Analysis
max time kernel: 117s
max time network: 165s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2025 06:44
Static task: static1
Behavioral task: behavioral1
Sample: 20250103141459859.pdf_______________________________________________________________________________________________________.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 20250103141459859.pdf_______________________________________________________________________________________________________.exe
Resource: win10v2004-20241007-en
General
Target: 20250103141459859.pdf_______________________________________________________________________________________________________.exe
Size: 775KB
MD5: 7c14dc5ef95870c931fcf8f09c96e888
SHA1: 35c351c8fb09dc1c5b799e125ab415106c28114c
SHA256: d6168f5b1dbb8cd348064262e9f91f0d41d9f49e417d2ac13dc7de58c7d92968
SHA512: 43291be4ce5a26d137a6e2729532a55ae12414d09163ca6eea503381b9c523a41c041e511e6081323e1360b364e99103a5b82cce3fc2dea6f1b92d6172d92881
SSDEEP: 12288:JaLvWa+kbJSanAJ4fESIlpQrB9qpKUV0i/HnlYtk7ZnWU7WWFZLubgL3d6NlDXZr:/kmJ+4crB9g0GnTWUaWFJ7dOpXAO
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7784580930:AAGMCki8hBwu16UwwjATu3X8TvVLB-VhfaE/sendMessage?chat_id=5302361040
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
PID 2700: powershell.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: checkip.dyndns.org
flow 8: reallyfreegeoip.org
flow 9: reallyfreegeoip.org
Suspicious use of SetThreadContext 1 IoCs
PID 2100 (20250103141459859.pdf_______________________________________________________________________________________________________.exe) set thread context of PID 2456 (procid_target 34)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2800: schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
PID 2456: 20250103141459859.pdf_______________________________________________________________________________________________________.exe
PID 2700: powershell.exe
PID 2456: 20250103141459859.pdf_______________________________________________________________________________________________________.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 2456 (20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Token: SeDebugPrivilege, PID 2700 (powershell.exe)
Suspicious use of WriteProcessMemory 17 IoCs
PID 2100 (20250103141459859.pdf_______________________________________________________________________________________________________.exe) wrote to memory of PID 2700 (procid_target 30), 4 identical entries
PID 2100 (20250103141459859.pdf_______________________________________________________________________________________________________.exe) wrote to memory of PID 2800 (procid_target 32), 4 identical entries
PID 2100 (20250103141459859.pdf_______________________________________________________________________________________________________.exe) wrote to memory of PID 2456 (procid_target 34), 9 identical entries
outlook_office_path 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
outlook_win_path 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe"
Depth: 1
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2100

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EjCHCEGQPyQ.exe"
  Depth: 2 (child of PID 2100)
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2700

  C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EjCHCEGQPyQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1E8.tmp"
  Depth: 2 (child of PID 2100)
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2800

  C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20250103141459859.pdf_______________________________________________________________________________________________________.exe"
  Depth: 2 (child of PID 2100)
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID: 2456
Network
-
DNS checkip.dyndns.org (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 8.8.8.8:53
Request: checkip.dyndns.org IN A
Response:
checkip.dyndns.org IN CNAME checkip.dyndns.com
checkip.dyndns.com IN A 132.226.247.73
checkip.dyndns.com IN A 158.101.44.242
checkip.dyndns.com IN A 193.122.130.0
checkip.dyndns.com IN A 132.226.8.169
checkip.dyndns.com IN A 193.122.6.168
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 504 Gateway Time-out
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
-
GET http://checkip.dyndns.org/ (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 132.226.247.73:80
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
DNS reallyfreegeoip.org (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 8.8.8.8:53
Request: reallyfreegeoip.org IN A
Response:
reallyfreegeoip.org IN A 104.21.16.1
reallyfreegeoip.org IN A 104.21.96.1
reallyfreegeoip.org IN A 104.21.64.1
reallyfreegeoip.org IN A 104.21.32.1
reallyfreegeoip.org IN A 104.21.80.1
reallyfreegeoip.org IN A 104.21.112.1
reallyfreegeoip.org IN A 104.21.48.1
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015740
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=shpl1p05C1Qwn177snJOINNkW95WXU4qVpRVTe1E94Ck6t3oc6rNl2tcFbbAao46DhkHgzGaSoKC1U4%2F0x4IG66UCO8dmyOEz7w%2BQJNLc0ZbZC%2Bq2hE24fEDzfIZerB8sL5At3OY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d93d12ecd93db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=374&delivery_rate=128224&cwnd=232&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=114&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015743
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQPbYwSLndHWdrtx9ei356VOcUCufaiTUb0tnx5plZsVeECi6ZCddAIV8Gbf6U64Cc2VdbcM1BLhpAPJGibPJCGOVkhMXeXBCG4AygnfpUbxQbRU0vpEps7fCs%2BWvD1eFjPLMDOx"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d93e348a693db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=7&recv=8&lost=0&retrans=1&sent_bytes=5403&recv_bytes=475&delivery_rate=128224&cwnd=234&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=3001&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015746
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w6gNqtwhYkptGp9Lmi%2FTAer4YLzPejxTqDRCwnxztDLSm8YyAhbsTmfC2QIGtn280lDtdF%2BBOitrlJGj2mc7lAOSt7Npsxgw7X7%2FaK9fFJsKm543GWKiJ8xM1u8dPIfPsODSBPta"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d93f52ed293db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=9&recv=10&lost=0&retrans=2&sent_bytes=7941&recv_bytes=576&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=5863&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015749
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iGBDPX%2B4P3inPby3V1%2FAW%2FxS6B9QJ%2F6%2Fb6%2Fuj%2BmarsKiNHVnmtlO7n5JCzmkktW8L4NWOB%2BiJDkbArrF8RMk9TXrZGgta0zqXDx3lznrKTDgKhSCwyrSsNtOlMsuGWXdn7v%2B%2B8Yc"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d94074f9b93db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=11&recv=12&lost=0&retrans=3&sent_bytes=10479&recv_bytes=677&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=8764&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015752
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAEw2IX7Jf4cVVOQ%2Fn1rEjXqpO%2FiJAueGxG%2B4U%2BcmOzI9sJk4brpjPzFLKzsDzXdOdC1hsihmjq7LTHIpUAofeY08ta70kgqrZdhMQcjnQkhY26V6lNCpB7fVpyhCimRIcBEtcat"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d94197e7193db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=14&recv=14&lost=0&retrans=5&sent_bytes=14334&recv_bytes=778&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=11673&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015757
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=duTgxee1btQgDrNmtUoxg7NHgfu2CTplQMlQpUyEHjcy3%2FM1ujZmECEpnVcUAFLYQ9ZvJbWuDLnMXX%2FCQ3FuDrgbRh%2FmBmJgbRtDcTmONZEqNmyOGjZ27qTQTydkVI68KcwDDEcd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d94380fa893db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=16&recv=17&lost=0&retrans=6&sent_bytes=16904&recv_bytes=879&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=16571&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015768
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MXIrqV%2BRev6fvV47ob1fKa2Jnql2Ejkw1YPiHb8iEaHbnkTkQQyEbtPtcDglOmu1GSlqTzH%2BGaU9R5ewZzGepu510Oe1%2F9du1xw7hDltGaEzA2MYjBW%2BWId5GUueSYJxmd4mQDcE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d947e9d5e93db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31037&min_rtt=26522&rtt_var=13913&sent=19&recv=19&lost=0&retrans=8&sent_bytes=20759&recv_bytes=980&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=27848&x=0"
-
GET https://reallyfreegeoip.org/xml/181.215.176.83 (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 104.21.16.1:443
Request
GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6015781
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fw5Bc3pMKScIB7L3RUGuGHlHWBuzY5c4RL5pcuztUBZMkMaYVG%2FRPfgyUDbQJyW%2BVP%2FYU%2Bn67kUUz1zcVGuTEskx11PKYbQmjpLjzZKvyQ%2Bm09vx31lbKnodIwbT39tdMsUzQZmy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905d94cc0b6f93db-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=55161&min_rtt=26522&rtt_var=58684&sent=20&recv=21&lost=0&retrans=8&sent_bytes=22044&recv_bytes=1081&delivery_rate=128224&cwnd=236&unsent_bytes=0&cid=2a7ecd7443f59cd8&ts=40248&x=0"
-
DNS api.telegram.org (process: 20250103141459859.pdf_______________________________________________________________________________________________________.exe)
Remote address: 8.8.8.8:53
Request: api.telegram.org IN A
Response:
api.telegram.org IN A 149.154.167.220
-
132.226.247.73:80 | http://checkip.dyndns.org/ | http | 20250103141459859.pdf_______________________________________________________________________________________________________.exe | 2.5kB 4.8kB 27 21
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 504
HTTP Request: GET http://checkip.dyndns.org/ -> HTTP Response: 200
104.21.16.1:443 | https://reallyfreegeoip.org/xml/181.215.176.83 | tls, http | 20250103141459859.pdf_______________________________________________________________________________________________________.exe | 2.3kB 23.0kB 27 22
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
HTTP Request: GET https://reallyfreegeoip.org/xml/181.215.176.83 -> HTTP Response: 200
149.154.167.220:443 | api.telegram.org | tls | 20250103141459859.pdf_______________________________________________________________________________________________________.exe | 434 B 219 B 6 5
-
8.8.8.8:53 | checkip.dyndns.org | dns | 20250103141459859.pdf_______________________________________________________________________________________________________.exe | 64 B 176 B 1 1
DNS Request: checkip.dyndns.org
DNS Response: 132.226.247.73, 158.101.44.242, 193.122.130.0, 132.226.8.169, 193.122.6.168
-
8.8.8.8:53 | reallyfreegeoip.org | dns | 20250103141459859.pdf_______________________________________________________________________________________________________.exe | 65 B 177 B 1 1
DNS Request: reallyfreegeoip.org
DNS Response: 104.21.16.1, 104.21.96.1, 104.21.64.1, 104.21.32.1, 104.21.80.1, 104.21.112.1, 104.21.48.1
-
8.8.8.8:53 | api.telegram.org | dns | 20250103141459859.pdf_______________________________________________________________________________________________________.exe | 62 B 78 B 1 1
DNS Request: api.telegram.org
DNS Response: 149.154.167.220
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
Filesize: 1KB
MD5: 67a85d0ef4e4501867b837da8833001f
SHA1: 0faed3f41b4f5bcad66a47a0c5d97d2a876c0986
SHA256: e50992afe8c6a4d4e517167acc16ecc705e6a32ce4d6eaeefb27fae4df7da980
SHA512: 7cb6676e387684f034242e2994eca7667fa4e076d90bc02f2aec85d92744a935a4c2f82203bc652d2f6c55078915e34a65a204bf0c2c05e5e47cf18a8753e6ec