stealerium | 5f2b46e3cfb853b3be645309ea8378f6535bf7128e0794ff9ab2ef0972554e8a

Analysis

max time kernel
129s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 22:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lmfekeldirxz.exe
Size

3.0MB
MD5

0372cb4f806947727400d1937f3e8063
SHA1

89aee134a5226e103f702f434a059c601eebf336
SHA256

5f2b46e3cfb853b3be645309ea8378f6535bf7128e0794ff9ab2ef0972554e8a
SHA512

b92f743d4fd4101bee6e6a8becba6be698f36ac83a18b0913bf0bc22d8a0ca57ea1bf659936a9398f729ed6b0f323bb437e6a67b4e0d5a79efba0baadf093fe1
SSDEEP

49152:L2Xg/Wplj7e9IDcaZw1g9cDv1a4TOJMomYJJ8FRmrc:A8Qle9Id4Vha46JMdEJE

Score

10^/10

stealerium bootkit defense_evasion discovery persistence stealer trojan

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Lmfekeldirxz.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lmfekeldirxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Lmfekeldirxz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	Lmfekeldirxz.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine	Lmfekeldirxz.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Lmfekeldirxz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
31	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Lmfekeldirxz.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
808	Lmfekeldirxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmfekeldirxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4336	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2112	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
808	Lmfekeldirxz.exe
808	Lmfekeldirxz.exe
808	Lmfekeldirxz.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	Lmfekeldirxz.exe
Token: SeDebugPrivilege	2112	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4124	808	Lmfekeldirxz.exe	92
PID 808 wrote to memory of 4124	808	Lmfekeldirxz.exe	92
PID 808 wrote to memory of 4124	808	Lmfekeldirxz.exe	92
PID 4124 wrote to memory of 2572	4124	cmd.exe	94
PID 4124 wrote to memory of 2572	4124	cmd.exe	94
PID 4124 wrote to memory of 2572	4124	cmd.exe	94
PID 4124 wrote to memory of 2112	4124	cmd.exe	95
PID 4124 wrote to memory of 2112	4124	cmd.exe	95
PID 4124 wrote to memory of 2112	4124	cmd.exe	95
PID 4124 wrote to memory of 4336	4124	cmd.exe	96
PID 4124 wrote to memory of 4336	4124	cmd.exe	96
PID 4124 wrote to memory of 4336	4124	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe
"C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 808
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4336

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=25E60E23FB4F67410B5A1BBCFAC46618; domain=.bing.com; expires=Mon, 23-Mar-2026 22:40:35 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 708639AC3E2F4342830ABD7FE31F4ADC Ref B: FRA31EDGE0217 Ref C: 2025-02-26T22:40:35Z
date: Wed, 26 Feb 2025 22:40:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=25E60E23FB4F67410B5A1BBCFAC46618

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=yXk2u09x3y8FQ1Mmypl1uKuxjxvTeabYslgcWG9KcaI; domain=.bing.com; expires=Mon, 23-Mar-2026 22:40:35 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E1E25BEDD32D4ECF8A194F896FCEB662 Ref B: FRA31EDGE0217 Ref C: 2025-02-26T22:40:35Z
date: Wed, 26 Feb 2025 22:40:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=25E60E23FB4F67410B5A1BBCFAC46618; MSPTC=yXk2u09x3y8FQ1Mmypl1uKuxjxvTeabYslgcWG9KcaI

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F434B0D1D0474E2DB14FC335C84DBF40 Ref B: FRA31EDGE0217 Ref C: 2025-02-26T22:40:35Z
date: Wed, 26 Feb 2025 22:40:34 GMT
DNS

ip-api.com

Lmfekeldirxz.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

Lmfekeldirxz.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 26 Feb 2025 22:40:41 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discord.com

Lmfekeldirxz.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.137.232
GET

https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB

Lmfekeldirxz.exe

Remote address:

162.159.135.232:443

Request

GET /api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB HTTP/1.1
Host: discord.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Wed, 26 Feb 2025 22:40:43 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1740607133
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: HIT
Age: 2511
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pVMlSqP2PtOdGa5fDvoA32hso81M9hhEej6V8R9uGdlD9a4tS7hqpXM%2B0X9S1GYWHMxZP0ryLF9eoMvLgM9ajhvD0taLJPm5adKNcGYZt1gWuf%2BZclY009w2HpWy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=25e54eb35705fe17bd25c39334a0636657acd6bc-1740609643; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
Set-Cookie: _cfuvid=KIs.dbTylpUEZMm2W3d4D8TcGVa9BWG_oEbNhp97VAg-1740609643813-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 91837041bf46ef2b-LHR
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 539839
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3EABDF40FB8B49098B2EE5D3E3CDB2FA Ref B: FRA31EDGE0110 Ref C: 2025-02-26T22:41:11Z
date: Wed, 26 Feb 2025 22:41:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 491307
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 59B62663F1DD42BA933EF5808CCF5F90 Ref B: FRA31EDGE0110 Ref C: 2025-02-26T22:41:11Z
date: Wed, 26 Feb 2025 22:41:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 577346
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DA72F51E445D49619A30799BE2E31818 Ref B: FRA31EDGE0110 Ref C: 2025-02-26T22:41:11Z
date: Wed, 26 Feb 2025 22:41:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 837003
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3C6C1C91EDF441F6A423CE5D14359C67 Ref B: FRA31EDGE0110 Ref C: 2025-02-26T22:41:11Z
date: Wed, 26 Feb 2025 22:41:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 944899
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A62F43D2F4D04469BA8778FA7274897B Ref B: FRA31EDGE0110 Ref C: 2025-02-26T22:41:11Z
date: Wed, 26 Feb 2025 22:41:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 676162
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D0955DF6B37A471CB54E29054F94991B Ref B: FRA31EDGE0110 Ref C: 2025-02-26T22:41:11Z
date: Wed, 26 Feb 2025 22:41:11 GMT

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

tls, http2

2.5kB
10.8kB
25
20

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=078d9c2ba6234102bf1b9b491ccb5534&localId=w:E39843FB-A60C-6B86-72F2-55AF29660625&deviceId=6755478849344917&anid=

HTTP Response

204
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Lmfekeldirxz.exe

310 B
266 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
162.159.135.232:443

https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB

tls, http

Lmfekeldirxz.exe

859 B
5.1kB
9
9

HTTP Request

GET https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB

HTTP Response

404
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.5kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.5kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.1kB
593 B
10
8
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

145.8kB
4.2MB
3057
3054

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

ip-api.com

dns

Lmfekeldirxz.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

discord.com

dns

Lmfekeldirxz.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.135.232

162.159.136.232

162.159.138.232

162.159.128.233

162.159.137.232
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.bat

Filesize
56B

MD5
9aaae03ffe3e82eeeb63ecaba771218b

SHA1
32f3d73a8b11764ebabbdb27ef5924259f2eaae6

SHA256
8ca296211c7e81c96c4a091939bfdf02fb31387c79125072f010746fa84efec2

SHA512
336a7c34ffd6c2e681f73aacaf907ee7e7ee1df4938bd77feb7fb59c9a8ffcce79075f27b64bc9697af01009c0b0b52d9df12b7fc2000623284ebb34bca811a2

Download Submit
memory/808-0-0x00000000009C0000-0x0000000000ED2000-memory.dmp

Filesize
5.1MB

Download
memory/808-2-0x00000000009C0000-0x0000000000ED2000-memory.dmp

Filesize
5.1MB

Download
memory/808-3-0x00000000009C0000-0x0000000000ED2000-memory.dmp

Filesize
5.1MB

Download
memory/808-4-0x00000000073B0000-0x0000000007416000-memory.dmp

Filesize
408KB

Download
memory/808-6-0x00000000009C0000-0x0000000000ED2000-memory.dmp

Filesize
5.1MB

Download
memory/808-10-0x00000000009C0000-0x0000000000ED2000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.