Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/11/2024, 02:52 UTC

General

  • Target

    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe

  • Size

    814KB

  • MD5

    4d05eac9c30331683fe59038aba0d873

  • SHA1

    683812ee2e76037ac4cf1ad0858778fcea44bad6

  • SHA256

    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd

  • SHA512

    eb9f3cd33ee8fd311da446041450a62be3cdcae02c34fd01c2610355fa87795c77e2d0b8fc3208cbf699838f30a1160c6b1f81b20dd68c4fe2a2809ee5bae0a8

  • SSDEEP

    24576:jvYV0HT73uFB1vuQoj5RvdulhTzGB/bNlVC7t:cOzaYQmZ5FNlVg

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8177184706:AAEJ0_bPTtjIc-PnjNdYNmARZ2fvBD17ZJI/sendMessage?chat_id=6198188190

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    "C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
      "C:\Users\Admin\AppData\Local\Temp\be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640

Network

  • flag-us
    DNS
    mertvinc.com.tr
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    8.8.8.8:53
    Request
    mertvinc.com.tr
    IN A
    Response
    mertvinc.com.tr
    IN A
    185.244.144.68
  • flag-tr
    GET
    http://mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    185.244.144.68:80
    Request
    GET /fYJJzdXnGgCBdwfMZh209.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: mertvinc.com.tr
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Last-Modified: Mon, 11 Nov 2024 10:25:50 GMT
    Etag: "43a40-6731dbae-e996a4157869782e;;;"
    Accept-Ranges: bytes
    Content-Length: 277056
    Date: Wed, 13 Nov 2024 01:59:23 GMT
    Server: LiteSpeed
    X-Powered-By: PleskLin
  • flag-us
    DNS
    checkip.dyndns.org
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    158.101.44.242
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:39 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:39 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:40 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:40 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:41 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:41 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:41 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-jp
    GET
    http://checkip.dyndns.org/
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    132.226.8.169:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:42 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-us
    DNS
    reallyfreegeoip.org
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    172.67.177.134
    reallyfreegeoip.org
    IN A
    104.21.67.152
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:39 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891909
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MHwOjiu%2ByUzpeX9DNBXP0Jx01699%2FfLn1ZWrxqhUJg46zPZCotJiQ7r2zRD6ZxRK0xlHUf9t%2FpgCTzPIPyOAB6BAWcor6qDaJC2QFPf7gYTVCI6PzTOZ8oZ4oS%2B7RkOu7JfBR4Tj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b778a4e4d6433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=48449&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=83100&cwnd=253&unsent_bytes=0&cid=4aaa367f64fc9074&ts=155&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:39 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891909
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ChhhODAG8ovGPb1nhe%2Fw8BrFgDQiGUsqgqRwFfpPSH89Ncul0%2BcQbvdrRI1v6xFAX3DiJ8dHutDvoLvUPYLhSArYBf8%2F%2BS7ldqNGxafADkIygNgc7Ms0E%2F3%2B%2FLhXKDaZDT2c9sx%2F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b778c7f976433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=72944&sent=8&recv=9&lost=0&retrans=0&sent_bytes=4508&recv_bytes=475&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=509&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:40 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891910
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NIBGjLtbVU8P6K5LmZXH1aOKG3XwKdV7zBlbX9q8gslTId%2BRvTRNeHpT4OBSdB8FBi5YG5jSBPgrQpVuUP6AfEWGoSJwR8ABWl%2FGmSzpLQVyPPs6UYx1yAwCP8ICfFYYMEHTEFfK"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b778eb90f6433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=92266&sent=11&recv=12&lost=0&retrans=0&sent_bytes=6150&recv_bytes=576&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=872&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:40 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891910
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2BVz3F7UvxMgMXrlnB9FZmRO2y0f481xoe2pClrS5tqZ6Hn2yrRjClIn1LyeFGaNQzQtdikWlk0uEoGDQJ4gRWEOBxDPiECLGmZr2RvhU5G1Yniys0R2NvyQZp%2BFyAntf5pOvu%2F%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b77911a536433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=106505&sent=14&recv=15&lost=0&retrans=0&sent_bytes=7792&recv_bytes=677&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=1241&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:40 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891910
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jLPGD5wfwosun6WRJrnWWXUo2vfpruUGXw4Quy8bl6YrQHTbu5V3xLRpffjTbgr3%2BC9HbWNqtUxcSqf8MItG%2BtoWO2oUbL1FKVAEqNoXj%2B8qZRMUqD2hAJDlWKJGjGG1E3o8SQCJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b77932ba66433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=116196&sent=17&recv=18&lost=0&retrans=0&sent_bytes=9434&recv_bytes=778&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=1572&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:41 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891911
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eRPtL88rpURRG3u9Zjdw98NEwI6At7R4QWwEFFtsP748O3DB8CpXBPZwTtCI0onnbfxh9CzVy1eQJS82QmV5ofd%2BpE0rL6RvhCVZXtZWXKhf60tyzMUFDAbLJPVLG3f9SX%2B2o5Qb"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b77954cfe6433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=123197&sent=20&recv=21&lost=0&retrans=0&sent_bytes=11076&recv_bytes=879&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=1918&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:41 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891911
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=erjS2mj522vZZEoy3D7kMKLCRqmrp8yUUIul5HFypvgjTseJD%2F7YdhbX9qFDjWk6GRlfnXobfhDVrq8x0cXl73DCGHgoYm25NPB0TKEzJJWqrubvkLf0v7Fwg1jbdwD2CZJcGot8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b77977ed26433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=130222&sent=23&recv=24&lost=0&retrans=0&sent_bytes=12718&recv_bytes=980&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=2266&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:41 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891911
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XMETGe8%2F3c8csslwSpUEj%2BNpIbKzmMXBMlDSLzX7%2Bcb5eAN0AMaIZeA7I8OL25VHjtrLuFwIT%2F2MEKaj1h%2BEKO6TBMXuKliC%2B0AN%2BWmLya4i5DLY5y8U%2B53xkqHl%2BxhJfNBE3dK8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b7799a81d6433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=134936&sent=26&recv=27&lost=0&retrans=0&sent_bytes=14360&recv_bytes=1081&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=2621&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 02:52:42 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 891912
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r9LzcBasEv84Kqc%2BfzUcZ%2BV0EgrAwAJde6nM%2BuKnuXdnXBOwNGd7oqVu2PJFw8dd4ZR78mdROc5LWCCejT4wHAQ7cIzl9CmL9a9%2BaQDndc7WPmiTKs%2FgQDZYR5wRVCtMyPJRd8Wz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1b779be9c66433-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=138975&sent=29&recv=30&lost=0&retrans=0&sent_bytes=16018&recv_bytes=1182&delivery_rate=83100&cwnd=256&unsent_bytes=0&cid=4aaa367f64fc9074&ts=2972&x=0"
  • flag-us
    DNS
    api.telegram.org
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • 185.244.144.68:80
    http://mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
    http
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    6.7kB
    285.7kB
    135
    209

    HTTP Request

    GET http://mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin

    HTTP Response

    200
  • 132.226.8.169:80
    http://checkip.dyndns.org/
    http
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    1.9kB
    3.4kB
    15
    15

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.177.134:443
    https://reallyfreegeoip.org/xml/138.199.29.44
    tls, http
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    2.6kB
    19.0kB
    33
    33

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200
  • 149.154.167.220:443
    api.telegram.org
    tls
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    388 B
    179 B
    5
    4
  • 8.8.8.8:53
    mertvinc.com.tr
    dns
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    61 B
    77 B
    1
    1

    DNS Request

    mertvinc.com.tr

    DNS Response

    185.244.144.68

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.8.169
    193.122.130.0
    132.226.247.73
    193.122.6.168
    158.101.44.242

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    172.67.177.134
    104.21.67.152

  • 8.8.8.8:53
    api.telegram.org
    dns
    be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nso5A62.tmp\System.dll

    Filesize

    11KB

    MD5

    fc90dfb694d0e17b013d6f818bce41b0

    SHA1

    3243969886d640af3bfa442728b9f0dff9d5f5b0

    SHA256

    7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

    SHA512

    324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

  • memory/1044-13-0x0000000076EE0000-0x0000000077089000-memory.dmp

    Filesize

    1.7MB

  • memory/1044-12-0x0000000076EE1000-0x0000000076FE2000-memory.dmp

    Filesize

    1.0MB

  • memory/2640-14-0x0000000076EE0000-0x0000000077089000-memory.dmp

    Filesize

    1.7MB

  • memory/2640-16-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

  • memory/2640-17-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

  • memory/2640-18-0x0000000000480000-0x00000000004CA000-memory.dmp

    Filesize

    296KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.