mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 18:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Size

912KB
MD5

5f4de66cb9b1568753b8a44fad14b23e
SHA1

e2c294ab014a574e4b8ea8d65f2ae46af5f3713e
SHA256

5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a
SHA512

acd31c122a20e8a77ab2f170f783679a2924d1dc958b32f384474590a0ea90c525976ce1c7ccd5be82098d2cee90bbfc9293ebae89a86fe3919ee929cd2265e0
SSDEEP

12288:hMrMy9025kLy2eMdZp7L5QvRc/3aVqtmikIDH3qh5LAYUKEnIqHF+x7SB/h5vs6:FyT5tAf5Qk3CqtwUa/LAHn1HF+1SB1

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral6/memory/4544-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/4544-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/4544-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x000700000002346b-33.dat	family_redline
behavioral6/memory/1756-35-0x0000000000CE0000-0x0000000000D10000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4868	x9609062.exe
4248	x3537467.exe
4940	x4553268.exe
4596	g7015082.exe
1756	h2779192.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3537467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4553268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9609062.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 4544	4596	g7015082.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4252	4596	WerFault.exe	87

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 4868	2168	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe	83
PID 2168 wrote to memory of 4868	2168	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe	83
PID 2168 wrote to memory of 4868	2168	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe	83
PID 4868 wrote to memory of 4248	4868	x9609062.exe	84
PID 4868 wrote to memory of 4248	4868	x9609062.exe	84
PID 4868 wrote to memory of 4248	4868	x9609062.exe	84
PID 4248 wrote to memory of 4940	4248	x3537467.exe	85
PID 4248 wrote to memory of 4940	4248	x3537467.exe	85
PID 4248 wrote to memory of 4940	4248	x3537467.exe	85
PID 4940 wrote to memory of 4596	4940	x4553268.exe	87
PID 4940 wrote to memory of 4596	4940	x4553268.exe	87
PID 4940 wrote to memory of 4596	4940	x4553268.exe	87
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4596 wrote to memory of 4544	4596	g7015082.exe	91
PID 4940 wrote to memory of 1756	4940	x4553268.exe	95
PID 4940 wrote to memory of 1756	4940	x4553268.exe	95
PID 4940 wrote to memory of 1756	4940	x4553268.exe	95

C:\Users\Admin\AppData\Local\Temp\5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
"C:\Users\Admin\AppData\Local\Temp\5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9609062.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9609062.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3537467.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3537467.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4553268.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4553268.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7015082.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7015082.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 212
        6⤵
        Program crash
        
        PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe
        5⤵
        Executes dropped EXE
        
        PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4596 -ip 4596
1⤵
PID:3980

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3A95C0F3CC006FDD38BFD474CDE06E9E; domain=.bing.com; expires=Mon, 16-Jun-2025 18:47:34 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E34F0DD671EC4D0F9E9BFDF0B9C5A125 Ref B: LON04EDGE1211 Ref C: 2024-05-22T18:47:34Z
date: Wed, 22 May 2024 18:47:34 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A95C0F3CC006FDD38BFD474CDE06E9E; _EDGE_S=SID=377F2693FC9668752D183214FDEF6900

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=9xfodPnkBRueF8SHTYejY_06JGN7ObWr_cIGCzxp0D4; domain=.bing.com; expires=Mon, 16-Jun-2025 18:47:35 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A127CE5D373A46F2AE7EB2FD1FAACB8A Ref B: LON04EDGE1211 Ref C: 2024-05-22T18:47:35Z
date: Wed, 22 May 2024 18:47:34 GMT
GET

https://www.bing.com/aes/c.gif?RG=e482f0a2da9a44ba9e3dc4f86d4637f5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112443Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

Remote address:

23.62.61.194:443

Request

GET /aes/c.gif?RG=e482f0a2da9a44ba9e3dc4f86d4637f5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112443Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A95C0F3CC006FDD38BFD474CDE06E9E

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9D17DEBAADF34AE7B0D3FA94987BC130 Ref B: LON212050706025 Ref C: 2024-05-22T18:47:35Z
content-length: 0
date: Wed, 22 May 2024 18:47:35 GMT
set-cookie: _EDGE_S=SID=377F2693FC9668752D183214FDEF6900; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3A95C0F3CC006FDD38BFD474CDE06E9E; path=/; httponly; expires=Mon, 16-Jun-2025 18:47:35 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1716403655.12b864d4
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.194:443

Request

GET /th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=3A95C0F3CC006FDD38BFD474CDE06E9E; _EDGE_S=SID=377F2693FC9668752D183214FDEF6900; MSPTC=9xfodPnkBRueF8SHTYejY_06JGN7ObWr_cIGCzxp0D4; MUIDB=3A95C0F3CC006FDD38BFD474CDE06E9E
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1548
date: Wed, 22 May 2024 18:47:37 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1716403657.12b86cf8
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D5142288797E48DCA5B96A4EF1ABF59C Ref B: LON04EDGE1106 Ref C: 2024-05-22T18:49:14Z
date: Wed, 22 May 2024 18:49:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0B2F4C61DD4E436B871FF1DF01EEB651 Ref B: LON04EDGE1106 Ref C: 2024-05-22T18:49:14Z
date: Wed, 22 May 2024 18:49:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F6F3324A0A0647DCAEB31A067296A830 Ref B: LON04EDGE1106 Ref C: 2024-05-22T18:49:14Z
date: Wed, 22 May 2024 18:49:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B3C2DCBBD6D74162B1BF9928793D49C6 Ref B: LON04EDGE1106 Ref C: 2024-05-22T18:49:14Z
date: Wed, 22 May 2024 18:49:14 GMT

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

tls, http2

2.5kB
9.1kB
20
18

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82N4vcxBpUXCmSbb4kqdaPjVUCUxIhm6jo4bfkr23gytiKxXXKer_Rm5iwzRMfiFD-twptE4-8A2cDLO4sgf3qBM-Jeo68L1Hkc-zuwU43HZI_IBNbh3cnJEUDnyyAcN-yn3WPkfq3vDlObnGJ0RTzcIGfhl77Qy3J3GyVk63AEiXBm_D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D93114cfc7f1d17c337432ac71fc17867&TIME=20240508T112443Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204
77.91.124.55:19071

h2779192.exe

260 B
160 B
5
4
23.62.61.194:443

https://www.bing.com/aes/c.gif?RG=e482f0a2da9a44ba9e3dc4f86d4637f5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112443Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=e482f0a2da9a44ba9e3dc4f86d4637f5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112443Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

HTTP Response

200
23.62.61.194:443

https://www.bing.com/th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
6.8kB
18
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
160 B
5
4
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

96.8kB
2.8MB
2043
2038

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
200 B
5
5
77.91.124.55:19071

h2779192.exe

260 B
160 B
5
4

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9609062.exe

Filesize
810KB

MD5
66f7f8baa8e1ae254d925d449c8e3c53

SHA1
ed6c763314fb4123d472e6b5528056505761e79c

SHA256
dda98b7031f2c6d93883b6412395567def11c58eb7ec49a23783187c8f88b0d2

SHA512
4108b3774a162430c09e1bd71bfce56e71854b1871d7eb3061a948ae5ed3b8511f530af9b28bbdf24054a5881b862b4e623a0d04c81a1de709ff1571658de14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3537467.exe

Filesize
547KB

MD5
2a9a0f177a18efc4637d0fd3899e0a27

SHA1
112d8b5d3e840eb9be5043cbf9a371560403dc76

SHA256
4c1096497fe933093803640bfebddbce9349f21741e627f51650ab6fafdb4c59

SHA512
f362fd8c1104f25a6b7e6277c981335ce021de18f125b3051ed5e2d08a2a1cc541ccfcfda5465c3c9ae08555fac3b1af19154c9c4eb52eca00251e31bc7aa30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4553268.exe

Filesize
381KB

MD5
faa93c16778a1368d978b6102a4e3da8

SHA1
25bd3a9bbd31743cf5fbb5c0fd00251af74cb326

SHA256
6bd4b1c650e8a3770f508e4aa6e8468e6d1d6f2872fd51974f2d7b857a5ffe50

SHA512
d9c2637e28c5e0cc051d98b6ab364ecdd109e3cc870520554eee6a67229bb0c5e9ad5908741f4b9d1add5f31a02ff6268fe99817bd55e7b1ecfee35d687c66a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7015082.exe

Filesize
346KB

MD5
07fde6b1142b5ed94e1eee5acec4f438

SHA1
1557ed8a1f8e8ca8a53cbad2adb5b087c84ab581

SHA256
e74cee163ea262850a9925f6ff1ee63415d0c26ee75b45f9395aa8c36c938b5d

SHA512
0e91c2a62062e9d1f5ce2fad436956f39b117d7789da91fbc586539162f87842017157036cb1eab9910fbf5a014c146a1062bb8e880b90a7cd0c2ed25e409a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe

Filesize
174KB

MD5
bc9f0aa9d56d5695f7a12e8b50ec383f

SHA1
a4b1a4586098e52860a88bd72d4096cea5f4e0a6

SHA256
7dba4fdbffbfec09028375424ac35e581d60c8f9d1c9c7c7a17815c0d500f23e

SHA512
e863353a5ef207448ede278331775d86813593e334ca38d46d1f3cdfac74a0493889b409b1bc8eccbd31be05f2a3d11b53194283a40a979b6eb57642594102f7

Download Submit
memory/1756-36-0x00000000031B0000-0x00000000031B6000-memory.dmp

Filesize
24KB

Download
memory/1756-35-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/1756-37-0x0000000005DA0000-0x00000000063B8000-memory.dmp

Filesize
6.1MB

Download
memory/1756-38-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/1756-39-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/1756-40-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/1756-41-0x00000000059A0000-0x00000000059EC000-memory.dmp

Filesize
304KB

Download
memory/4544-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4544-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4544-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.