njrat | hxxps://mega[.]nz/file/aFB1VA4R#-_5zCZjiLTQw_mhuJwHgJvTLXAU9oexEG7LXQWYj1Do

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/aFB1VA4R#-_5zCZjiLTQw_mhuJwHgJvTLXAU9oexEG7LXQWYj1Do

Score

10^/10

njrat victim discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d | By Brontok

Botnet

Victim

spk.accesscam.org:55554

Mutex

m9o1ocabbaxon9ndffebx7uutlcl49nl

Attributes

reg_key
m9o1ocabbaxon9ndffebx7uutlcl49nl
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Otp-Bot.exe

Executes dropped EXE 6 IoCs

pid	Process
6068	Otp-Bot.exe
5128	Otp-Bot.exe
5200	Otp-Bot.exe
5288	svchost.exe
5388	Otp-Bot.exe
5692	Otp-Bot.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Otp-Bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Otp-Bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Otp-Bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Otp-Bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Otp-Bot.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
2872	msedge.exe
2872	msedge.exe
760	identity_helper.exe
760	identity_helper.exe
640	msedge.exe
640	msedge.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5128	Otp-Bot.exe
5200	Otp-Bot.exe
5388	Otp-Bot.exe
5692	Otp-Bot.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	612	AUDIODG.EXE
Token: SeRestorePrivilege	2404	7zG.exe
Token: 35	2404	7zG.exe
Token: SeSecurityPrivilege	2404	7zG.exe
Token: SeSecurityPrivilege	2404	7zG.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2404	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4988	2872	msedge.exe	82
PID 2872 wrote to memory of 4988	2872	msedge.exe	82
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 4416	2872	msedge.exe	83
PID 2872 wrote to memory of 3032	2872	msedge.exe	84
PID 2872 wrote to memory of 3032	2872	msedge.exe	84
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85
PID 2872 wrote to memory of 5116	2872	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/aFB1VA4R#-_5zCZjiLTQw_mhuJwHgJvTLXAU9oexEG7LXQWYj1Do
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd64e246f8,0x7ffd64e24708,0x7ffd64e24718
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,5682093322108107466,8054132300275011518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x3a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3744

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11960:154:7zEvent25381
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2404

C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe
"C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6068

C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe
"C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:5128
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5288

C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe
"C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:5200

C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe
"C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:5388

C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe
"C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Otp-Bot.exe.log

Filesize
408B

MD5
42157868488d3ef98c00e3fa12f064be

SHA1
aad391be9ac3f6ce1ced49583690486a5f4186fb

SHA256
b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

SHA512
8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
235b23df5af279165df393abd4adf680

SHA1
25f1d63209be3d78764572256899427a7bb27d54

SHA256
922f787eb4e0cf4440c56d71ad67762d4498c471494c57837c5e78a69ec64ce9

SHA512
6340f010c71cd6c35c00d7b8b0ae91ce98661305502c6d08a735b67e1adb2b9d2587b53c16f17f6a3bf106199ffc2dd3e048d9fe8b2eed32f9a7da431282cde6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23ce0b214f6ecbcf0852bef79f5f4bd6

SHA1
a3b6926588ca84065f0262694bedd467ddca8d26

SHA256
6d6bcb284eadb032c288ade10d8b261b19b643264bf1a5f7405951502809ca26

SHA512
66c5a3037667e09df0b149b0a8933b89139bc673fed90a8744c973ca9270139bdf62d40fd13df2045e45e0049143275a2d912a379c6353296921e2d71952f9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea80ff2dbc46f31582f4a8dee6a7b18c

SHA1
ced3e11058723164818f75e57890b6fe0a0bf14f

SHA256
cc31d357840eae03235038f2874da1f8aff922dc10d99b3df98c4125efbb986a

SHA512
f01dac582759c87056a1ca456674ca779c2834d71a1175563a9f9b3b550450ed1ede8d459fc175d897d94c665c0a7c56fd948c4d519b3e1bd3c8e0f64d05b48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e9fbee8138b2cca1866d0737b31d3dc1

SHA1
ed63e677e7deb606ad55b5b8aab877be34e85fee

SHA256
081dd425d9c90f5758014c45131697b85aa0bc911330c695d797328b027f980e

SHA512
d769212459b7dabac19433a424b6c387aefd5c055823ea7955e95871e1317e639dc114fde49533af4b78ea4b9d73e652822b585a405a73ab214588cdd76a3da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ca1f7e6bd7e1dba612fc0253f095bc00

SHA1
1fb0c4ca0a259093ab6e66f93b7fef07c404d460

SHA256
ddea3ea35705e5df28c096686929995ac16cd5b97ae3d4fa1a1e7de379a5b138

SHA512
1f25735414c233c3493c9c9d564fb3969c83746e44637cc798538ad3bddda2f65551cb08757b5e4f7a205bfeadf05f30afbd93bd3cb9ba8d3a22d960541edd7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d7c2.TMP

Filesize
48B

MD5
e75096c828d0a97e24fbf148ffbc083a

SHA1
43e52627f725672cca95499bb815aa0764a10d86

SHA256
2156a6a8e4be0748f2fab0132b907eb5001c9b4079b0167bb6b5f3a613fe09f7

SHA512
2f1e24fd901da0c779e42bac9399d4796196c601b0ad550689b5393bc420d9ea7d5d6e80400b369759e4036655443059da9c53712962276dbf28b25240cd7605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8af2ca7e47bbc0d1ed65792b21681705

SHA1
56fd9ab5c249aadc069de3d28ea5b1cee74627ef

SHA256
326633dde9c6b2373c5bf3c96e0b70cdba003b64b043333898c908b2677d173c

SHA512
8f31c25850df4952dce6f6564f7fd00ca98698349a34b8a5421fbd0fadc0cf08eeae35e61f198a97558d3f1907efacec8f667ca0f51ab720f66bd02854529ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
72712c11ecb2ba9fe053fcc10a926a04

SHA1
d6d0ac4db1cf8ce28159752dd149d2fd859a5289

SHA256
9d96acad7e3809301639caffcc694108e1d6c70d98c8ac3d185855c11a255a19

SHA512
f2ee934ef75af5dbb74c29189faa0285159862690e033eabc1bca3b50dc96373b3e06316f4bd73335c74fa7e3cd5d176e30531dee8daa62c6e7389d2546cdd54

Download Submit
C:\Users\Admin\Downloads\Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main.zip

Filesize
4.8MB

MD5
4f809ae2e9c133366fa2b0833c5bfe71

SHA1
8e47ed8c9071d3c74b3167aa095773c2bb66fc13

SHA256
fdc2d4a9348dd81d048d8acd8c06ec52c0376456dd2d79c977c61f2e08480eeb

SHA512
34b3e3aadf8ff51b05199ee699571f655e2842248f3c24936a01485d376557873561a8ed73c84785b0fdf5befc4b36d4aa7e31159d87728fb5256ebe699bb692

Download Submit
C:\Users\Admin\Downloads\Zylo-Otp-Bot-Bypass-Verifications-Sms-Bot-Bank-main\Zylo-Otp-Bot\Otp-Bot.exe

Filesize
37KB

MD5
8123fc137d73b3b92fc40be61af08ace

SHA1
b11168a1ad6d72808b176f0c889bfa220d13813e

SHA256
a407ae1ed0a941a41d223a64cefd0baf5163bc4fd35b020d562b7cf3b83442b6

SHA512
cf225e298886dc63584f7615891a3f4fc9773d4e2078a1363dba8547b1e85627b5bb5dcc18dbbcd51e3375bc18fb122ae4846bb92735d0c963ac0e9f71f56453

Download Submit