redline | dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d

Analysis

max time kernel
141s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 13:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe
Size

267KB
MD5

8be7c5ffa92a9118ecb4bfaa5bb92f4c
SHA1

00dcce8ac22908ae1916b2607eeaab533ac974de
SHA256

dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d
SHA512

8d6c4bc0dcc5ab5e3639a492405f6ccbbdceae1079475ad59c21fd89545978a24c07288234c16e1d9bf775e23c66b207078684b5da121ba3aec86dd7389e7449
SSDEEP

6144:9dOllhS4qdxjPxUUszUP1fKV6fb3Iy7rB3rZ27+mmKU:TU/SNRR9xflrMkKU

Score

10^/10

redline 5637482599 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

5637482599

https://pastebin.com/raw/NgsUAPya

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
19	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe
2328	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89
PID 1468 wrote to memory of 2328	1468	dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe	89

C:\Users\Admin\AppData\Local\Temp\dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe
"C:\Users\Admin\AppData\Local\Temp\dabc03d54bff2bb7241f741771c208714489a28566f83025eb10dc05b3d5ee9d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=170129F6A33761E129343D8CA28C60F0; domain=.bing.com; expires=Tue, 03-Jun-2025 13:13:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C869164F63AB4E9EB5F864559C5C5BCE Ref B: LON04EDGE0817 Ref C: 2024-05-09T13:13:29Z
date: Thu, 09 May 2024 13:13:28 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=170129F6A33761E129343D8CA28C60F0; _EDGE_S=SID=2E09E4DAF4496C043718F0A0F5E36D02

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=EPzTyA6nTRFgKc4xcSpQO1Itjk6dUZJjeOTFTQkWToM; domain=.bing.com; expires=Tue, 03-Jun-2025 13:13:30 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 66348360FA1843FE841817E156D9B58E Ref B: LON04EDGE0817 Ref C: 2024-05-09T13:13:30Z
date: Thu, 09 May 2024 13:13:29 GMT
GET

https://www.bing.com/aes/c.gif?RG=6e7988d151f34ab5bb010a5e9231d576&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135156Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

Remote address:

2.17.196.75:443

Request

GET /aes/c.gif?RG=6e7988d151f34ab5bb010a5e9231d576&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135156Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=170129F6A33761E129343D8CA28C60F0

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F2A5B7BEA60A435AB6ABE3BF73D46311 Ref B: DUS30EDGE0806 Ref C: 2024-05-09T13:13:30Z
content-length: 0
date: Thu, 09 May 2024 13:13:30 GMT
set-cookie: _EDGE_S=SID=2E09E4DAF4496C043718F0A0F5E36D02; path=/; httponly; domain=bing.com
set-cookie: MUIDB=170129F6A33761E129343D8CA28C60F0; path=/; httponly; expires=Tue, 03-Jun-2025 13:13:30 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.47c41102.1715260410.35beddf5
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

107.211.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.211.222.173.in-addr.arpa

IN PTR

Response

107.211.222.173.in-addr.arpa

IN PTR

a173-222-211-107deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

RegAsm.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235
GET

https://pastebin.com/raw/NgsUAPya

RegAsm.exe

Remote address:

104.20.3.235:443

Request

GET /raw/NgsUAPya HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 May 2024 13:13:30 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1540
Last-Modified: Thu, 09 May 2024 12:47:50 GMT
Server: cloudflare
CF-RAY: 8811f27ded1e386e-LHR
DNS

75.196.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.196.17.2.in-addr.arpa

IN PTR

Response

75.196.17.2.in-addr.arpa

IN PTR

a2-17-196-75deploystaticakamaitechnologiescom
DNS

235.3.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.3.20.104.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

omnomnom.top

RegAsm.exe

Remote address:

8.8.8.8:53

Request

omnomnom.top

IN A

Response

omnomnom.top

IN A

195.201.252.28
DNS

28.252.201.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.252.201.195.in-addr.arpa

IN PTR

Response

28.252.201.195.in-addr.arpa

IN PTR

static28252201195clientsyour-serverde
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

2.17.196.105:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=170129F6A33761E129343D8CA28C60F0; _EDGE_S=SID=2E09E4DAF4496C043718F0A0F5E36D02; MSPTC=EPzTyA6nTRFgKc4xcSpQO1Itjk6dUZJjeOTFTQkWToM; MUIDB=170129F6A33761E129343D8CA28C60F0
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 09 May 2024 13:13:32 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.65c41102.1715260412.2770cbec
DNS

105.196.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.196.17.2.in-addr.arpa

IN PTR

Response

105.196.17.2.in-addr.arpa

IN PTR

a2-17-196-105deploystaticakamaitechnologiescom
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

2.18.190.79

a767.dspw65.akamai.net

IN A

2.18.190.77
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

57.15.31.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.15.31.184.in-addr.arpa

IN PTR

Response

57.15.31.184.in-addr.arpa

IN PTR

a184-31-15-57deploystaticakamaitechnologiescom
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19A3851D4B8F4C878C26D30055EBC4AB Ref B: LON04EDGE1115 Ref C: 2024-05-09T13:15:10Z
date: Thu, 09 May 2024 13:15:09 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CE618C393F704BE98C17DE9458A61E89 Ref B: LON04EDGE1115 Ref C: 2024-05-09T13:15:10Z
date: Thu, 09 May 2024 13:15:09 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8bxpffpy6Zp9jxlVY79MSwTVUCUwWnaO2_USypv0wR-U-ZOqDRUayShnatE7mK_F6xlLTkPIHy7bwspOIwhgonGAdzhh9wZrp-1AfZHLrdkZVo_oGzqWLYPvzpPY0XwIqpJJnbFX372cE-X5pDRUdBQsSBP9FQDM9BMFfHsG1l8y2LrU5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd895e4761d7014c66b98825dac2e0c60&TIME=20240426T135156Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204
2.17.196.75:443

https://www.bing.com/aes/c.gif?RG=6e7988d151f34ab5bb010a5e9231d576&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135156Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

tls, http2

1.4kB
5.4kB
16
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=6e7988d151f34ab5bb010a5e9231d576&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135156Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/NgsUAPya

tls, http

RegAsm.exe

772 B
5.7kB
9
9

HTTP Request

GET https://pastebin.com/raw/NgsUAPya

HTTP Response

200
195.201.252.28:443

omnomnom.top

https

RegAsm.exe

2.2MB
39.6kB
1612
755
2.17.196.105:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

42.5kB
1.2MB
905
903

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

107.211.222.173.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

107.211.222.173.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

RegAsm.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.3.235

172.67.19.24

104.20.4.235
8.8.8.8:53

75.196.17.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.196.17.2.in-addr.arpa
8.8.8.8:53

235.3.20.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

235.3.20.104.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

omnomnom.top

dns

RegAsm.exe

58 B
74 B
1
1

DNS Request

omnomnom.top

DNS Response

195.201.252.28
8.8.8.8:53

28.252.201.195.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

28.252.201.195.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

105.196.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

105.196.17.2.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

142 B
442 B
2
2

DNS Request

183.142.211.20.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

2.18.190.79

2.18.190.77
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

57.15.31.184.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

57.15.31.184.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-0-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2328-2-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2328-3-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2328-4-0x0000000006320000-0x0000000006938000-memory.dmp

Filesize
6.1MB

Download
memory/2328-5-0x0000000005DA0000-0x0000000005DB2000-memory.dmp

Filesize
72KB

Download
memory/2328-6-0x0000000005ED0000-0x0000000005FDA000-memory.dmp

Filesize
1.0MB

Download
memory/2328-7-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/2328-8-0x0000000006B90000-0x0000000006BCC000-memory.dmp

Filesize
240KB

Download
memory/2328-9-0x0000000006BD0000-0x0000000006C1C000-memory.dmp

Filesize
304KB

Download
memory/2328-10-0x0000000006F10000-0x00000000070D2000-memory.dmp

Filesize
1.8MB

Download
memory/2328-11-0x0000000007610000-0x0000000007B3C000-memory.dmp

Filesize
5.2MB

Download
memory/2328-12-0x00000000070E0000-0x0000000007172000-memory.dmp

Filesize
584KB

Download
memory/2328-13-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/2328-14-0x0000000007200000-0x0000000007276000-memory.dmp

Filesize
472KB

Download
memory/2328-15-0x0000000007180000-0x000000000719E000-memory.dmp

Filesize
120KB

Download
memory/2328-16-0x0000000007B90000-0x0000000007BE0000-memory.dmp

Filesize
320KB

Download
memory/2328-18-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.