| File name: | Links Grabber By Mf4Tn [zone-h] v3.exe |
| Full analysis: | https://app.any.run/tasks/4eeff70f-e503-4043-acb7-8d70142a01d7 |
| Verdict: | Malicious activity |
| Analysis date: | November 20, 2023, 18:50:26 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | D1C72B5A269D93880A5501134FDFFD4E |
| SHA1: | 1D1CD31B2F4BB7B883E03E7980F0F519D6B2A412 |
| SHA256: | 3C5792B0162130D23F6FC52E386EB9A20AA018A9EE5B11D03FAE12F48798E209 |
| SSDEEP: | 12288:5fr6yyvRmgJhXRBedZ2Ch0h1Jpl2z8Zn6XK//boNHdMF:5fr6yyvRDBedZ76h13l9n66//boN |
MALICIOUS
Drops the executable file immediately after the start
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
- Setup.exe (PID: 3216)
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
REVENGERAT has been detected (YARA)
- explorer.exe (PID: 3852)
SUSPICIOUS
Reads the Internet Settings
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
- Setup.exe (PID: 3216)
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
Process drops legitimate windows executable
- Setup.exe (PID: 3216)
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
The process creates files with name similar to system file names
- Setup.exe (PID: 3216)
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
Reads settings of System Certificates
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
Connects to unusual port
- explorer.exe (PID: 3852)
INFO
Create files in a temporary directory
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
- svchost.exe (PID: 3500)
Reads the machine GUID from the registry
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
- Setup.exe (PID: 3484)
- svchost.exe (PID: 3500)
- wmpnscfg.exe (PID: 3632)
- explorer.exe (PID: 3852)
- Setup.exe (PID: 3216)
Creates files or folders in the user directory
- Setup.exe (PID: 3216)
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
Checks supported languages
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
- Setup.exe (PID: 3484)
- svchost.exe (PID: 3500)
- wmpnscfg.exe (PID: 3632)
- explorer.exe (PID: 3852)
- Links Grabber By Mf4Tn .exe (PID: 2928)
- Setup.exe (PID: 3216)
Reads the computer name
- Links Grabber By Mf4Tn [zone-h] v3.exe (PID: 3448)
- Links Grabber By Mf4Tn .exe (PID: 2928)
- Setup.exe (PID: 3216)
- Setup.exe (PID: 3484)
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
- wmpnscfg.exe (PID: 3632)
Reads Environment values
- svchost.exe (PID: 3500)
- explorer.exe (PID: 3852)
Manual execution by a user
- wmpnscfg.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RevengeRat
(PID) Process(3852) explorer.exe
C2 (1)blog.capeturk.com
Ports (1)1111
BotnetNYAN-CAT
Options
MutexRV_MUTEX-FZMONFueOciq
Splitter*-]NK[-*
KeyRevenge-RAT
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (49) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (20.9) |
| .exe | | | Win64 Executable (generic) (18.5) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.4) |
| .exe | | | Win32 Executable (generic) (3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:03:22 18:41:51+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 561664 |
| InitializedDataSize: | 9728 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x8b00e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | Links Grabber From Notifiers By Mf4Tn [zone-h] |
| FileDescription: | Links Grabber From Notifiers By Mf4Tn [zone-h] |
| FileVersion: | 1.0.0.0 |
| InternalName: | Links Grabber By Mf4Tn.exe |
| LegalCopyright: | Copyright © 2021 |
| OriginalFileName: | Links Grabber By Mf4Tn.exe |
| ProductName: | Links Grabber From Notifiers By Mf4Tn [zone-h] |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
40
Monitored processes
7
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2928 | "C:\Users\admin\AppData\Local\Temp\Links Grabber By Mf4Tn .exe" | C:\Users\admin\AppData\Local\Temp\Links Grabber By Mf4Tn .exe | — | Links Grabber By Mf4Tn [zone-h] v3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Links Grabber From Notifiers By Mf4Tn [zone-h] Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3216 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | — | Links Grabber By Mf4Tn [zone-h] v3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 8.1.1.7900 Modules
| |||||||||||||||
| 3448 | "C:\Users\admin\AppData\Local\Temp\Links Grabber By Mf4Tn [zone-h] v3.exe" | C:\Users\admin\AppData\Local\Temp\Links Grabber By Mf4Tn [zone-h] v3.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Links Grabber From Notifiers By Mf4Tn [zone-h] Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3484 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | — | Links Grabber By Mf4Tn [zone-h] v3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 8.1.1.7900 Modules
| |||||||||||||||
| 3500 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | Setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 8.1.1.7900 Modules
| |||||||||||||||
| 3632 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3852 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 Modules
RevengeRat(PID) Process(3852) explorer.exe C2 (1)blog.capeturk.com Ports (1)1111 BotnetNYAN-CAT Options MutexRV_MUTEX-FZMONFueOciq Splitter*-]NK[-* KeyRevenge-RAT | |||||||||||||||
Total events
9 105
Read events
9 055
Write events
47
Delete events
3
Modification events
| (PID) Process: | (3448) Links Grabber By Mf4Tn [zone-h] v3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3448) Links Grabber By Mf4Tn [zone-h] v3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3448) Links Grabber By Mf4Tn [zone-h] v3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3448) Links Grabber By Mf4Tn [zone-h] v3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3216) Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3216) Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3216) Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3216) Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3500) svchost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17C\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3632) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{E6872B56-56B3-4957-A90B-CC9F128761A0}\{FDB4D7E0-E6EB-4A14-88C4-BA00DF3ECFF0} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
5
Suspicious files
2
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3448 | Links Grabber By Mf4Tn [zone-h] v3.exe | C:\Users\admin\AppData\Local\Temp\Setup.exe | executable | |
MD5:ADA0CBC54989B2CD2959601C7A5B8499 | SHA256:A19B89DDC700357E618934775FD1A412401B308A9EF6AE686D3F363622065C96 | |||
| 3216 | Setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | executable | |
MD5:1303779B354738A8C93CC522FFB21F11 | SHA256:0A8E2FCC8C6393D2E97E6129E862A877A420A54F2530B4AF5EB7F8E2A7A30AF5 | |||
| 3500 | svchost.exe | C:\Users\admin\AppData\Local\Temp\explorer.txt | text | |
MD5:1CD7A82119E0A67CA582A5E856CB329E | SHA256:428E07A62627D104AD1B74601ED82A69B62307EC4979DB4C0FFCC09ED72F95FB | |||
| 3500 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip | compressed | |
MD5:16CB5ACBD98B4C702C84B124C409B893 | SHA256:E16BC115E85227FAE1D9CE8D58F412632BFB0EFA07E1F7C627CECA4A9A72DAB9 | |||
| 3448 | Links Grabber By Mf4Tn [zone-h] v3.exe | C:\Users\admin\AppData\Local\Temp\Links Grabber By Mf4Tn .exe | executable | |
MD5:52B8A584FA6DF999FEAC0A2DF6C4DF9E | SHA256:F8BCED63E388F43D1A3F0FF624DC71A0DBBDAE02257B6AB0BA30BAE442D0C33C | |||
| 3216 | Setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip | compressed | |
MD5:C623F9DDCC137107C0AF3CB33F4E94F7 | SHA256:25F65A78D544273B3FA0D67A3243319DC91BCF0EB4019A64D313D2187F274DB6 | |||
| 3852 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\explorer.exe | executable | |
MD5:8E3D99E6A1064F89744CCB24DC6802BB | SHA256:D21A23FFBDFE1BF8232A132B559C99B37F5825D816F83370684E67988B3162A8 | |||
| 3500 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | executable | |
MD5:8E3D99E6A1064F89744CCB24DC6802BB | SHA256:D21A23FFBDFE1BF8232A132B559C99B37F5825D816F83370684E67988B3162A8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
12
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3500 | svchost.exe | HEAD | 200 | 107.180.41.239:80 | http://capeturk.com/5/explorer.txt | unknown | — | — | unknown |
3500 | svchost.exe | GET | 200 | 107.180.41.239:80 | http://capeturk.com/5/explorer.txt | unknown | text | 49 b | unknown |
3500 | svchost.exe | GET | 200 | 107.180.41.239:80 | http://capeturk.com/5/explorer.txt | unknown | text | 49 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3500 | svchost.exe | 107.180.41.239:80 | capeturk.com | AS-26496-GO-DADDY-COM-LLC | US | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3500 | svchost.exe | 142.250.185.225:443 | aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com | GOOGLE | US | whitelisted |
3852 | explorer.exe | 142.250.185.225:443 | aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com | GOOGLE | US | whitelisted |
868 | svchost.exe | 95.101.148.135:80 | — | Akamai International B.V. | NL | unknown |
3852 | explorer.exe | 103.190.107.26:1111 | blog.capeturk.com | HTTVSERVER TECHNOLOGY COMPANY LIMITED | VN | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
868 | svchost.exe | 23.218.208.137:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
capeturk.com |
| whitelisted |
aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com |
| unknown |
blog.capeturk.com |
| malicious |
armmf.adobe.com |
| whitelisted |