remcos | cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25

Analysis

max time kernel
4s
max time network
0s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
Size

372KB
MD5

64cb67dfd7cf1af076ac36a20b513937
SHA1

df91c11bc8e7c8af20600df81cf12f6d965d12da
SHA256

cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25
SHA512

fa802ac5b8697f5db018e0182b920f50a6b54ac40559d9ffe1873cf7c482ab6ef31b19a7f5247b7265d3018ed9bd468a894ea4218a6b35bc723b4aa1b4a460e9
SSDEEP

6144:tLdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiKe:tBqQx+H2i+8LBNbdypazCXY0

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 8 IoCs

pid	Process
3044	hab.exe
2680	hab.exe
2536	remcos.exe
2612	remcos.exe
2996	hab.exe
1560	hab.exe
2844	remcos.exe
2624	remcos.exe

Loads dropped DLL 10 IoCs

pid	Process
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
3044	hab.exe
2704	cmd.exe
2704	cmd.exe
2612	remcos.exe
2612	remcos.exe
2996	hab.exe
1612	cmd.exe
1612	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 824	2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	31
PID 3044 set thread context of 2680	3044	hab.exe	33
PID 2536 set thread context of 2612	2536	remcos.exe	38
PID 2996 set thread context of 1560	2996	hab.exe	40
PID 2844 set thread context of 2624	2844	remcos.exe	45

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
File opened for modification	C:\Windows\win.ini	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
3044	hab.exe
3044	hab.exe
2680	hab.exe
2680	hab.exe
2536	remcos.exe
2536	remcos.exe
2612	remcos.exe
2612	remcos.exe
2996	hab.exe
2996	hab.exe
1560	hab.exe
1560	hab.exe
2844	remcos.exe
2844	remcos.exe
2624	remcos.exe
2624	remcos.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
3044	hab.exe
3044	hab.exe
2680	hab.exe
2680	hab.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
3044	hab.exe
2680	hab.exe
2536	remcos.exe
2612	remcos.exe
2996	hab.exe
1560	hab.exe
2844	remcos.exe
2624	remcos.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 824	2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	31
PID 2488 wrote to memory of 824	2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	31
PID 2488 wrote to memory of 824	2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	31
PID 2488 wrote to memory of 824	2488	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	31
PID 824 wrote to memory of 3044	824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	32
PID 824 wrote to memory of 3044	824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	32
PID 824 wrote to memory of 3044	824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	32
PID 824 wrote to memory of 3044	824	cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe	32
PID 3044 wrote to memory of 2680	3044	hab.exe	33
PID 3044 wrote to memory of 2680	3044	hab.exe	33
PID 3044 wrote to memory of 2680	3044	hab.exe	33
PID 3044 wrote to memory of 2680	3044	hab.exe	33
PID 2680 wrote to memory of 2696	2680	hab.exe	34
PID 2680 wrote to memory of 2696	2680	hab.exe	34
PID 2680 wrote to memory of 2696	2680	hab.exe	34
PID 2680 wrote to memory of 2696	2680	hab.exe	34
PID 2696 wrote to memory of 2704	2696	WScript.exe	35
PID 2696 wrote to memory of 2704	2696	WScript.exe	35
PID 2696 wrote to memory of 2704	2696	WScript.exe	35
PID 2696 wrote to memory of 2704	2696	WScript.exe	35
PID 2704 wrote to memory of 2536	2704	cmd.exe	37
PID 2704 wrote to memory of 2536	2704	cmd.exe	37
PID 2704 wrote to memory of 2536	2704	cmd.exe	37
PID 2704 wrote to memory of 2536	2704	cmd.exe	37
PID 2536 wrote to memory of 2612	2536	remcos.exe	38
PID 2536 wrote to memory of 2612	2536	remcos.exe	38
PID 2536 wrote to memory of 2612	2536	remcos.exe	38
PID 2536 wrote to memory of 2612	2536	remcos.exe	38
PID 2612 wrote to memory of 2996	2612	remcos.exe	39
PID 2612 wrote to memory of 2996	2612	remcos.exe	39
PID 2612 wrote to memory of 2996	2612	remcos.exe	39
PID 2612 wrote to memory of 2996	2612	remcos.exe	39
PID 2996 wrote to memory of 1560	2996	hab.exe	40
PID 2996 wrote to memory of 1560	2996	hab.exe	40
PID 2996 wrote to memory of 1560	2996	hab.exe	40
PID 2996 wrote to memory of 1560	2996	hab.exe	40
PID 1560 wrote to memory of 1440	1560	hab.exe	41
PID 1560 wrote to memory of 1440	1560	hab.exe	41
PID 1560 wrote to memory of 1440	1560	hab.exe	41
PID 1560 wrote to memory of 1440	1560	hab.exe	41
PID 1440 wrote to memory of 1612	1440	WScript.exe	42
PID 1440 wrote to memory of 1612	1440	WScript.exe	42
PID 1440 wrote to memory of 1612	1440	WScript.exe	42
PID 1440 wrote to memory of 1612	1440	WScript.exe	42
PID 1612 wrote to memory of 2844	1612	cmd.exe	44
PID 1612 wrote to memory of 2844	1612	cmd.exe	44
PID 1612 wrote to memory of 2844	1612	cmd.exe	44
PID 1612 wrote to memory of 2844	1612	cmd.exe	44
PID 2844 wrote to memory of 2624	2844	remcos.exe	45
PID 2844 wrote to memory of 2624	2844	remcos.exe	45
PID 2844 wrote to memory of 2624	2844	remcos.exe	45
PID 2844 wrote to memory of 2624	2844	remcos.exe	45

C:\Users\Admin\AppData\Local\Temp\cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
"C:\Users\Admin\AppData\Local\Temp\cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe
  "C:\Users\Admin\AppData\Local\Temp\cf5e4e04eae3874b23bcf6ca6f39442717c5599a749b0f558b6420ec25230a25.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        15⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        16⤵
        
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
0ce007cd88f8259d016d2002627efdd1

SHA1
940b721353f939ff322efd2388a535d6b7b3667a

SHA256
e3fbc3c9bf776df8ebfd6a8e0473f64f93ca4db43aa93f7b59e145ba94da9ac5

SHA512
5a76c9816186a72debf3023022b3350b9322cd8b0ca4b91cd00ed7b80f27fac1b9dc2c84eba8a32f8c54dc2cc0524716e647eecca9037210d98a8b95cf9c14ec

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
c296576d66b3f04ccaa55c195b9b2d77

SHA1
e47e19e06e95ef2cc134a0f694384ce9d018018a

SHA256
8faa151aba9cdbfc7744c17d4f23cc21ceb7aa489ba02c749ce7babd7f02c748

SHA512
ad7f3d4ea77ecf01ba8d32d70618be51630adb07733345b6f7bb2f96f9af962a5efc0be55291dd213433f143c02bbb89eccca57370c77828c542be6b7055502a

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
efbab0a76c9d120b30a03968f8bb0ba2

SHA1
ac706784015092fb703c543f37b4c7644ace964d

SHA256
0116765ec2d75a891025706a1db2833291592238c69d9f51a2fa5236ae854407

SHA512
ec291485b81b3cc80acc00c4e40055f77f2b50f39be4ffc2124f17b14ed0c90789b8e154966a3ec1e403c214f283cb146156b1296593fd83ca4c6b4d4910e600

Download Submit
memory/824-14-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/1560-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1560-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2488-12-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/2488-2-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/2488-13-0x0000000077460000-0x0000000077536000-memory.dmp

Filesize
856KB

Download
memory/2488-5-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2488-4-0x0000000077271000-0x0000000077372000-memory.dmp

Filesize
1.0MB

Download
memory/2680-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-36-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads