File name: SecuriteInfo.com.Win32.TrojanX-gen.9468.18275

Full analysis: https://app.any.run/tasks/d580b0f6-9f8b-4072-8afd-362970b03700
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to operate the FormBook virus.

Analysis date: December 05, 2022, 18:34:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: formbook, xloader, trojan, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 59EC68C614CBD08F061B98EE2F7558B6
SHA1: 518E36C73B44331E89A74C651DDF64E9AD79EE10
SHA256: 1546E632CB3CD6ABB0497A1E941D7C1AFEFD3D1BC7582B63F49D948241406B80
SSDEEP: 6144:ptxBKhzEHZ6pqRMVr5PdD1IQnAPJrueL9KEzbIgsfd+O2hht9lKSYS:ptLKhIZ60+VrVR/UJrueL9PbcV8jt9lH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • FORMBOOK detected by memory dumps

      • services.exe (PID: 2752)
    • Formbook is detected

      • services.exe (PID: 2752)
    • Loads dropped or rewritten executable

      • services.exe (PID: 2752)
    • Connects to the CnC server

      • Explorer.EXE (PID: 576)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 576)
    • Unusual connection from system programs

      • Explorer.EXE (PID: 576)
  • SUSPICIOUS

    • Loads DLL from Mozilla Firefox

      • services.exe (PID: 2752)
    • Reads browser cookies

      • services.exe (PID: 2752)
    • Process drops SQLite DLL files

      • services.exe (PID: 2752)
  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe (PID: 2628)
      • RegSvcs.exe (PID: 3908)
    • Reads the computer name

      • RegSvcs.exe (PID: 3908)
      • SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe (PID: 2628)
    • Manual execution by a user

      • services.exe (PID: 2752)
    • Process checks computer location settings

      • RegSvcs.exe (PID: 3908)
    • Checks proxy server information

      • services.exe (PID: 2752)
    • Executable content was dropped or overwritten

      • services.exe (PID: 2752)
    • Creates a file in a temporary directory

      • services.exe (PID: 2752)
    • Drops a file that was compiled in debug mode

      • services.exe (PID: 2752)
    • Drops the executable file immediately after the start

      • services.exe (PID: 2752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process: (2752) services.exe
Decoy C2 (64)
wp-operator.online
openhardware.farm
nu2uresale.store
tefalito.store
maximumercrefund.com
bestcolonia.club
zhuanxiandai.com
www460.vip
smartturflawncare.com
pollicino.online
re-curve.tech
michari.com
33344.cyou
marketmall.digital
estacatemucocautin.com
dersameh.com
fangzizhuangxiu47.com
lee-perez.com
nekutenti.com
medhatkouta.com
jhfgroups.com
shopcheap.club
bjrkfw.com
tommy57.shop
anniistore.com
ope-cctv.com
05hc.com
y31jaihdb6zm87.buzz
easydaw.app
www659123.com
suppq.top
thebrotherhood.shop
videosrunman.com
powerscoumembers.com
lodehewulan.yachts
festpay.pro
zhukojobs.com
www64421.com
jxily.com
700544.com
skechersofferte.com
uloggers.com
yt82ra5c.com
kaylastjean.com
nyameci.com
talisian.com
api2022.top
darkchocolatebliss.com
mcarmen.info
kasslot.com
stublan.com
uknowmarket.com
cpitherapy.com
agikdnjs.com
canadianlocalbusiness.com
dkc010.com
cardgloo.com
fuzulyapigyo.xyz
steves.properties
guaiguaimao188.com
cityasset.net
burcinyilmaz.com
inhibit09.online
olanger.email
Strings (75)
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2
www.needook.com/4u5a/
Decoy C2 (64)
Y9HWoINcPu0r7SSSKt4FCmk7
G/E64auYdhRQM4wZW2bcOaY=
bL57APty/StRpW49a+EdxA==
TppryJ0SoslHe8gJFVc=
HXxDShYIEcUJDahdv2nvl5Hlbp4=
EKaq5c6w0nV3WWlEqM4Www==
VM+YjE8XS1OLcH1roYF4zA==
OwK0wxmBGnq2Fg==
B1zy4bulyfY9tj9DK2eIkeYArpTt
Avj5JeA8m9girqfQ4+cZxA==
AOY4dmDFkCdX8HUJMw==
5cQUw3pPMYr07V8=
P7ZsN4/zt63AEw==
FYyVCOpB8Vl//kSkDLPo91Yy
jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==
iGx9AO58DRhZbXX9
prwVyLkAtlhSU6irmansg8wArpTt
uqa8ZPl+FFObOkdFNg==
tL4OhF22EDaEOkdFNg==
6exH76Z9o7eu/n86vgPE
rJfvmmO0I0KSOkdFNg==
fWeyPQpzFxdBSlPuAlA=
imNhpGXCQjOgCw==
KOLqYk7Qy278+j3g
A4mLyKgkynW7jZZt0F8=
380eDrCm3ApZbXX9
1k6VTs/04X8=
6yQgD+RiKrbnhr77i60lI/gyAQ==
rST4Evf891bSukI=
wYh6yzBy3wDSOkdFNg==
i0j/88JPuMOz
1t8w27cIepbAIqSh0G5dsiUnCw==
uI6hQB6EIE+bFW1woYF4zA==
BPL0Pin+82dmW/OhB0Fr5JHlbp4=
XC5/ZktMXzEnk+xGrPFSE+st
srT4c1/AacoX8F0=
zJeU2qIZ2VCSOkdFNg==
j4a8RbuBvuFZbXX9
asVC+9b7w7eu
L6UfqgNtQjOgCw==
yTgIJt0+qNUilvojOWqqBypDFg==
Ie006MzYHidZbXX9
fbVjId1kpfdZbXX9
w7z+dzqeJEZq2/A6vgPE
bkyOQjI+MYr07V8=
EODzbkTAOSJZbXX9
sZXWleMz4n7HrUI=
YuK38tZjKZ3eQJnC3jxvdM7D2Rpp0A==
VTJSAfJU7tISaHT/
d/gIXE8qLIr07V8=
F3XypWdIKor07V8=
uQaJTBhc8R4kr/I6vgPE
1T8ENSkKJLudaZZt0F8=
uc4eyKuvBidZbXX9
txCp1rM0oc4LhQHpKYJQUKKktIT3GWoNJw==
RMLQh/ZpQjOgCw==
0+Qt17zBCyNZbXX9
JC6jMCHmB77Eu/EFdap62w==
t4XGRQqC3kSB9Tpds2j0Wrg=
T7hCMhTkzX2mf4lVAQjjJOgz
DQ6VYEicGU+NFio7Lw==
PCpjzoTZU3Ol9T1coYF4zA==
DxVl5Jum/t5orqfQ4+cZxA==
OaM0F9KunPxoQUk/Nw==
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2103-Nov-18 21:46:25
Debug artifacts:
  • HNIOPLN.pdb
Comments:
CompanyName:
FileDescription: HNIOPLN
FileVersion: 1.0.0.0
InternalName: HNIOPLN.exe
LegalCopyright: Copyright © 2022
LegalTrademarks:
OriginalFilename: HNIOPLN.exe
ProductName: HNIOPLN
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2103-Nov-18 21:46:25
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
X\x166F)"#\x19 | 8192 | 285236 | 285696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99936
.text | 294912 | 42028 | 42496 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.06849
.rsrc | 344064 | 5858 | 6144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.35264
Section_4 | 352256 | 16 | 512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.122276
.reloc | 360448 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.15503 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 1.7815 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON
1 (#2) | 3.27039 | 780 | UNKNOWN | UNKNOWN | RT_VERSION
1 (#3) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph:
  • securiteinfo.com.win32.trojanx-gen.9468.18275.exe (no specs)
  • regsvcs.exe (no specs)
  • services.exe (#FORMBOOK)
  • explorer.exe (#FORMBOOK)
  • firefox.exe (no specs)

Process information

PID: 2628
CMD: "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: HNIOPLN
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\securiteinfo.com.win32.trojanx-gen.9468.18275.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3908
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: SecuriteInfo.com.Win32.TrojanX-gen.9468.18275.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2752
CMD: "C:\Windows\System32\services.exe"
Path: C:\Windows\System32\services.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Services and Controller app
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
PID: 576
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3428
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\Firefox.exe
Parent process: services.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msasn1.dll
Total events: 1 637
Read events: 1 614
Write events: 23
Delete events: 0

Modification events

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2752) services.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
Operation: write
Name: WpadDecisionReason
Value: 1
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 1

Dropped files

PID | Process | Filename | Type
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.dll | executable
MD5: EDA40EA55FF2EB2A2E5ACA836BB1CC26
SHA256: 330B88EACB778B86DFF1A90189121E8B3280723BE9FBF4E55174EDE2BBF74AF0
2752 | services.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sqlite-dll-win32-x86-3150000[1].zip | compressed
MD5: 16F94AEE2D9A53BF8E58722679063051
SHA256: 43A12CC1C155D0BB9686A1FCBC90BABC9E99DBEC475BDDC2ACACF31BD2B159E8
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\9ratq.zip | compressed
MD5: 16F94AEE2D9A53BF8E58722679063051
SHA256: 43A12CC1C155D0BB9686A1FCBC90BABC9E99DBEC475BDDC2ACACF31BD2B159E8
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.def | text
MD5: DE71633DE073966EB5D5F787EAC989BB
SHA256: C810A7589A228352269413CC503647DF82B4320B7C0B596A15D2842DAC7F843A
2752 | services.exe | C:\Users\admin\AppData\Local\Temp\1--Lt08NN | sqlite
MD5: CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256: 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 26
DNS requests: 6
Threats: 58

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
576 | Explorer.EXE | POST | 405 | 89.31.143.1:80 | http://www.dersameh.com/4u5a/ | DE | html | 150 b | malicious
2752 | services.exe | GET | 200 | 45.33.6.223:80 | http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip | US | compressed | 429 Kb | whitelisted
576 | Explorer.EXE | POST | 405 | 89.31.143.1:80 | http://www.dersameh.com/4u5a/ | DE | html | 150 b | malicious
576 | Explorer.EXE | POST | 404 | 154.209.6.241:80 | http://www.y31jaihdb6zm87.buzz/4u5a/ | HK | html | 146 b | malicious
576 | Explorer.EXE | POST | 405 | 89.31.143.1:80 | http://www.dersameh.com/4u5a/ | DE | html | 150 b | malicious
576 | Explorer.EXE | GET | 200 | 89.31.143.1:80 | http://www.dersameh.com/4u5a/?mJwHH0=DO8SLO7p+ieBn2EC0Mc3V7PpH5Hc4tmKhL6K9ytUp3CH+6ohEz4Q1B3Jq/CsB6yB8F/4+t2o4Lfhsb/t/Yv8ZU/1O3qwbzpadSS9L00=&4h=I29L_rMXcnyh | DE | html | 6.48 Kb | malicious
576 | Explorer.EXE | POST | | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | | | malicious
576 | Explorer.EXE | POST | | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | | | malicious
576 | Explorer.EXE | POST | 404 | 154.209.6.241:80 | http://www.y31jaihdb6zm87.buzz/4u5a/ | HK | html | 146 b | malicious
576 | Explorer.EXE | POST | | 94.23.162.163:80 | http://www.darkchocolatebliss.com/4u5a/ | DE | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
576 | Explorer.EXE | 38.55.236.89:80 | www.ope-cctv.com | STARCLOUD GLOBAL PTE., LTD. | US | malicious
576 | Explorer.EXE | 94.23.162.163:80 | www.darkchocolatebliss.com | OVH SAS | DE | malicious
2752 | services.exe | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious
576 | Explorer.EXE | 89.31.143.1:80 | www.dersameh.com | IP Exchange GmbH | DE | malicious
 | | 94.23.162.163:80 | www.darkchocolatebliss.com | OVH SAS | DE | malicious
576 | Explorer.EXE | 154.209.6.241:80 | www.y31jaihdb6zm87.buzz | YISU CLOUD LTD | HK | malicious
576 | Explorer.EXE | 162.213.255.142:80 | www.marketmall.digital | NAMECHEAP-NET | US | malicious

DNS requests

Domain | IP | Reputation
www.ope-cctv.com | 38.55.236.89 | malicious
www.sqlite.org | 45.33.6.223 | whitelisted
www.dersameh.com | 89.31.143.1 | malicious
www.darkchocolatebliss.com | 94.23.162.163 | malicious
www.y31jaihdb6zm87.buzz | 154.209.6.241 | malicious
www.marketmall.digital | 162.213.255.142 | malicious

Threats

PID | Process | Class | Message
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET)
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET)
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET)
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
 | | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (POST) M2
8 ETPRO signatures available at the full report
No debug info