Sandbox Analysis: https://tria.ge/231209-1ya5lacce6

Initial URL: hxxps://videocallgirl[.]top/alb/ (careful, auto-download of malicious .zip)

Downloads the malicious .zip via:
hxxps://download-ai[.]top/Eseoa%20Onlyfans%20Leak%20(Photos%20&%20Videos)%20Eseoa-Onlyfans-Leak-1570E020C.zip?t=ONS_Bokyem

.zip file content:
- several .exe files posing as images
- 1x .dll file called WDSync.dll (probably DLL sideloading)
  -> downloads and installs php.exe and additional payloads via videox-hamster[.]top:
     hxxp://videox-hamster[.]top/backup/Canon.exe
     hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll

Reaches out to: hxxps://api.ipify.org/ (external IP lookup)

C2: hxxps://10minions[.]top/api/rss
Initial beacon data:
?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)]

Additional URLs contacted:
hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE]
hxxp://albumphotography[.]top/im10025.json
hxxp://albumphotography[.]top/cm10044.json
hxxp://albumphotography[.]top/AviraLib/BouncyCastle.Crypto.dll
hxxp://albumphotography[.]top/AviraLib/EntityFramework.SqlServer.dll
hxxp://albumphotography[.]top/AviraLib/NAudio.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.EF6.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.Linq.dll
hxxp://albumphotography[.]top/AviraLib/x86/SQLite.Interop.dll
hxxp://albumphotography[.]top/extension_c.zip?ran=[NUM VALUE]
hxxp://albumphotography[.]top/AviraLib/EntityFramework.dll
hxxp://albumphotography[.]top/AviraLib/Ionic.Zip.dll
hxxp://albumphotography[.]top/AviraLib/Newtonsoft.Json.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.dll
hxxp://albumphotography[.]top/AviraLib/x64/SQLite.Interop.dll
hxxp://albumphotography[.]top/extensionl.zip?ran=[NUM VALUE]

Other potential C2s:
hxxp://sluter[.]top:8080/?udid=[unique ID]
hxxp://pa688[.]top:8080/?udid=[unique ID]

It then follows up with a large number of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. There is also some potential for ad fraud. Among the opened links are:
- googleapis.com
- googlevideo.com
- play.google.com
- ade.googlesyndication.com
- yt3.ggpht.com
- facebook.com
- static.xx.fbcdn.net

Additional URLs of this campaign found via pivoting:
- 8videoabc[.]top/alb2/ (careful, auto-download of malicious .zip)
- albumphotoshow[.]top/alb/ (careful, auto-download of malicious .zip)
- albumpga[.]top/alb/ (careful, auto-download of malicious .zip)
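As an added example (not part of the original write-up), here is a small Python triage helper that refangs the indicators listed above, flags any of the campaign domains in proxy-log lines, and decodes the uname field of the 10minions[.]top beacon. The log lines, the machine_id value and the plaintext layout inside uname are constructed for the demo; the write-up only says uname is Base64 of the listed Windows version fields, not how those fields are delimited.

```python
import base64
from urllib.parse import urlsplit, unquote

# Domains taken from the write-up above, refanged so they match real logs.
CAMPAIGN_DOMAINS = {
    "videocallgirl.top", "download-ai.top", "videox-hamster.top",
    "10minions.top", "albumphotography.top", "sluter.top", "pa688.top",
    "8videoabc.top", "albumphotoshow.top", "albumpga.top",
}

BEACON_HOST = "10minions.top"
BEACON_PATH = "/api/rss"


def refang(url: str) -> str:
    """Turn the hxxp:// and [.] defanging used in the write-up back into a real URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def host_of(url: str) -> str:
    # urlsplit lowercases the hostname and strips any :port for us.
    return urlsplit(refang(url)).hostname or ""


def matches_campaign(url: str) -> bool:
    return host_of(url) in CAMPAIGN_DOMAINS


def split_query(query: str) -> dict:
    """Split a query string without turning '+' into spaces (Base64 may contain '+')."""
    fields = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")  # first '=' only, so Base64 '=' padding survives
        fields[key] = unquote(value)
    return fields


def parse_beacon(url: str):
    """Return the query fields of a 10minions[.]top /api/rss beacon, or None if it is not one."""
    parts = urlsplit(refang(url))
    if parts.hostname != BEACON_HOST or parts.path != BEACON_PATH:
        return None
    fields = split_query(parts.query)
    if "uname" in fields:
        raw = fields["uname"]
        raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
        fields["uname_decoded"] = base64.b64decode(raw).decode("utf-8", "replace")
    return fields


def triage(log_lines):
    """Return (url, beacon_fields_or_None) for every campaign URL seen in the log lines."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith(("http://", "https://", "hxxp://", "hxxps://")) and matches_campaign(token):
                hits.append((token, parse_beacon(token)))
    return hits


# --- constructed sample data (not from the sandbox run) ---
# Assumed layout of the uname plaintext; the write-up lists the fields but not the delimiter.
SAMPLE_UNAME_PLAIN = "Windows 10 Pro|Windows|1|0|1|2009|22H2|19045.3693"
SAMPLE_UNAME_B64 = base64.b64encode(SAMPLE_UNAME_PLAIN.encode()).decode()
SAMPLE_BEACON = ("https://10minions.top/api/rss?a=update2&v=3.1.1"
                 "&machine_id=0123456789abcdef&tag=L03&uname=" + SAMPLE_UNAME_B64)
SAMPLE_LOG = [
    "2023-12-09T12:00:01Z 10.0.0.5 GET https://www.google.com/ 200",
    "2023-12-09T12:00:02Z 10.0.0.5 GET " + SAMPLE_BEACON + " 200",
    "2023-12-09T12:00:03Z 10.0.0.5 GET http://albumphotography.top/version4.txt?ran=4711 200",
]

if __name__ == "__main__":
    for url, beacon in triage(SAMPLE_LOG):
        print(url)
        if beacon:
            print("  beacon fields:", beacon)
```

Run against real proxy or DNS logs, the host match alone is a usable block/alert condition; the beacon decoder is there so an analyst can recover what the sample reported about the victim machine from a captured request without re-detonating the sample.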