tofsee | 5ee0ce532815fd54fd742fff2f823a948eb8dc7cad0e8185fdffa2bccd0b5f20

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 07:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe
Size

12.0MB
MD5

9f24eab3f06e91c2b47ffa9875804b05
SHA1

0523ba568d63449740df94c77d8b7efeca6985c8
SHA256

5ee0ce532815fd54fd742fff2f823a948eb8dc7cad0e8185fdffa2bccd0b5f20
SHA512

1dc52b7f679fc74e2a041b7bd24a34f5318612c1d60d0e9e367f42c6eb7fe8427a1d7944f8426e32fda3137035e575a9bce32484b66a6d7d8d52a2fcb28862a2
SSDEEP

6144:Bx0+o7WWIsIrMhYUhxAeg4PgOHOrDnbvZFpkGgtTpiHqqqqqqqqqqqqqqqqqqqqn:Bx3o7WWb1Zgag8w7f

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4040	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hhbmngaz\ImagePath = "C:\\Windows\\SysWOW64\\hhbmngaz\\mrbwqczb.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe

Deletes itself 1 IoCs

pid	Process
4084	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	mrbwqczb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4548 set thread context of 4084	4548	mrbwqczb.exe	102

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1736	sc.exe
4912	sc.exe
808	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2688	4548	WerFault.exe	101
4328	1000	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mrbwqczb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1428	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	88
PID 1000 wrote to memory of 1428	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	88
PID 1000 wrote to memory of 1428	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	88
PID 1000 wrote to memory of 4736	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	92
PID 1000 wrote to memory of 4736	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	92
PID 1000 wrote to memory of 4736	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	92
PID 1000 wrote to memory of 1736	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	94
PID 1000 wrote to memory of 1736	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	94
PID 1000 wrote to memory of 1736	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	94
PID 1000 wrote to memory of 4912	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	97
PID 1000 wrote to memory of 4912	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	97
PID 1000 wrote to memory of 4912	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	97
PID 1000 wrote to memory of 808	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	99
PID 1000 wrote to memory of 808	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	99
PID 1000 wrote to memory of 808	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	99
PID 4548 wrote to memory of 4084	4548	mrbwqczb.exe	102
PID 4548 wrote to memory of 4084	4548	mrbwqczb.exe	102
PID 4548 wrote to memory of 4084	4548	mrbwqczb.exe	102
PID 4548 wrote to memory of 4084	4548	mrbwqczb.exe	102
PID 4548 wrote to memory of 4084	4548	mrbwqczb.exe	102
PID 1000 wrote to memory of 4040	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	108
PID 1000 wrote to memory of 4040	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	108
PID 1000 wrote to memory of 4040	1000	2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hhbmngaz\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mrbwqczb.exe" C:\Windows\SysWOW64\hhbmngaz\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4736
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hhbmngaz binPath= "C:\Windows\SysWOW64\hhbmngaz\mrbwqczb.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hhbmngaz "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4912
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hhbmngaz
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:808
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1280
  2⤵
  - Program crash
  PID:4328

C:\Windows\SysWOW64\hhbmngaz\mrbwqczb.exe
C:\Windows\SysWOW64\hhbmngaz\mrbwqczb.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-04-04_9f24eab3f06e91c2b47ffa9875804b05_black-basta_luca-stealer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 512
  2⤵
  - Program crash
  PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4548 -ip 4548
1⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1000 -ip 1000
1⤵
PID:5376

Network

DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN A

Response

microsoft.com

IN A

13.107.246.59
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN MX

Response

microsoft.com

IN MX

microsoft-commail protectionoutlook�
DNS

microsoft-com.mail.protection.outlook.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft-com.mail.protection.outlook.com

IN A

Response

microsoft-com.mail.protection.outlook.com

IN A

52.101.40.26

microsoft-com.mail.protection.outlook.com

IN A

52.101.42.0

microsoft-com.mail.protection.outlook.com

IN A

52.101.11.0

microsoft-com.mail.protection.outlook.com

IN A

52.101.8.49
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX

Response

yahoo.com

IN MX

mta5am0yahoodnsnet

yahoo.com

IN MX

mta7�.

yahoo.com

IN MX

mta6�.
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX
DNS

mta5.am0.yahoodns.net

svchost.exe

Remote address:

8.8.8.8:53

Request

mta5.am0.yahoodns.net

IN A

Response

mta5.am0.yahoodns.net

IN A

98.136.96.76

mta5.am0.yahoodns.net

IN A

67.195.204.77

mta5.am0.yahoodns.net

IN A

67.195.228.110

mta5.am0.yahoodns.net

IN A

98.136.96.91

mta5.am0.yahoodns.net

IN A

98.136.96.77

mta5.am0.yahoodns.net

IN A

98.136.96.74

mta5.am0.yahoodns.net

IN A

67.195.228.111

mta5.am0.yahoodns.net

IN A

67.195.204.73
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418605_1YZ6O1QX1RJB3B5MZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418605_1YZ6O1QX1RJB3B5MZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 193575
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B265A07FC3C74D01A3F8DB353987797A Ref B: LON04EDGE0908 Ref C: 2025-04-04T07:01:22Z
date: Fri, 04 Apr 2025 07:01:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239357290388_16CMXFO1MXGSZHTL5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239357290388_16CMXFO1MXGSZHTL5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 397494
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 21193B2836F9443AB2214D9EA5C69F58 Ref B: LON04EDGE0908 Ref C: 2025-04-04T07:01:22Z
date: Fri, 04 Apr 2025 07:01:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 538654
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EBB2A795E2B4436F84518EE643081ED9 Ref B: LON04EDGE0908 Ref C: 2025-04-04T07:01:22Z
date: Fri, 04 Apr 2025 07:01:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 308655
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 20B90EB095454AC480B52BD359761D20 Ref B: LON04EDGE0908 Ref C: 2025-04-04T07:01:22Z
date: Fri, 04 Apr 2025 07:01:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239357290389_1WHXB2JL6W3CH3HF1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239357290389_1WHXB2JL6W3CH3HF1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 195935
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F75AC4CA5B4341EBB5F0B41DD6BC0634 Ref B: LON04EDGE0908 Ref C: 2025-04-04T07:01:22Z
date: Fri, 04 Apr 2025 07:01:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 617294
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3DDCC04A91B94E5AB4003953E31761A1 Ref B: LON04EDGE0908 Ref C: 2025-04-04T07:01:22Z
date: Fri, 04 Apr 2025 07:01:22 GMT
DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN MX

Response

google.com

IN MX

smtp�
DNS

smtp.google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

smtp.google.com

IN A

Response

smtp.google.com

IN A

64.233.184.26

smtp.google.com

IN A

142.251.5.27

smtp.google.com

IN A

142.251.168.26

smtp.google.com

IN A

142.251.168.27

smtp.google.com

IN A

142.251.5.26
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.187.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 993
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Apr 2025 06:53:13 GMT
Expires: Fri, 04 Apr 2025 07:43:13 GMT
Cache-Control: public, max-age=3000
Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Age: 518
DNS

mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mail.ru

IN MX

Response

mail.ru

IN MX

mxs�
DNS

mxs.mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mxs.mail.ru

IN A

Response

mxs.mail.ru

IN A

217.69.139.150

mxs.mail.ru

IN A

94.100.180.31

13.107.246.59:80

microsoft.com

svchost.exe

190 B
92 B
4
2
52.101.40.26:25

microsoft-com.mail.protection.outlook.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
98.136.96.76:25

mta5.am0.yahoodns.net

svchost.exe

260 B
5
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

83.6kB
2.3MB
1706
1699

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418605_1YZ6O1QX1RJB3B5MZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239357290388_16CMXFO1MXGSZHTL5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239357290389_1WHXB2JL6W3CH3HF1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
64.233.184.26:25

smtp.google.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
142.250.187.227:80

http://c.pki.goog/r/r1.crl

http

476 B
2.0kB
6
6

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
217.69.139.150:25

mxs.mail.ru

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5

8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
75 B
1
1

DNS Request

microsoft.com

DNS Response

13.107.246.59
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
113 B
1
1

DNS Request

microsoft.com
8.8.8.8:53

microsoft-com.mail.protection.outlook.com

dns

svchost.exe

87 B
151 B
1
1

DNS Request

microsoft-com.mail.protection.outlook.com

DNS Response

52.101.40.26

52.101.42.0

52.101.11.0

52.101.8.49
8.8.8.8:53

yahoo.com

dns

svchost.exe

220 B
134 B
4
1

DNS Request

yahoo.com

DNS Request

yahoo.com

DNS Request

yahoo.com

DNS Request

yahoo.com
8.8.8.8:53

mta5.am0.yahoodns.net

dns

svchost.exe

67 B
195 B
1
1

DNS Request

mta5.am0.yahoodns.net

DNS Response

98.136.96.76

67.195.204.77

67.195.228.110

98.136.96.91

98.136.96.77

98.136.96.74

67.195.228.111

67.195.204.73
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

google.com

dns

svchost.exe

56 B
77 B
1
1

DNS Request

google.com
8.8.8.8:53

smtp.google.com

dns

svchost.exe

61 B
141 B
1
1

DNS Request

smtp.google.com

DNS Response

64.233.184.26

142.251.5.27

142.251.168.26

142.251.168.27

142.251.5.26
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

mail.ru

dns

svchost.exe

53 B
73 B
1
1

DNS Request

mail.ru
8.8.8.8:53

mxs.mail.ru

dns

svchost.exe

57 B
89 B
1
1

DNS Request

mxs.mail.ru

DNS Response

217.69.139.150

94.100.180.31

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrbwqczb.exe

Filesize
12.5MB

MD5
f9e570344e0eb96244c18d85c0426f2a

SHA1
b722c65ebd4e636f95ebecde9d3e6e09ed4a5679

SHA256
88defc9631390d0de3f4bdd7040f853f6397f66f3f3ad272c712e206de5a5cca

SHA512
dd7e78d225966a791cf966818c722b98d394d9443b96bf520911519b6eadd8239b0216f6b3a3ede66e7635268e9c4ec593a1c6c65b1fabe83d3bc980f1584933

Download Submit
memory/1000-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1000-20-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1000-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1000-2-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/1000-21-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/1000-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1000-15-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/1000-3-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4084-12-0x0000000001060000-0x0000000001075000-memory.dmp

Filesize
84KB

Download
memory/4084-16-0x0000000001060000-0x0000000001075000-memory.dmp

Filesize
84KB

Download
memory/4084-23-0x0000000001060000-0x0000000001075000-memory.dmp

Filesize
84KB

Download
memory/4084-24-0x0000000001060000-0x0000000001075000-memory.dmp

Filesize
84KB

Download
memory/4084-25-0x0000000001060000-0x0000000001075000-memory.dmp

Filesize
84KB

Download
memory/4548-11-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4548-10-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4548-9-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4548-18-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.