502b5a17e5c62cbfb5052e2756235240877cfd7db0003b6764cc0cf785a962ec

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 22:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4644ff643e338dba4beaada055ad79a0N.exe
Size

2.6MB
MD5

4644ff643e338dba4beaada055ad79a0
SHA1

e9ce05dba27d1a730f6bfb77ca455e0910150d6f
SHA256

502b5a17e5c62cbfb5052e2756235240877cfd7db0003b6764cc0cf785a962ec
SHA512

8602b6c5ca2e84070da59ef12228ea5c6d5be3adca111d47f8502fd6a806895ce3e0676d3cf6d7ad8e593b831c9145d0a40692ed96fec197beda41fcd3eabe87
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpbb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	4644ff643e338dba4beaada055ad79a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3640	sysdevbod.exe
1860	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot5F\\xbodloc.exe"	4644ff643e338dba4beaada055ad79a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVJ\\dobasys.exe"	4644ff643e338dba4beaada055ad79a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4644ff643e338dba4beaada055ad79a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1256	4644ff643e338dba4beaada055ad79a0N.exe
1256	4644ff643e338dba4beaada055ad79a0N.exe
1256	4644ff643e338dba4beaada055ad79a0N.exe
1256	4644ff643e338dba4beaada055ad79a0N.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3640	1256	4644ff643e338dba4beaada055ad79a0N.exe	92
PID 1256 wrote to memory of 3640	1256	4644ff643e338dba4beaada055ad79a0N.exe	92
PID 1256 wrote to memory of 3640	1256	4644ff643e338dba4beaada055ad79a0N.exe	92
PID 1256 wrote to memory of 1860	1256	4644ff643e338dba4beaada055ad79a0N.exe	93
PID 1256 wrote to memory of 1860	1256	4644ff643e338dba4beaada055ad79a0N.exe	93
PID 1256 wrote to memory of 1860	1256	4644ff643e338dba4beaada055ad79a0N.exe	93

C:\Users\Admin\AppData\Local\Temp\4644ff643e338dba4beaada055ad79a0N.exe
"C:\Users\Admin\AppData\Local\Temp\4644ff643e338dba4beaada055ad79a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\UserDot5F\xbodloc.exe
  C:\UserDot5F\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1860

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388074_1MIWA2TTYRN56F380&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388074_1MIWA2TTYRN56F380&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 546931
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FB5887C995B143D78E2D0B30F018FE3F Ref B: LON04EDGE0819 Ref C: 2024-08-20T22:26:03Z
date: Tue, 20 Aug 2024 22:26:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 747785
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 05A6A32C10314A718612AFD1E9E3B224 Ref B: LON04EDGE0819 Ref C: 2024-08-20T22:26:03Z
date: Tue, 20 Aug 2024 22:26:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388075_1B72WX0XS183A8WRW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388075_1B72WX0XS183A8WRW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 573690
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7224CC2506844B2EB50138C22E06EB2D Ref B: LON04EDGE0819 Ref C: 2024-08-20T22:26:03Z
date: Tue, 20 Aug 2024 22:26:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 695371
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7BD96B323E9446D98E174187455CAF98 Ref B: LON04EDGE0819 Ref C: 2024-08-20T22:26:03Z
date: Tue, 20 Aug 2024 22:26:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418557_1YV8GA2L9NL51T4LE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418557_1YV8GA2L9NL51T4LE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 643441
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8019E6B257DF4EC7AF5C2E7B95356BEE Ref B: LON04EDGE0819 Ref C: 2024-08-20T22:26:03Z
date: Tue, 20 Aug 2024 22:26:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418558_1RIRIQOUBMYAABIAT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418558_1RIRIQOUBMYAABIAT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 650665
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1306B2533843454EA6EBD15A4C4FC909 Ref B: LON04EDGE0819 Ref C: 2024-08-20T22:26:03Z
date: Tue, 20 Aug 2024 22:26:03 GMT
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response

150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418558_1RIRIQOUBMYAABIAT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

139.8kB
4.0MB
2902
2897

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388074_1MIWA2TTYRN56F380&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388075_1B72WX0XS183A8WRW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418557_1YV8GA2L9NL51T4LE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418558_1RIRIQOUBMYAABIAT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot5F\xbodloc.exe

Filesize
1.4MB

MD5
fcf531548e80ea8e8014f8e97bc9b615

SHA1
ea918ea80e50c66bcf9f4dea7123e888cac328dc

SHA256
6396738af5a4df65c3660611acfb655848f812616e9fb7a5fa1033eaa3c21787

SHA512
58412b00858bc40098af4106ea4a057bcdbd32f53626c72d2005c9dcf9f87c2ae3f3927e9a6d31635ba799ec2718aa00b01553e9141bfdbc9c95bac55123d49e

Download Submit
C:\UserDot5F\xbodloc.exe

Filesize
2.6MB

MD5
818c5c9a4671cb2b704aad46a576f8f8

SHA1
f28fa4f3f64d64b38e1fa6e0f73a3617d9fc0e06

SHA256
82c0289fb7927391efc7f75292daa5076ca2740d58bff52b102caa256deb39a9

SHA512
e497564211d8f0b758ed61b53a752a862d571703baee27ced09bd3eb598e5fa57cdca5dc4e4911d005bbc0dc039fd6908eccf8d58938840404e9f1c1e98963bf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
6354407f635f4f73026392b49bb7cbf3

SHA1
44a819d421bb4560504a6df1427a54f5e60b570f

SHA256
2cef3e4fd33c51fbd00bc1dc915ff5701caf3ba6190f775e4788b26d6a17996c

SHA512
45911109e26e9e4144e06eea54b7d0c3b6a25def315ac5b2bfb0bf2cd18907799432f12d6505b13c3b40cb9de40344bdef440759d6a52c5bda929fe21ec2c17c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
0c42106bdf0d84e607ae936dd9c5ad19

SHA1
38221c6f77dbe1f36d6025f551f386b358cd4a89

SHA256
d18de9764819cdf517c1f1c222157cbd50458896b45269cbc745e5d13dbf94d2

SHA512
233e7008a816c58e66463dd68a00e3b2ac50d79d45fb089c075aeaa86b2ba4a18c37835a48e52ff8ca8a0e08e5ffe74d28dc8b02ac32617f02ff988b873b0439

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
d48e36150fd498717048b5ef487d4f01

SHA1
899963d881bebc83690f52b08d983dee5dd0e775

SHA256
fd901f9544e10ba94c114ac06abf392f67c78c3a4631c93cb37472cbf2cb2dc8

SHA512
2b8ed206e01863eae14f3772c413545152e22afacf0bf5b30ace550fec7be3db64a924b9f5d133decb7f087f835ee4e4035d4ad4e2251fcd4b2a43d2b29a6860

Download Submit
C:\VidVJ\dobasys.exe

Filesize
30KB

MD5
09f9f4e546875b92f6068810d8b60410

SHA1
5d30dc83123e0275958f741b5a57da1b143d4174

SHA256
d06b9256591d0a106e2a0b5112ee077e14152e16f691a1ffa93df40c9d31c7e3

SHA512
776153ef167b208db97fb18c6d0919f50465a7a1dcbfe0daad4276730d86c9cce2106003ae430e8f78c8c029ae7ae4eed66baa7414be3114c609f0afc22a7e51

Download Submit
C:\VidVJ\dobasys.exe

Filesize
640KB

MD5
3efe3a0d2138d84b9dacbeb99d16fa84

SHA1
ed441962eefd03038ef40210a5535f6d5b75aacc

SHA256
87aa0c60e65caad44e66cf4836fa14006f682aeb26afb8b2b71d6fea50daab26

SHA512
0fda9120c157f22e1bf6c974408646a3e4dc1a31e0686d9ddf836058535841f68b21e9755b580b9714013c3d0a42ef6de334f40e1980a6ceaea8be42447768b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.