azorult | 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5

Analysis

max time kernel
3s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/12/2024, 10:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
Size

2.0MB
MD5

f66c44d5c01660f38193a4a7c482a580
SHA1

aecb6d2a32208efc945bc304e39ec9c4b10265d3
SHA256

29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5
SHA512

a04aba7650eb0487c64792ba960b0194b403b8412233c72ffa0161ca87cdc8f641d078bbff8d6a0b70d5f214664ace003b9d331eeb755cd88cdf76dc04d3c062
SSDEEP

24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYJ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yj

Score

10^/10

azorult quasar ebayprofiles discovery infostealer spyware trojan

Malware Config

Extracted

Family

azorult

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000800000001660b-20.dat	family_quasar
behavioral1/memory/2040-54-0x0000000001280000-0x00000000012DE000-memory.dmp	family_quasar
behavioral1/memory/2964-62-0x00000000001F0000-0x000000000024E000-memory.dmp	family_quasar
behavioral1/memory/2004-81-0x0000000001260000-0x00000000012BE000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016c23-82.dat	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2052	vnc.exe
2040	windef.exe

Loads dropped DLL 8 IoCs

pid	Process
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\o:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\r:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\t:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\x:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\y:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\e:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\g:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\z:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\u:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\a:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\s:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\l:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\p:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\q:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\h:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\i:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\k:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\n:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\v:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\w:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\b:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
File opened (read-only)	\??\j:	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000016c23-82.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2052 set thread context of 596	2052	vnc.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	2964	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2204	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2204	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
2612	schtasks.exe
320	schtasks.exe
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2052	vnc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2052	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	30
PID 2572 wrote to memory of 2052	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	30
PID 2572 wrote to memory of 2052	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	30
PID 2572 wrote to memory of 2052	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	30
PID 2572 wrote to memory of 2040	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	32
PID 2572 wrote to memory of 2040	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	32
PID 2572 wrote to memory of 2040	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	32
PID 2572 wrote to memory of 2040	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	32
PID 2052 wrote to memory of 596	2052	vnc.exe	33
PID 2052 wrote to memory of 596	2052	vnc.exe	33
PID 2052 wrote to memory of 596	2052	vnc.exe	33
PID 2052 wrote to memory of 596	2052	vnc.exe	33
PID 2052 wrote to memory of 596	2052	vnc.exe	33
PID 2572 wrote to memory of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2572 wrote to memory of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2572 wrote to memory of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2572 wrote to memory of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2572 wrote to memory of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2572 wrote to memory of 2424	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	34
PID 2572 wrote to memory of 2736	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	35
PID 2572 wrote to memory of 2736	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	35
PID 2572 wrote to memory of 2736	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	35
PID 2572 wrote to memory of 2736	2572	29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe	35
PID 2052 wrote to memory of 596	2052	vnc.exe	33
PID 2052 wrote to memory of 596	2052	vnc.exe	33

C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
"C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    - Maps connected drives based on registry
    PID:596
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2612
- - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HBKuWhANV3b1.bat" "
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204
    - - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        5⤵
        
        PID:2004
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1520
      4⤵
      Program crash
      PID:2224
- C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
  "C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2736

C:\Windows\system32\taskeng.exe
taskeng.exe {1F84D056-C748-4580-ADA0-19FD7D4F5748} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:1680
- C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\vnc.exe
    "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    3⤵
    PID:2180
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k
      4⤵
      PID:580
- - C:\Users\Admin\AppData\Local\Temp\windef.exe
    "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    3⤵
    PID:868

Network

DNS

ip-api.com

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 10:22:14 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

0x21.in

Remote address:

8.8.8.8:53

Request

0x21.in

IN A

Response

0x21.in

IN A

44.221.84.105
POST

http://0x21.in:8000/_az/

Remote address:

44.221.84.105:8000

Request

POST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 97
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Dec 2024 10:22:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=2ecefd905ec36b822ce5efe16b506eef|181.215.176.83|1734430936|1734430936|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

0x21.in

Remote address:

8.8.8.8:53

Request

0x21.in

IN A

Response

0x21.in

IN A

44.221.84.105
POST

http://0x21.in/_az/

Remote address:

44.221.84.105:8000

Request

POST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 97

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Dec 2024 10:22:16 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=b50abff32e23d73572fccb1e14950689|181.215.176.83|1734430936|1734430936|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
GET

http://ip-api.com/json/

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 10:22:16 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 57
X-Rl: 43
DNS

sockartek.icu

Remote address:

8.8.8.8:53

Request

sockartek.icu

IN A

Response
GET

http://ip-api.com/json/

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 10:23:02 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 12
X-Rl: 42

5.8.88.191:8080

svchost.exe

152 B
3
208.95.112.1:80

http://ip-api.com/json/

http

374 B
560 B
5
2

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
44.221.84.105:8000

http://0x21.in:8000/_az/

http

480 B
870 B
5
5

HTTP Request

POST http://0x21.in:8000/_az/

HTTP Response

200
44.221.84.105:8000

http://0x21.in/_az/

http

469 B
590 B
5
5

HTTP Request

POST http://0x21.in/_az/

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

374 B
560 B
5
2

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
5.8.88.191:443

152 B
3
5.8.88.191:8080

152 B
3
208.95.112.1:80

http://ip-api.com/json/

http

370 B
556 B
5
2

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
5.8.88.191:443

152 B
3
5.8.88.191:8080

152 B
3
5.8.88.191:8080

152 B
3
5.8.88.191:8080

152 B
3
5.8.88.191:8080

152 B
3
5.8.88.191:8080

152 B
3
5.8.88.191:8080

104 B
2

8.8.8.8:53

ip-api.com

dns

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

0x21.in

dns

53 B
69 B
1
1

DNS Request

0x21.in

DNS Response

44.221.84.105
8.8.8.8:53

0x21.in

dns

53 B
69 B
1
1

DNS Request

0x21.in

DNS Response

44.221.84.105
8.8.8.8:53

sockartek.icu

dns

59 B
124 B
1
1

DNS Request

sockartek.icu

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HBKuWhANV3b1.bat

Filesize
208B

MD5
27cbccc6b34632714f4ecc3697c82991

SHA1
61c27bb191be31688613347c9a65c60a86e7b0e3

SHA256
5edc656577cc4535dda0002e07eb88979d7d955107d12b497b7b4f6bffe43bcd

SHA512
2f52f5349bd32f9badf0dbb6ad447045ff4a34e479f5037d3e5dbe399f9abffb93d41415ddd64bf2560c7b0c5a3e901d2eb5d3e25b047baaec8f20023baf1991

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe

Filesize
405KB

MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe

Filesize
349KB

MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\12-17-2024

Filesize
224B

MD5
4dae201c33ad3c1dad6bb75d1ef97463

SHA1
02a27b58427f150905e6e01dccaf901350776503

SHA256
633474d06a49a82a0a8ee878ede9015774f7dd299e5f66782981f2c8bfc6cafd

SHA512
a43ea7826548a1fbd57fbec66af46143942aad2e56e584bb457457457f37bc06ef8a1f2b5d31841d3ee16644c2c30f0615afb9e35978d97ae765484f1b151b65

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

Filesize
2.0MB

MD5
026936d5dbb9b0bee9e5a37a38862761

SHA1
58f30c8ef01a08627a2c485fa396bcf5b0195507

SHA256
95d196430059860f0e3135339e5d21bd69be8c48c39de533c021c573a5e53507

SHA512
28fffd25865661ee1f8c23227e61925604a593450a80b136f6c78748ba8372906cbf92d17e70d7a503a72e4515775730e8872cf903bdbbe64ee9f88cb27d374c

Download Submit
memory/580-114-0x0000000000450000-0x00000000004EC000-memory.dmp

Filesize
624KB

Download
memory/580-109-0x0000000000450000-0x00000000004EC000-memory.dmp

Filesize
624KB

Download
memory/580-108-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/596-49-0x00000000003A0000-0x000000000043C000-memory.dmp

Filesize
624KB

Download
memory/596-46-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/596-53-0x00000000003A0000-0x000000000043C000-memory.dmp

Filesize
624KB

Download
memory/596-48-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2004-81-0x0000000001260000-0x00000000012BE000-memory.dmp

Filesize
376KB

Download
memory/2040-54-0x0000000001280000-0x00000000012DE000-memory.dmp

Filesize
376KB

Download
memory/2424-31-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2424-33-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2424-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-43-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2572-29-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2964-62-0x00000000001F0000-0x000000000024E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.