Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Stub_CashRAT.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub_CashRAT.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stub_CashRAT.exe.log
|
CSV text
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 5 23:47:24 2024, atime=Wed Sep 27 04:28:28
2023, length=1210144, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 5 23:47:24 2024, atime=Wed Sep 27 04:28:28
2023, length=1210144, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28
2023, length=1210144, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 5 23:47:24 2024, atime=Wed Sep 27 04:28:28
2023, length=1210144, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 5 23:47:24 2024, atime=Wed Sep 27 04:28:28
2023, length=1210144, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 5 23:47:24 2024, atime=Wed Sep 27 04:28:28
2023, length=1210144, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub_CashRAT.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
modified
|
||
|
Chrome Cache Entry: 67
|
ASCII text, with very long lines (2294)
|
downloaded
|
||
|
Chrome Cache Entry: 68
|
ASCII text, with very long lines (4791)
|
downloaded
|
||
|
Chrome Cache Entry: 69
|
ASCII text
|
downloaded
|
||
|
Chrome Cache Entry: 70
|
ASCII text, with very long lines (3572), with no line terminators
|
downloaded
|
||
|
Chrome Cache Entry: 71
|
ASCII text, with very long lines (65531)
|
downloaded
|
||
|
Chrome Cache Entry: 72
|
SVG Scalable Vector Graphics image
|
downloaded
|
||
|
Chrome Cache Entry: 73
|
ASCII text, with very long lines (2124)
|
downloaded
|
There are 7 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\Stub_CashRAT.exe
|
"C:\Users\user\Desktop\Stub_CashRAT.exe"
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub_CashRAT.exe
|
"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub_CashRAT.exe"
|
|
|
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
|
||
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
--service-sandbox-type=none --mojo-platform-channel-handle=2512 --field-trial-handle=2440,i,14958717023853122591,14025612515888188782,262144
--disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction
/prefetch:8
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://www.google.com/async/ddljson?async=ntp:2
|
192.178.50.68
|
||
|
https://play.google.com/log?format=json&hasfast=true
|
unknown
|
||
|
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
|
192.178.50.68
|
||
|
http://www.broofa.com
|
unknown
|
||
|
https://csp.withgoogle.com/csp/lcreport/
|
unknown
|
||
|
http://www.google.com/bot.html)
|
unknown
|
||
|
https://www.google.com/async/newtab_promos
|
192.178.50.68
|
||
|
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
|
192.178.50.68
|
||
|
https://apis.google.com
|
unknown
|
||
|
http://www.googlebot.com/bot.html)
|
unknown
|
||
|
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
|
unknown
|
||
|
https://domains.google.com/suggest/flow
|
unknown
|
||
|
https://clients6.google.com
|
unknown
|
||
|
https://plus.google.com
|
unknown
|
There are 4 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
plus.l.google.com
|
142.250.217.174
|
||
|
www.google.com
|
192.178.50.68
|
||
|
apis.google.com
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
192.178.50.68
|
www.google.com
|
United States
|
||
|
239.255.255.250
|
unknown
|
Reserved
|
||
|
127.0.0.1
|
unknown
|
unknown
|
||
|
192.168.2.5
|
unknown
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
962000
|
unkown
|
page readonly
|
|
|
|
EAA000
|
heap
|
page read and write
|
||
|
9C0000
|
unkown
|
page readonly
|
||
|
2D25000
|
trusted library allocation
|
page read and write
|
||
|
E00000
|
heap
|
page read and write
|
||
|
7FF848DED000
|
trusted library allocation
|
page execute and read and write
|
||
|
DFC000
|
heap
|
page read and write
|
||
|
7FF848E20000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FB2000
|
trusted library allocation
|
page read and write
|
||
|
DB0000
|
heap
|
page read and write
|
||
|
7FF848E0D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1090000
|
trusted library allocation
|
page read and write
|
||
|
12CF1000
|
trusted library allocation
|
page read and write
|
||
|
7FF848EC6000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B20000
|
heap
|
page read and write
|
||
|
7FF848E96000
|
trusted library allocation
|
page read and write
|
||
|
11D5000
|
heap
|
page read and write
|
||
|
7FF848E90000
|
trusted library allocation
|
page read and write
|
||
|
1B6A0000
|
heap
|
page execute and read and write
|
||
|
EE0000
|
heap
|
page read and write
|
||
|
7FF848E9C000
|
trusted library allocation
|
page execute and read and write
|
||
|
E25000
|
heap
|
page read and write
|
||
|
1B67E000
|
stack
|
page read and write
|
||
|
10A3000
|
trusted library allocation
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
2BE0000
|
heap
|
page execute and read and write
|
||
|
1B0CD000
|
stack
|
page read and write
|
||
|
7FF848FB0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848DF0000
|
trusted library allocation
|
page read and write
|
||
|
D12000
|
stack
|
page read and write
|
||
|
1B570000
|
heap
|
page read and write
|
||
|
CF2000
|
stack
|
page read and write
|
||
|
D76000
|
heap
|
page read and write
|
||
|
1385000
|
heap
|
page read and write
|
||
|
D0C000
|
heap
|
page read and write
|
||
|
1B9AF000
|
stack
|
page read and write
|
||
|
7FF848E2D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF848E1D000
|
trusted library allocation
|
page execute and read and write
|
||
|
D00000
|
heap
|
page read and write
|
||
|
7FF4D9630000
|
trusted library allocation
|
page execute and read and write
|
||
|
1B720000
|
heap
|
page read and write
|
||
|
D32000
|
heap
|
page read and write
|
||
|
D2B000
|
heap
|
page read and write
|
||
|
7FF848F30000
|
trusted library allocation
|
page execute and read and write
|
||
|
EAC000
|
heap
|
page read and write
|
||
|
D70000
|
heap
|
page read and write
|
||
|
1020000
|
heap
|
page read and write
|
||
|
11D0000
|
heap
|
page read and write
|
||
|
1BA2E000
|
stack
|
page read and write
|
||
|
12F0000
|
heap
|
page read and write
|
||
|
10C5000
|
heap
|
page read and write
|
||
|
7FF848E00000
|
trusted library allocation
|
page read and write
|
||
|
12B37000
|
trusted library allocation
|
page read and write
|
||
|
7FF848F00000
|
trusted library allocation
|
page execute and read and write
|
||
|
1BB2E000
|
stack
|
page read and write
|
||
|
DE9000
|
heap
|
page read and write
|
||
|
1100000
|
trusted library allocation
|
page read and write
|
||
|
DF0000
|
heap
|
page read and write
|
||
|
1B28D000
|
stack
|
page read and write
|
||
|
1000000
|
heap
|
page read and write
|
||
|
1B50F000
|
stack
|
page read and write
|
||
|
7FF848E3C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF848E24000
|
trusted library allocation
|
page read and write
|
||
|
7FF848EC0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848F82000
|
trusted library allocation
|
page read and write
|
||
|
7FF848DE3000
|
trusted library allocation
|
page execute and read and write
|
||
|
DA5000
|
heap
|
page read and write
|
||
|
1B8AE000
|
stack
|
page read and write
|
||
|
D43000
|
heap
|
page read and write
|
||
|
7FF848EA0000
|
trusted library allocation
|
page execute and read and write
|
||
|
10A0000
|
trusted library allocation
|
page read and write
|
||
|
D06000
|
heap
|
page read and write
|
||
|
DA0000
|
heap
|
page read and write
|
||
|
2CEE000
|
stack
|
page read and write
|
||
|
2CF1000
|
trusted library allocation
|
page read and write
|
||
|
1B690000
|
heap
|
page execute and read and write
|
||
|
10C0000
|
heap
|
page read and write
|
||
|
1B826000
|
stack
|
page read and write
|
||
|
1AD20000
|
trusted library allocation
|
page read and write
|
||
|
12B33000
|
trusted library allocation
|
page read and write
|
||
|
D45000
|
heap
|
page read and write
|
||
|
10E0000
|
trusted library allocation
|
page read and write
|
||
|
2A7E000
|
stack
|
page read and write
|
||
|
1070000
|
trusted library allocation
|
page read and write
|
||
|
7FF848DE4000
|
trusted library allocation
|
page read and write
|
||
|
11C0000
|
heap
|
page execute and read and write
|
||
|
E2F000
|
heap
|
page read and write
|
||
|
10BF000
|
stack
|
page read and write
|
||
|
7FF848DFD000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF848DF3000
|
trusted library allocation
|
page read and write
|
||
|
1380000
|
heap
|
page read and write
|
||
|
D60000
|
heap
|
page read and write
|
||
|
7FF848EF6000
|
trusted library allocation
|
page execute and read and write
|
||
|
D71000
|
heap
|
page read and write
|
||
|
E1D000
|
heap
|
page read and write
|
||
|
DCE000
|
heap
|
page read and write
|
||
|
7FF848E14000
|
trusted library allocation
|
page read and write
|
||
|
12CF3000
|
trusted library allocation
|
page read and write
|
||
|
EB5000
|
heap
|
page read and write
|
||
|
E31000
|
heap
|
page read and write
|
||
|
2B31000
|
trusted library allocation
|
page read and write
|
||
|
960000
|
unkown
|
page readonly
|
||
|
DD0000
|
heap
|
page read and write
|
||
|
E5C000
|
heap
|
page read and write
|
||
|
12B35000
|
trusted library allocation
|
page read and write
|
||
|
1B7AF000
|
stack
|
page read and write
|
There are 96 hidden memdumps, click here to show them.