download: | L0ADER-02-19 |
Full analysis: | https://app.any.run/tasks/5da1bbbc-172c-4274-87d0-59272c9da4e7 |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | April 01, 2023, 09:53:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text, with very long lines |
MD5: | D549115F7F780B125C87AD73EB2E88AA |
SHA1: | F9ABF058769F3D5870FA4B7D1F4809CAD9FE2C61 |
SHA256: | A3D140F7CBD1CDF3A583F7DBD245C50D5FB5E2C5F70D400A4666731137282040 |
SSDEEP: | 96:osuWzMNkimQNikMfj1Z/qgl3PJjeIJumKvPF5:pT715hfJjeeuV5 |
.html | | | HyperText Markup Language (100) |
---|
TwitterImage: | - |
---|---|
TwitterDescription: | 🚀 𝐃𝐎𝐖𝐍𝐋𝐎𝐀𝐃: https://www.mediafire.com/file/kgk06oe8geqpic0/Loader.rar/file 🔑 𝐏𝐀𝐒𝐒𝐖𝐎𝐑𝐃: 91563 ✅ Turn off the proxy/vpn/antivirus for the link to work! 👋Dont forget to subscribe on my channel! ⛔️ IF YOU HAVE PROBLEMS DOWNLOADING / INSTALLING!⛔️ If you can’t download / install the archive, you need to: 1. If you can’t download, try to download using another browser! 2. Disable Windows Smart Screen, as well as update the Visual C++ package |
TwitterTitle: | L0ADER |
TwitterCard: | summary |
Robots: | index, follow |
HandheldFriendly: | |
MobileOptimized: | 176 |
HTTPEquivXUACompatible: | IE=edge |
FormatDetection: | telephone=no |
Viewport: | width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no |
Title: | L0ADER – Telegraph |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2824 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\L0ADER-02-19.html" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1656 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2824 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
4056 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2824 CREDAT:333057 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2040 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Loader.rar" | C:\Program Files\WinRAR\WinRAR.exe | iexplore.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
4052 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2040.34399\Loader.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2040.34399\Loader.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
2804 | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Loader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
664 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2040.35816\Loader.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2040.35816\Loader.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
2020 | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | — | Loader.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
|
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 0 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30847387 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30847437 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2824) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2824 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:7DB845ACB718291C22814AC5C3E936E9 | SHA256:A834C4A03A2F23E8732585E76B073DF89E0A6CD077BB2C08AECD48C9F57BCC2B | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | |
MD5:9BF77CE85A5A981D86A0F7A4672BA22B | SHA256:44ED3A7243FE9995A4439683D11971670EB00101C3832AD30DB5242560B2B354 | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30 | der | |
MD5:49AC34D9D44A16272D96D21C38D5E72C | SHA256:7D0067221DF7D222B3E44A3F4481AC075219B3DD23AF63EE9556D1E226326A07 | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der | |
MD5:0CC22A011CCAAEBC8D6E46EBB016A84E | SHA256:308735064FF38C7FD32D09FA073F491B50D25B2DCF542A66D59B5ADF5E64944D | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | |
MD5:CC001D7B10B3B0C5DB655A1E24772F84 | SHA256:777C43773CC73D6D5607889F3F975A5A20013D8B8F502207EB1C58CFB3BC87FC | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:2F1E733F4AEF6DD8FB0B2CF504E46970 | SHA256:3F3C575D77A17807229FE34DA154D0551A39E8A525C97234F030DF585FAF2039 | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30 | binary | |
MD5:42048D4197243DF069CD94402A2513DE | SHA256:D07ED5333CB6D4C7BC13985FDD2BEAB7DBAB917387667082E2ABC46FDA69BC45 | |||
2824 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:84698182B902F4BC3C4F5560E699ED55 | SHA256:4FC0C658AC7730527655B1463B7921E6C5FF97FE8CA9676A134E82144E6C7242 | |||
1656 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | |
MD5:622DDAB6E6C1FCB1333FAF96CC36999A | SHA256:DB3A04939B47ABECC4A5D8A3C35C117026096ADFA5651108A13F56DE7252E963 | |||
4056 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:7BD54D1585BFAB8005C36C4D739012F8 | SHA256:AD8C2A476090A7488322D0702739E4A22E2FE8A2594739E7EC415706EDA4EDBB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1656 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
1656 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D | US | der | 1.74 Kb | whitelisted |
4056 | iexplore.exe | GET | — | 142.250.181.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | — | — | whitelisted |
4056 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 2.18 Kb | whitelisted |
4056 | iexplore.exe | GET | 200 | 108.138.2.10:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2824 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1656 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
1656 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cb69427b90ba846a | US | compressed | 4.70 Kb | whitelisted |
4056 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 1.41 Kb | whitelisted |
4056 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDTHapPXttJahK0MpJdGmyD | US | der | 472 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2824 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
2824 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4056 | iexplore.exe | 172.67.70.134:443 | btloader.com | CLOUDFLARENET | US | suspicious |
4056 | iexplore.exe | 142.250.185.206:443 | translate.google.com | GOOGLE | US | whitelisted |
1656 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
1656 | iexplore.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | LLNW | ZA | suspicious |
1656 | iexplore.exe | 192.124.249.22:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
4056 | iexplore.exe | 104.16.53.48:443 | www.mediafire.com | CLOUDFLARENET | — | suspicious |
4056 | iexplore.exe | 142.250.185.168:443 | www.googletagmanager.com | GOOGLE | US | suspicious |
4056 | iexplore.exe | 104.18.32.68:80 | ocsp.usertrust.com | CLOUDFLARENET | — | suspicious |
Domain | IP | Reputation |
---|---|---|
t.me |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.mediafire.com |
| shared |
ocsp.usertrust.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |
btloader.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1656 | iexplore.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
1656 | iexplore.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
— | — | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) |
4056 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Abused Content Delivery Network Domain (btloader .com in TLS SNI) |
4056 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Abused Content Delivery Network Domain (btloader .com in TLS SNI) |
— | — | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com) |
2804 | AppLaunch.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
2804 | AppLaunch.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request |
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) |