mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 19:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
Size

759KB
MD5

aa1f1a243e1c643d3628a1d03fe3dfe5
SHA1

9a7e886e9cf0a312e98a6ec70f2d2a67eb9ac486
SHA256

781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754
SHA512

eb319b6eeefc62ca9da42ac8a8b935988dd8f850fc0c02000dc08c4e56e8b9cd27dbdea3eef713a2c45a381c57add3fca4dd3d79663b888b4462c76929cc1337
SSDEEP

12288:zMrxy90kdsZQT9R4xmy3mv88YzniUK2WsJ/wt17qS20y353p6ua4En6oxOcKmRgt:iytT9o7Wtu9WsJ30yJ3lXmJxq5

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral9/memory/2736-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral9/memory/2736-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral9/memory/2736-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral9/memory/2736-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral9/files/0x000700000002343e-20.dat	family_redline
behavioral9/memory/1260-22-0x0000000000E40000-0x0000000000E7E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3612	Ok5Lc0Vf.exe
1656	1sr67Cy1.exe
1260	2RB567CG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ok5Lc0Vf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 2736	1656	1sr67Cy1.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	2736	WerFault.exe	89

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3612	4852	781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe	84
PID 4852 wrote to memory of 3612	4852	781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe	84
PID 4852 wrote to memory of 3612	4852	781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe	84
PID 3612 wrote to memory of 1656	3612	Ok5Lc0Vf.exe	85
PID 3612 wrote to memory of 1656	3612	Ok5Lc0Vf.exe	85
PID 3612 wrote to memory of 1656	3612	Ok5Lc0Vf.exe	85
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 1656 wrote to memory of 2736	1656	1sr67Cy1.exe	89
PID 3612 wrote to memory of 1260	3612	Ok5Lc0Vf.exe	91
PID 3612 wrote to memory of 1260	3612	Ok5Lc0Vf.exe	91
PID 3612 wrote to memory of 1260	3612	Ok5Lc0Vf.exe	91

C:\Users\Admin\AppData\Local\Temp\781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
"C:\Users\Admin\AppData\Local\Temp\781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ok5Lc0Vf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ok5Lc0Vf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sr67Cy1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sr67Cy1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 540
        5⤵
        Program crash
        
        PID:1864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2RB567CG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2RB567CG.exe
    3⤵
    - Executes dropped EXE
    PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2736 -ip 2736
1⤵
PID:4484

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=219EA325F56667E72D62B7A2F4DD6677; domain=.bing.com; expires=Mon, 16-Jun-2025 19:13:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 97A149442EF84E56AA3FA0EE2FD2B656 Ref B: LON04EDGE0919 Ref C: 2024-05-22T19:13:15Z
date: Wed, 22 May 2024 19:13:14 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=219EA325F56667E72D62B7A2F4DD6677; _EDGE_S=SID=193F73AFF6546577011C6728F7FE6455

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=xerU2ZyVY_4eeI-zTZuAqDBV2HpLJJREL46VdrTS6D8; domain=.bing.com; expires=Mon, 16-Jun-2025 19:13:15 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 37C458224F0146229AA86FFBE757B61F Ref B: LON04EDGE0919 Ref C: 2024-05-22T19:13:15Z
date: Wed, 22 May 2024 19:13:15 GMT
GET

https://www.bing.com/aes/c.gif?RG=6fbefcfb34264851b055c05bd7fade32&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132727Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

Remote address:

23.62.61.129:443

Request

GET /aes/c.gif?RG=6fbefcfb34264851b055c05bd7fade32&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132727Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=219EA325F56667E72D62B7A2F4DD6677

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 59FD024E12164D5189FBFD8E28A538BE Ref B: DUS30EDGE0813 Ref C: 2024-05-22T19:13:15Z
content-length: 0
date: Wed, 22 May 2024 19:13:15 GMT
set-cookie: _EDGE_S=SID=193F73AFF6546577011C6728F7FE6455; path=/; httponly; domain=bing.com
set-cookie: MUIDB=219EA325F56667E72D62B7A2F4DD6677; path=/; httponly; expires=Mon, 16-Jun-2025 19:13:15 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1716405195.1a48dac2
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

129.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.61.62.23.in-addr.arpa

IN PTR

Response

129.61.62.23.in-addr.arpa

IN PTR

a23-62-61-129deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.129:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=219EA325F56667E72D62B7A2F4DD6677; _EDGE_S=SID=193F73AFF6546577011C6728F7FE6455; MSPTC=xerU2ZyVY_4eeI-zTZuAqDBV2HpLJJREL46VdrTS6D8; MUIDB=219EA325F56667E72D62B7A2F4DD6677
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 22 May 2024 19:13:16 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1716405196.1a48df51
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

200.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.17.2.in-addr.arpa

IN PTR

Response

200.197.17.2.in-addr.arpa

IN PTR

a2-17-197-200deploystaticakamaitechnologiescom
DNS

217.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.197.17.2.in-addr.arpa

IN PTR

Response

217.197.17.2.in-addr.arpa

IN PTR

a2-17-197-217deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 329579
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CE75E36E12C04277AC73B771C43435E1 Ref B: LON04EDGE1021 Ref C: 2024-05-22T19:14:48Z
date: Wed, 22 May 2024 19:14:48 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 381531
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 64B71F40BF8746E78C4C49130FEFF4C7 Ref B: LON04EDGE1021 Ref C: 2024-05-22T19:14:48Z
date: Wed, 22 May 2024 19:14:48 GMT
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

89.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.16.208.104.in-addr.arpa

IN PTR
DNS

89.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.16.208.104.in-addr.arpa

IN PTR

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QAVeeeg8Kw6iAaZXC4MqmDVUCUzP5-TVNk_9Lh8ZWpbfY2PLgXXGZ_j9NqS2T9Dw3CS-AbQ_pFEvnLTvEdfse2clrjh3pUsVOPKvmNg2gNSfA-pjAgXtQH5XyMWZUmWw3OZv24TLjEKaC-LZD6K4LAun3pZuqIlGw4Gxi40R9SZ3WLL5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc3a7ad920d371547778dcbb9a697401f&TIME=20240426T132727Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

HTTP Response

204
23.62.61.129:443

https://www.bing.com/aes/c.gif?RG=6fbefcfb34264851b055c05bd7fade32&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132727Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

tls, http2

1.5kB
5.4kB
17
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=6fbefcfb34264851b055c05bd7fade32&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132727Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

HTTP Response

200
77.91.124.86:19084

2RB567CG.exe

260 B
5
23.62.61.129:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
17
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
77.91.124.86:19084

2RB567CG.exe

260 B
5
77.91.124.86:19084

2RB567CG.exe

260 B
5
77.91.124.86:19084

2RB567CG.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

27.7kB
743.9kB
552
549

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
77.91.124.86:19084

2RB567CG.exe

260 B
5
77.91.124.86:19084

2RB567CG.exe

260 B
5

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

129.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

129.61.62.23.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

200.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

200.197.17.2.in-addr.arpa
8.8.8.8:53

217.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

217.197.17.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

89.16.208.104.in-addr.arpa

dns

144 B
2

DNS Request

89.16.208.104.in-addr.arpa

DNS Request

89.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ok5Lc0Vf.exe

Filesize
563KB

MD5
138c33958320e3e3a0f6d4d48eabcd47

SHA1
159ead1f9c8b9614c303d8949e0110ac4deaa307

SHA256
4a09067f906ac2830ba540f4a4d674b6dc0740aa443514c0c9b4387976626272

SHA512
fc9f213afea7cd839ab684cba872b30bbb1ee360d4a388876897fddcc6c3c5043ed8f222bce37bbac6dec24b9d0573947016c9d557dbd053357656f2389b735d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sr67Cy1.exe

Filesize
1.1MB

MD5
ab206af415ba79326b5e785a1712fb9a

SHA1
e99bf49b1ea7e4bbb48fb404782b2934ca36717a

SHA256
cf50c17b31a2dc71085471d09dd2bbbb4123507a00f4515d9095c25391088839

SHA512
20e0f019ae11d2e96590f89a9b947995032b510d40b647c8162ebbf6a563f381fa42a8fe70fe01c473bae8abcd4b80c60c7a5d116e52bee98cfa8a786de83b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2RB567CG.exe

Filesize
221KB

MD5
3ef4b51b9e3ae103caa495e11923ad05

SHA1
bd868fd3bc00b77e6fc0a884b13152692ffb93e5

SHA256
78cd14290f7c3802dafe46bc63dd3de21340f691a6ab760fe337ac6c316bdc0a

SHA512
09aad3c71276f54f4c2401aeb66ad6960f5a68de4a38d8c815d08dbd410ee475ec14f1e5ea7b4679ca73b0b42e83ccc7ff840738fb7418ed0c2133822f161d77

Download Submit
memory/1260-27-0x0000000008160000-0x000000000826A000-memory.dmp

Filesize
1.0MB

Download
memory/1260-22-0x0000000000E40000-0x0000000000E7E000-memory.dmp

Filesize
248KB

Download
memory/1260-23-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/1260-24-0x0000000007D70000-0x0000000007E02000-memory.dmp

Filesize
584KB

Download
memory/1260-25-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/1260-26-0x0000000008E50000-0x0000000009468000-memory.dmp

Filesize
6.1MB

Download
memory/1260-28-0x0000000007E30000-0x0000000007E42000-memory.dmp

Filesize
72KB

Download
memory/1260-29-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

Filesize
240KB

Download
memory/1260-30-0x0000000007E60000-0x0000000007EAC000-memory.dmp

Filesize
304KB

Download
memory/2736-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.