Analysis

  • max time kernel
    94s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240412-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    17/04/2024, 12:54 UTC

General

  • Target

    4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe

  • Size

    374KB

  • MD5

    92121d87c0c698bb0ea94028fbec7627

  • SHA1

    b2c40320d452253a3c3c78301b62ab9d3f2fc5db

  • SHA256

    4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf

  • SHA512

    73181e16ecc95de95a4778d14cc07516712d075e6a50d431197f6682ef59c3a1a99ed7e4aea2e0ceba783ab000569beed144f7ef44626347829b35f1654bfdc4

  • SSDEEP

    6144:sCNGAuF/I3j/bFgKWD/hXL+QD8fA7N3X8/Au1u7bURR/mSiMT:sC7uF/Gj5gXV+QDhN3X8ICu743D3

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Program crash (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
    "C:\Users\Admin\AppData\Local\Temp\4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe"
    PID:4928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1200
        • Program crash
        PID:3992
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4928 -ip 4928
    PID:872

      Network

      • US
        DNS
        cleartotalfisherwo.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        cleartotalfisherwo.shop
        IN A
        Response
        cleartotalfisherwo.shop
        IN A
        104.21.72.132
        cleartotalfisherwo.shop
        IN A
        172.67.185.32
      • US
        POST
        https://cleartotalfisherwo.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        104.21.72.132:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: cleartotalfisherwo.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:35 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=q314v5ar8ivdvf1n19spqo36e1; expires=Sun, 11-Aug-2024 06:42:14 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TSAetRR3FfostJHF0YloZpbgFBEQ%2FmH%2FDUSkrBBJahG8RERw3X6%2Bde0oc74AkAE2gmjBG4Q1IfvLaI8%2FNbjaiPj7f2M5S%2BVzM8pPNhUEcSmck5%2FaTr2zItCoGsA9MZ%2B5wmYMF8%2BfNlOAeg%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c91fc4af794e5-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        POST
        https://cleartotalfisherwo.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        104.21.72.132:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: cleartotalfisherwo.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:35 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=bmbn7h5jn17hjfkighrv3okt0q; expires=Sun, 11-Aug-2024 06:42:14 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uvQ5K4sCigiDLtLaRTOq3435T4WcPM4Awu%2B0Mqhnn0gtXD%2BvnifiPJdHhept9eLBn%2FknCkkzRILSnMqWRdeMRoing33coHr9wZZ8PS%2FQ6byLs69rBEj%2FigYUvAYLigXDEqrov%2FVbtVPRew%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c91fd8c7e94e5-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        worryfillvolcawoi.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        worryfillvolcawoi.shop
        IN A
        Response
        worryfillvolcawoi.shop
        IN A
        172.67.199.191
        worryfillvolcawoi.shop
        IN A
        104.21.44.125
      • US
        POST
        https://worryfillvolcawoi.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        172.67.199.191:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: worryfillvolcawoi.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:35 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=m2noreckirbltrdakpeaccgoui; expires=Sun, 11-Aug-2024 06:42:14 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o5nVTIMnmPL%2BPYG%2F0CE1bxZ71aA4qC91Cc7vjsSK3%2BlfFJkUqoQz2l%2FfixckjhDC5bmnMcKZ0NMOVy4G1DTZdsmqFOaRcFCoyUKNRp0q7UDvtqperTwWjkqq55WE8PcRbXS8DDsfs7KU"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c91ff68ae4887-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        132.72.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        132.72.21.104.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        9.228.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        9.228.82.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        enthusiasimtitleow.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        enthusiasimtitleow.shop
        IN A
        Response
        enthusiasimtitleow.shop
        IN A
        172.67.183.226
        enthusiasimtitleow.shop
        IN A
        104.21.18.233
      • US
        POST
        https://enthusiasimtitleow.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        172.67.183.226:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: enthusiasimtitleow.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:36 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=j5lu5jgn2qus692drr1r0p7297; expires=Sun, 11-Aug-2024 06:42:15 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VsjxEA1WhqS%2FiqP%2Ff83U5p5JKueI2ygjDW0pNg3yW7U2fAK8ShQUUXXSSC60f9hTPFeq8oTHiGOAhhZ8xaefYWpYjyOifLRwJiKrMpgaoAS06580BoWauhbDKdTA8bxhBqFaKIY%2FrBQ6Rg%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c9201cade6530-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        dismissalcylinderhostw.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        dismissalcylinderhostw.shop
        IN A
        Response
        dismissalcylinderhostw.shop
        IN A
        172.67.205.132
        dismissalcylinderhostw.shop
        IN A
        104.21.22.160
      • US
        POST
        https://dismissalcylinderhostw.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        172.67.205.132:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: dismissalcylinderhostw.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:36 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=ikjvc79b73ln6j6gs0d18e7c0f; expires=Sun, 11-Aug-2024 06:42:15 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aWIN2n%2BS4gUQmWQe5qTfFEV8WTnrF0yf9sPTQdSppwW3vUVQc8bHoimF3R01zj5gLvJj%2B%2FOvvP2%2Fyz4gGPnVQfdBDDjAg2Gm%2BlUtdLY1rxPOIN9RrDtMwYmgqWqRVX%2BRHc%2FoSPrGGVKLUvfcDs0%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c92042e6d71c0-LHR
        alt-svc: h3=":443"; ma=86400
      • NL
        GET
        https://www.bing.com/th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        23.62.61.170:443
        Request
        GET /th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1678
        date: Wed, 17 Apr 2024 12:55:36 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.a63d3e17.1713358536.2bad40c9
      • US
        DNS
        25.24.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        25.24.18.2.in-addr.arpa
        IN PTR
        Response
        25.24.18.2.in-addr.arpa
        IN PTR
        a2-18-24-25deploystaticakamaitechnologiescom
      • US
        DNS
        191.199.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        191.199.67.172.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        159.113.53.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        159.113.53.23.in-addr.arpa
        IN PTR
        Response
        159.113.53.23.in-addr.arpa
        IN PTR
        a23-53-113-159deploystaticakamaitechnologiescom
      • US
        DNS
        226.183.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        226.183.67.172.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        79.121.231.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.121.231.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        affordcharmcropwo.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        affordcharmcropwo.shop
        IN A
        Response
        affordcharmcropwo.shop
        IN A
        104.21.67.211
        affordcharmcropwo.shop
        IN A
        172.67.181.34
      • US
        POST
        https://affordcharmcropwo.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        104.21.67.211:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: affordcharmcropwo.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:36 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=ul4004fgj7n0um5qc0nkq5id31; expires=Sun, 11-Aug-2024 06:42:15 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v3ch9DwtJsUIwI%2BzAoy1V3qwQlkcPfeKyiGObX%2FsMSaGf9e1UgJ8FYBchk2ITKVKBMlUL7vEkf7HDFDWeJ%2FchMzV05MtSyEKdRw5QqYyAMO%2B%2F8yS47EaNeg1COZ0ONqaOp%2FUjObN8d8b"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c9206adeb951d-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        diskretainvigorousiw.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        diskretainvigorousiw.shop
        IN A
        Response
        diskretainvigorousiw.shop
        IN A
        104.21.23.143
        diskretainvigorousiw.shop
        IN A
        172.67.211.165
      • US
        POST
        https://diskretainvigorousiw.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        104.21.23.143:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: diskretainvigorousiw.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:37 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=de6kob9780hk38ioro4dt7r1st; expires=Sun, 11-Aug-2024 06:42:16 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KrznEGyAimm6nhVLMhPzW13uiUls6AHBowGtH8Bqloe5Y%2BKvjJ3EtrT%2BU22DSQ5bt0Ft%2FTYwZ%2B8qjAjXzW%2B8oeGYj%2FZ7U4frKOEW7XMlGPWZoaEbscJGl4CP%2Fs4y7ZoqZzKdr%2B9gRinIO2qf"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c92090feb773d-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        communicationgenerwo.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        communicationgenerwo.shop
        IN A
        Response
        communicationgenerwo.shop
        IN A
        172.67.166.251
        communicationgenerwo.shop
        IN A
        104.21.83.19
      • US
        POST
        https://communicationgenerwo.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        172.67.166.251:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: communicationgenerwo.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:37 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=neskp3dbb5jgov9hb34hmb8ehd; expires=Sun, 11-Aug-2024 06:42:16 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vGXt%2FSbHpS0W5WUu53DN%2Fmcii066b2gm2CIPts8eTOn5U8PReOsGt3HhPRnF4qDTY57pGDj3mpnFRBeFMj%2BY29qJcIFFONubDT%2BlIRoccZs5FPgWbhF805Kawy4ylFABOAlNXcQkf6Je8dVj"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c920b1caa459b-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        21.114.53.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.114.53.23.in-addr.arpa
        IN PTR
        Response
        21.114.53.23.in-addr.arpa
        IN PTR
        a23-53-114-21deploystaticakamaitechnologiescom
      • US
        DNS
        132.205.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        132.205.67.172.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        170.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        170.61.62.23.in-addr.arpa
        IN PTR
        Response
        170.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-170deploystaticakamaitechnologiescom
      • US
        DNS
        211.67.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        211.67.21.104.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        143.23.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        143.23.21.104.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        pillowbrocccolipe.shop
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        8.8.8.8:53
        Request
        pillowbrocccolipe.shop
        IN A
        Response
        pillowbrocccolipe.shop
        IN A
        188.114.96.2
        pillowbrocccolipe.shop
        IN A
        188.114.97.2
      • US
        POST
        https://pillowbrocccolipe.shop/api
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        Remote address:
        188.114.96.2:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: pillowbrocccolipe.shop
        Response
        HTTP/1.1 200 OK
        Date: Wed, 17 Apr 2024 12:55:38 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=9npp339s1qh78d9f2av5junhvo; expires=Sun, 11-Aug-2024 06:42:16 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hZtR%2BunB2wFnP2nIbLt4eHtn6tvzWvl8zQMH4u1OkEWwZ5DTJO988a53euZ3XQ0KCagscq%2FLusoBDxPgxt2BSpiHukbPLkwtKs%2BCXLgrPgys6JdZ33vfm3w15UBTR%2BXBnfZqs%2BOP9ple"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 875c920d9f1a0732-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        2.96.114.188.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.96.114.188.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        251.166.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        251.166.67.172.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        140.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.32.126.40.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
      • US
        DNS
        65.139.73.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        65.139.73.23.in-addr.arpa
        IN PTR
        Response
        65.139.73.23.in-addr.arpa
        IN PTR
        a23-73-139-65deploystaticakamaitechnologiescom
      • US
        DNS
        18.24.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.24.18.2.in-addr.arpa
        IN PTR
        Response
        18.24.18.2.in-addr.arpa
        IN PTR
        a2-18-24-18deploystaticakamaitechnologiescom
      • US
        DNS
        18.24.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.24.18.2.in-addr.arpa
        IN PTR
        Response
        18.24.18.2.in-addr.arpa
        IN PTR
        a2-18-24-18deploystaticakamaitechnologiescom
      • US
        DNS
        240.143.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.143.123.92.in-addr.arpa
        IN PTR
        Response
        240.143.123.92.in-addr.arpa
        IN PTR
        a92-123-143-240deploystaticakamaitechnologiescom
      • US
        DNS
        240.143.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.143.123.92.in-addr.arpa
        IN PTR
      • 104.21.72.132:443
        https://cleartotalfisherwo.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.5kB
        7.7kB
        13
        13

        HTTP Request

        POST https://cleartotalfisherwo.shop/api

        HTTP Response

        200

        HTTP Request

        POST https://cleartotalfisherwo.shop/api

        HTTP Response

        200
      • 172.67.199.191:443
        https://worryfillvolcawoi.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.7kB
        10
        10

        HTTP Request

        POST https://worryfillvolcawoi.shop/api

        HTTP Response

        200
      • 13.89.179.14:443
        tls, https
        2.6kB
        4
      • 172.67.183.226:443
        https://enthusiasimtitleow.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.7kB
        10
        10

        HTTP Request

        POST https://enthusiasimtitleow.shop/api

        HTTP Response

        200
      • 172.67.205.132:443
        https://dismissalcylinderhostw.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.7kB
        10
        10

        HTTP Request

        POST https://dismissalcylinderhostw.shop/api

        HTTP Response

        200
      • 23.62.61.170:443
        https://www.bing.com/th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.5kB
        6.9kB
        18
        12

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 104.21.67.211:443
        https://affordcharmcropwo.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.3kB
        10
        10

        HTTP Request

        POST https://affordcharmcropwo.shop/api

        HTTP Response

        200
      • 104.21.23.143:443
        https://diskretainvigorousiw.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.3kB
        10
        10

        HTTP Request

        POST https://diskretainvigorousiw.shop/api

        HTTP Response

        200
      • 172.67.166.251:443
        https://communicationgenerwo.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.7kB
        10
        10

        HTTP Request

        POST https://communicationgenerwo.shop/api

        HTTP Response

        200
      • 188.114.96.2:443
        https://pillowbrocccolipe.shop/api
        tls, http
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        1.1kB
        6.7kB
        10
        10

        HTTP Request

        POST https://pillowbrocccolipe.shop/api

        HTTP Response

        200
      • 2.17.197.240:80
        138 B
        3
      • 8.8.8.8:53
        cleartotalfisherwo.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        69 B
        101 B
        1
        1

        DNS Request

        cleartotalfisherwo.shop

        DNS Response

        104.21.72.132
        172.67.185.32

      • 8.8.8.8:53
        worryfillvolcawoi.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        68 B
        100 B
        1
        1

        DNS Request

        worryfillvolcawoi.shop

        DNS Response

        172.67.199.191
        104.21.44.125

      • 8.8.8.8:53
        132.72.21.104.in-addr.arpa
        dns
        72 B
        134 B
        1
        1

        DNS Request

        132.72.21.104.in-addr.arpa

      • 8.8.8.8:53
        9.228.82.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        9.228.82.20.in-addr.arpa

      • 8.8.8.8:53
        enthusiasimtitleow.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        69 B
        101 B
        1
        1

        DNS Request

        enthusiasimtitleow.shop

        DNS Response

        172.67.183.226
        104.21.18.233

      • 8.8.8.8:53
        dismissalcylinderhostw.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        73 B
        105 B
        1
        1

        DNS Request

        dismissalcylinderhostw.shop

        DNS Response

        172.67.205.132
        104.21.22.160

      • 8.8.8.8:53
        25.24.18.2.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        25.24.18.2.in-addr.arpa

      • 8.8.8.8:53
        191.199.67.172.in-addr.arpa
        dns
        73 B
        135 B
        1
        1

        DNS Request

        191.199.67.172.in-addr.arpa

      • 8.8.8.8:53
        159.113.53.23.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        159.113.53.23.in-addr.arpa

      • 8.8.8.8:53
        226.183.67.172.in-addr.arpa
        dns
        73 B
        135 B
        1
        1

        DNS Request

        226.183.67.172.in-addr.arpa

      • 8.8.8.8:53
        79.121.231.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        79.121.231.20.in-addr.arpa

      • 8.8.8.8:53
        affordcharmcropwo.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        68 B
        100 B
        1
        1

        DNS Request

        affordcharmcropwo.shop

        DNS Response

        104.21.67.211
        172.67.181.34

      • 8.8.8.8:53
        diskretainvigorousiw.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        71 B
        103 B
        1
        1

        DNS Request

        diskretainvigorousiw.shop

        DNS Response

        104.21.23.143
        172.67.211.165

      • 8.8.8.8:53
        communicationgenerwo.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        71 B
        103 B
        1
        1

        DNS Request

        communicationgenerwo.shop

        DNS Response

        172.67.166.251
        104.21.83.19

      • 8.8.8.8:53
        21.114.53.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        21.114.53.23.in-addr.arpa

      • 8.8.8.8:53
        132.205.67.172.in-addr.arpa
        dns
        73 B
        135 B
        1
        1

        DNS Request

        132.205.67.172.in-addr.arpa

      • 8.8.8.8:53
        170.61.62.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        170.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        211.67.21.104.in-addr.arpa
        dns
        72 B
        134 B
        1
        1

        DNS Request

        211.67.21.104.in-addr.arpa

      • 8.8.8.8:53
        143.23.21.104.in-addr.arpa
        dns
        72 B
        134 B
        1
        1

        DNS Request

        143.23.21.104.in-addr.arpa

      • 8.8.8.8:53
        pillowbrocccolipe.shop
        dns
        4e9c1f7d15aae6823f08960e01fe823fa0980de545da1d1b2ae1fb4cffde6eaf.exe
        68 B
        100 B
        1
        1

        DNS Request

        pillowbrocccolipe.shop

        DNS Response

        188.114.96.2
        188.114.97.2

      • 8.8.8.8:53
        2.96.114.188.in-addr.arpa
        dns
        71 B
        133 B
        1
        1

        DNS Request

        2.96.114.188.in-addr.arpa

      • 8.8.8.8:53
        251.166.67.172.in-addr.arpa
        dns
        73 B
        135 B
        1
        1

        DNS Request

        251.166.67.172.in-addr.arpa

      • 8.8.8.8:53
        140.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        140.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        18.31.95.13.in-addr.arpa
        dns
        140 B
        144 B
        2
        1

        DNS Request

        18.31.95.13.in-addr.arpa

        DNS Request

        18.31.95.13.in-addr.arpa

      • 8.8.8.8:53
        65.139.73.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        65.139.73.23.in-addr.arpa

      • 8.8.8.8:53
        18.24.18.2.in-addr.arpa
        dns
        138 B
        262 B
        2
        2

        DNS Request

        18.24.18.2.in-addr.arpa

        DNS Request

        18.24.18.2.in-addr.arpa

      • 8.8.8.8:53
        240.143.123.92.in-addr.arpa
        dns
        146 B
        139 B
        2
        1

        DNS Request

        240.143.123.92.in-addr.arpa

        DNS Request

        240.143.123.92.in-addr.arpa

      Downloads

      • memory/4928-1-0x0000000000960000-0x0000000000A60000-memory.dmp

        Filesize

        1024KB

      • memory/4928-3-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/4928-4-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/4928-2-0x00000000025D0000-0x000000000261A000-memory.dmp

        Filesize

        296KB

      • memory/4928-5-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/4928-7-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/4928-6-0x0000000000400000-0x000000000087C000-memory.dmp

        Filesize

        4.5MB
