Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-08-2024 01:40

General

  • Target

    pidgin.exe

  • Size

    108KB

  • MD5

    c283b2379ea584aab52abee0844b02a0

  • SHA1

    903f9c7dcadf578637d604be681588fffec90e9b

  • SHA256

    8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2

  • SHA512

    a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157

  • SSDEEP

    1536:dV7q+SakHLKZ9tCAxtXSB5TDW/3CEdbjYVl4NGGwWArUiqvBwy/kTkiw3ciwjm:dpHKeJCCtX8TDafkVl4sG10MLoPm

Malware Config

Extracted

Family

darkgate

Version

uPtZ

C2

http://sanibroadbandcommunicton.duckdns.org

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    5864

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    true

  • crypter_raw_stub

    false

  • crypto_key

    qwNPPzrRTNHogf

  • internal_mutex

    hykYbY

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    1

  • rootkit

    false

  • startup_persistence

    true

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Detect DarkGate stealer 14 IoCs
  • Blocklisted process makes network request 37 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pidgin.exe
    "C:\Users\Admin\AppData\Local\Temp\pidgin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3352

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=34B6F6DA363062540A01E23B37D063F6; domain=.bing.com; expires=Sun, 14-Sep-2025 01:40:51 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EE1F6793E9EB41809FE244F7A9F04A82 Ref B: LON04EDGE1011 Ref C: 2024-08-20T01:40:51Z
    date: Tue, 20 Aug 2024 01:40:51 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=34B6F6DA363062540A01E23B37D063F6
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=VVboSKdZp-zYBGyURUu1GIHXm-E21aASJ6hJ72XAfkQ; domain=.bing.com; expires=Sun, 14-Sep-2025 01:40:51 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 62FB9E088C3D4D57BC4B5DA9A833A8B6 Ref B: LON04EDGE1011 Ref C: 2024-08-20T01:40:51Z
    date: Tue, 20 Aug 2024 01:40:51 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=34B6F6DA363062540A01E23B37D063F6; MSPTC=VVboSKdZp-zYBGyURUu1GIHXm-E21aASJ6hJ72XAfkQ
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BBE4DE6434E248129DD8F9819F4C519C Ref B: LON04EDGE1011 Ref C: 2024-08-20T01:40:51Z
    date: Tue, 20 Aug 2024 01:40:51 GMT
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388121_1PVG3IWOLFGR4FW9F&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388121_1PVG3IWOLFGR4FW9F&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 525731
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BE716164F57A4C6A911B14C980176716 Ref B: LON04EDGE0920 Ref C: 2024-08-20T01:42:28Z
    date: Tue, 20 Aug 2024 01:42:28 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 512695
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5EF772BD666A4C9AB0895782742CB90D Ref B: LON04EDGE0920 Ref C: 2024-08-20T01:42:28Z
    date: Tue, 20 Aug 2024 01:42:28 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388122_1UI0S3FKTR1B3YGS8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388122_1UI0S3FKTR1B3YGS8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 585223
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0C1478625B214B55A0ED0758900EE17F Ref B: LON04EDGE0920 Ref C: 2024-08-20T01:42:28Z
    date: Tue, 20 Aug 2024 01:42:28 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 577346
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F1CF986B7EDD407B8731B029A963C6E6 Ref B: LON04EDGE0920 Ref C: 2024-08-20T01:42:28Z
    date: Tue, 20 Aug 2024 01:42:28 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 401499
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A6D2E0FE132741E39EB6A4898252CC74 Ref B: LON04EDGE0920 Ref C: 2024-08-20T01:42:28Z
    date: Tue, 20 Aug 2024 01:42:28 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 676162
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 087CE0B007444C33BAFF9A1F7178F030 Ref B: LON04EDGE0920 Ref C: 2024-08-20T01:42:28Z
    date: Tue, 20 Aug 2024 01:42:28 GMT
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • flag-us
    DNS
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    sanibroadbandcommunicton.duckdns.org
    IN A
    Response
    sanibroadbandcommunicton.duckdns.org
    IN A
    202.142.177.156
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=601873d5fd674d60bdf028447966640a&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=

    HTTP Response

    204
  • 202.142.177.156:9999
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:9999
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    160 B
    5
    4
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    160 B
    5
    4
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 52.111.243.31:443
    322 B
    7
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.3kB
    17
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.3kB
    17
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    121.2kB
    3.4MB
    2474
    2467

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388121_1PVG3IWOLFGR4FW9F&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388122_1UI0S3FKTR1B3YGS8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    160 B
    5
    4
  • 202.142.177.156:9999
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 202.142.177.156:5864
    sanibroadbandcommunicton.duckdns.org
    cmd.exe
    260 B
    200 B
    5
    5
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    sanibroadbandcommunicton.duckdns.org
    dns
    cmd.exe
    246 B
    294 B
    3
    3

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Response

    202.142.177.156

    DNS Response

    202.142.177.156

    DNS Response

    202.142.177.156

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    sanibroadbandcommunicton.duckdns.org
    dns
    cmd.exe
    246 B
    294 B
    3
    3

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Response

    202.142.177.156

    DNS Response

    202.142.177.156

    DNS Response

    202.142.177.156

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    sanibroadbandcommunicton.duckdns.org
    dns
    cmd.exe
    82 B
    98 B
    1
    1

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Response

    202.142.177.156

  • 8.8.8.8:53
    sanibroadbandcommunicton.duckdns.org
    dns
    cmd.exe
    82 B
    98 B
    1
    1

    DNS Request

    sanibroadbandcommunicton.duckdns.org

    DNS Response

    202.142.177.156

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\cfhabgd\edhdaak\eecbacb

    Filesize

    163B

    MD5

    3bb66d0681e9d58d52d0c7eea7634c1e

    SHA1

    ee4d26e3cd50886f2a4f6094449f457850da553b

    SHA256

    4b5495c1feceaa753b32979522e0be25b2e0a11d408ab34e062783192f11e051

    SHA512

    334f52c4fed8de5cecf681725cfb251a74a979866226fc13b7c33027b0915c2afc58376085f560a1edcc2369df72e3c6afc51c11b00307c92ea2ec66215c2a42

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfakaec.lnk

    Filesize

    823B

    MD5

    afca655ecd55ab3551dafe65940f993b

    SHA1

    074aac81ec46c04a3dc45dc9e6813bedd5477eee

    SHA256

    00267c000fed8dc522f3dd8aec688822968a909a515ad03c605f1041bada25d1

    SHA512

    b6331223b03f6a0cf6ae5bceb4e3972e804d2f5680e359d9b8d65cda69e7c1e78368f6cb47888fa464c5c49420fe1c7b083e31c8b9025720126b61e9c5eb3b86

  • C:\temp\libssp-0.dll

    Filesize

    88KB

    MD5

    1f521e8b258d2b09f66fb8c940452b72

    SHA1

    7d669fe4108d40ed431a6728a27a2efc5c153bd0

    SHA256

    7786e9e3c7fe54f52b54e4bb922ef569ad68dc14f4096d530824556975e0f462

    SHA512

    61058ec95c20ff46f3613f3bd7647231943b64f8171eb0327ee72613a079bd9d8e639434208bb120b1d5242075a13be6686c0dfd31c04932a93f1bef413192d3

  • C:\temp\pidgin.exe

    Filesize

    108KB

    MD5

    c283b2379ea584aab52abee0844b02a0

    SHA1

    903f9c7dcadf578637d604be681588fffec90e9b

    SHA256

    8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2

    SHA512

    a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157

  • C:\temp\sqlite3.dll

    Filesize

    488KB

    MD5

    05ec7e9dee5c43b659d7843f6eb462a2

    SHA1

    1d37a930765e282b75b1d129258e21f683379245

    SHA256

    b98bacd2a12a4912acb8e6c8b4447c19b811672f5d6c43048b62c9e273c863d4

    SHA512

    fbdd1f7ec8dff695f8914dcd088a1217389d5d6c2c7b130ab8d87679f9f1cf8aa0c62ee303de07b0aa920b4e62a34132c788b20f53e5829d2d9a845ef32ad4f6

  • memory/2112-12-0x0000000003920000-0x0000000003A15000-memory.dmp

    Filesize

    980KB

  • memory/2112-11-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2112-2-0x0000000003920000-0x0000000003A15000-memory.dmp

    Filesize

    980KB

  • memory/2112-10-0x0000000000860000-0x000000000087C000-memory.dmp

    Filesize

    112KB

  • memory/2112-1-0x0000000003630000-0x0000000003820000-memory.dmp

    Filesize

    1.9MB

  • memory/3352-30-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-13-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-9-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-29-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-7-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-33-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-32-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-28-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-27-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-8-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-36-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

  • memory/3352-39-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB