revengerat | def80f5379a616c7985d76932c65e4d35b53287eba6ad964a08a3e9d589be0bf

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
Size

472KB
MD5

04f9cd1f32905fa8282895840e8d3645
SHA1

ac932595c0cc0fb578e08ac91ebfdd829e64d8d0
SHA256

def80f5379a616c7985d76932c65e4d35b53287eba6ad964a08a3e9d589be0bf
SHA512

94832cfdd761f6e2128f0b53ab79be5fb70bef59d767c48f946878c706ee4af5e0d59053ac99b515719b253c37f521d60d2296338285fbb4075c81b061e00ae2
SSDEEP

6144:7SwCUX1hmXi5Zhr9Dc4f4y3u3VwiaVYu5oLC9:751R35B

Score

10^/10

revengerat yeah bb!persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

yeah bb!

xd.zapto.org:1990

Mutex

RV_MUTEX-aawrHJfWfhaRCl

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2876-2-0x0000000002230000-0x000000000223A000-memory.dmp	revengerat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	Service Host Network Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
264	Service Host Network Service.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service Host Network Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Service Host Network Service.exe"	Service Host Network Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
Token: SeDebugPrivilege	264	Service Host Network Service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 264	2876	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe	31
PID 2876 wrote to memory of 264	2876	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe	31
PID 2876 wrote to memory of 264	2876	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe	31
PID 264 wrote to memory of 1916	264	Service Host Network Service.exe	32
PID 264 wrote to memory of 1916	264	Service Host Network Service.exe	32
PID 264 wrote to memory of 1916	264	Service Host Network Service.exe	32
PID 1916 wrote to memory of 2996	1916	vbc.exe	34
PID 1916 wrote to memory of 2996	1916	vbc.exe	34
PID 1916 wrote to memory of 2996	1916	vbc.exe	34
PID 264 wrote to memory of 1304	264	Service Host Network Service.exe	35
PID 264 wrote to memory of 1304	264	Service Host Network Service.exe	35
PID 264 wrote to memory of 1304	264	Service Host Network Service.exe	35
PID 1304 wrote to memory of 2460	1304	vbc.exe	37
PID 1304 wrote to memory of 2460	1304	vbc.exe	37
PID 1304 wrote to memory of 2460	1304	vbc.exe	37
PID 264 wrote to memory of 2204	264	Service Host Network Service.exe	38
PID 264 wrote to memory of 2204	264	Service Host Network Service.exe	38
PID 264 wrote to memory of 2204	264	Service Host Network Service.exe	38
PID 2204 wrote to memory of 2136	2204	vbc.exe	40
PID 2204 wrote to memory of 2136	2204	vbc.exe	40
PID 2204 wrote to memory of 2136	2204	vbc.exe	40
PID 264 wrote to memory of 1316	264	Service Host Network Service.exe	41
PID 264 wrote to memory of 1316	264	Service Host Network Service.exe	41
PID 264 wrote to memory of 1316	264	Service Host Network Service.exe	41
PID 1316 wrote to memory of 2160	1316	vbc.exe	43
PID 1316 wrote to memory of 2160	1316	vbc.exe	43
PID 1316 wrote to memory of 2160	1316	vbc.exe	43
PID 264 wrote to memory of 912	264	Service Host Network Service.exe	44
PID 264 wrote to memory of 912	264	Service Host Network Service.exe	44
PID 264 wrote to memory of 912	264	Service Host Network Service.exe	44
PID 912 wrote to memory of 2292	912	vbc.exe	46
PID 912 wrote to memory of 2292	912	vbc.exe	46
PID 912 wrote to memory of 2292	912	vbc.exe	46
PID 264 wrote to memory of 1924	264	Service Host Network Service.exe	47
PID 264 wrote to memory of 1924	264	Service Host Network Service.exe	47
PID 264 wrote to memory of 1924	264	Service Host Network Service.exe	47
PID 1924 wrote to memory of 776	1924	vbc.exe	49
PID 1924 wrote to memory of 776	1924	vbc.exe	49
PID 1924 wrote to memory of 776	1924	vbc.exe	49
PID 264 wrote to memory of 1760	264	Service Host Network Service.exe	50
PID 264 wrote to memory of 1760	264	Service Host Network Service.exe	50
PID 264 wrote to memory of 1760	264	Service Host Network Service.exe	50
PID 1760 wrote to memory of 900	1760	vbc.exe	52
PID 1760 wrote to memory of 900	1760	vbc.exe	52
PID 1760 wrote to memory of 900	1760	vbc.exe	52
PID 264 wrote to memory of 2320	264	Service Host Network Service.exe	53
PID 264 wrote to memory of 2320	264	Service Host Network Service.exe	53
PID 264 wrote to memory of 2320	264	Service Host Network Service.exe	53
PID 2320 wrote to memory of 2576	2320	vbc.exe	55
PID 2320 wrote to memory of 2576	2320	vbc.exe	55
PID 2320 wrote to memory of 2576	2320	vbc.exe	55
PID 264 wrote to memory of 2112	264	Service Host Network Service.exe	56
PID 264 wrote to memory of 2112	264	Service Host Network Service.exe	56
PID 264 wrote to memory of 2112	264	Service Host Network Service.exe	56
PID 2112 wrote to memory of 1288	2112	vbc.exe	58
PID 2112 wrote to memory of 1288	2112	vbc.exe	58
PID 2112 wrote to memory of 1288	2112	vbc.exe	58
PID 264 wrote to memory of 1500	264	Service Host Network Service.exe	59
PID 264 wrote to memory of 1500	264	Service Host Network Service.exe	59
PID 264 wrote to memory of 1500	264	Service Host Network Service.exe	59
PID 1500 wrote to memory of 1568	1500	vbc.exe	61
PID 1500 wrote to memory of 1568	1500	vbc.exe	61
PID 1500 wrote to memory of 1568	1500	vbc.exe	61
PID 264 wrote to memory of 2872	264	Service Host Network Service.exe	62

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nflwnnmp.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES116F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc116E.tmp"
      4⤵
      PID:2996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agd5mu0j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES123A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1239.tmp"
      4⤵
      PID:2460
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyoa9dzx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1298.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1297.tmp"
      4⤵
      PID:2136
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n-vmjyfr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12E5.tmp"
      4⤵
      PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpn5vlly.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1334.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1333.tmp"
      4⤵
      PID:2292
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ezh5dcd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1382.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1371.tmp"
      4⤵
      PID:776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odfbuio5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13CF.tmp"
      4⤵
      PID:900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h8gmkxo-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES144D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc144C.tmp"
      4⤵
      PID:2576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxtnpoyr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES149B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc149A.tmp"
      4⤵
      PID:1288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1grsdij_.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14E8.tmp"
      4⤵
      PID:1568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a_mg3oqr.cmdline"
    3⤵
    PID:2872
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1536.tmp"
      4⤵
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1grsdij_.0.vb

Filesize
299B

MD5
9cc9962fb06fd96f5b0f45813d86b15e

SHA1
369ae611e8119a6e15bf13809ee5f71646eb6f42

SHA256
5808ef69bff26e689e4d16c87ea094643e8d288d470efb7922864069975f4c6b

SHA512
27c1b47ccb7560c59b4729cc5fafe3950ebf35d1ea5d8e5a2c22f71ab83e9f158b47c0e5b61e8c9425edcee278535c9edef02a495a9b7b26c29ab51b7aed37ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1grsdij_.cmdline

Filesize
170B

MD5
649568217cc4eeafc1042c894e750dad

SHA1
0097c6962725fa1a05a7cb6be791c652a2d4cbe8

SHA256
08b9c56345b735b534c3a6486c7d29fad45432e66043ae841f5097dd85505f2e

SHA512
bdfb052da1610d79d6f474ec738783ebbebc9b348cfe0a534657a4b639967b96db6d844795080808e8191d71919eff8ea9e7b294041c868d8c217a80dac376fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ezh5dcd.0.vb

Filesize
300B

MD5
8d95ac248def207bdcbc91e02853e7d7

SHA1
b898def2a499cf19eaccd29e69223a8a739f2dc3

SHA256
f0937a3ff662e3ce4bfd06aef7759a085521cf0abd6274190c75bd0355d04dca

SHA512
7784cffe76a67aae24e292115c6624125abdd2eab17bd868250b9e9cc170e5026e66f2b4d126dbff17e94a8db85ed7c56b2e7a9cc2e4eeebda6e9f3cf6affc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ezh5dcd.cmdline

Filesize
171B

MD5
a565c39a13419fafbba5e547f6d5d1b5

SHA1
3cd24774f3a23b4bd610b01e27f4e748c25e864c

SHA256
c93414311640cb3db243d12c0aaff8e5093790f1ca6f534b647ade227697bd64

SHA512
8a1834c7d0a2ec82be791a04d5ca8bfaed445896a126c939d9db699a24bea881d326840f6a080f22f538e0c41b13816ff280eeb3b5dd56979c3c668c609670f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES116F.tmp

Filesize
1KB

MD5
865cdd99955b75e63c5e3fa501a31ac4

SHA1
fec289b5619c472cb54d259bdfbfed25888b1533

SHA256
9c899f45daaffed8970441077895e2a71f2a0aecc7d0776b68d4a9c6397f57ac

SHA512
34e2d991930f95488144909a9845216ff02e15f9dbe93c1e45e92a7350962fe61c4969ba5b4b6528c6b9ae665a0414fae9c299b11de95d417b9bd334966ef887

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES123A.tmp

Filesize
1KB

MD5
e54dc2fdc0a8b6355f70350b3dfd4d63

SHA1
5bcf7632324f0d7765f8f75350c25c2484ebc5c6

SHA256
cbe7443de6af19800d19b11063ccac7b69236474a179889cbef0801f5c66d136

SHA512
e5c64e28afe27c5718168095d2dcdd48e7d4d79749f52bc636de1b9bffbd322acb1b06b68ef33e691195f7626ba6b9b4679707e291db823b5ecbc74572907a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1298.tmp

Filesize
1KB

MD5
b84767144e173127cf12b19a813b5ebe

SHA1
a882fb919453efa61bb229776f6c997768d9d45b

SHA256
0d5f1dfde389a15f018400dd76c9906899e8d2739b4012db68dd4704f686fd6f

SHA512
f1e8e3711149cee365bc046229571559b14710fb9b31788ad56314a34b2af73589dbc587dafdc43d5cba765d5d6a4f4137317fd93b66477e798c3db4d3b76897

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12E6.tmp

Filesize
1KB

MD5
a333216d475b95750f30350c00862653

SHA1
dd03b9397e798067358e9853d87bb85759771d6b

SHA256
795557bcfa9ad50dbe55d707be2ae222671803abe28b765cf006b208087203eb

SHA512
4f4418009286004864bb8709df0be0887324e375fed7b42b31edcff518df24278a6e92ffddf4b4261dea75f8a9ed3c2066d945cdea2cf62672f99f078c425481

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1334.tmp

Filesize
1KB

MD5
abf91b1a135e8a99933f32f4079e3f5e

SHA1
7e7045c4f4344b4019d723b67adc7efdd88c536d

SHA256
84cd68d75e35bcd8529f997c5337ae669fe5b2c05b585b67db02f35cdedee172

SHA512
58934a037e141920cf8d57eaeeae23edeb96c4b526617dbf42d14ff65152bbd90a51149dec8de68f797bdfc3cd6e8cf078113df7388703cf65656863958019fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1382.tmp

Filesize
1KB

MD5
20833ef539f538da44df6854d91bce8e

SHA1
9a05197fa52ee8347ad66925e5d6e5c50322c25a

SHA256
f5dfaa773769131163e03afd8fd9ca760f47351035ad119b98e13d2e76e6b440

SHA512
51846d808323eaa6d1c4f0c62ebf39053d0d6f0342919fd968fe08f9747b73ffcff9772260a469de328b3499a77a69ede75213a4ca13e5b57ee1294123e2d4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES13D0.tmp

Filesize
1KB

MD5
4a2d988e9f965ed626e3003f89c766ed

SHA1
30281d03da9ce9fd12d25455da769cb70843ab77

SHA256
d76b23753b6807813ddbb9c49e0b456da72a80cdd15a6c6de790994172e9abbd

SHA512
39672c85f4cd5d6e3cf1df64abceb51431c1b571d29c59d9790ef572e684c6c09058b030b2d9a3c5ccdd9b2768db9ac2686f0935196dcaf7cc1d8a14a259bf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES144D.tmp

Filesize
1KB

MD5
bc461a2f72f35a5a4c8b325e632634d1

SHA1
103af7e27337e16fe5bd6539c9dc6bc1b5781db1

SHA256
bfb09e601d5cc494c779cf91a8d6b73079ec105e13a6e54dc12d909a0e34edad

SHA512
522a11d31fa6a9e1863e7ecdd59f7a2847fafec5deb42bc59ef64eba4868d9f829b0f5bed7ae17589f91aed3e86fc8b7250208f1b5d14addeb07b0228d1d3f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES149B.tmp

Filesize
1KB

MD5
50322ee984084ad2627fad5126ff22ba

SHA1
011c9ba47410473339d6ee95b1abbf0bcef27a18

SHA256
5f775946087719a3754027b1ff9b28b638ebf9391b3129ce1bfb25ff692c9094

SHA512
6cd2f3f86c35b3875a1665b9dab5fc4453c15f28e5e2524dd90f959a911ae9a5923e752284b3f347e761ddfe52a1e2b0a2da66214be5c0af76d1ad4172563928

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES14E9.tmp

Filesize
1KB

MD5
8797993853c9bcc5eec3db41beffa6cf

SHA1
0e0045af78128cb5b74bfa1866441ff52e65c6b9

SHA256
735e24f8a7acadb5139450c4f19498e4b4f888f4cc82a4316b5f5620ab15bebb

SHA512
b0fe6b1471068275789264adf9e4b6b1e3bc7d2ecb12b672d53af81b61f09afe5a78f3328308ff87b0e128c601179ea0d1ef61f40b013a875650273abe873514

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1537.tmp

Filesize
1KB

MD5
3a1aaca69f509af350e740722805cc92

SHA1
6831d54326808059e4868d08a656b4903e6e10fc

SHA256
dbc1a065401bc477ec2af281ca1a971bb1670821ae449e5516f825dad9196347

SHA512
a67d8119dc5a7965f25dbbd3708b90ad19730421c4f81c46d58c0f9688858026cf26978862b257a0436e5d4bfff8e23765c49fa13c3d44ec12c56a80863b207e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a_mg3oqr.0.vb

Filesize
302B

MD5
2164f94f71ebb52939d82f2ec171103c

SHA1
ffd28d94cbf94c6cba8d0f845e71fb664eab459f

SHA256
040c54f8e7a92092eca8268c4303cca5431cecb9ca26a76f40d131bb499e051a

SHA512
1dd9c4e0a9f0f75749efc8a0e8e42403efa3d001f4d8d44d4b8aae060099bd6e9258bf1e0b80c36e1a05b09ad6202ba5f5c161ccb99b9d0fc1ca0bcd92a00e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a_mg3oqr.cmdline

Filesize
173B

MD5
7c8e539c2e5d56f50201d743c8dd64bf

SHA1
aa012b5ba39582b3523f35556882249e0385a2bf

SHA256
bf15d723e9fbb4dd23e19cfb3a3756b5746d3c5633b12a8935e8b90bb295628e

SHA512
38681babbc6af7e250f5e0de8aadcd742689a1011f7ce36e06877b74fcf7ab5dae8d550a0a21287f6529791ea8b3ac65edbcdc466fbde0c2aa28a49a2a04aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\agd5mu0j.0.vb

Filesize
291B

MD5
a76a60c2684ac4773ce5b1e8b5bd30ea

SHA1
ea5fb32cc347f622ecbe9144daf9af5e47345aae

SHA256
a1e7e84a661d7e999a959d5780c81422b451858de68e78571d0d743f2be1c766

SHA512
1c67a05c6273118a79f8e95f2f0cd5b3ca09875b7267420908f61c95a5764b07c16f6a232b57078883d8ed814763e6128caa9289a897bad5194b8f92e79fcec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\agd5mu0j.cmdline

Filesize
162B

MD5
271784f5fa9ee8d49091f60438895607

SHA1
9fd4fb3adad40da935f8301dae1185f659ee75f1

SHA256
57f732e05fa073184996113d3e18f9207ddef790a0670203396af1cf2166fb6e

SHA512
02a00adbbad2e9b7a9a2601e2f847f8b7603b5e78922c492a102e4c3db67fc82708803dd2d4cffb8896ced3e61b262d64da973c7ce007c2e5e8d30603c4fd48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxtnpoyr.0.vb

Filesize
293B

MD5
e88b145f8a68c93526cbaec5a6936869

SHA1
759b7f383f3bda95fdcf1cc8aecf37169ac58e13

SHA256
0f9c9ce6dedfc73cea95da54e5c6240d4ba8a7a5806c28c002baf9728b1f2401

SHA512
2132264dbd363fcc67290e47787f0cd8f3682d65acddcb35fc74f5c509a63a663fbb37ec6c994ed3d08c4cfb3f4b00de7f57ad74d176ed390add498c7822d3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxtnpoyr.cmdline

Filesize
164B

MD5
5ef92d91fae84513b6cf6f0fed38b3e0

SHA1
20c46511700068f032c8bc28a3b81fa0c218b0a4

SHA256
f57be3d3aca16eed6d86bdf9458e18afa57fbec9e4c731838b51937429f271a6

SHA512
d8d95cdcdca00a2240e784e4b909ee5cde793c0329019c2538330f0b29cb034c1cd805330f9090409ab2918333101e6a78e6c3647141d65f37ee9f06fecef6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8gmkxo-.0.vb

Filesize
300B

MD5
10f8e8f148c9b2f9386b94d27908640e

SHA1
216292484fc202dab8174846364ff485c41a0ec2

SHA256
a1443fe3c06dcf3cf26d6d7708d1c0de00dcd0a1192400c7deb337dcb63b9b31

SHA512
d65605cdceaa275865c771440c1321018e57cd967b6dd0414aedb705b99ee3549fad74e1c957da717122e30d8f91945ab9c16939f29ebc739291a3b5c50e62d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8gmkxo-.cmdline

Filesize
171B

MD5
4b59081727ce3b9f14f69e84f1e1e027

SHA1
7e28a76dc83700fb196921a3d3dcad5f6237da2b

SHA256
6c7714be241dbc97c0062b78b6d6526cec302edda0e10266dc25e1d286a8018e

SHA512
bedbea74814402da5675cd4d8ba55d1fd65df3b7beed7eba861537500b619b7d50cac0d750c1dc97bd9c33058364b6e5204e7378faa6701ab129f0eec8f78abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\n-vmjyfr.0.vb

Filesize
294B

MD5
f4866e8ab8595b841f584628e7a1a51e

SHA1
816df224db06582a61280505031f31d51a3c721f

SHA256
026bef8c6163d61b12ba7fe49f8a31b2af784ac073e87b2ba91a27a8e50df8c7

SHA512
32404956e2425cee66faf09cd15200094197cf5e82cf2678775396779f54176dbdfe69d1ebe98d0189c52719d164015985acfb7d2692989a55789bafbc4a10b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\n-vmjyfr.cmdline

Filesize
165B

MD5
851bee2a7d02723ad8ef5bbdb84dec3f

SHA1
5a2d6e5a2c5e69da5424613d63d91a6ffffceb97

SHA256
ef3dec7fcf3eaf9640e4a82d0fc0407c852d5ec018888271af0db0d56a39c381

SHA512
523cbe66e652cc613173921234940b5bfac07cc1e829d2c3696e3e65c21fe5677d6f38dbf47411fc58a122be516c93d7a3de3f8ff119830420706aee15939af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nflwnnmp.0.vb

Filesize
219B

MD5
3fd23b7ac82058d02d246490f3fcdafb

SHA1
5cd215eebb49950dee64daffe5d2d059c6873710

SHA256
5773f45f6c95c87bdd15b0cdd07b10d65b60beb756a04a820ef6eda0bdf5c509

SHA512
a6bdf5b0b994a7f8c96271955a81ce8bd9ed650d3649bfbe9619c693b574b0da20696a902864a768618f53859fd00b5981b20dece7ee7f92153ec780f9bc5751

Download Submit
C:\Users\Admin\AppData\Local\Temp\nflwnnmp.cmdline

Filesize
216B

MD5
1cc2db56c3903a09993a1259f0b3b1c1

SHA1
b12123fef7e3e901f2d42327914bc3fa00c47e56

SHA256
e8089b5fd42cf6f487e506a9800564da4489c5db436ad6bb2a09c5676039bbf2

SHA512
2a4669b88daac1c7d141d674a833c7a832fc98af9c3911f6b97bf42d7039aea5b73dc033b0686f9b8b3a1b86a6fcd4e2f3157d7a36a1f90ef732cc82528cfd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\odfbuio5.0.vb

Filesize
319B

MD5
e3314a1e42c948c4684959f4b06045a2

SHA1
20a134256d4927408c85d399968ce4c51445b750

SHA256
301eefce986e0ebd58883ceee5c0dacf8739b3e0a4f35130587e116498fb051a

SHA512
243596f379b194879d04baa03a87eba21046c1ad4ce4b8b567d27812465813513664ab7ae4b256245ce6d035b9abb88f4e94f37109dfce5c81a4de22c096cd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\odfbuio5.cmdline

Filesize
190B

MD5
7a246d032d71ff3332c38613b7aa105f

SHA1
da93043665d37e23b414bb0e10b7148b9fe5a3aa

SHA256
d61ccf8e83b971c7b0f4203505e5af366f529b6e6627ed554402511e0f4bd955

SHA512
1eb294b89a239b2c7f55a4bf896aabd3341e6f887734c4d2b535fdcf7aae4e409839df47bc830df39c9eedab910a96ecfde86687b995dc6a1bb87d37e9264d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpn5vlly.0.vb

Filesize
298B

MD5
d93ef597b65c61ca9499e2cff491ca72

SHA1
a0054025705b84b578eb3f4de4eee9036d5c5250

SHA256
748da82a4380e2e8d32c245a9343d73300eba9dd530174df335dcbe05842dc0a

SHA512
be3fd08c56046d96e2faffc3cf8497a82b80ee97b87835575b39f5ad3b7da5416d904b29f342feb44ca98cf38c06ca6f2001638f99e14e73a02cb017b80fe289

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpn5vlly.cmdline

Filesize
169B

MD5
cb82fddd57f3ac6e0c38b1f8b91a9a21

SHA1
57a570788e713998beca6d27bd9832a4cbe276f9

SHA256
33479b9bc37bb31baba12e1b5235277bf65437a0d9cdc63bad45f57715e23c38

SHA512
c071b7713d48e30210486b930e07d5f2f1a23d9594c8255bff56a1c91f834d716bd3aafe576f5f6033b48d4fbf4e951e611935d7bd083edecb312b53b9302b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc116E.tmp

Filesize
732B

MD5
d1ab5cd7b8edf473611603f7c0523c86

SHA1
9735a5ee3505c8d44491ff5fc329ad1de7926c81

SHA256
01a4da2c8dfc942b92d11f4e7ad7d2778cc897656ad6533078157042ffaf8ba9

SHA512
eeb2ef49281d2469e23340ddc195defa178a8aaed59147f0213904232bd09d8a46022eb16785e609589861082395dc7546ba0c2181418c421b959001922925c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1239.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1297.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc12E5.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1333.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc13CF.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc144C.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc149A.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1536.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyoa9dzx.0.vb

Filesize
295B

MD5
79f9aedc9de9b24424e1b20fd3cec209

SHA1
bb2c1538ec9a4a5ba6e9c422ae0fb75d83d9659a

SHA256
9d84f779abe5f866fb0ddf74d38a826f565bdd82d1422ae0ac13f1d7329abc68

SHA512
cf8bde4fa15dcf5b49121e77d25bbbbbeddde4123a731a8631e5a3165d06747b6206ac21bf2786e8d6d59abfbf8a359f4aee52d1eaa1272d6aa9201ba18c7754

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyoa9dzx.cmdline

Filesize
166B

MD5
2e19fda6881599974119566610669a6a

SHA1
cd9c787e90ed32952efd6e43d1d2c709d7222b16

SHA256
51ae52fadaef01c22dfdafbaec00d4df654cb4d57ab59400b08265752737fca2

SHA512
128de67d21016e973cbab63aa92c51cb634cb0e13be1714c1ba0229cd591cbe38e4771995a7ffec8b1cdd3ff844ab7a0ab21c67d1ece12d1712f28b4e952ae72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe

Filesize
472KB

MD5
04f9cd1f32905fa8282895840e8d3645

SHA1
ac932595c0cc0fb578e08ac91ebfdd829e64d8d0

SHA256
def80f5379a616c7985d76932c65e4d35b53287eba6ad964a08a3e9d589be0bf

SHA512
94832cfdd761f6e2128f0b53ab79be5fb70bef59d767c48f946878c706ee4af5e0d59053ac99b515719b253c37f521d60d2296338285fbb4075c81b061e00ae2

Download Submit
memory/264-15-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/264-12-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/264-14-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-0-0x000007FEF613E000-0x000007FEF613F000-memory.dmp

Filesize
4KB

Download
memory/2876-6-0x000007FEF613E000-0x000007FEF613F000-memory.dmp

Filesize
4KB

Download
memory/2876-5-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-4-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-3-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-2-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2876-13-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-1-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads