privateloader | c089ce71477ac4b8f6875ee49c6532b275d92b210998c683e37eb1a98089a052

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2023, 12:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe
Size

4.0MB
MD5

3134fa9cea6fd7071133d85a5fb4f04e
SHA1

bc8428fa442bc143aaa444e98dae698f440abc3e
SHA256

044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9
SHA512

e0d7e8f40bae193d484ef67342280c10c3223af3ebae7ae8285535435871e145e5a57c3e04944eb7d6df9688e7273e15066cb6748d26fd1015f4f820ae162be8
SSDEEP

98304:706FB3Lep0AUPnz1GWObOOdbvUcPIPaatXQK2ApRE9Zea:7FL3Lk0AUPpGVbdbcyEtXWAzE9ka

Score

10^/10

privateloader evasion loader main themida trojan

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

208.67.104.60

Attributes

payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1376-134-0x0000000000A50000-0x0000000001612000-memory.dmp	themida
behavioral2/memory/1376-143-0x0000000000A50000-0x0000000001612000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ipinfo.io
61	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	InstallUtil.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	InstallUtil.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	InstallUtil.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	InstallUtil.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3796	InstallUtil.exe
3796	InstallUtil.exe
3796	InstallUtil.exe
3796	InstallUtil.exe
3796	InstallUtil.exe
3796	InstallUtil.exe
3796	InstallUtil.exe
3796	InstallUtil.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87
PID 1376 wrote to memory of 3796	1376	044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe	87

C:\Users\Admin\AppData\Local\Temp\044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe
"C:\Users\Admin\AppData\Local\Temp\044d2fde888aaa73c7a60076d4c93cb72d2c5f1ebfbdca29732ae85d0ba3fce9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1484

Network

DNS

metazone1.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

metazone1.com

IN A

Response

metazone1.com

IN A

31.31.196.244
GET

http://metazone1.com/api/tracemap.php

InstallUtil.exe

Remote address:

31.31.196.244:80

Request

GET /api/tracemap.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: metazone1.com

Response

HTTP/1.1 403 Forbidden

Server: nginx
Date: Tue, 03 Jan 2023 12:26:17 GMT
Content-Type: text/html
Content-Length: 201400
Connection: keep-alive
Vary: Accept-Encoding
ETag: "61cc0a19-312b8"
DNS

meta-zone-1.ru

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

meta-zone-1.ru

IN A

Response

meta-zone-1.ru

IN A

31.31.196.244
GET

http://meta-zone-1.ru/api/tracemap.php

InstallUtil.exe

Remote address:

31.31.196.244:80

Request

GET /api/tracemap.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: meta-zone-1.ru

Response

HTTP/1.1 403 Forbidden

Server: nginx
Date: Tue, 03 Jan 2023 12:26:18 GMT
Content-Type: text/html
Content-Length: 201400
Connection: keep-alive
Vary: Accept-Encoding
ETag: "61cc0a19-312b8"
DNS

meta-zone-1.online

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

meta-zone-1.online

IN A

Response

meta-zone-1.online

IN A

31.31.196.244
GET

http://meta-zone-1.online/api/tracemap.php

InstallUtil.exe

Remote address:

31.31.196.244:80

Request

GET /api/tracemap.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: meta-zone-1.online

Response

HTTP/1.1 403 Forbidden

Server: nginx
Date: Tue, 03 Jan 2023 12:26:18 GMT
Content-Type: text/html
Content-Length: 201400
Connection: keep-alive
Vary: Accept-Encoding
ETag: "61cc0a19-312b8"
GET

http://208.67.104.60/api/tracemap.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

GET /api/tracemap.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:19 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 15
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 413
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:19 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 413
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:20 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 413
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:20 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 413
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:20 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 413
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:20 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:20 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:20 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:21 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:21 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:21 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:22 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:23 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:23 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:23 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://208.67.104.60/api/firegate.php

InstallUtil.exe

Remote address:

208.67.104.60:80

Request

POST /api/firegate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 208.67.104.60

Response

HTTP/1.1 200 OK

Date: Tue, 03 Jan 2023 12:26:23 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

ipinfo.io

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.59.81
GET

https://ipinfo.io/widget

InstallUtil.exe

Remote address:

34.117.59.81:443

Request

GET /widget HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: ipinfo.io

Response

HTTP/1.1 200 OK

access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: application/json; charset=utf-8
content-length: 912
date: Tue, 03 Jan 2023 12:26:19 GMT
x-envoy-upstream-service-time: 35
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

vk.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

vk.com

IN A

Response

vk.com

IN A

87.240.137.164

vk.com

IN A

87.240.129.133

vk.com

IN A

87.240.132.72

vk.com

IN A

87.240.132.67

vk.com

IN A

87.240.132.78

vk.com

IN A

93.186.225.194
GET

https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

InstallUtil.exe

Remote address:

87.240.137.164:443

Request

GET /doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: vk.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: kittenx
Date: Tue, 03 Jan 2023 12:26:22 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 139003
Connection: keep-alive
X-Powered-By: KPHP/7.4.113006
Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly
Set-Cookie: remixlang=3; expires=Mon, 08 Jan 2024 19:52:31 GMT; path=/; domain=.vk.com
Set-Cookie: remixstlid=9092856945242514274_TyUVALahm7RTRK4ZBUn3eTSSFWwg97pxXF61BoNGDZk; expires=Wed, 03 Jan 2024 12:26:22 GMT; path=/; domain=.vk.com; secure
Set-Cookie: remixstid=1407836848_epszTabxfTZZLDQZzcDu9R70qzgke0rzJmmgiRIz0EH; expires=Sat, 06 Jan 2024 01:28:54 GMT; path=/; domain=.vk.com; secure
Set-Cookie: remixlgck=e5ec174678d6eb2f90; expires=Sat, 06 Jan 2024 08:07:55 GMT; path=/; domain=.vk.com; secure; HttpOnly
Cache-control: no-store
X-Robots-Tag: noindex,nofollow
Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp
X-XSS-Protection: 1; report=/xss_reports
X-Frame-Options: deny
X-Frontend: front605107
Strict-Transport-Security: max-age=15768000
Access-Control-Expose-Headers: X-Frontend

209.197.3.8:80

322 B
7
31.31.196.244:80

http://metazone1.com/api/tracemap.php

http

InstallUtil.exe

3.8kB
207.7kB
79
151

HTTP Request

GET http://metazone1.com/api/tracemap.php

HTTP Response

403
31.31.196.244:80

http://meta-zone-1.ru/api/tracemap.php

http

InstallUtil.exe

3.8kB
207.7kB
79
151

HTTP Request

GET http://meta-zone-1.ru/api/tracemap.php

HTTP Response

403
31.31.196.244:80

http://meta-zone-1.online/api/tracemap.php

http

InstallUtil.exe

3.9kB
208.0kB
80
152

HTTP Request

GET http://meta-zone-1.online/api/tracemap.php

HTTP Response

403
208.67.104.60:80

http://208.67.104.60/api/firegate.php

http

InstallUtil.exe

9.9kB
5.4kB
49
32

HTTP Request

GET http://208.67.104.60/api/tracemap.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200

HTTP Request

POST http://208.67.104.60/api/firegate.php

HTTP Response

200
34.117.59.81:443

https://ipinfo.io/widget

tls, http

InstallUtil.exe

923 B
6.8kB
9
10

HTTP Request

GET https://ipinfo.io/widget

HTTP Response

200
87.240.137.164:80

vk.com

tls

InstallUtil.exe

449 B
553 B
6
5
87.240.137.164:80

vk.com

tls

InstallUtil.exe

395 B
553 B
6
5
87.240.137.164:80

vk.com

InstallUtil.exe

190 B
92 B
4
2
87.240.137.164:443

https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

tls, http

InstallUtil.exe

5.9kB
150.1kB
115
113

HTTP Request

GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

HTTP Response

200
20.189.173.14:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7

8.8.8.8:53

metazone1.com

dns

InstallUtil.exe

59 B
75 B
1
1

DNS Request

metazone1.com

DNS Response

31.31.196.244
224.0.0.251:5353

158 B
2
8.8.8.8:53

meta-zone-1.ru

dns

InstallUtil.exe

60 B
76 B
1
1

DNS Request

meta-zone-1.ru

DNS Response

31.31.196.244
8.8.8.8:53

meta-zone-1.online

dns

InstallUtil.exe

64 B
80 B
1
1

DNS Request

meta-zone-1.online

DNS Response

31.31.196.244
8.8.8.8:53

ipinfo.io

dns

InstallUtil.exe

55 B
71 B
1
1

DNS Request

ipinfo.io

DNS Response

34.117.59.81
8.8.8.8:53

vk.com

dns

InstallUtil.exe

52 B
148 B
1
1

DNS Request

vk.com

DNS Response

87.240.137.164

87.240.129.133

87.240.132.72

87.240.132.67

87.240.132.78

93.186.225.194

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-144-0x00007FFA252F0000-0x00007FFA254E5000-memory.dmp

Filesize
2.0MB

Download
memory/1376-143-0x0000000000A50000-0x0000000001612000-memory.dmp

Filesize
11.8MB

Download
memory/1376-135-0x00007FFA252F0000-0x00007FFA254E5000-memory.dmp

Filesize
2.0MB

Download
memory/1376-136-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1376-137-0x0000000000A50000-0x0000000001612000-memory.dmp

Filesize
11.8MB

Download
memory/1376-138-0x00007FFA252F0000-0x00007FFA254E5000-memory.dmp

Filesize
2.0MB

Download
memory/1376-134-0x0000000000A50000-0x0000000001612000-memory.dmp

Filesize
11.8MB

Download
memory/1376-146-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1376-132-0x0000000000A50000-0x0000000001612000-memory.dmp

Filesize
11.8MB

Download
memory/1376-139-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-140-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3796-145-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3796-142-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3796-147-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3796-148-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.