File name: | Urgent Request For Quotation.exe |
Full analysis: | https://app.any.run/tasks/a2870218-d93f-4a53-b3cb-c831bf347d89 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | December 05, 2022, 23:23:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 652477B1B34D67D811EC3498BD029A8B |
SHA1: | CF6F49E4580367BACDC8B0AD2C7D156456C5EA82 |
SHA256: | 3276E7FF57CCBEA104651066C1D45301D52FBFCE23D0D48F5238D82A51ABD852 |
SSDEEP: | 12288:uPuYd+V6b1momPZefIqohbyyGEKGC5TxK4/1xm7tHyJg38i4ePqLPuYd+V6b:uPuYd+V6bIomxiJoKnzxO7d38ijqLPuI |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Dec-05 08:29:01 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | Home |
FileDescription: | ElectionVotingSystem |
FileVersion: | 1.0.0.0 |
InternalName: | XGUI.exe |
LegalCopyright: | Copyright © Home 2011 |
LegalTrademarks: | - |
OriginalFilename: | XGUI.exe |
ProductName: | ElectionVotingSystem |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-Dec-05 08:29:01 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 606428 | 606720 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.63139 |
.rsrc | 622592 | 68724 | 69120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.33602 |
.reloc | 696320 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.30609 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 1.98048 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#2) | 3.28757 | 844 | UNKNOWN | UNKNOWN | RT_VERSION |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2460 | "C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exe" | C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Home Integrity Level: MEDIUM Description: ElectionVotingSystem Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3804 | "C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exe" | C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exe | — | Urgent Request For Quotation.exe | |||||||||||
User: admin Company: Home Integrity Level: MEDIUM Description: ElectionVotingSystem Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3476 | "C:\Windows\System32\wuapp.exe" | C:\Windows\System32\wuapp.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Update Application Launcher Version: 7.6.7601.24436 (win7sp1_ldr.190409-0600) Modules
Formbook(PID) Process(3476) wuapp.exe C2www.lodehewulan.yachts/snky/ Strings (75)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo= tvj/KUTKeKgxszIemQ== DTrTokBrjB5leF4= tPeTOuIjJPtH taxtMdIygEdpskxzOQ2ZjoAEeA== CxLuaKAFRrJyuIqQUPbhZw== Tn4fapT5kPmk1H0gpXQ= h5p8hDqGSiRzdSbV i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx EwbfBo6m+UXU2qaVUPbhZw== WpeenFSMquJ3xXD1/b43 niV5qTFu3tfmcgrI fqyyyElbdxWswJ7A Lh7o92ZOr4ghbwvK Y2RYMDue4x+KszIemQ== lN3Y3z5AS85eah1MDvfFQQA= uq+Oqh8MNRxHOOkqA9lqYEZZhJU= FEtGDeGnnRoSQEM= TkMlruotvsmtpFwg6shr03LjwMWGow== 7PGx8hNMep8EMj5Q39dsq16IbbaIrA== JWBJ1NPwDiQGtx/1/b43 jLyxuI7yXHuMCAAEo4w2 u8emc+77PGLK1m71/b43 x/CcdfoDSCRZnVXDPRSpyXmY8VGmvJo= KVhmdDtqi+J1szIemQ== wsdvKMDzVJnqRRgHkQ== t7qiOXzCVU8uTkrIRfwcGc3MSI4= KmYObYWgvRG0NUY= nAjQEiY0lBR3szIemQ== Rbp9QuwhlL3Y6n0gpXQ= 9i/2sO0wWSEWFN1VSTPOC7s4 D3mUkmojJPtH 9j9GR6fFQB5leF4= xgbp6k8+ov9wcVRTFshikCZFcA== aWX+xof8Okn/Uuku87rXRjMObIg= eoNOhYB9un2qA/7BczPs5Zow 2kojAargCM7IyqgrpHwFKbyNjtQU y/zzintehOseIvyhZ/kDfx4= YXZNaeznGso2Kkk= GQyw87qm1C7hMOLb56xmcRg= gnhB/W9glMlovyXzX2M= /gTb6IIzhtlsszIemQ== 2fykfBhO0wIGGB+bIbX48vyNjtQU fLG3th9M26TDQcwJ3rhAbw== gYBibCt5+mkhszIemQ== Mi/qtVF8lR5leF4= +osZ4s4sfzWTmA== P1bvKyhWmoIcNgpGUPbhZw== tMR5NMrQNkZ5ynv1/b43 FEJcaBIWVA0qfh1GUPbhZw== DT4eVFxUjh5leF4= Vo6XENrMLrVRVhnMjQXkeQk= gMjK4FdEoqrdLt+edDrs5Zow HVTpxnKwL8wkcCtAwHw= E6AxvSU83Q== cZo27n9MYTcGQEM= TI52b9eXk5vmcgrI ERLi/Ii6F/1Yop3wxqYtazMObIg= 4xO77Ma1ILuS1H0gpXQ= EuWM4vsLahvPCQb1/b43 EDhHQvo3aRJreGabWzYAeQ== nNXES0A+b9Kj9ZaBgGw= ERz8ic0GIJfIxoQ79dShF63fAA3QHcSDFw== Pm9i8+HMLb1+wn0gpXQ= (PID) Process(3476) wuapp.exe C2www.lodehewulan.yachts/snky/ Strings (75)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo= tvj/KUTKeKgxszIemQ== DTrTokBrjB5leF4= tPeTOuIjJPtH taxtMdIygEdpskxzOQ2ZjoAEeA== CxLuaKAFRrJyuIqQUPbhZw== Tn4fapT5kPmk1H0gpXQ= h5p8hDqGSiRzdSbV i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx EwbfBo6m+UXU2qaVUPbhZw== WpeenFSMquJ3xXD1/b43 niV5qTFu3tfmcgrI fqyyyElbdxWswJ7A Lh7o92ZOr4ghbwvK Y2RYMDue4x+KszIemQ== lN3Y3z5AS85eah1MDvfFQQA= uq+Oqh8MNRxHOOkqA9lqYEZZhJU= FEtGDeGnnRoSQEM= TkMlruotvsmtpFwg6shr03LjwMWGow== 7PGx8hNMep8EMj5Q39dsq16IbbaIrA== JWBJ1NPwDiQGtx/1/b43 jLyxuI7yXHuMCAAEo4w2 u8emc+77PGLK1m71/b43 x/CcdfoDSCRZnVXDPRSpyXmY8VGmvJo= KVhmdDtqi+J1szIemQ== wsdvKMDzVJnqRRgHkQ== t7qiOXzCVU8uTkrIRfwcGc3MSI4= KmYObYWgvRG0NUY= nAjQEiY0lBR3szIemQ== Rbp9QuwhlL3Y6n0gpXQ= 9i/2sO0wWSEWFN1VSTPOC7s4 D3mUkmojJPtH 9j9GR6fFQB5leF4= xgbp6k8+ov9wcVRTFshikCZFcA== aWX+xof8Okn/Uuku87rXRjMObIg= eoNOhYB9un2qA/7BczPs5Zow 2kojAargCM7IyqgrpHwFKbyNjtQU y/zzintehOseIvyhZ/kDfx4= YXZNaeznGso2Kkk= GQyw87qm1C7hMOLb56xmcRg= gnhB/W9glMlovyXzX2M= /gTb6IIzhtlsszIemQ== 2fykfBhO0wIGGB+bIbX48vyNjtQU fLG3th9M26TDQcwJ3rhAbw== gYBibCt5+mkhszIemQ== Mi/qtVF8lR5leF4= +osZ4s4sfzWTmA== P1bvKyhWmoIcNgpGUPbhZw== tMR5NMrQNkZ5ynv1/b43 FEJcaBIWVA0qfh1GUPbhZw== DT4eVFxUjh5leF4= Vo6XENrMLrVRVhnMjQXkeQk= gMjK4FdEoqrdLt+edDrs5Zow HVTpxnKwL8wkcCtAwHw= E6AxvSU83Q== cZo27n9MYTcGQEM= TI52b9eXk5vmcgrI ERLi/Ii6F/1Yop3wxqYtazMObIg= 4xO77Ma1ILuS1H0gpXQ= EuWM4vsLahvPCQb1/b43 EDhHQvo3aRJreGabWzYAeQ== nNXES0A+b9Kj9ZaBgGw= ERz8ic0GIJfIxoQ79dShF63fAA3QHcSDFw== Pm9i8+HMLb1+wn0gpXQ= (PID) Process(3476) wuapp.exe C2www.lodehewulan.yachts/snky/ Strings (75)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)antoniahocktraining.com yin831125.com halmang.com qp89k.com villaimmaginare.com remoilandgas.com wadiatours.com tommy57.shop thegiftofindepedence.com videosrunman.com shusemarang.com 1004riwu.com yaoanx.space mcarmen.info lee-perez.com steves.properties oheavenlywreath.shop api2022.top christmascostumes.club innenausbauservice.com hongfei8888.com moroccos.social zhulongzhai.com dailyheraldresearch.com nekutenti.com investus.live vienuongdamos1.click guardify.ru seismoeng.com deviatkina.com wp-operator.online frwqc.com shmhfdc.com motodesultan.online xn--b1aa9abqu3ed.com spirituallyzen.com mondasellsazhomes.com linktau-roads.com pubfive.xyz fyifamilies.co.uk oonrreward.xyz mini-loop.com jamesandjenna2023.com inhibit09.online visitfose.com stublan.com 92toys.com baltic-freya.com uknowmarket.com misssssalena.com dymsumu.com moveecosystem.xyz esignmarketing.com tobewell.store v32.xyz payq29.shop www64421.com leicesterurology.com rdpschools.com srcevracara.com action.vacations englishvibe.ru vietnam-tourismonline.com cpitherapy.com | |||||||||||||||
1488 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
972 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | wuapp.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
|
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3476) wuapp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} |
Operation: | write | Name: | WpadDecisionReason |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3476 | wuapp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sqlite-dll-win32-x86-3380000[1].zip | compressed | |
MD5:5E2D04CB2FAE4E811CA35675C472F5FC | SHA256:DD46A298AB90CA9BA8A1F633F20ABE2DCB805596B5AA68DCB84CCE99E3A56BE1 | |||
3476 | wuapp.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.def | text | |
MD5:A199F89960429326AE36F645FFC387AF | SHA256:35C648FA355503C4B6608C4D482BF8C0AE34AF33D70F08172ECD43816AAAB733 | |||
3476 | wuapp.exe | C:\Users\admin\AppData\Local\Temp\ibzxwhlh.zip | compressed | |
MD5:5E2D04CB2FAE4E811CA35675C472F5FC | SHA256:DD46A298AB90CA9BA8A1F633F20ABE2DCB805596B5AA68DCB84CCE99E3A56BE1 | |||
3476 | wuapp.exe | C:\Users\admin\AppData\Local\Temp\10E304 | sqlite | |
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087 | SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B | |||
3476 | wuapp.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.dll | executable | |
MD5:F1E5F58F9EB43ECEC773ACBDB410B888 | SHA256:A15FD84EE61B54C92BB099DFB78226548F43D550C67FB6ADF4CCE3D064AB1C14 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1488 | Explorer.EXE | GET | 200 | 64.190.63.111:80 | http://www.moveecosystem.xyz/snky/?LX54A=RlQNJyXypPc9sngjFl1M5wmMW9ZlkJdT9gN3taI6UP3s0mEpxxAKB2iDKa2YboXW/UWNMe5LxrB9tyR/0Yr96DWEiq3W6BhTQj19S3I=&Tv14=K63DUfwxG0 | US | html | 2.22 Kb | malicious |
1488 | Explorer.EXE | POST | 404 | 162.213.255.142:80 | http://www.pubfive.xyz/snky/ | US | html | 1.05 Kb | malicious |
1488 | Explorer.EXE | POST | 404 | 162.213.255.142:80 | http://www.pubfive.xyz/snky/ | US | html | 1.05 Kb | malicious |
1488 | Explorer.EXE | POST | 404 | 162.213.255.142:80 | http://www.pubfive.xyz/snky/ | US | html | 1.05 Kb | malicious |
1488 | Explorer.EXE | GET | 404 | 162.213.255.142:80 | http://www.pubfive.xyz/snky/?LX54A=UtwnzNjp8alV/kSnZKGH8pVAoYu17PFaIolhdyFgAa3O1EOTaLdjMOLI/I0QxCuF1VFM80p0VBTgepc47/GfNe6NNHEJjHMi5e8g7ys=&Tv14=K63DUfwxG0 | US | html | 1.05 Kb | malicious |
1488 | Explorer.EXE | POST | 404 | 162.213.255.142:80 | http://www.pubfive.xyz/snky/ | US | html | 1.05 Kb | malicious |
1488 | Explorer.EXE | POST | 404 | 82.163.176.114:80 | http://www.lodehewulan.yachts/snky/ | GB | html | 288 b | malicious |
1488 | Explorer.EXE | GET | 404 | 82.163.176.114:80 | http://www.lodehewulan.yachts/snky/?LX54A=PgwnvLH+p8Lcv4bwYzY5qX8WFCH2mnNKjh7WYY7gOvc7QPZfBdPYpe+Gut6BWua4C9gl3ojTXAhULRYEAxQ9y5Gild2UJGE4MqpVzUQ=&Tv14=K63DUfwxG0 | GB | html | 387 b | malicious |
1488 | Explorer.EXE | POST | 404 | 82.163.176.114:80 | http://www.lodehewulan.yachts/snky/ | GB | html | 288 b | malicious |
1488 | Explorer.EXE | POST | 403 | 64.190.63.111:80 | http://www.moveecosystem.xyz/snky/ | US | compressed | 110 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1488 | Explorer.EXE | 107.149.163.158:80 | www.www64421.com | PEGTECHINC | US | malicious |
1488 | Explorer.EXE | 64.190.63.111:80 | www.moveecosystem.xyz | SEDO GmbH | DE | malicious |
— | — | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious |
1488 | Explorer.EXE | 82.163.176.114:80 | www.lodehewulan.yachts | Wildcard UK Limited | GB | malicious |
1488 | Explorer.EXE | 74.208.236.214:80 | www.spirituallyzen.com | IONOS SE | US | malicious |
1488 | Explorer.EXE | 162.213.255.142:80 | www.pubfive.xyz | NAMECHEAP-NET | US | malicious |
— | — | 82.163.176.114:80 | www.lodehewulan.yachts | Wildcard UK Limited | GB | malicious |
Domain | IP | Reputation |
---|---|---|
www.www64421.com |
| malicious |
www.sqlite.org |
| whitelisted |
www.moveecosystem.xyz |
| malicious |
www.pubfive.xyz |
| malicious |
www.lodehewulan.yachts |
| malicious |
www.spirituallyzen.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1488 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1488 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1488 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1488 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1488 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1488 | Explorer.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1488 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1488 | Explorer.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1488 | Explorer.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1488 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |