a4a16836d2e3dbf9f50fe79db02de3cd0b6be

SHA512
35af028d84224aa58ed3b17c2a8c47117bde05992672c54fbbfdc284a98b65bc18a5e8ce8a5bd8ed447be96bb42ac5524334566d3338b567bd01a9762fdef2eb

Download Submit
C:\ProgramData\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\updates.dat

Filesize
971B

MD5
82c88990144458d888b11068a0bdb48d

SHA1
eb4ee6be11532be1bc2dda45fc49ff969417262f

SHA256
f41e7e9fffc978cc97a3c1f4dcefebed8810badc50e1fc8e02ab585eabf35ae4

SHA512
eb6e82af0afdc6f1421155f6a11969db24777202ccaed3cc0b2185fba543ea2fc0b9adee4e49b8046d71500ca6208ceeb8fe8c3f897d38f46aedfbe87f5857a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
2132bb909e4a3642996b367dfb1b7d26

SHA1
01700bb18522ee66b2283bf1f318af4906e78997

SHA256
fb1b2a477b6131347566a25dc4373c9e7da024936afe8d24190b93a19cc4d611

SHA512
d80b597c608d3e9c8556f08412db0e05c3df7f81537591eb8946ac25ebb373f7565277b5f50931dc9913ea28a3852b78e18ab4605179c75374508e4be86b17a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9ef4e807a3b6c141de6c62168f06364

SHA1
138529640a4a43aba222ab32725c65969d47dc65

SHA256
1e4b54e6416a3b2404e454774612c97b2a5d33807d825529f4e0e7e2e2f38c77

SHA512
6b2f46cfbfb65d7c8f573d5098d82f81c823a5601339d396924babb6a53d43442b026d5018b70440be8c1c2b20f17d8804f1345926295b83beb4b3d1bfa579a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
01068aae6f6fb55d8cfe0d598ca2cafb

SHA1
3b7ecea4574025cf7c3a018c871b5075076a74fa

SHA256
9938b196b1dafd292387b2ef89228a6d2fa3cf33f991155cf51556e2f5d50a88

SHA512
349060dd9aa37360e1b5a7ffcaddafcbd3a3fab59f4f62cb0c187af08137f878f71227de52fd47de5d94fc99b3157b7a094d5e381d3762f6ee654c37a7356627

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
99f02ed73847c3849502c4bcb37bc4e3

SHA1
3a4d955cd4fe209ba96c5849f153bc909f85d183

SHA256
27a3a0d894bd34a6beeb78b149d6056bf86118a8be20cd30eb13b884dffdd887

SHA512
520a5d5a62126192ffc76c8d33a295177c383911643e52a9d66a245c71161bb95efaa3ff21a1ede2a1eb7b6d2777ea181972db4c42ddab81a5a37ca3dccdfa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
689bf1fa28bb9873bcf41fa97280723f

SHA1
6f8954925e037bb6bf4b56c0966e69ae0330ff3a

SHA256
9824e6b9eefd47893976692d9dd2ef0b67ec8a993c94632b69befbfba301a96d

SHA512
fae8ef95dd9c9ba26ccae5555f8932653fbd1bbdb75b2ed60d4850548ddb18b1a46ebe227bde35353819f3cf4b1377177e4cb625dc4e1e962de7aa4937391a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2733fac27ee7df0498bf91295ca5f89

SHA1
5a7c50580b0919156c3b70249ce6711edf421852

SHA256
c69e4b36b65d413970f69a773556aef38469c46f20d0a954d3fa944bf97890c8

SHA512
91e39256aea390f513f405b5ddb215c8f4e815cbea0daeae241fdeedb63710445d8f65a80c2fa268badc4222026d61386507eb7940dee46cbd295eacd57030cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
065a6f983ac0d845270a1100c49ef505

SHA1
fce9b462d5ba7ba064044beda92b5ca64279f61c

SHA256
decc7f31ca9fe6fd5b59b5c8f33c69be3af4d64886e6dcbeb0cf5f0cdee1d7dc

SHA512
55384e19da343533ea7388b52a835fbcfd2510f17c8335204cc5ef7595177357188601c638daec6105b90b624b1ffa703ac88dd5b375fe4c469e34af141f6056

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6569fde455b9a6e02f57e112a038fd93

SHA1
a246c39c20fd2705c4d05d5406215214fec90fbc

SHA256
53184c56df61bae4a3953411948742e397219301412c08980b9722714e035a43

SHA512
c043d045545605466bb126b4c0763c8786b1d5a78382d15545e34b94b7f5596ba422e2a5beba2f30eb457090da37c9bba58e416e6fe61dfc18bf130de6e9a1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
074a15ec964569d68960191c32c02838

SHA1
f4b41322d9853af2e5a26f26952ae2ae0bb26201

SHA256
ecd77c1abbb94176c0d642e7b1a610f11834cb900a7bd1b8659a83f28ceac706

SHA512
dabd648c41ae2fe4e551f6e77924de8da2a34ec3aa4c4285cd8c49d00e358a56d80f42938d36e10ff66a198b1253fe41ceaf915da72ca256d27c72ade8624815

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
121b5c2204712edb662f377a5c12f93b

SHA1
e714459fc07d281ac2980aa0c2219b88a72bfed2

SHA256
5aa3ae44861a77b7e70e6ef7d825a7cbd236d5a6301b738b12dea899163ce868

SHA512
d802b9b3048f354e4a9d485ba62a33937f98f93c88d72912cd8756d5ae2dad70a9f8a1a66b8683164a432f5b186013995231275c74341aae826a999a71fab4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a216b94e0e2fcbc82d75d25007f379f

SHA1
3ed30f056c201e6a85d731645375bb6964c08bfe

SHA256
8ec95abb2fc74e75679556e6c66f906a80fbd44bee66ddecf86669f56a6e4c37

SHA512
eedbe74603a5d5a7f3fbe848e31d4f0cb478dae88cb4ba39ced3d1dbc95a300703f542007fe399cd6cca91836ac10bc1b550e43b5c5f875d65469f911a2073d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8cdeeda8251025b2da230036af719d63

SHA1
3a324783fc1a9af83b5101f639842d6c3ac66ab4

SHA256
a3861936739c12a13eebfe5c294303debd8b233e914f532f85d3347d0c334cbe

SHA512
f7c11462b264b1166bb4431b9c6a006e5cb36ad11047b852ecca13c53198a75936991ac5ad4b7769241e17c72832d153d7bc5ed9b104df98f60cfaec0dea50cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ae397c2a667a9037388911a1d8d0d2c

SHA1
004f7c0b5cc6ff88faa3804377e3c1fbabb84a83

SHA256
c33832ff55c8615ff82ea82aeeddb86f980f926eb693943f368d21ab24f7167d

SHA512
b646163bed27fcbd42eccdb25899a335e4194a94638ca9d734bdcac9978cf097d62d0ce285dbd25c0f100a9664ae1d3ef2aa8e21f101ca01a892a49a49e5c51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19ee9f93c44f55f6218bdbbfcb80f9ac

SHA1
3c3618957782d757944173b87e570a26a7a9786d

SHA256
62ace41929861cc3ba21d983356fd9c11dde38cade3cab104f3b147f4739ac52

SHA512
94138d416f0b845b15c39ffb12bc80e8a55232fc93da6b0ca6c9aadd7701f90fca417ccbac64d0d33ec7961f8c8a50008a92456c38b93ea2ca4a7a3358f17413

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
268e5d055e3477f16578a91cdab00227

SHA1
3b95cc49403c1ed0cae7abaa004ac2c7a7f01178

SHA256
1886470f88b6145a0b257c6944e0dff03992599a43ba1a900c905bb0f99135ac

SHA512
9dda21c02afd1c7544e5e2509bcd72eb0054f004786e32fd2f4f0820ef2c43fa7b764a0029aa6d5736de82a755b779cfa0e8dbcf945411474fffe679bcb2b5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
719a24668a1cc4c534eb2bf74e497cc5

SHA1
d8ebb4eaa29d6b54b4d15884cace7159d3267aa0

SHA256
2b3eede1229d9904aead674b922d8b385b074fa411aeb4ed08564b28be7f854c

SHA512
cae2e218b6062093d9a87b3195509a3e1e072b069b899889c9d85244942677f0c04e0c2608e26e0b50eb0c3e9aa6dea8b6a0e7d7dbc2fef6bb88d0b1f4efa890

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11c3f0325f6c6f50998e4c1687423256

SHA1
ef847c24ea8d14aaba59044958c947063e96f7af

SHA256
b0f94b0c90527bf421d5ee5d3b908580d55626f746accc3d738a149ccb398cd7

SHA512
c9c8215cfe183a4450354c28daf60c32b3a4a7e85aa5ea1063f1d7beca3a3c3fed352827fd84bb27c89f9b0369e2075527f3b81203b8965a4f6fed879b5df901

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a99f473acb0a10a402e0ba9e555389e

SHA1
575dda07409272842417e03436633f197ca478b4

SHA256
64865ee8fec297a5cb551ed64ee66d57c6784cbf8ae1a9ef6379a68017839966

SHA512
e620e9e0cc21c50a81129cad76a9ad415903c4e8427eda9ee335598b345291820086c170bc7c390d141d171ee217d9ba4e07dc2e1c7178ee6088e3e15bc1fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a1f71d4fd690f392da73665604a287b

SHA1
482d7ffa90e93afeb5f830233b5420d74e1d809a

SHA256
91dd220674a00d73b935a962c6593b736ca3775446253977bd633f14ba3fdc53

SHA512
c167031021c5c1077fb465f6e1a45368d654370674f3b253e51080307483f5bd38cdcba286e989ce612eb31b0bcadc8cefc99c8d2c87bc7bf60543122dd99998

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\dya.dat

Filesize
971B

MD5
51205a92e13c0bf90a52a838ad397389

SHA1
973fe63c2327393911362f191ec22b80d6cd749b

SHA256
5280dccd4b01dc3cc7bb9c2e55708d77186d75cef4163b65b1f11c78d88e574c

SHA512
f9c5b73d754d36fe68fab0d16af3fe12884e5c68ddedff7a150167cfab5647726d9f0855b6642e523103c7d033d2390077d08c6b10dcd64684f103eb834a5d12

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_VNRTQLEGCNCNSVJMW\1.0.0\Data\dya.dat

Filesize
971B

MD5
743d3fbe854813d9a594dec9c55c7ea9

SHA1
0c1192cffb60a3f340f1c0e86629105f26fa6e90

SHA256
f489994b3ecf70f309d249224addb310c2dc9999ea4c24b68c8ccb275123bb2b

SHA512
a8e9ca138e34ffecad3992e1388465159d32b916a3238afd083d32e59ab5631a2f7de282d06732cea0deec3162e3547fbecef023ee39968b490900e94960a7b4

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\Windows\install\svchost.exe

Filesize
678KB

MD5
d345f96bb56293d23f5ae4e148c9a912

SHA1
67b12b289a1c95b016080af4e969edc4039a7dc6

SHA256
7f081ef130ca8c6efa1ab2d90278eef84754ff7d1b233cd8cc9a9eae2da2c8a7

SHA512
7b065da737862d4267aeeaa40dc43b7ef0fa0fcae2281465bbe8fc30b8250139e156de3702021c49104889141318fe8033e6ab05fafbc56a94c5264fa2a7631d

Download Submit
memory/1268-62-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2152-106-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2152-108-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2152-434-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2152-112-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2564-88-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2564-100-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2564-107-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-51-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2660-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2660-52-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2660-47-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2660-46-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2824-124-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2824-119-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2824-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3068-0-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3068-49-0x0000000000406000-0x00000000004A3000-memory.dmp

Filesize
628KB

Download
memory/3068-50-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3068-44-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3068-1-0x0000000000406000-0x00000000004A3000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.