blackmoon | b394e8102efa9dcfbfacf4b2c442decaf93657223537bc61fbf141822077ded2

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

12.3MB
MD5

d44dde23adf8b719b299c0d0541d5676
SHA1

83320720aad1e6871a97cc55a0ec51f05f246bfa
SHA256

b394e8102efa9dcfbfacf4b2c442decaf93657223537bc61fbf141822077ded2
SHA512

fe991a73a23b13ff396f86f95cc75a154be42171144d56f2aefa9c3ce8abdaebbeb2f583bb1520e5cc8d20d66ce24305692d63fc07b6e2fd8571842a8649c5d8
SSDEEP

196608:o3XTYQmknGzwHaOtVPHd9swFBubKLtchEYX2AxFpx4g1JoHZiDzDhpyT4t2:4ujzwV3BubKyeapug7ciDzDhpyTv

Score

10^/10

blackmoon mimikatz banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/memory/2400-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/files/0x00080000000173a9-5.dat	family_blackmoon
behavioral1/memory/2936-9-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/memory/2400-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/files/0x00080000000173a9-5.dat	mimikatz
behavioral1/memory/2936-9-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
2936	birveeb.exe
2312	birveeb.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	cmd.exe
2396	cmd.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	29	117.50.22.22	1864	nslookup.exe
Destination IP	37	208.67.220.220	1596	nslookup.exe
Destination IP	72	208.67.220.220	2104	nslookup.exe
Destination IP	12	117.50.22.22	2636	nslookup.exe
Destination IP	15	208.67.222.222	1756	nslookup.exe
Destination IP	62	117.50.11.11	2412	nslookup.exe
Destination IP	73	208.67.220.220	2104	nslookup.exe
Destination IP	117	117.50.11.11	1812	nslookup.exe
Destination IP	120	117.50.22.22	1428	nslookup.exe
Destination IP	31	117.50.22.22	1864	nslookup.exe
Destination IP	51	208.67.222.222	496	nslookup.exe
Destination IP	19	208.67.220.220	2120	nslookup.exe
Destination IP	48	117.50.22.22	2212	nslookup.exe
Destination IP	14	208.67.222.222	1756	nslookup.exe
Destination IP	33	208.67.222.222	1688	nslookup.exe
Destination IP	53	208.67.220.220	2972	nslookup.exe
Destination IP	63	117.50.11.11	2412	nslookup.exe
Destination IP	80	117.50.11.11	2528	nslookup.exe
Destination IP	83	117.50.22.22	1680	nslookup.exe
Destination IP	126	208.67.220.220	1068	nslookup.exe
Destination IP	18	208.67.220.220	2120	nslookup.exe
Destination IP	36	208.67.220.220	1596	nslookup.exe
Destination IP	67	117.50.22.22	468	nslookup.exe
Destination IP	70	208.67.222.222	2000	nslookup.exe
Destination IP	88	208.67.222.222	1628	nslookup.exe
Destination IP	90	208.67.220.220	2552	nslookup.exe
Destination IP	109	208.67.220.220	2620	nslookup.exe
Destination IP	30	117.50.22.22	1864	nslookup.exe
Destination IP	47	117.50.22.22	2212	nslookup.exe
Destination IP	54	208.67.220.220	2972	nslookup.exe
Destination IP	71	208.67.220.220	2104	nslookup.exe
Destination IP	106	208.67.222.222	880	nslookup.exe
Destination IP	107	208.67.220.220	2620	nslookup.exe
Destination IP	65	117.50.22.22	468	nslookup.exe
Destination IP	26	117.50.11.11	860	nslookup.exe
Destination IP	55	208.67.220.220	2972	nslookup.exe
Destination IP	81	117.50.11.11	2528	nslookup.exe
Destination IP	87	208.67.222.222	1628	nslookup.exe
Destination IP	105	208.67.222.222	880	nslookup.exe
Destination IP	122	208.67.222.222	1600	nslookup.exe
Destination IP	50	208.67.222.222	496	nslookup.exe
Destination IP	69	208.67.222.222	2000	nslookup.exe
Destination IP	101	117.50.22.22	2896	nslookup.exe
Destination IP	103	117.50.22.22	2896	nslookup.exe
Destination IP	118	117.50.11.11	1812	nslookup.exe
Destination IP	11	117.50.22.22	2636	nslookup.exe
Destination IP	45	117.50.11.11	1828	nslookup.exe
Destination IP	82	117.50.11.11	2528	nslookup.exe
Destination IP	8	117.50.11.11	2948	nslookup.exe
Destination IP	13	117.50.22.22	2636	nslookup.exe
Destination IP	17	208.67.220.220	2120	nslookup.exe
Destination IP	102	117.50.22.22	2896	nslookup.exe
Destination IP	123	208.67.222.222	1600	nslookup.exe
Destination IP	124	208.67.222.222	1600	nslookup.exe
Destination IP	28	117.50.11.11	860	nslookup.exe
Destination IP	34	208.67.222.222	1688	nslookup.exe
Destination IP	46	117.50.11.11	1828	nslookup.exe
Destination IP	64	117.50.11.11	2412	nslookup.exe
Destination IP	66	117.50.22.22	468	nslookup.exe
Destination IP	84	117.50.22.22	1680	nslookup.exe
Destination IP	104	208.67.222.222	880	nslookup.exe
Destination IP	108	208.67.220.220	2620	nslookup.exe
Destination IP	32	208.67.222.222	1688	nslookup.exe
Destination IP	44	117.50.11.11	1828	nslookup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\gqmenrnz\birveeb.exe	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\gqmenrnz\birveeb.exe	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	birveeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	birveeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2396	cmd.exe
1156	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00080000000173a9-5.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1156	PING.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	2936	birveeb.exe
Token: SeDebugPrivilege	2312	birveeb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
2936	birveeb.exe
2312	birveeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2396	2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	30
PID 2400 wrote to memory of 2396	2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	30
PID 2400 wrote to memory of 2396	2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	30
PID 2400 wrote to memory of 2396	2400	2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	30
PID 2396 wrote to memory of 1156	2396	cmd.exe	32
PID 2396 wrote to memory of 1156	2396	cmd.exe	32
PID 2396 wrote to memory of 1156	2396	cmd.exe	32
PID 2396 wrote to memory of 1156	2396	cmd.exe	32
PID 2396 wrote to memory of 2936	2396	cmd.exe	33
PID 2396 wrote to memory of 2936	2396	cmd.exe	33
PID 2396 wrote to memory of 2936	2396	cmd.exe	33
PID 2396 wrote to memory of 2936	2396	cmd.exe	33
PID 2312 wrote to memory of 2836	2312	birveeb.exe	35
PID 2312 wrote to memory of 2836	2312	birveeb.exe	35
PID 2312 wrote to memory of 2836	2312	birveeb.exe	35
PID 2312 wrote to memory of 2836	2312	birveeb.exe	35
PID 2836 wrote to memory of 2820	2836	cmd.exe	37
PID 2836 wrote to memory of 2820	2836	cmd.exe	37
PID 2836 wrote to memory of 2820	2836	cmd.exe	37
PID 2836 wrote to memory of 2820	2836	cmd.exe	37
PID 2312 wrote to memory of 2728	2312	birveeb.exe	38
PID 2312 wrote to memory of 2728	2312	birveeb.exe	38
PID 2312 wrote to memory of 2728	2312	birveeb.exe	38
PID 2312 wrote to memory of 2728	2312	birveeb.exe	38
PID 2728 wrote to memory of 2884	2728	cmd.exe	40
PID 2728 wrote to memory of 2884	2728	cmd.exe	40
PID 2728 wrote to memory of 2884	2728	cmd.exe	40
PID 2728 wrote to memory of 2884	2728	cmd.exe	40
PID 2312 wrote to memory of 2876	2312	birveeb.exe	41
PID 2312 wrote to memory of 2876	2312	birveeb.exe	41
PID 2312 wrote to memory of 2876	2312	birveeb.exe	41
PID 2312 wrote to memory of 2876	2312	birveeb.exe	41
PID 2876 wrote to memory of 2948	2876	cmd.exe	43
PID 2876 wrote to memory of 2948	2876	cmd.exe	43
PID 2876 wrote to memory of 2948	2876	cmd.exe	43
PID 2876 wrote to memory of 2948	2876	cmd.exe	43
PID 2312 wrote to memory of 892	2312	birveeb.exe	45
PID 2312 wrote to memory of 892	2312	birveeb.exe	45
PID 2312 wrote to memory of 892	2312	birveeb.exe	45
PID 2312 wrote to memory of 892	2312	birveeb.exe	45
PID 892 wrote to memory of 2636	892	cmd.exe	47
PID 892 wrote to memory of 2636	892	cmd.exe	47
PID 892 wrote to memory of 2636	892	cmd.exe	47
PID 892 wrote to memory of 2636	892	cmd.exe	47
PID 2312 wrote to memory of 3020	2312	birveeb.exe	48
PID 2312 wrote to memory of 3020	2312	birveeb.exe	48
PID 2312 wrote to memory of 3020	2312	birveeb.exe	48
PID 2312 wrote to memory of 3020	2312	birveeb.exe	48
PID 3020 wrote to memory of 1756	3020	cmd.exe	50
PID 3020 wrote to memory of 1756	3020	cmd.exe	50
PID 3020 wrote to memory of 1756	3020	cmd.exe	50
PID 3020 wrote to memory of 1756	3020	cmd.exe	50
PID 2312 wrote to memory of 2456	2312	birveeb.exe	51
PID 2312 wrote to memory of 2456	2312	birveeb.exe	51
PID 2312 wrote to memory of 2456	2312	birveeb.exe	51
PID 2312 wrote to memory of 2456	2312	birveeb.exe	51
PID 2456 wrote to memory of 2120	2456	cmd.exe	53
PID 2456 wrote to memory of 2120	2456	cmd.exe	53
PID 2456 wrote to memory of 2120	2456	cmd.exe	53
PID 2456 wrote to memory of 2120	2456	cmd.exe	53
PID 2312 wrote to memory of 2592	2312	birveeb.exe	54
PID 2312 wrote to memory of 2592	2312	birveeb.exe	54
PID 2312 wrote to memory of 2592	2312	birveeb.exe	54
PID 2312 wrote to memory of 2592	2312	birveeb.exe	54

C:\Users\Admin\AppData\Local\Temp\2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-21_d44dde23adf8b719b299c0d0541d5676_amadey_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gqmenrnz\birveeb.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1156
- - C:\Windows\gqmenrnz\birveeb.exe
    C:\Windows\gqmenrnz\birveeb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2936

C:\Windows\gqmenrnz\birveeb.exe
C:\Windows\gqmenrnz\birveeb.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
  2⤵
  PID:332
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:444
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
  2⤵
  PID:600
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
  2⤵
  PID:620
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
    3⤵
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1156
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
    3⤵
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 1.1.1.1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1088
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 1.1.1.1
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 1.1.1.1
    3⤵
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\gqmenrnz\birveeb.exe

Filesize
12.3MB

MD5
190a94afc42e66bcaf4858b77464d7ee

SHA1
d7db7efa11502c2ec1ce290898f33b7ebf547747

SHA256
168ec20d22ffaa886f2bbd6af254da0eac5291af33188954c8de5546732c8e0d

SHA512
8382603f0b2710c1eb8232d0f642b6e9fb0512795ce98cd7bc32c00e723694b54dd0ec3edd2d581a4fc469dd03540b759126601c506f47d5f1c68f0238f0f123

Download Submit
memory/2400-0-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/2400-4-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/2936-9-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download