mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 11:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Size

1.2MB
MD5

8baab3511bf3a99728edaba28284cd3c
SHA1

b935a0b20f20e0f296f67fec1e2aa1c57d9eda09
SHA256

3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a
SHA512

0ac0e6eedb7d6db2f1c383f74d8fcb32829ab7446025670905caf2ceb95bd089fc21e95aa8f00b37c29815c0fc49fbbcad3b9774633d1cffc9dc7ccf57b20b8d
SSDEEP

24576:3y9ILra17CLHayHuMfvmkZOgEopve3fN2o78WXgzCkB6:C9ky7CLRHuMfvmKHpvkV2lkIZB

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/2948-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2948-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2948-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023498-40.dat	family_redline
behavioral7/memory/4736-42-0x0000000000C40000-0x0000000000C7E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4152	yu5Zx2kB.exe
2316	By5WQ8iX.exe
692	TG4Bs8cm.exe
3924	ud9mP7ZB.exe
4116	1TN49Uv4.exe
4736	2tI389xr.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yu5Zx2kB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	By5WQ8iX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	TG4Bs8cm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ud9mP7ZB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 2948	4116	1TN49Uv4.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3156	4116	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4152	1836	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe	83
PID 1836 wrote to memory of 4152	1836	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe	83
PID 1836 wrote to memory of 4152	1836	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe	83
PID 4152 wrote to memory of 2316	4152	yu5Zx2kB.exe	84
PID 4152 wrote to memory of 2316	4152	yu5Zx2kB.exe	84
PID 4152 wrote to memory of 2316	4152	yu5Zx2kB.exe	84
PID 2316 wrote to memory of 692	2316	By5WQ8iX.exe	86
PID 2316 wrote to memory of 692	2316	By5WQ8iX.exe	86
PID 2316 wrote to memory of 692	2316	By5WQ8iX.exe	86
PID 692 wrote to memory of 3924	692	TG4Bs8cm.exe	88
PID 692 wrote to memory of 3924	692	TG4Bs8cm.exe	88
PID 692 wrote to memory of 3924	692	TG4Bs8cm.exe	88
PID 3924 wrote to memory of 4116	3924	ud9mP7ZB.exe	89
PID 3924 wrote to memory of 4116	3924	ud9mP7ZB.exe	89
PID 3924 wrote to memory of 4116	3924	ud9mP7ZB.exe	89
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	91
PID 3924 wrote to memory of 4736	3924	ud9mP7ZB.exe	96
PID 3924 wrote to memory of 4736	3924	ud9mP7ZB.exe	96
PID 3924 wrote to memory of 4736	3924	ud9mP7ZB.exe	96

C:\Users\Admin\AppData\Local\Temp\3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
"C:\Users\Admin\AppData\Local\Temp\3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 592
        7⤵
        Program crash
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe
        6⤵
        Executes dropped EXE
        
        PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4116 -ip 4116
1⤵
PID:4476

Network

DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

144.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

144.107.17.2.in-addr.arpa

IN PTR

Response

144.107.17.2.in-addr.arpa

IN PTR

a2-17-107-144deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=28D2D5940C226C3E2E68C11C0D056DFE; domain=.bing.com; expires=Tue, 17-Jun-2025 11:07:50 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F176F67F513B4A789BE2DEA624409C72 Ref B: LON04EDGE0722 Ref C: 2024-05-23T11:07:50Z
date: Thu, 23 May 2024 11:07:50 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=28D2D5940C226C3E2E68C11C0D056DFE; _EDGE_S=SID=0BF95F6EB3CB6E801D144BE6B2B26FD7

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=sUl0O3l7hMObcqbyq_8y5FoDAEaD40twTnX8q6NYfHM; domain=.bing.com; expires=Tue, 17-Jun-2025 11:07:51 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A95E3ECEC9274EDCB44B89978E86D4DC Ref B: LON04EDGE0722 Ref C: 2024-05-23T11:07:51Z
date: Thu, 23 May 2024 11:07:50 GMT
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=38ccf3c3534247f1bc41d63a16b4717e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134647Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

Remote address:

23.62.61.75:443

Request

GET /aes/c.gif?RG=38ccf3c3534247f1bc41d63a16b4717e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134647Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=28D2D5940C226C3E2E68C11C0D056DFE

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 99F848EFF1AA47AD9FB668038888D618 Ref B: LON212050706039 Ref C: 2024-05-23T11:07:51Z
content-length: 0
date: Thu, 23 May 2024 11:07:51 GMT
set-cookie: _EDGE_S=SID=0BF95F6EB3CB6E801D144BE6B2B26FD7; path=/; httponly; domain=bing.com
set-cookie: MUIDB=28D2D5940C226C3E2E68C11C0D056DFE; path=/; httponly; expires=Tue, 17-Jun-2025 11:07:51 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.473d3e17.1716462471.d036f52
DNS

75.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.61.62.23.in-addr.arpa

IN PTR

Response

75.61.62.23.in-addr.arpa

IN PTR

a23-62-61-75deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.75:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=28D2D5940C226C3E2E68C11C0D056DFE; _EDGE_S=SID=0BF95F6EB3CB6E801D144BE6B2B26FD7; MSPTC=sUl0O3l7hMObcqbyq_8y5FoDAEaD40twTnX8q6NYfHM; MUIDB=28D2D5940C226C3E2E68C11C0D056DFE
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 23 May 2024 11:07:52 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.473d3e17.1716462472.d0374e8
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A9122D2336D24351A0C5CC6223596B36 Ref B: LON04EDGE1006 Ref C: 2024-05-23T11:09:31Z
date: Thu, 23 May 2024 11:09:30 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10EAADC4380E4430B1E8B012582F079A Ref B: LON04EDGE1006 Ref C: 2024-05-23T11:09:31Z
date: Thu, 23 May 2024 11:09:30 GMT

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De80ydgclGCA02PaeRDLid-xDVUCUyZO_GkXx3JUma5QKTDzpGGaEpuJMn7jYk-aMoqP9jEZZIMpOU94w297qd5EOBpXhLz6Vk_SvqZt3FZZSYEpXVBxwuQjUi6mY_0YZ57sK5PUSkyBWrHs3rTX_xINCQWHzS2bRU0yPdIYgTvSiwYCcwI%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D8be18068810d1e9e1426e64331032712&TIME=20240426T134647Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

HTTP Response

204
23.62.61.75:443

https://www.bing.com/aes/c.gif?RG=38ccf3c3534247f1bc41d63a16b4717e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134647Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=38ccf3c3534247f1bc41d63a16b4717e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134647Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

HTTP Response

200
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
23.62.61.75:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

46.3kB
1.2MB
910
906

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5
77.91.124.55:19071

2tI389xr.exe

260 B
200 B
5
5

8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

144.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

144.107.17.2.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

75.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.61.62.23.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe

Filesize
1.0MB

MD5
14912fe90c87f625293b7950c3737cf5

SHA1
8ee5a913e589fb2aeea1e66abe20353e229dabeb

SHA256
a01cf01c4a51f51d0aac0db4abd75da7c86dc3fe4eb4ced30e5a700f790b8c7f

SHA512
ff9d03a43f100b2d9729b1f13ef491cbd2a3fc22bf7771e47f05f1af30704ce5b84b01361b03daf79a6d5eac601c4a32247338057179b5f48464d8fb5e36cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe

Filesize
878KB

MD5
b96d024dcec48f44b0e634a0d00b0223

SHA1
49c0257d1656bba562b78ec9ceef0a852bf0f9e2

SHA256
0db5661ebf50793bdeff7536da4cb9ffb340dd640bed042a0261bc85ed758014

SHA512
1ef86c93b05e3bf163272baefd31c44be913fbb0ae5c70469c7e70adfc697f11a0097ba1d6d6e5101087d99adc17a9d997db32c50dcd91f263944ee097042359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe

Filesize
585KB

MD5
595ba700772de93abca49bc60f72fd93

SHA1
0f3d73f972a990e96a2b7980ef39c64408c92cdb

SHA256
6c6f96047ea0811502e9b66c7c24fe647bf990fb1f36bac4c6eb7284d01130fb

SHA512
f21135fe826a515f9edae818359b96e7c90f30544822c792ade243b712420e787d419b2064a0c38afffadf30254e39fdddc4d196b77a1de04ca9d7aaa7678d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe

Filesize
412KB

MD5
8cccf9dfbf727e134a0283c6db3108f1

SHA1
c7cfe5d37931b15213e6ed2e068d4c3d9ec35968

SHA256
235557ff9d81e1539021021a81ef33e5a19b68c4983212d98dbca367474a7025

SHA512
950b007c08420cc515dd021d6521ac7b94d29ae8b70fbcdefd1d1b6183862e141489d3a623ed40657d9d3244db4d853e159b24b12ff512a2c6968b88001e9b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe

Filesize
378KB

MD5
489492c387af0075b9d1a9bcdaae552c

SHA1
020850bcae1226a62dec53d9cd6111f5d47488ca

SHA256
c120782a83cd92cf61f248892c6243486b19e5193196aeac3fdb46c3aef027eb

SHA512
df327f7c12f5ce6ff2d3387cc4778fdceeedf7a073e2b4167fae37b87881b9bbef4a01b38ae8464e4f1a002bc55460986ce94c544b3e61c828fc90bb56281371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe

Filesize
221KB

MD5
2aef8be54c8cb6e31931f4551c5a6b51

SHA1
ff7a407c5c036a306f04819777055d0a29e1da5d

SHA256
af529dbb38a191ff597cf3c0382f8641d8961a7efe18db5abd347a5b74186ad9

SHA512
c6f8013403d4638daa5b847c17820ea1bf0533bc8291e1fb0b5b2494af626965044c28631f9a553da15b95ab0717922ffd4f1b35dd45fdb8e441dcdbe1a83413

Download Submit
memory/2948-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2948-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2948-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4736-42-0x0000000000C40000-0x0000000000C7E000-memory.dmp

Filesize
248KB

Download
memory/4736-43-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/4736-44-0x00000000079F0000-0x0000000007A82000-memory.dmp

Filesize
584KB

Download
memory/4736-45-0x0000000002FA0000-0x0000000002FAA000-memory.dmp

Filesize
40KB

Download
memory/4736-46-0x0000000008AD0000-0x00000000090E8000-memory.dmp

Filesize
6.1MB

Download
memory/4736-47-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

Filesize
1.0MB

Download
memory/4736-48-0x0000000007C00000-0x0000000007C12000-memory.dmp

Filesize
72KB

Download
memory/4736-49-0x0000000007C60000-0x0000000007C9C000-memory.dmp

Filesize
240KB

Download
memory/4736-50-0x0000000007CA0000-0x0000000007CEC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.