xred | aec08458d6c65f48f62b1cbf2d06d8b8fa613cc11eb65bee6987046559f35ed8

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/01/2025, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Size

6.1MB
MD5

d3598f91b2ac9b50fc4ab79d984c289b
SHA1

b11ce902780e0b06f080b147f1ea6abea7728881
SHA256

aec08458d6c65f48f62b1cbf2d06d8b8fa613cc11eb65bee6987046559f35ed8
SHA512

c5bec3a8afe3414fbc2f7ea3939b165cf5ab3b768ed068988896b3b2be74cb8f6909932061796edc17e9f5dc07a71f5e667691b564e7804c5559601a0522f980
SSDEEP

196608:pLkjkq5tgtRceR9dWcvKgS8ccUjkq5tgtRcA:pp9WcigS/Q

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00060000000195b5-303.dat

Executes dropped EXE 11 IoCs

pid	Process
3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
2144	setup.exe
1712	Synaptics.exe
1072	ISBEW64.exe
1020	._cache_Synaptics.exe
756	ISBEW64.exe
2536	ISBEW64.exe
2136	ISBEW64.exe
2436	ISBEW64.exe
1468	setup.exe
1968	ISBEW64.exe

Loads dropped DLL 17 IoCs

pid	Process
1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
2144	setup.exe
1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
2144	setup.exe
2144	setup.exe
1712	Synaptics.exe
1712	Synaptics.exe
2144	setup.exe
2144	setup.exe
2144	setup.exe
2144	setup.exe
2144	setup.exe
2144	setup.exe
1020	._cache_Synaptics.exe
2144	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1688	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	EXCEL.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 1176 wrote to memory of 3064	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	29
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 3064 wrote to memory of 2144	3064	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	30
PID 1176 wrote to memory of 1712	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	31
PID 1176 wrote to memory of 1712	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	31
PID 1176 wrote to memory of 1712	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	31
PID 1176 wrote to memory of 1712	1176	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	31
PID 2144 wrote to memory of 1072	2144	setup.exe	33
PID 2144 wrote to memory of 1072	2144	setup.exe	33
PID 2144 wrote to memory of 1072	2144	setup.exe	33
PID 2144 wrote to memory of 1072	2144	setup.exe	33
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 1712 wrote to memory of 1020	1712	Synaptics.exe	32
PID 2144 wrote to memory of 756	2144	setup.exe	34
PID 2144 wrote to memory of 756	2144	setup.exe	34
PID 2144 wrote to memory of 756	2144	setup.exe	34
PID 2144 wrote to memory of 756	2144	setup.exe	34
PID 2144 wrote to memory of 2536	2144	setup.exe	35
PID 2144 wrote to memory of 2536	2144	setup.exe	35
PID 2144 wrote to memory of 2536	2144	setup.exe	35
PID 2144 wrote to memory of 2536	2144	setup.exe	35
PID 2144 wrote to memory of 2136	2144	setup.exe	36
PID 2144 wrote to memory of 2136	2144	setup.exe	36
PID 2144 wrote to memory of 2136	2144	setup.exe	36
PID 2144 wrote to memory of 2136	2144	setup.exe	36
PID 2144 wrote to memory of 2436	2144	setup.exe	37
PID 2144 wrote to memory of 2436	2144	setup.exe	37
PID 2144 wrote to memory of 2436	2144	setup.exe	37
PID 2144 wrote to memory of 2436	2144	setup.exe	37
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 1020 wrote to memory of 1468	1020	._cache_Synaptics.exe	38
PID 2144 wrote to memory of 1968	2144	setup.exe	39
PID 2144 wrote to memory of 1968	2144	setup.exe	39
PID 2144 wrote to memory of 1968	2144	setup.exe	39
PID 2144 wrote to memory of 1968	2144	setup.exe	39

C:\Users\Admin\AppData\Local\Temp\2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\setup.exe
    C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\setup.exe -package:"C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{88DBE84C-174D-4042-B1BA-450554823E80}
      4⤵
      Executes dropped EXE
      PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FD754B52-9C17-46A0-B449-D809990C6D1D}
      4⤵
      Executes dropped EXE
      PID:756
  - - C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE969BF9-E2D9-4CB5-AFFC-C6977DAE7969}
      4⤵
      Executes dropped EXE
      PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B9B6E34-9474-4EB8-A87F-02636B752BBC}
      4⤵
      Executes dropped EXE
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8525695-38CE-4CE4-9056-1E6AFA454143}
      4⤵
      Executes dropped EXE
      PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2F307E5-C3E9-48FF-94E7-D73F18529C1F}
      4⤵
      Executes dropped EXE
      PID:1968
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\{4AA21ED0-F0DC-4453-A5E4-BE91F13C0B4E}\setup.exe
      C:\Users\Admin\AppData\Local\Temp\{4AA21ED0-F0DC-4453-A5E4-BE91F13C0B4E}\setup.exe InjUpdate -package:"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{4AA21ED0-F0DC-4453-A5E4-BE91F13C0B4E}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{4AA21ED0-F0DC-4453-A5E4-BE91F13C0B4E}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{4AA21ED0-F0DC-4453-A5E4-BE91F13C0B4E}\Disk1\setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1468

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.1MB

MD5
d3598f91b2ac9b50fc4ab79d984c289b

SHA1
b11ce902780e0b06f080b147f1ea6abea7728881

SHA256
aec08458d6c65f48f62b1cbf2d06d8b8fa613cc11eb65bee6987046559f35ed8

SHA512
c5bec3a8afe3414fbc2f7ea3939b165cf5ab3b768ed068988896b3b2be74cb8f6909932061796edc17e9f5dc07a71f5e667691b564e7804c5559601a0522f980

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21pNmQz.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21pNmQz.xlsm

Filesize
25KB

MD5
98430ab656e2f3d619cf048ac00ca578

SHA1
8311f396bbf3308d76accfc0533b32a80696ffe7

SHA256
c3d10cbb17856041aaceaabfb35b8b466910bfd71877edbed116a24ab618800c

SHA512
eaf11300cac412049a953910a6163b8c39e9a6d2fbaa2cd859b2305d3f91478eae68b2a4af0ab25e3e1e4abe25a9fc71e09328879554ce0565bb363772881613

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21pNmQz.xlsm

Filesize
28KB

MD5
38c65c03224ffb74ce9e442ad13ff9a7

SHA1
fb764894adecee0f0b53e5206f52334398921955

SHA256
bd50f0e61f09a84d3693a9765bfc5b8fcdd8054c784b07adb379dc39eadd4f38

SHA512
1ae483aea469bdcfed369b8a8b258cf475866fb1123af8879ba021ec941d34e5d986f98d2ece37c17c66f0e3731f7a5ee0a7147a1562404140e55961f28cd189

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21pNmQz.xlsm

Filesize
28KB

MD5
276181febff7b489604acb616aeae60a

SHA1
92cff0436f8d731fd40493d57c7f9b7b9e77947f

SHA256
3512d0b88a7375274ac68b64004ab2faf829cfb5cc891e76657c25037b2b64ec

SHA512
13850579ed0eca239019dfc2e05275025770bd949d97ea447f6f8bdc46e020fda15d9d44f0a96355a3a48f560c72d9e518aee357a3ffa19b4b0827db19107e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21pNmQz.xlsm

Filesize
30KB

MD5
698047ed14f042e7725c5e73c56455c0

SHA1
7ed50248b349d5b54fe024a881077064740efbcb

SHA256
41ad56e966054660c911b84a19a30eccb1162441ea8f68faa8662ef551eac77a

SHA512
1e0c15300f728987b2b37823e552783b26725c3fbe5e38dab1d50aa91b00ce40ebe24a975e116832dbb042cbf4936e32128ef5f456eecde17b0fef62651979c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21pNmQz.xlsm

Filesize
27KB

MD5
04f38f15eb2f47a72d594a0e7cadcb14

SHA1
674724055c5b4d08ac29771666d5fea5e0ed65ea

SHA256
222232b79b524530d436a9669a94b8ef3d16d8ae3836cd7d1fbf5ec1844bf73c

SHA512
bed1de1891a1274b56e5fef0ac3018212c858bcf6a6d7c6be47fbd813e8f710a0fcfdd30e200458e7179febaefd5f454f638aab6683657fe59eb502d6fafc62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\ISBEW64.exe

Filesize
177KB

MD5
8a1e5a6b1c4e0c7d706eb2b36fa6c8ea

SHA1
49199a62de0eda485b5287bad469f92ad8ebd407

SHA256
4104fde5404bfb3c5347b8ecdaec89a2e746b1162dc75186bc79738805818c0a

SHA512
1393bd6c06c30df7414494e5b06242445eb8afdf5467c6a5e875f2c63506b0b581322b6444c6d8f06b39aa5b04d1c55a631ccf932dc6d5043296dd3ed3cd9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\FontData.ini

Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\_isuser_0x0409.dll

Filesize
968KB

MD5
42e6c4a0d3fc291bf3f01b666bf587db

SHA1
6be7b99dae48fafd25bb929ae26dfafbffee096b

SHA256
b9a2a3e9061a7c6e8ab5811cb93abb0358e3df2c882530be98b824b71ce17f6d

SHA512
27b151d3b9637e9d8402ab406a3fb21e9dfb4d6c8aff429ef2059ea16cb3eb314f510660cad45eae4dff7ec76d9be16594c19514ac52bf445e000926d70fef2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\isrt.dll

Filesize
422KB

MD5
67b3328f3cc34596ec941dda8574f606

SHA1
219a67104a18f71c0ccb7b9d73f435d76e44f584

SHA256
cb80bfdd8263bb9aff04bdc7d6be71ad09800895b616223d8f97048aa0a506f7

SHA512
5e81fac5a4e48353bdd0a60e8882b4b51a79298124d9fe8235940643bf2e4bfb13a881841a69dc479e1658cd42c6772c76a761cc2be8342122e53460357c5091

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\0x0409.ini

Filesize
21KB

MD5
8586214463bd73e1c2716113e5bd3e13

SHA1
f02e3a76fd177964a846d4aa0a23f738178db2be

SHA256
089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

SHA512
309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\ISSetup.dll

Filesize
788KB

MD5
1c14194bd13d114f8507cc6fa28eb1d1

SHA1
baf3d92a549ec7a419ddc697dafea8282b577960

SHA256
ea231c7a836a666d57752fcb0d50128a9292f7162433ed13a64a0a733c7b46f7

SHA512
b5e4e4b7075ec52a083903b0e96ba6e9901b7f0080eb93f9b2cad0d268c3302c437fd63ee49085fa0819bbd323b872f2b55116f3bd8cf9bb8ff19bcff99b4220

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\data1.cab

Filesize
2.0MB

MD5
3f6c14ddde377b537eb7db19670fb3a9

SHA1
4e1aa09b1460644a97f6e35b13abe41c56c4fa9d

SHA256
7e37cb453c1dc21b36309459c818a447e10d01ae486353726ee85d3ef53c49b4

SHA512
b01e268ebc2f708b51cea635fe9e8b4bc2e7c7f8fcfc7e44648e9bdffa2c0efcb5e9e4bbad4587645ba1d4caf078b83366cb9d0891516b8e6b47891774d6b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\data1.hdr

Filesize
12KB

MD5
b2dc83da67807e9eeeebc37f1dda488f

SHA1
536460cba50fd5bb718354911b0941ac9d1d78b7

SHA256
88923f58734b4aa924f586e48ceb3f0792290ebf986ba4322732a38be422abec

SHA512
bcfc43df3b23d0d2d4c15e7be061012bc7812cf63e98db566d719d73041dba20b82171f01365c96426201c186cea6ebebce572363bf4a954de46083d162fa9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\layout.bin

Filesize
550B

MD5
01afef378eeb930d1f5f486ca40f3b66

SHA1
4a5b7bd54a58e920e95fbbe80ff2c316c4cdbc06

SHA256
2a1c8858a63ae79995fef03a0abe7fdbcf368a53d81e0a41e276c7b9ea949a02

SHA512
f066fcc024407eb96fc4ea8ddfb85c2c4448c9e723863108e588526b3bdba9792c1c24b59fac244ecf18fe739f0bd27f3843f30cd4de1ccbcd397f5ae5b6b246

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\Disk1\setup.inx

Filesize
229KB

MD5
4990595c81aeaf50f32c5681fbfe4608

SHA1
18c6bb6dc5913e7fcbaf1e2612ecdb59db2b93ac

SHA256
531ade9f6105d5ef1ca0add9cad64fb1025180a6767bb6e30bcdcaddc99b07b8

SHA512
c0ff23670388ca9eed4224368d8eb4c1b2f688fb1cdb25a7ced5dae584088ca5933f181d548c1c876c590c8f0e81d4dcd7c7133bfa84b7bc781ef4b01c11cb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\setup.exe

Filesize
1.2MB

MD5
2c0b1c504d9f05c8423259649681e886

SHA1
d80584711d9c048ca4f0b8680363977fd80022d2

SHA256
365466c2d0e39c68cca25dea949e52cb4cf32ff1658763f22cd807b64a8ed7b0

SHA512
daab508ab804123d8dc09fa69be9b05848590b58a31ebb99a63011051eab476ef09a50902afccf6d312875e1ec9b796e02d012cebab15e0202a5bc364c32830c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4C15416-D48A-4D06-A2E3-4AF038D90AB5}\setup.ini

Filesize
2KB

MD5
d15600b0ad28b582c04bda4b5ea78a28

SHA1
460f5f77b80b0aa1b996f1e99e433796732a630e

SHA256
578cca02a20d215086110b7c16bcae3e94186a3267506603aed2398e18eb20ad

SHA512
755b0080e378a48ae02d406688f51f5c6ce4ccb530ae0d8a8367806e140040d82b4827fb2d0175f63bbc3a43aa23a5e9b7125c93867bbba8be779722296b4c60

Download Submit
C:\Users\Admin\Desktop\~$GrantSync.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe

Filesize
5.3MB

MD5
7e90f1980f7ad185b3e672ca4daedeb0

SHA1
80e2516963e6bccde1722ce1b7ca225d58f04f66

SHA256
720375b8d6ce0a58fc4e64398af8acdc4c5e611171fbd60a1b3f0475ae91510f

SHA512
c937879c27ebac8dbad2c7663ea82de275e4a0ef62b83fcc2dca35d4fdef47b638ecc8e70513588a51861ef6c2ddcd600df497d7d56f3391cc5be90cba5b061b

Download Submit
\Users\Admin\AppData\Local\Temp\{A9BE803C-4661-4458-BFB0-6A28D6F395CF}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\_isres_0x0409.dll

Filesize
1.8MB

MD5
a05838872c391e729b414d2b15083983

SHA1
027038259b7c4bfe0066b6f5635e416efbd84157

SHA256
a7c7db8ce84441df150ee880e5bde9c17bc7c85dc87a61b1760738eceb61ad52

SHA512
0b13d56945a381dcfd453e9d21d62b030007d24b89fa6f7eaf75d62ca80f7c7fe1842a44d9deb25e286ac8fb1fe7c3567666c1e116c96dfd641b56e99262125a

Download Submit
memory/1176-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1176-58-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1688-200-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1712-277-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1712-310-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1712-350-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2144-252-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/2144-253-0x0000000003840000-0x0000000003952000-memory.dmp

Filesize
1.1MB

Download
memory/2144-49-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/2144-132-0x0000000003AA0000-0x0000000003C67000-memory.dmp

Filesize
1.8MB

Download
memory/2144-128-0x0000000003840000-0x0000000003952000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads