cybergate | 237fcdd89b6a0f8ae80f803d6586f680c1985eecbc4bed2af10836dea1f114c4

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CYBERG~1.exe
Size

324KB
MD5

66a881c43f39821a1b0549b5f14a8d66
SHA1

c8928788664acab21d64872ffa6e36374f406adf
SHA256

8cdf60f38753481c688f6a12e26e6edeae19e2a781313bd01d802e53c66a6c31
SHA512

8ffe3e90ff53b978ab840dd043014ddf75f014fa2e0b6aa57b36c01ad39a6306934d09a86aad7209adfd2c033833c30d4cf0819fea3f43cb1ba3ccc0796cc4b2
SSDEEP

6144:XGWhtZitMYUH/abBAMMU6NStDQdRa1+IBfkeSDh+UsJA3XQyja/GqkrJOoXY:V9tzH/MKlXN5u1Zkeg+Usq3AyjaGqklz

Score

10^/10

cybergate jonah discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Jonah

jonahjameson.no-ip.biz:100

Mutex

L7Y726M8KC7VN5

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	CYBERG~1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	CYBERG~1.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	CYBERG~1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	CYBERG~1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4NB74UR8-1KM1-M450-561I-KEG45YGMRAJA}	CYBERG~1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4NB74UR8-1KM1-M450-561I-KEG45YGMRAJA}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	CYBERG~1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4NB74UR8-1KM1-M450-561I-KEG45YGMRAJA}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4NB74UR8-1KM1-M450-561I-KEG45YGMRAJA}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
620	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	explorer.exe
620	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	CYBERG~1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	CYBERG~1.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	CYBERG~1.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\install\	explorer.exe
File created	C:\Windows\SysWOW64\install\server.exe	CYBERG~1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2836	2756	CYBERG~1.exe	30

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2836-26-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral3/memory/2460-552-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral3/memory/2460-900-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CYBERG~1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CYBERG~1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	CYBERG~1.exe
Token: SeBackupPrivilege	2460	explorer.exe
Token: SeRestorePrivilege	2460	explorer.exe
Token: SeBackupPrivilege	2432	explorer.exe
Token: SeRestorePrivilege	2432	explorer.exe
Token: SeDebugPrivilege	2432	explorer.exe
Token: SeDebugPrivilege	2432	explorer.exe
Token: SeDebugPrivilege	620	server.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2836	CYBERG~1.exe
2432	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2432	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2756 wrote to memory of 2836	2756	CYBERG~1.exe	30
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21
PID 2836 wrote to memory of 1196	2836	CYBERG~1.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\CYBERG~1.exe
  "C:\Users\Admin\AppData\Local\Temp\CYBERG~1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\CYBERG~1.exe
    CYBERG~1.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2460
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2432
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
      - C:\Windows\SysWOW64\install\server.exe
        
        server.exe
        6⤵
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
81fc4abeaf078a1ae0cc553a755819b8

SHA1
66cb0ddf7bcd1f41aea6e938f64d186db2d1493f

SHA256
e0c94bc9c07bf96267a9cb968b5d5e101234cff157ab7b8a5f289531ca5273a5

SHA512
34b4475225452b20bc2be03692ccea03a3570e7f3275aabb011ad449e16df6f0fe949dbbb77d5c17ef77645c593da612742d902bad8f8585afef848614cdad6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6f1e82fbf81927298213ca227eb9f622

SHA1
7652402f2c4972249ebfbec6a6695b3e44c7f974

SHA256
c5ddb8ea56c819efb757d0eae24c30e17a61b33d4ce042e44c4e42f8a6560abf

SHA512
1772597f26a59635dfde9766ce1c8c44a8208048c3e9e02d9bac5d345b4b28cb631f231d092eec845231ccdef0a6e8cf31b94da03669f21da9e1e27812ac51c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d02bc2128fd3afa49a49c77c09b7d04

SHA1
2c53510b72fb68ab2fdec0ae656969e846c699ff

SHA256
06e045fb11d0c3ad8e4890f5b8a371a93d38cb279954db82409689a36e1abea0

SHA512
34cf365ddc4faa6f82047bf23ca8901ad5b21f9b9f7a8c634b88d8584b2b82a5a50346c3ea9aea599f431091fa173a10fcdc88f119a2bdb7cfd6f5becc8476b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ab4d6e7924e7afc0d3cc58dbe8a2dab

SHA1
ba2bc60b2a49482d5df750cb3bc005e210796174

SHA256
1e7ec29ab47e9585ae0c7bcc132f0249075538811f04021ce71e7ac7287d9031

SHA512
c51b4ca92513052528899dcde31d6abaa5a3fb4cdce027fc27faa1e884ff2e86be3fbb08f7c2d843c13ba78f801bd71fb24619331ea7b4abf489f0dbbfac30f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
03ceb99a85c6f62eb7ed71b0a9790799

SHA1
799c20ea0aa5013afb07a0b0e29846cb235ab4ba

SHA256
40fc514d0fbf34b05eb95b2e9869a47c2a9ce778322caa62015b2524459b7a5d

SHA512
a0036ee79b4cbe818aeec4e917c0ebe6e9783e81b1426613c6ba9b5ef11623d1b901e2022f5a17e924925506232e1315be16462f9d0da76b126560dd727f759f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
913fa4c4ee0ec264badbe795576af2ac

SHA1
6237a29586a90dd0845bc45c309a81dfae4144b4

SHA256
a962527285e846441bf352570b34efa1b311fc5333c3330358780d538b7f44e1

SHA512
4687a54b3808f04a42257e42a20a3d98d0f2d51656f1bc17ea91842059dd28fea0c281922be461fca204b73862593db6238d50da708885f87be00eb6695bb824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a0327b4626f9bcd9a23e6e6311d0e4f2

SHA1
d026312837391f349e8f01204fa204da20037fda

SHA256
fa7d87d12e7c67fe5f0cd3c12927befe5a5e95a305f75139eea88cc13df7469a

SHA512
00fa9bb8fb7300a3a299524d6d945ec061c47c6b52cabbbb9f87e6d317f9ebafd3a165859bb1414e73b6474e98272b1f1e30f2ffe00793b2c19f642185ed2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6385f5f68656a24432e302b0205b9732

SHA1
1cd3a54d1dd9c2ac0976eacfa0f4b21f7fe3da20

SHA256
d74a91b5d3eab42ba8739e309294bf4b80b437588e6a7bb0f648ae411c8d0a2c

SHA512
bbf3d7c6460144ac3fcb64dcd08a0975f75a34d563252a92d0e352184035612a19684826ec40beb51fdbd686c745f4aff6ef249943dfaecb9910efb92b42e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1421d7959ef1504f954fcf2b56bedae3

SHA1
19e1da4ccbd4d3b3c2d70f6a6e1a0c31850a5f9a

SHA256
00aef9d74fd5751a4a3c01543e749d380066843d0d76b27558e153a8b10dd3b1

SHA512
9d32823b6f3a525e8111308c8a8295b32e9fb1411292d9ce8ed9e2989686bb6a7a76a81a60ad450e269164b03f10487ccffbdd54addea04b373296cb26f24f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f457457988660f4970d41b82f4f9104f

SHA1
e3cfedb9ce0043470a18f5178eea676b3ca835f3

SHA256
9aeecff9d4535f8144a0da32f50fe26dbd9b739ac0b148a3377d6a698eb5b3b4

SHA512
b30888ad0dd99079029f40ace47fa55552ff2619844b8d6249fefb3dbb149dac30809c8ed192b10b0acf03f21172729382b4ea06d7896226d6381e79088ccb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
35f9de198dd09ccd875d70d1c2cd3b4f

SHA1
a9a77231469c52da366e5e005ba1ebc9441fdcf7

SHA256
946f295ab162738bb08bc4ef16dddabc1b658e7af292c3115192192004766324

SHA512
e937c1d8c697de0269a2bdd132b45b0d0b1410589463a9361dde4b45743b8803964eecad0752627b683fb75bc700d4f2e10d6427dc3c233d0417340e71ff8f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
89d28e2925de2a4cd193a66d6b6a3bde

SHA1
1ed7db2c727d91cef76e555eb7556e0533d3589d

SHA256
b5f99b6c2245f2338bcb862a45aa20d76e2381f80c7ca74f5d1dbbe7bb6058f5

SHA512
0a05abcb66f5ea2e64edf1c52e8f0b54dbd73ae7d2574e75a29e21ea9e1c3c993dc02d832faf49866b74d78b229e5c0112fc720487daa8a127e5a98f2de4c308

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a0d16e9390ade08031a5f85c55ef72c1

SHA1
6b48c3b51be393937d65d769a59e2930aad9a9f3

SHA256
ef474e103e48556b50924482b742f93e6fd9264976da18cf39b9be19b8f526c8

SHA512
754c4ab7641232918599d21c9eb487f86028fab19d6ff4549daa65dac0fcd6efa98671f0fa2d2361c82ceeb5873c691b5a0e36bf133a9f7ecc2e4e215da24f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ff1e37931cf68c08fe625f2fe0cbe3d0

SHA1
4dcdb4a2fa79f9d1b9c0a4195677f8e5da03196f

SHA256
87f2439ae82548d6ecf1b2e3d8021f07f2ddb95d0bc0272044d7f3e56ae0f591

SHA512
cde6752819eb4c5b926d3494344f47d47fdf407f526b56e835441cecf2703b61964906380491036b9035bd6711e683d3e9379b2c96f03986c9034f1dd8b22cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7baaa5ab8417471579a2451c12239203

SHA1
ac7cf537aed27790f11ae30fc45ee4de5f72b428

SHA256
b2d75c90d87e8139411ef932347fad3019d7850a130fbd14ac3a647f42967691

SHA512
a8a753b6d1d22a410d7053fa8bc626c2b7f4faea27865b9552b84d14a335a5b470bde416304b54251e6815bca51f13a8f21868aa9feb5cbb0c4dbee24bd42990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e650537d377f43b1f8ef971e9beb6e6

SHA1
6405fac5de53c31f329db0b6368efbf5fcf317b3

SHA256
2f99534caf59e645ec5da63080df70e5299b8e3973692ea2f0c5e4ac86a0feb9

SHA512
3b04e6c6ba4a28c49b0a495d818bdd614f5a4d623c83c22f1b713fb941204983cd8445cbf7a1bf6f548a16e4077ffb9bb83fb45fc40f5e5986c00ed9bb139a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c22f1cae2f36a3fee3f66561e9d94571

SHA1
bd8a38afb73068ddb4c46562731f2fc908145a14

SHA256
c246ccd109a75c868e4c3355d9e300ce6b9d0dd7c3d7c73ce81dfba24776381f

SHA512
3936b5c98f78afbdbb7324d6a3204aa8aae529deed1d1664c2b3ef9856c8fedabdecfe4785f74eebb4a75c50dc2478b9e3f9b2056e74087948f6a5ec6b5931d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2f9a29fff4f286225a9f0033dfd63416

SHA1
a2f0cdbfdc496697181ef0db54fd9d8cded3636b

SHA256
6fc8430abfee22fba29a284338b04a59b624a87dfc5700585768eb28e298d3cb

SHA512
f52462f0c2761598eb78e3510c5ee390bc23f7f563b4edac803c4616a32a90f5c58ce327b11a62bd7ba60637c5c0caf1f078f52550b5dbd33a1caf9182b8f2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f7e588b0d173fa3a0cbf0c5f55655384

SHA1
9503f3148820ba1f729b2e231aeb8516caed631c

SHA256
78f082f7ed8fa0b99a437b538a85f9f45a40621aecfe35d2d9b15eeda938792d

SHA512
588b4c852c10df8c77f73c8102c1a07dc66d08ad12b2ce5599c99d383d89fca768cb315958c3bc6bdec18fe5c4af78bc455febe90e0144d2bf0e2ae2bdf1cf88

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
324KB

MD5
66a881c43f39821a1b0549b5f14a8d66

SHA1
c8928788664acab21d64872ffa6e36374f406adf

SHA256
8cdf60f38753481c688f6a12e26e6edeae19e2a781313bd01d802e53c66a6c31

SHA512
8ffe3e90ff53b978ab840dd043014ddf75f014fa2e0b6aa57b36c01ad39a6306934d09a86aad7209adfd2c033833c30d4cf0819fea3f43cb1ba3ccc0796cc4b2

Download Submit
memory/1196-27-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2460-900-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2460-275-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2460-552-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2460-277-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2756-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-21-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2756-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-26-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2836-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-15-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-324-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-20-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-879-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2836-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-23-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-22-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-13-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads