Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 19:15
Static task: static1
Behavioral task: behavioral1
  Sample: bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Resource: win10v2004-20241007-en
General
Target: bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
Size: 845KB
MD5: a4ff2584dad5f40a71bdd4a108528492
SHA1: ad9413cebc5c0fc3ab344c00cb361fef9b0a0efe
SHA256: bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
SHA512: b195494368e80e4d12c9cafced3f13bff87a828ce45cf97e7dbb2bcbe72512d8bdef536947dc43bcc3a8050b71149c9daf7557126cb7e667fdc3c9240c02b4d1
SSDEEP: 24576:0HMGoI+smdM8YM72MiEi7XKE9TnFwFOh:0MG1hMKHEibNnqO
Malware Config
Extracted
  Protocol: smtp
  Host: mail.adendanismanlik.com.tr
  Port: 587
  Username: bilgi@adendanismanlik.com.tr
  Password: Omer1402&
Extracted (vipkeylogger)
  Protocol: smtp
  Host: mail.adendanismanlik.com.tr
  Port: 587
  Username: bilgi@adendanismanlik.com.tr
  Password: Omer1402&
  Email To: tiryaki.mehmetdemir@gmail.com
These are the exfiltration credentials embedded in the sample, not victim data: the keylogger authenticates to mail.adendanismanlik.com.tr (resolved to 77.245.159.14 in the Network section below) as bilgi@adendanismanlik.com.tr and mails its logs to tiryaki.mehmetdemir@gmail.com. Treat the mailbox, the recipient address and the SMTP host as attacker-controlled indicators; the mailbox owner may be a compromised third party, so notify rather than assume attribution.
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Vipkeylogger family
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.
  pid 2156  powershell.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  The three paths are the Outlook 2013 (15.0), pre-2013 Windows Messaging Subsystem and Outlook 2016+ (16.0) profile stores; the 9375CFF0413111d3B88A00104B2A6676 subkey holds the per-account entries from which stored mail credentials are read.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4  checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
  PID 1648 set thread context of 3044  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe  (procid_target 33)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 1648  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  pid 1648  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  pid 3044  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  pid 2156  powershell.exe
  pid 3044  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 1648  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Token: SeDebugPrivilege  pid 3044  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
  Token: SeDebugPrivilege  pid 2156  powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 3044  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1648 wrote to memory of 2156  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe  (procid_target 31), 4 times
  PID 1648 wrote to memory of 3044  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe  (procid_target 33), 9 times
  procid_target is the sandbox's own index into the process tree (31 is the PowerShell entry, 33 the second copy of the sample), not a Windows PID. Compare the four writes into powershell.exe, which then simply runs its command line, with the nine writes plus SetThreadContext into a second copy of the sample's own image: the latter is the hollowing / RunPE sequence, and it is that child (PID 3044) which goes on to read the Outlook profiles and install a SetWindowsHookEx hook, the keylogging stage.
outlook_office_path (1 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
outlook_win_path (1 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
Processes
C:\Users\Admin\AppData\Local\Temp\bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe  (PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Users\Admin\AppData\Local\Temp\bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe  (PID 3044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Two details of the PowerShell child matter for triage. The command line names System32 but the image that actually ran is under SysWOW64: WoW64 file-system redirection did that, which tells you the parent is a 32-bit process (consistent with the arch:x86 tag on a 64-bit image). And Add-MpPreference only takes effect when run with administrative rights; on this Windows 7 task the Defender PowerShell module that provides the cmdlet is not shipped, so the command fails and the signature fires on the command line, not on a changed setting. On Windows 10/11 with an elevated user it would register the Temp path under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths; check a suspect host with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath. Note the exclusion covers only the sample's current path, so a copy elsewhere is not excluded.
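The two host-side behaviours in this tree, a PowerShell Defender exclusion launched by a parent running from a user-writable directory and a process starting a second copy of its own image that then becomes the working stage, are what endpoint telemetry can key on. The following is an added example, not code from the sandbox or from the malware: a small rule set over process-creation events. Field names mirror Sysmon Event ID 1 / Windows 4688; the user-writable path list is an assumption, and the event records are constructed to match the tree above plus two benign controls (an administrator adding an exclusion from cmd.exe, and a browser spawning a renderer copy of itself).

```python
"""Detection logic for (1) powershell.exe adding a Windows Defender exclusion on
behalf of a parent that runs from a user-writable directory, and (2) a process
starting a second copy of its own image (the self-hollowing pattern behind the
SetThreadContext / WriteProcessMemory signatures). Added example; the event
records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # Sysmon "Image" / 4688 "NewProcessName"
    cmdline: str        # "CommandLine"
    parent_image: str   # "ParentImage" / "ParentProcessName"

# Assumed: directories an unprivileged user can write to (tune per estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|^[a-z]:\\(programdata|windows\\temp)\\",
    re.IGNORECASE)
# Add-/Set-MpPreference combined with any exclusion parameter.
MP_EXCLUSION = re.compile(
    r"\b(add|set)-mppreference\b.*?-exclusion(path|process|extension|ipaddress)\b",
    re.IGNORECASE | re.DOTALL)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)

Finding = Tuple[str, int, str]   # (severity, pid, message)

def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))

def wow64_redirected(ev: ProcEvent) -> bool:
    """Image loaded from SysWOW64 although the command line names System32:
    file-system redirection, i.e. the caller is a 32-bit process."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()

def detect_defender_exclusion(ev: ProcEvent) -> Optional[Finding]:
    """Rule 1: PowerShell adding Defender exclusions. High when the parent runs
    from a user-writable path, medium otherwise (administrators do this too)."""
    if not (POWERSHELL.search(ev.image) and MP_EXCLUSION.search(ev.cmdline)):
        return None
    note = " (32-bit parent, WoW64 redirect)" if wow64_redirected(ev) else ""
    if is_user_writable(ev.parent_image):
        return ("high", ev.pid, f"Defender exclusion via PowerShell, parent "
                f"{ev.parent_image} (pid {ev.ppid}) runs from a user-writable path{note}")
    return ("medium", ev.pid,
            f"Defender exclusion via PowerShell from {ev.parent_image}{note}; verify change ticket")

def detect_self_spawn(events: List[ProcEvent]) -> List[Finding]:
    """Rule 2: a process launches a second instance of its own image file.
    Browsers do this legitimately, so severity depends on where the image lives."""
    by_pid = {e.pid: e for e in events}
    hits: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        sev = "high" if is_user_writable(e.image) else "low"
        hits.append((sev, e.pid, f"second copy of {e.image} started by pid {e.ppid}"))
    return hits

def run(events: List[ProcEvent]) -> List[Finding]:
    findings = [f for f in map(detect_defender_exclusion, events) if f]
    findings.extend(detect_self_spawn(events))
    return findings

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed events: the report's three processes plus benign controls.
SAMPLE_EVENTS = [
    ProcEvent(1648, 1200, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2156, 1648, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              f'Add-MpPreference -ExclusionPath "{SAMPLE}"', SAMPLE),
    ProcEvent(3044, 1648, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe Add-MpPreference -ExclusionPath "D:\\Builds"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5000, 900, CHROME, "chrome.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5001, 5000, CHROME, "chrome.exe --type=renderer", CHROME),
]

if __name__ == "__main__":
    for sev, pid, msg in run(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {msg}")
```

Rule 2 on its own is noisy (browsers, installers and updaters all spawn copies of themselves); the report's combination, a self-spawn from %TEMP% immediately preceded by a Defender exclusion for that same path from the same parent, is what should page someone.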
Network
DNS  8.8.8.8:53
  Request:  checkip.dyndns.org IN A
  Response: checkip.dyndns.org IN CNAME checkip.dyndns.com
            checkip.dyndns.com IN A 193.122.130.0
            checkip.dyndns.com IN A 132.226.247.73
            checkip.dyndns.com IN A 193.122.6.168
            checkip.dyndns.com IN A 158.101.44.242
            checkip.dyndns.com IN A 132.226.8.169
HTTP  193.122.130.0:80  checkip.dyndns.org  (10 requests; the request is identical each time)
  Request:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive        (first request only)
  Response headers, 200 OK:  Content-Type: text/html, Content-Length: 106, Connection: keep-alive, Cache-Control: no-cache, Pragma: no-cache
  Response headers, 502 Bad Gateway:  Content-Type: text/html, Content-Length: 547, Connection: keep-alive
  Responses in order:
    1.  HTTP/1.1 200 OK           X-Request-ID: 7d939c4d0c91fa60be31674a584bda73
    2.  HTTP/1.1 502 Bad Gateway  X-Request-ID: 7804054efd19a05388522f9f2d25c64f
    3.  HTTP/1.1 200 OK           X-Request-ID: f119604ae439db875779d8e6af4ed0d8
    4.  HTTP/1.1 502 Bad Gateway  X-Request-ID: 7ccedf0c384ca4621184ea88a67feb12
    5.  HTTP/1.1 200 OK           X-Request-ID: bfe3390afe96447ce12b191fa2c641e9
    6.  HTTP/1.1 200 OK           X-Request-ID: 2440848d4ad8b52166f65872114b0330
    7.  HTTP/1.1 502 Bad Gateway  X-Request-ID: 9cc60feebdda851951fab3c19c97a5b8
    8.  HTTP/1.1 502 Bad Gateway  X-Request-ID: a79373945263eab9fc7bae32f84370ac
    9.  HTTP/1.1 502 Bad Gateway  X-Request-ID: 43ceea3b127374693fdbae1cfd0a674d
    10. HTTP/1.1 200 OK           X-Request-ID: 48de72a425bbfe898567713161a60474
  The 106-byte 200 body is the page carrying the client's public address; the 502s are upstream failures at the service, not malware behaviour, and the sample keeps re-querying regardless. The user-agent is a hard-coded legacy string (IE 6 on Windows NT 5.2 with .NET CLR 1.0) that no current browser sends, which makes it a good proxy-log pivot for this family.
DNS  8.8.8.8:53
  Request:  reallyfreegeoip.org IN A
  Response: reallyfreegeoip.org IN A 104.21.67.152
            reallyfreegeoip.org IN A 172.67.177.134
HTTPS  104.21.67.152:443  reallyfreegeoip.org  (4 requests from bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe)
  Request:
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive        (first request only)
  Response, each time: HTTP/1.1 200 OK
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    alt-svc: h3=":443"; ma=86400
    (Report-To and server-timing carry Cloudflare NEL / cfL4 telemetry tokens that differ per response and are omitted here.)
  Per-response values:
    1. Age: 2483910  CF-RAY: 8f0cc179ec4acd2a-LHR
    2. Age: 2483917  CF-RAY: 8f0cc1a87ad7cd2a-LHR
    3. Age: 2483920  CF-RAY: 8f0cc1be5c4ecd2a-LHR
    4. Age: 2483937  CF-RAY: 8f0cc227ff61cd2a-LHR
  181.215.176.83 is the public address checkip returned for the sandbox, which the sample then geolocates to tag its report; it is the analysis environment's egress IP, not an indicator for this sample. The CF-Cache-Status: HIT and the Age of roughly 28 days mean the XML came from Cloudflare's cache rather than the origin, so the four identical 356-byte bodies say nothing about the origin being alive.
DNS  8.8.8.8:53
  Request:  api.telegram.org IN A
  Response: api.telegram.org IN A 149.154.167.220
DNS  8.8.8.8:53  (bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe)
  Request:  mail.adendanismanlik.com.tr IN A
  Response: mail.adendanismanlik.com.tr IN CNAME adendanismanlik.com.tr
            adendanismanlik.com.tr IN A 77.245.159.14
Flows (process bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe throughout; bytes out / in, packets out / in):
193.122.130.0:80     http://checkip.dyndns.org/                          http             2.6 kB / 8.8 kB   28 / 27
  GET http://checkip.dyndns.org/  ->  200, 502, 200, 502, 200, 200, 502, 502, 502, 200
104.21.67.152:443    https://reallyfreegeoip.org/xml/181.215.176.83      tls, http        1.3 kB / 9.7 kB   14 / 11
  GET https://reallyfreegeoip.org/xml/181.215.176.83  ->  200, 200, 200, 200
149.154.167.220:443  api.telegram.org                                    tls              388 B / 219 B     5 / 5
77.245.159.14:587    mail.adendanismanlik.com.tr                         smtp-submission  601 B / 892 B     10 / 9
8.8.8.8:53           checkip.dyndns.org                                  dns              64 B / 176 B      1 / 1
  A: 193.122.130.0, 132.226.247.73, 193.122.6.168, 158.101.44.242, 132.226.8.169
8.8.8.8:53           reallyfreegeoip.org                                 dns              65 B / 97 B       1 / 1
  A: 104.21.67.152, 172.67.177.134
8.8.8.8:53           api.telegram.org                                    dns              62 B / 78 B       1 / 1
  A: 149.154.167.220
8.8.8.8:53           mail.adendanismanlik.com.tr                         dns              73 B / 103 B      1 / 1
  A: 77.245.159.14
Triage notes. checkip.dyndns.org and reallyfreegeoip.org are shared public services; alert on them in combination with the legacy user-agent or with the SMTP flow rather than blocking them outright. api.telegram.org was resolved and contacted over TLS (388 B out, 219 B in, no HTTP request recorded), but the extracted config exfiltrates over SMTP, so the Telegram contact is not the active channel in this run. The smtp-submission flow to 77.245.159.14:587 (mail.adendanismanlik.com.tr) is the configured exfil path and the indicator to block at the egress; at 601 B out / 892 B in the capture does not show a full message being delivered, only the session. Telegram and Cloudflare addresses are shared infrastructure and should be matched by hostname, not IP.
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)