systembc | a0a5ebd512b7685798ac966c0b05415df9eff585a79af11c9ff99d7aa17e2101

max time kernel
299s
max time network
304s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2024, 11:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2579be109c1035cb96942951710020a8.exe
Size

147KB
MD5

2579be109c1035cb96942951710020a8
SHA1

6987472967c8ce5e3d5fd6730a9da2964afacd10
SHA256

a0a5ebd512b7685798ac966c0b05415df9eff585a79af11c9ff99d7aa17e2101
SHA512

191ea3d7edc69f1cb9d1ec4967074667c5e1c6b02fdaa8bbc5a4414bf5ca00ccafadc49670c5b3065133915d78e482572545f1d0c8c3382e6a767c1f08a33a21
SSDEEP

3072:9NuSXw/c4JHdNX8PAzCABaxg0r27f8EjQspDNJJAksa:9oSXw/hfNXmAzbYg02Ok

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

advertspace10.club:4044

logstat17.club:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
1068	tpubil.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/4088-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral5/memory/4088-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral5/memory/4088-4-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral5/memory/4088-7-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral5/files/0x000200000002a9eb-14.dat	upx
behavioral5/memory/1068-18-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral5/memory/1068-22-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral5/memory/1068-29-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
9	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\tpubil.job	2579be109c1035cb96942951710020a8.exe
File opened for modification	C:\Windows\Tasks\tpubil.job	2579be109c1035cb96942951710020a8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4088	2579be109c1035cb96942951710020a8.exe
4088	2579be109c1035cb96942951710020a8.exe

C:\Users\Admin\AppData\Local\Temp\2579be109c1035cb96942951710020a8.exe
"C:\Users\Admin\AppData\Local\Temp\2579be109c1035cb96942951710020a8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\ProgramData\hcvemg\tpubil.exe
C:\ProgramData\hcvemg\tpubil.exe start2
1⤵
- Executes dropped EXE
PID:1068

Network

GET

https://api.ipify.org/

tpubil.exe

Remote address:

104.26.13.205:443

Request

GET / HTTP/1.0
Host: api.ipify.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.1 200 OK

Date: Mon, 15 Apr 2024 11:42:11 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 874babbae9a3888f-LHR
GET

http://131.188.40.189/tor/status-vote/current/consensus

tpubil.exe

Remote address:

131.188.40.189:80

Request

GET /tor/status-vote/current/consensus HTTP/1.0
Host: 131.188.40.189
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:42:11 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Mon, 15 Apr 2024 12:00:00 GMT
Vary: X-Or-Diff-From-Consensus
GET

http://216.218.219.41/tor/server/fp/569205e569326034ab961115ff2c68089b367426

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/569205e569326034ab961115ff2c68089b367426 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:42:14 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:42:14 GMT
GET

http://193.23.244.244/tor/server/fp/e92b5ff578bbe96b45f9dd27eeec9361507fe9ad

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/e92b5ff578bbe96b45f9dd27eeec9361507fe9ad HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:42:35 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:42:35 GMT
GET

http://193.23.244.244/tor/server/fp/896c57b19526321e0d8cec403e96b650a709f4e2

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/896c57b19526321e0d8cec403e96b650a709f4e2 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:42:36 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:42:36 GMT
GET

http://193.23.244.244/tor/server/fp/234d670eaa794f092f7bd758d5d2aa7f4e3ffbe3

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/234d670eaa794f092f7bd758d5d2aa7f4e3ffbe3 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:42:42 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:42:42 GMT
GET

http://216.218.219.41/tor/server/fp/cf019f1d92427113250a338bbba10950442bea88

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/cf019f1d92427113250a338bbba10950442bea88 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:42:53 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:42:53 GMT
GET

http://193.23.244.244/tor/server/fp/dbc64fed17851b59951a76c5f1f54a49efdbfc2f

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/dbc64fed17851b59951a76c5f1f54a49efdbfc2f HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:04 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:04 GMT
GET

http://216.218.219.41/tor/server/fp/0077ddddb54954214cfee0fe8aa85ddc857e7c8a

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/0077ddddb54954214cfee0fe8aa85ddc857e7c8a HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:13 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:13 GMT
GET

http://193.23.244.244/tor/server/fp/1eb0e62c2284a61c4c099097b25132ce114d4ea0

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/1eb0e62c2284a61c4c099097b25132ce114d4ea0 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:27 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:27 GMT
GET

http://193.23.244.244/tor/server/fp/5e0d5b2b4c1aace479607e84ec1bce988910ab46

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/5e0d5b2b4c1aace479607e84ec1bce988910ab46 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:27 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:27 GMT
GET

http://193.23.244.244/tor/server/fp/6e4915e9d86e607d68d99b98a9a63f60e5882d57

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/6e4915e9d86e607d68d99b98a9a63f60e5882d57 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:37 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:37 GMT
GET

http://216.218.219.41/tor/server/fp/4c122dfaed8bd43ad63bb1045af53a9708f17695

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/4c122dfaed8bd43ad63bb1045af53a9708f17695 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:38 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:38 GMT
GET

http://216.218.219.41/tor/server/fp/8d333b669f8e68d01a72f05e435f4d4b2bf74467

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/8d333b669f8e68d01a72f05e435f4d4b2bf74467 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:44 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:44 GMT
GET

http://216.218.219.41/tor/server/fp/752ed5a0e4f87b46ec825dce32a517272a9c278a

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/752ed5a0e4f87b46ec825dce32a517272a9c278a HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:46 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:46 GMT
GET

http://193.23.244.244/tor/server/fp/18d6b387d4c29dc9042b22411020dcb05626de75

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/18d6b387d4c29dc9042b22411020dcb05626de75 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:47 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:47 GMT
GET

http://216.218.219.41/tor/server/fp/fd81c299b8c3f7770a64ad21c054c863efd9e130

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/fd81c299b8c3f7770a64ad21c054c863efd9e130 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:53 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:53 GMT
GET

http://216.218.219.41/tor/server/fp/b6b842fb52e5c4fd0cad432adb6c7f46e8112a55

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/b6b842fb52e5c4fd0cad432adb6c7f46e8112a55 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:43:54 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:43:54 GMT
GET

http://193.23.244.244/tor/server/fp/e3f98c86c9e01138dd8ea06b1e660a0cdb4b2782

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/e3f98c86c9e01138dd8ea06b1e660a0cdb4b2782 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:05 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:05 GMT
GET

http://216.218.219.41/tor/server/fp/fe384392c982659ab28b51fb98c2179b5e8ce371

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/fe384392c982659ab28b51fb98c2179b5e8ce371 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:16 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:16 GMT
GET

http://193.23.244.244/tor/server/fp/7ff0a2f04b33c4d233723eae9c6880a7660a617b

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/7ff0a2f04b33c4d233723eae9c6880a7660a617b HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:20 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:20 GMT
GET

http://193.23.244.244/tor/server/fp/fc1e441e097ba36930aa2f615efb325af76d2595

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/fc1e441e097ba36930aa2f615efb325af76d2595 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:25 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:25 GMT
GET

http://193.23.244.244/tor/server/fp/9c97939fd72ea7a301195e41dcda907e4494a9b5

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/9c97939fd72ea7a301195e41dcda907e4494a9b5 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:26 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:26 GMT
DNS

14.100.78.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.100.78.140.in-addr.arpa

IN PTR

Response
DNS

14.100.78.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.100.78.140.in-addr.arpa

IN PTR

Response
GET

http://193.23.244.244/tor/server/fp/0f5a78ecba449016b00f05a85398d5ad3dc7a895

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/0f5a78ecba449016b00f05a85398d5ad3dc7a895 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:27 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:27 GMT
DNS

98.23.245.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.23.245.172.in-addr.arpa

IN PTR

Response

98.23.245.172.in-addr.arpa

IN PTR

172-245-23-98-hostcolocrossingcom
DNS

213.79.178.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.79.178.87.in-addr.arpa

IN PTR

Response

213.79.178.87.in-addr.arpa

IN PTR

p57b24fd5dip0t-ipconnectde
DNS

213.79.178.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.79.178.87.in-addr.arpa

IN PTR

Response

213.79.178.87.in-addr.arpa

IN PTR

p57b24fd5dip0t-ipconnectde
GET

http://193.23.244.244/tor/server/fp/b638a74697e715c66b52f785ef80c951a93ffd92

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/b638a74697e715c66b52f785ef80c951a93ffd92 HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:35 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:35 GMT
GET

http://216.218.219.41/tor/server/fp/0e76ffd838788737855e06a8266c845b5316a150

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/0e76ffd838788737855e06a8266c845b5316a150 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:36 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:36 GMT
GET

http://193.23.244.244/tor/server/fp/b7f27fba6058f4f6d2ecbb715de7539af9e6c7bc

tpubil.exe

Remote address:

193.23.244.244:80

Request

GET /tor/server/fp/b7f27fba6058f4f6d2ecbb715de7539af9e6c7bc HTTP/1.0
Host: 193.23.244.244
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:37 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:37 GMT
DNS

116.185.21.65.in-addr.arpa

Remote address:

8.8.8.8:53

Request

116.185.21.65.in-addr.arpa

IN PTR

Response

116.185.21.65.in-addr.arpa

IN PTR

static1161852165clientsyour-serverde
DNS

116.185.21.65.in-addr.arpa

Remote address:

8.8.8.8:53

Request

116.185.21.65.in-addr.arpa

IN PTR
DNS

183.241.128.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.241.128.178.in-addr.arpa

IN PTR

Response
DNS

183.241.128.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.241.128.178.in-addr.arpa

IN PTR

Response
GET

http://216.218.219.41/tor/server/fp/1112436fb1ddd1d28c7d753c97126e91cff6d20a

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/1112436fb1ddd1d28c7d753c97126e91cff6d20a HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:39 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:39 GMT
DNS

234.60.196.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.60.196.93.in-addr.arpa

IN PTR

Response

234.60.196.93.in-addr.arpa

IN PTR

p5dc43ceadip0t-ipconnectde
DNS

234.60.196.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.60.196.93.in-addr.arpa

IN PTR

Response

234.60.196.93.in-addr.arpa

IN PTR

p5dc43ceadip0t-ipconnectde
DNS

131.156.69.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.156.69.159.in-addr.arpa

IN PTR

Response

131.156.69.159.in-addr.arpa

IN PTR

fryhufenreuterinfo
DNS

131.156.69.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.156.69.159.in-addr.arpa

IN PTR

Response

131.156.69.159.in-addr.arpa

IN PTR

fryhufenreuterinfo
GET

http://216.218.219.41/tor/server/fp/f1a800765664ca7d983897d133c825945c288745

tpubil.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/f1a800765664ca7d983897d133c825945c288745 HTTP/1.0
Host: 216.218.219.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept:*/*
Connection: close

Response

HTTP/1.0 200 OK

Date: Mon, 15 Apr 2024 11:44:46 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Wed, 17 Apr 2024 11:44:46 GMT

104.26.13.205:443

https://api.ipify.org/

tls, http

tpubil.exe

906 B
5.6kB
10
12

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
131.188.40.189:80

http://131.188.40.189/tor/status-vote/current/consensus

http

tpubil.exe

70.8kB
3.3MB
1419
2386

HTTP Request

GET http://131.188.40.189/tor/status-vote/current/consensus

HTTP Response

200
185.2.195.157:52443

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/569205e569326034ab961115ff2c68089b367426

http

tpubil.exe

492 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/569205e569326034ab961115ff2c68089b367426

HTTP Response

200
5.78.45.39:443

tls, https

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/e92b5ff578bbe96b45f9dd27eeec9361507fe9ad

http

tpubil.exe

492 B
2.6kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/e92b5ff578bbe96b45f9dd27eeec9361507fe9ad

HTTP Response

200
202.61.252.121:61004

tls

tpubil.exe

1.2kB
3.4kB
9
8
193.23.244.244:80

http://193.23.244.244/tor/server/fp/896c57b19526321e0d8cec403e96b650a709f4e2

http

tpubil.exe

492 B
3.3kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/896c57b19526321e0d8cec403e96b650a709f4e2

HTTP Response

200
45.13.104.185:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/234d670eaa794f092f7bd758d5d2aa7f4e3ffbe3

http

tpubil.exe

492 B
2.8kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/234d670eaa794f092f7bd758d5d2aa7f4e3ffbe3

HTTP Response

200
92.204.41.234:9998

tpubil.exe

208 B
4
85.214.236.165:443

tls, https

tpubil.exe

1.3kB
3.4kB
9
8
216.218.219.41:80

http://216.218.219.41/tor/server/fp/cf019f1d92427113250a338bbba10950442bea88

http

tpubil.exe

492 B
2.9kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/cf019f1d92427113250a338bbba10950442bea88

HTTP Response

200
50.3.182.145:443

tls

tpubil.exe

337 B
132 B
4
3
193.42.11.238:443

tls, https

tpubil.exe

1.3kB
3.4kB
9
8
193.23.244.244:80

http://193.23.244.244/tor/server/fp/dbc64fed17851b59951a76c5f1f54a49efdbfc2f

http

tpubil.exe

492 B
2.9kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/dbc64fed17851b59951a76c5f1f54a49efdbfc2f

HTTP Response

200
71.19.144.65:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/0077ddddb54954214cfee0fe8aa85ddc857e7c8a

http

tpubil.exe

492 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/0077ddddb54954214cfee0fe8aa85ddc857e7c8a

HTTP Response

200
146.70.80.19:9001

tls

tpubil.exe

1.3kB
3.5kB
9
8
193.23.244.244:80

http://193.23.244.244/tor/server/fp/1eb0e62c2284a61c4c099097b25132ce114d4ea0

http

tpubil.exe

492 B
2.9kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/1eb0e62c2284a61c4c099097b25132ce114d4ea0

HTTP Response

200
89.190.6.9:9030

tls

tpubil.exe

1.3kB
3.5kB
9
10
193.23.244.244:80

http://193.23.244.244/tor/server/fp/5e0d5b2b4c1aace479607e84ec1bce988910ab46

http

tpubil.exe

492 B
2.7kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/5e0d5b2b4c1aace479607e84ec1bce988910ab46

HTTP Response

200
128.140.112.79:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/6e4915e9d86e607d68d99b98a9a63f60e5882d57

http

tpubil.exe

492 B
2.9kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/6e4915e9d86e607d68d99b98a9a63f60e5882d57

HTTP Response

200
217.160.114.102:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/4c122dfaed8bd43ad63bb1045af53a9708f17695

http

tpubil.exe

492 B
3.0kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/4c122dfaed8bd43ad63bb1045af53a9708f17695

HTTP Response

200
88.216.223.3:80

tls, http

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/8d333b669f8e68d01a72f05e435f4d4b2bf74467

http

tpubil.exe

492 B
4.8kB
6
7

HTTP Request

GET http://216.218.219.41/tor/server/fp/8d333b669f8e68d01a72f05e435f4d4b2bf74467

HTTP Response

200
83.148.233.129:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/752ed5a0e4f87b46ec825dce32a517272a9c278a

http

tpubil.exe

492 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/752ed5a0e4f87b46ec825dce32a517272a9c278a

HTTP Response

200
212.146.101.18:443

tls, https

tpubil.exe

1.3kB
3.4kB
9
8
193.23.244.244:80

http://193.23.244.244/tor/server/fp/18d6b387d4c29dc9042b22411020dcb05626de75

http

tpubil.exe

492 B
2.7kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/18d6b387d4c29dc9042b22411020dcb05626de75

HTTP Response

200
51.222.24.62:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/fd81c299b8c3f7770a64ad21c054c863efd9e130

http

tpubil.exe

492 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/fd81c299b8c3f7770a64ad21c054c863efd9e130

HTTP Response

200
45.9.60.140:9001

tls

tpubil.exe

1.3kB
3.5kB
9
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/b6b842fb52e5c4fd0cad432adb6c7f46e8112a55

http

tpubil.exe

492 B
2.9kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/b6b842fb52e5c4fd0cad432adb6c7f46e8112a55

HTTP Response

200
95.216.115.85:8443

tls

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/e3f98c86c9e01138dd8ea06b1e660a0cdb4b2782

http

tpubil.exe

492 B
2.8kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/e3f98c86c9e01138dd8ea06b1e660a0cdb4b2782

HTTP Response

200
31.220.74.133:9001

tls

tpubil.exe

1.3kB
3.5kB
9
10
216.218.219.41:80

http://216.218.219.41/tor/server/fp/fe384392c982659ab28b51fb98c2179b5e8ce371

http

tpubil.exe

492 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/fe384392c982659ab28b51fb98c2179b5e8ce371

HTTP Response

200
92.116.235.188:7919

tls

tpubil.exe

1.3kB
3.5kB
9
8
193.23.244.244:80

http://193.23.244.244/tor/server/fp/7ff0a2f04b33c4d233723eae9c6880a7660a617b

http

tpubil.exe

492 B
2.6kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/7ff0a2f04b33c4d233723eae9c6880a7660a617b

HTTP Response

200
148.251.41.235:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/fc1e441e097ba36930aa2f615efb325af76d2595

http

tpubil.exe

492 B
2.7kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/fc1e441e097ba36930aa2f615efb325af76d2595

HTTP Response

200
140.78.100.14:8443

tls

tpubil.exe

1.3kB
3.5kB
9
8
193.23.244.244:80

http://193.23.244.244/tor/server/fp/9c97939fd72ea7a301195e41dcda907e4494a9b5

http

tpubil.exe

538 B
5.1kB
7
7

HTTP Request

GET http://193.23.244.244/tor/server/fp/9c97939fd72ea7a301195e41dcda907e4494a9b5

HTTP Response

200
172.245.23.98:8080

tls

tpubil.exe

1.3kB
3.6kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/0f5a78ecba449016b00f05a85398d5ad3dc7a895

http

tpubil.exe

492 B
3.5kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/0f5a78ecba449016b00f05a85398d5ad3dc7a895

HTTP Response

200
87.178.79.213:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/b638a74697e715c66b52f785ef80c951a93ffd92

http

tpubil.exe

492 B
2.7kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/b638a74697e715c66b52f785ef80c951a93ffd92

HTTP Response

200
65.21.185.116:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/0e76ffd838788737855e06a8266c845b5316a150

http

tpubil.exe

492 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/0e76ffd838788737855e06a8266c845b5316a150

HTTP Response

200
178.128.241.183:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
193.23.244.244:80

http://193.23.244.244/tor/server/fp/b7f27fba6058f4f6d2ecbb715de7539af9e6c7bc

http

tpubil.exe

492 B
2.7kB
6
5

HTTP Request

GET http://193.23.244.244/tor/server/fp/b7f27fba6058f4f6d2ecbb715de7539af9e6c7bc

HTTP Response

200
93.196.60.234:9001

tls

tpubil.exe

1.3kB
3.5kB
9
8
216.218.219.41:80

http://216.218.219.41/tor/server/fp/1112436fb1ddd1d28c7d753c97126e91cff6d20a

http

tpubil.exe

492 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/1112436fb1ddd1d28c7d753c97126e91cff6d20a

HTTP Response

200
159.69.156.131:9001

tls

tpubil.exe

1.3kB
3.5kB
10
9
216.218.219.41:80

http://216.218.219.41/tor/server/fp/f1a800765664ca7d983897d133c825945c288745

http

tpubil.exe

492 B
2.9kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/f1a800765664ca7d983897d133c825945c288745

HTTP Response

200
79.113.201.139:1337

tls

tpubil.exe

1.2kB
3.4kB
7
7

8.8.8.8:53

14.100.78.140.in-addr.arpa

dns

144 B
272 B
2
2

DNS Request

14.100.78.140.in-addr.arpa

DNS Request

14.100.78.140.in-addr.arpa
8.8.8.8:53

98.23.245.172.in-addr.arpa

dns

216 B
351 B
3
3

DNS Request

98.23.245.172.in-addr.arpa

DNS Request

213.79.178.87.in-addr.arpa

DNS Request

213.79.178.87.in-addr.arpa
8.8.8.8:53

116.185.21.65.in-addr.arpa

dns

144 B
129 B
2
1

DNS Request

116.185.21.65.in-addr.arpa

DNS Request

116.185.21.65.in-addr.arpa
8.8.8.8:53

183.241.128.178.in-addr.arpa

dns

148 B
282 B
2
2

DNS Request

183.241.128.178.in-addr.arpa

DNS Request

183.241.128.178.in-addr.arpa
8.8.8.8:53

234.60.196.93.in-addr.arpa

dns

144 B
230 B
2
2

DNS Request

234.60.196.93.in-addr.arpa

DNS Request

234.60.196.93.in-addr.arpa
8.8.8.8:53

131.156.69.159.in-addr.arpa

dns

146 B
214 B
2
2

DNS Request

131.156.69.159.in-addr.arpa

DNS Request

131.156.69.159.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hcvemg\tpubil.exe

Filesize
147KB

MD5
2579be109c1035cb96942951710020a8

SHA1
6987472967c8ce5e3d5fd6730a9da2964afacd10

SHA256
a0a5ebd512b7685798ac966c0b05415df9eff585a79af11c9ff99d7aa17e2101

SHA512
191ea3d7edc69f1cb9d1ec4967074667c5e1c6b02fdaa8bbc5a4414bf5ca00ccafadc49670c5b3065133915d78e482572545f1d0c8c3382e6a767c1f08a33a21

Download Submit
memory/1068-31-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-30-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-29-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-22-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-18-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-16-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4088-4-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4088-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4088-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4088-8-0x0000000000BB0000-0x0000000000BE4000-memory.dmp

Filesize
208KB

Download
memory/4088-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4088-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4088-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4088-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request