limerat | 47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6 | Triage

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 11:44

Sharing

Report Analysis Logs

General

Target

WinRAR.exe
Size

28KB
MD5

1bb96e140f557472fc121bd147c7fef2
SHA1

f1dca9840d4619ed536c733e618f301748041f82
SHA256

47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6
SHA512

8611b8a6a4eae862d412de1e13047b36cd9854bad75b1e8224a820f91630977908c9e560326da8a538dab097cf51b9407ed17a6050535df6ce98e8bd68b4a48d
SSDEEP

768:+pOL6TvwdHRv3Jx5LY45N6voFBANLM37/j:+pJvwdH93JjlWwFBA96

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1111
antivm
true
c2_url
https://pastebin.com/raw/Qik1mEQY
delay
3
download_payload
false
install
true
install_name
WinRAR.exe
main_folder
AppData
pin_spread
false
sub_folder
\System\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/Qik1mEQY
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WinRAR.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	WinRAR.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

flow	ioc
31	pastebin.com
32	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2240	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	WinRAR.exe
Token: SeDebugPrivilege	4392	WinRAR.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2240	4524	WinRAR.exe	93
PID 4524 wrote to memory of 2240	4524	WinRAR.exe	93
PID 4524 wrote to memory of 2240	4524	WinRAR.exe	93
PID 4524 wrote to memory of 4392	4524	WinRAR.exe	95
PID 4524 wrote to memory of 4392	4524	WinRAR.exe	95
PID 4524 wrote to memory of 4392	4524	WinRAR.exe	95

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\System\WinRAR.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2240
- C:\Users\Admin\AppData\Roaming\System\WinRAR.exe
  "C:\Users\Admin\AppData\Roaming\System\WinRAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4392

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=16F7EDD6082A69DF04D5F954090D68E2; domain=.bing.com; expires=Wed, 11-Jun-2025 11:44:08 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D815E93C58464762825217F5D35E5590 Ref B: LON04EDGE0607 Ref C: 2024-05-17T11:44:08Z
date: Fri, 17 May 2024 11:44:08 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=16F7EDD6082A69DF04D5F954090D68E2; _EDGE_S=SID=1E3158F1DB5468F503724C73DA38697D

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=6hp9s3oZLnrPC13WId_58DD8W6jt4fThhPAWnyIt97s; domain=.bing.com; expires=Wed, 11-Jun-2025 11:44:09 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 23396A7E580F488FB2D2F451D701C3DA Ref B: LON04EDGE0607 Ref C: 2024-05-17T11:44:09Z
date: Fri, 17 May 2024 11:44:08 GMT
GET

https://www.bing.com/aes/c.gif?RG=26c7f7c5668d42a9b9895de93725d3be&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134247Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

Remote address:

23.62.61.99:443

Request

GET /aes/c.gif?RG=26c7f7c5668d42a9b9895de93725d3be&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134247Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=16F7EDD6082A69DF04D5F954090D68E2

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 038A708815B840FBB9350EEC04D57B5F Ref B: BRU30EDGE0509 Ref C: 2024-05-17T11:44:08Z
content-length: 0
date: Fri, 17 May 2024 11:44:09 GMT
set-cookie: _EDGE_S=SID=1E3158F1DB5468F503724C73DA38697D; path=/; httponly; domain=bing.com
set-cookie: MUIDB=16F7EDD6082A69DF04D5F954090D68E2; path=/; httponly; expires=Wed, 11-Jun-2025 11:44:09 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5f3d3e17.1715946248.1d97f4de
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

99.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.61.62.23.in-addr.arpa

IN PTR

Response

99.61.62.23.in-addr.arpa

IN PTR

a23-62-61-99deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.99:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=16F7EDD6082A69DF04D5F954090D68E2; _EDGE_S=SID=1E3158F1DB5468F503724C73DA38697D; MSPTC=6hp9s3oZLnrPC13WId_58DD8W6jt4fThhPAWnyIt97s; MUIDB=16F7EDD6082A69DF04D5F954090D68E2
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 17 May 2024 11:44:10 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5f3d3e17.1715946250.1d97f9ec
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

WinRAR.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

104.20.3.235
GET

https://pastebin.com/raw/Qik1mEQY

WinRAR.exe

Remote address:

172.67.19.24:443

Request

GET /raw/Qik1mEQY HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 11:44:19 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1
Last-Modified: Fri, 17 May 2024 11:44:18 GMT
Server: cloudflare
CF-RAY: 88535ad85f8a3862-LHR
GET

https://pastebin.com/raw/Qik1mEQY

WinRAR.exe

Remote address:

172.67.19.24:443

Request

GET /raw/Qik1mEQY HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 11:44:42 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 24
Last-Modified: Fri, 17 May 2024 11:44:18 GMT
Server: cloudflare
CF-RAY: 88535b6a8f663862-LHR
GET

https://pastebin.com/raw/Qik1mEQY

WinRAR.exe

Remote address:

172.67.19.24:443

Request

GET /raw/Qik1mEQY HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 11:45:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 47
Last-Modified: Fri, 17 May 2024 11:44:18 GMT
Server: cloudflare
CF-RAY: 88535bfbefef3862-LHR
GET

https://pastebin.com/raw/Qik1mEQY

WinRAR.exe

Remote address:

172.67.19.24:443

Request

GET /raw/Qik1mEQY HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 11:45:28 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 70
Last-Modified: Fri, 17 May 2024 11:44:18 GMT
Server: cloudflare
CF-RAY: 88535c87da5b3862-LHR
GET

https://pastebin.com/raw/Qik1mEQY

WinRAR.exe

Remote address:

172.67.19.24:443

Request

GET /raw/Qik1mEQY HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 11:45:53 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 95
Last-Modified: Fri, 17 May 2024 11:44:18 GMT
Server: cloudflare
CF-RAY: 88535d26cdea3862-LHR
GET

https://pastebin.com/raw/Qik1mEQY

WinRAR.exe

Remote address:

172.67.19.24:443

Request

GET /raw/Qik1mEQY HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 11:46:18 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 120
Last-Modified: Fri, 17 May 2024 11:44:18 GMT
Server: cloudflare
CF-RAY: 88535dc3be943862-LHR
DNS

24.19.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.19.67.172.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.24.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.24.18.2.in-addr.arpa

IN PTR

Response

18.24.18.2.in-addr.arpa

IN PTR

a2-18-24-18deploystaticakamaitechnologiescom
DNS

82.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.90.14.23.in-addr.arpa

IN PTR

Response

82.90.14.23.in-addr.arpa

IN PTR

a23-14-90-82deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AC75D1B037654B77A327903E5FD719EF Ref B: LON04EDGE1011 Ref C: 2024-05-17T11:45:43Z
date: Fri, 17 May 2024 11:45:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 849A2E38ABF746B58E1B07B54E592DEB Ref B: LON04EDGE1011 Ref C: 2024-05-17T11:45:43Z
date: Fri, 17 May 2024 11:45:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10112AE092494EECBC1C3628F38320D5 Ref B: LON04EDGE1011 Ref C: 2024-05-17T11:45:43Z
date: Fri, 17 May 2024 11:45:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C6E30F51F7184AD2B3642FB27074E6D8 Ref B: LON04EDGE1011 Ref C: 2024-05-17T11:45:43Z
date: Fri, 17 May 2024 11:45:42 GMT

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De889Zw5PpVEr61oh9i0X5oLDVUCUw38u3-M3IqSdVOb8tfVBq9o72kRunXDmDVaLUgT402yefQmw8joQUTq-osKfo449io097972SW1h_a2FTRBgmM3T0gokUDAIjwulyMYx-CmxmfAUYJxK1gH2oEpxcExFGHh-tBUiNfdlBAR2QndJRo%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9d514c957e3910cb31e22abed1017a69&TIME=20240426T134247Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204
23.62.61.99:443

https://www.bing.com/aes/c.gif?RG=26c7f7c5668d42a9b9895de93725d3be&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134247Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=26c7f7c5668d42a9b9895de93725d3be&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134247Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

HTTP Response

200
23.62.61.99:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
172.67.19.24:443

https://pastebin.com/raw/Qik1mEQY

tls, http

WinRAR.exe

1.6kB
8.6kB
18
19

HTTP Request

GET https://pastebin.com/raw/Qik1mEQY

HTTP Response

200

HTTP Request

GET https://pastebin.com/raw/Qik1mEQY

HTTP Response

200

HTTP Request

GET https://pastebin.com/raw/Qik1mEQY

HTTP Response

200

HTTP Request

GET https://pastebin.com/raw/Qik1mEQY

HTTP Response

200

HTTP Request

GET https://pastebin.com/raw/Qik1mEQY

HTTP Response

200

HTTP Request

GET https://pastebin.com/raw/Qik1mEQY

HTTP Response

200
192.168.254.187:53

WinRAR.exe

260 B
5
192.168.254.187:53

WinRAR.exe

260 B
5
192.168.254.187:53

WinRAR.exe

260 B
5
192.168.254.187:53

WinRAR.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

77.1kB
2.1MB
1542
1537

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
192.168.254.187:53

WinRAR.exe

260 B
5
192.168.254.187:53

WinRAR.exe

260 B
5

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

99.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

99.61.62.23.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

WinRAR.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.19.24

104.20.4.235

104.20.3.235
8.8.8.8:53

24.19.67.172.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

24.19.67.172.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

18.24.18.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

18.24.18.2.in-addr.arpa
8.8.8.8:53

82.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

82.90.14.23.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinRAR.exe.log

Filesize
709B

MD5
8a1197be130e48aa5aeeafd43eb6bb9f

SHA1
cb790c7c216e41524348eaa0e5b74926e78dbfc6

SHA256
547474087ec8f71dfd32b76f9b74c86f9844addf5082df37562a2c2c0cae4bfb

SHA512
4ad9d8dbbc253c8d7b1c2b4ec5f115c770f02bdbbc21ca0b422e251a3a98331e169c5062cabf7da81d5ae0d295b3778ef105ef82709df1a4ace71be288b8f166

Download Submit
C:\Users\Admin\AppData\Roaming\System\WinRAR.exe

Filesize
28KB

MD5
1bb96e140f557472fc121bd147c7fef2

SHA1
f1dca9840d4619ed536c733e618f301748041f82

SHA256
47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6

SHA512
8611b8a6a4eae862d412de1e13047b36cd9854bad75b1e8224a820f91630977908c9e560326da8a538dab097cf51b9407ed17a6050535df6ce98e8bd68b4a48d

Download Submit
memory/4392-17-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4392-18-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4392-19-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4524-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/4524-1-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/4524-2-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4524-3-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/4524-4-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4524-5-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4524-16-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download