Analysis
-
max time kernel
598s -
max time network
601s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
arch:x64 arch:x86 image:win10ltsc2021-20250314-en locale:en-us os:windows10-ltsc_2021-x64 system -
submitted
27/03/2025, 19:48
Behavioral task
behavioral1
Sample
webrat.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
webrat.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral3
Sample
webrat.exe
Resource
win11-20250313-en
General
-
Target
webrat.exe
-
Size
3.1MB
-
MD5
1c3b8bd025d5b9663dd0e02d3405e0df
-
SHA1
92b07502328992e7fc21a11fac39f93cceffeb22
-
SHA256
18c5e65e4b9da90324c170b3f5f20a1dc8c818b38dcde6b146c3af1f423def3f
-
SHA512
a49523270de2a235aedbd1698d01a70f6d4967e06287e8b8630b1b11758bdb56507fc066d6d404e850e60c6fd9ef2cb075fa3d7085bc24ce9b946d306ff396cb
-
SSDEEP
49152:zRlpygxOgF2Kxw/EnMr+NQdiFyBEQhJHZRPsy4jFwlBJm+/D9cEmbvvF:VlpyWOXKxw8n8/gMBEQ3sTAtRObv
Malware Config
Signatures
-
Detect SalatStealer payload 64 IoCs
-
Salatstealer family
-
salatstealer
SalatStealer is a stealer written in Golang that takes screenshots.
-
Executes dropped EXE 9 IoCs
pid Process
4524 wininit.exe
2728 wininit.exe
612 csrss.exe
2752 wininit.exe
1824 csrss.exe
1520 wininit.exe
4740 wininit.exe
3248 wininit.exe
3372 csrss.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Portable Devices\72c1fad3-0cac-7bb7-52ad-ecfdb2acd30c webrat.exe
File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe webrat.exe
File opened for modification C:\Program Files (x86)\Windows Portable Devices\csrss.exe webrat.exe
File created C:\Program Files\Google\Chrome\Application\wininit.exe wininit.exe
-
pid Process 4868 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language webrat.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
-
Modifies system certificate store 2 TTPs 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 wininit.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob omitted) wininit.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob omitted) wininit.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid Process 3384 webrat.exe 3384 webrat.exe 3384 webrat.exe 3384 webrat.exe 4524 wininit.exe 4524 wininit.exe 2728 wininit.exe 2728 wininit.exe 612 csrss.exe 612 csrss.exe 2752 wininit.exe 2752 wininit.exe 1824 csrss.exe 1824 csrss.exe 4524 wininit.exe 4524 wininit.exe 1520 wininit.exe 1520 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4524 wininit.exe 4740 wininit.exe 4740 wininit.exe 4524 wininit.exe 4524 wininit.exe 4868 powershell.exe 4868 powershell.exe 3164 powershell.exe 3164 powershell.exe 3248 wininit.exe 3248 wininit.exe 3372 csrss.exe 3372 csrss.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
4524 wininit.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 4868 powershell.exe
Token: SeDebugPrivilege 3164 powershell.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 3384 wrote to memory of 4524 3384 webrat.exe 81
PID 3384 wrote to memory of 4524 3384 webrat.exe 81
PID 3384 wrote to memory of 4524 3384 webrat.exe 81
PID 4524 wrote to memory of 1520 4524 wininit.exe 94
PID 4524 wrote to memory of 1520 4524 wininit.exe 94
PID 4524 wrote to memory of 1520 4524 wininit.exe 94
PID 4524 wrote to memory of 4740 4524 wininit.exe 100
PID 4524 wrote to memory of 4740 4524 wininit.exe 100
PID 4524 wrote to memory of 4740 4524 wininit.exe 100
PID 4524 wrote to memory of 4868 4524 wininit.exe 102
PID 4524 wrote to memory of 4868 4524 wininit.exe 102
PID 4524 wrote to memory of 4868 4524 wininit.exe 102
PID 4524 wrote to memory of 3164 4524 wininit.exe 104
PID 4524 wrote to memory of 3164 4524 wininit.exe 104
PID 4524 wrote to memory of 3164 4524 wininit.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\webrat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\webrat.exe" (level 1)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe
Command line: C:\Users\Admin\AppData\Local\Microsoft\wininit.exe (level 2)
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Program Files\Google\Chrome\Application\wininit.exe
Command line: "C:\Program Files\Google\Chrome\Application\wininit.exe" - (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1520
-
-
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe
Command line: C:\Users\Admin\AppData\Local\Microsoft\wininit.exe - (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4740
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoExit "[console]::InputEncoding = [console]::OutputEncoding = New-Object System.Text.UTF8Encoding" (level 3)
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe (level 3)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe
Command line: "C:\Users\Admin\AppData\Local\Microsoft\wininit.exe" (level 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2728
-
C:\Program Files (x86)\Windows Portable Devices\csrss.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\csrss.exe" (level 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:612
-
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe
Command line: "C:\Users\Admin\AppData\Local\Microsoft\wininit.exe" (level 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2752
-
C:\Program Files (x86)\Windows Portable Devices\csrss.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\csrss.exe" (level 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1824
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe" (level 1)
PID:2028
-
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe
Command line: "C:\Users\Admin\AppData\Local\Microsoft\wininit.exe" (level 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3248
-
C:\Program Files (x86)\Windows Portable Devices\csrss.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\csrss.exe" (level 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3372
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry 1
Subvert Trust Controls 1
Install Root Certificate 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 4
Credentials In Files 4
Downloads
-
Filesize
54KB
MD5 27c8ea3b2416e619df13f1abffc15cfc
SHA1 0b05a924a6d7c81ab910bc05d5cf91c2afaf2197
SHA256 989fed38c9051215c36cad29b4c6df8d5583bdfd35d693431679afd2d709d329
SHA512 ed053ff191f142d52865e6d42b3ab2e60fef7d5693d2a9087f1a22632ada8af5fd23ddd98b0043f499f2d9fa324e292b79ff0ca5ba69e6048f7a74c4f4dbae03
-
Filesize
3.1MB
MD5 1c3b8bd025d5b9663dd0e02d3405e0df
SHA1 92b07502328992e7fc21a11fac39f93cceffeb22
SHA256 18c5e65e4b9da90324c170b3f5f20a1dc8c818b38dcde6b146c3af1f423def3f
SHA512 a49523270de2a235aedbd1698d01a70f6d4967e06287e8b8630b1b11758bdb56507fc066d6d404e850e60c6fd9ef2cb075fa3d7085bc24ce9b946d306ff396cb
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82