File name:

Urgent Request For Quotation.exe

Full analysis: https://app.any.run/tasks/a2870218-d93f-4a53-b3cb-c831bf347d89
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: December 05, 2022, 23:23:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
xloader
trojan
stealer
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

652477B1B34D67D811EC3498BD029A8B

SHA1:

CF6F49E4580367BACDC8B0AD2C7D156456C5EA82

SHA256:

3276E7FF57CCBEA104651066C1D45301D52FBFCE23D0D48F5238D82A51ABD852

SSDEEP:

12288:uPuYd+V6b1momPZefIqohbyyGEKGC5TxK4/1xm7tHyJg38i4ePqLPuYd+V6b:uPuYd+V6bIomxiJoKnzxO7d38ijqLPuI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • FORMBOOK detected by memory dumps

      • wuapp.exe (PID: 3476)
    • Formbook is detected

      • wuapp.exe (PID: 3476)
    • Connects to the CnC server

      • Explorer.EXE (PID: 1488)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 1488)
    • Unusual connection from system programs

      • Explorer.EXE (PID: 1488)
    • Loads dropped or rewritten executable

      • wuapp.exe (PID: 3476)
  • SUSPICIOUS

    • Application launched itself

      • Urgent Request For Quotation.exe (PID: 2460)
    • Loads DLL from Mozilla Firefox

      • wuapp.exe (PID: 3476)
    • Reads browser cookies

      • wuapp.exe (PID: 3476)
  • INFO

    • Reads the computer name

      • Urgent Request For Quotation.exe (PID: 3804)
      • Urgent Request For Quotation.exe (PID: 2460)
    • Checks supported languages

      • Urgent Request For Quotation.exe (PID: 3804)
      • Urgent Request For Quotation.exe (PID: 2460)
    • Process checks computer location settings

      • Urgent Request For Quotation.exe (PID: 3804)
    • Manual execution by a user

      • wuapp.exe (PID: 3476)
    • Creates a file in a temporary directory

      • wuapp.exe (PID: 3476)
    • Checks proxy server information

      • wuapp.exe (PID: 3476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(3476) wuapp.exe
Decoy C2 (64)AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=
tvj/KUTKeKgxszIemQ==
DTrTokBrjB5leF4=
tPeTOuIjJPtH
taxtMdIygEdpskxzOQ2ZjoAEeA==
CxLuaKAFRrJyuIqQUPbhZw==
Tn4fapT5kPmk1H0gpXQ=
h5p8hDqGSiRzdSbV
i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx
EwbfBo6m+UXU2qaVUPbhZw==
WpeenFSMquJ3xXD1/b43
niV5qTFu3tfmcgrI
fqyyyElbdxWswJ7A
Lh7o92ZOr4ghbwvK
Y2RYMDue4x+KszIemQ==
lN3Y3z5AS85eah1MDvfFQQA=
uq+Oqh8MNRxHOOkqA9lqYEZZhJU=
FEtGDeGnnRoSQEM=
TkMlruotvsmtpFwg6shr03LjwMWGow==
7PGx8hNMep8EMj5Q39dsq16IbbaIrA==
JWBJ1NPwDiQGtx/1/b43
jLyxuI7yXHuMCAAEo4w2
u8emc+77PGLK1m71/b43
x/CcdfoDSCRZnVXDPRSpyXmY8VGmvJo=
KVhmdDtqi+J1szIemQ==
wsdvKMDzVJnqRRgHkQ==
t7qiOXzCVU8uTkrIRfwcGc3MSI4=
KmYObYWgvRG0NUY=
nAjQEiY0lBR3szIemQ==
Rbp9QuwhlL3Y6n0gpXQ=
9i/2sO0wWSEWFN1VSTPOC7s4
D3mUkmojJPtH
9j9GR6fFQB5leF4=
xgbp6k8+ov9wcVRTFshikCZFcA==
aWX+xof8Okn/Uuku87rXRjMObIg=
eoNOhYB9un2qA/7BczPs5Zow
2kojAargCM7IyqgrpHwFKbyNjtQU
y/zzintehOseIvyhZ/kDfx4=
YXZNaeznGso2Kkk=
GQyw87qm1C7hMOLb56xmcRg=
gnhB/W9glMlovyXzX2M=
/gTb6IIzhtlsszIemQ==
2fykfBhO0wIGGB+bIbX48vyNjtQU
fLG3th9M26TDQcwJ3rhAbw==
gYBibCt5+mkhszIemQ==
Mi/qtVF8lR5leF4=
+osZ4s4sfzWTmA==
P1bvKyhWmoIcNgpGUPbhZw==
tMR5NMrQNkZ5ynv1/b43
FEJcaBIWVA0qfh1GUPbhZw==
DT4eVFxUjh5leF4=
Vo6XENrMLrVRVhnMjQXkeQk=
gMjK4FdEoqrdLt+edDrs5Zow
HVTpxnKwL8wkcCtAwHw=
E6AxvSU83Q==
cZo27n9MYTcGQEM=
TI52b9eXk5vmcgrI
ERLi/Ii6F/1Yop3wxqYtazMObIg=
4xO77Ma1ILuS1H0gpXQ=
EuWM4vsLahvPCQb1/b43
EDhHQvo3aRJreGabWzYAeQ==
nNXES0A+b9Kj9ZaBgGw=
ERz8ic0GIJfIxoQ79dShF63fAA3QHcSDFw==
Pm9i8+HMLb1+wn0gpXQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.lodehewulan.yachts/snky/
Decoy C2 (64)AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=
tvj/KUTKeKgxszIemQ==
DTrTokBrjB5leF4=
tPeTOuIjJPtH
taxtMdIygEdpskxzOQ2ZjoAEeA==
CxLuaKAFRrJyuIqQUPbhZw==
Tn4fapT5kPmk1H0gpXQ=
h5p8hDqGSiRzdSbV
i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx
EwbfBo6m+UXU2qaVUPbhZw==
WpeenFSMquJ3xXD1/b43
niV5qTFu3tfmcgrI
fqyyyElbdxWswJ7A
Lh7o92ZOr4ghbwvK
Y2RYMDue4x+KszIemQ==
lN3Y3z5AS85eah1MDvfFQQA=
uq+Oqh8MNRxHOOkqA9lqYEZZhJU=
FEtGDeGnnRoSQEM=
TkMlruotvsmtpFwg6shr03LjwMWGow==
7PGx8hNMep8EMj5Q39dsq16IbbaIrA==
JWBJ1NPwDiQGtx/1/b43
jLyxuI7yXHuMCAAEo4w2
u8emc+77PGLK1m71/b43
x/CcdfoDSCRZnVXDPRSpyXmY8VGmvJo=
KVhmdDtqi+J1szIemQ==
wsdvKMDzVJnqRRgHkQ==
t7qiOXzCVU8uTkrIRfwcGc3MSI4=
KmYObYWgvRG0NUY=
nAjQEiY0lBR3szIemQ==
Rbp9QuwhlL3Y6n0gpXQ=
9i/2sO0wWSEWFN1VSTPOC7s4
D3mUkmojJPtH
9j9GR6fFQB5leF4=
xgbp6k8+ov9wcVRTFshikCZFcA==
aWX+xof8Okn/Uuku87rXRjMObIg=
eoNOhYB9un2qA/7BczPs5Zow
2kojAargCM7IyqgrpHwFKbyNjtQU
y/zzintehOseIvyhZ/kDfx4=
YXZNaeznGso2Kkk=
GQyw87qm1C7hMOLb56xmcRg=
gnhB/W9glMlovyXzX2M=
/gTb6IIzhtlsszIemQ==
2fykfBhO0wIGGB+bIbX48vyNjtQU
fLG3th9M26TDQcwJ3rhAbw==
gYBibCt5+mkhszIemQ==
Mi/qtVF8lR5leF4=
+osZ4s4sfzWTmA==
P1bvKyhWmoIcNgpGUPbhZw==
tMR5NMrQNkZ5ynv1/b43
FEJcaBIWVA0qfh1GUPbhZw==
DT4eVFxUjh5leF4=
Vo6XENrMLrVRVhnMjQXkeQk=
gMjK4FdEoqrdLt+edDrs5Zow
HVTpxnKwL8wkcCtAwHw=
E6AxvSU83Q==
cZo27n9MYTcGQEM=
TI52b9eXk5vmcgrI
ERLi/Ii6F/1Yop3wxqYtazMObIg=
4xO77Ma1ILuS1H0gpXQ=
EuWM4vsLahvPCQb1/b43
EDhHQvo3aRJreGabWzYAeQ==
nNXES0A+b9Kj9ZaBgGw=
ERz8ic0GIJfIxoQ79dShF63fAA3QHcSDFw==
Pm9i8+HMLb1+wn0gpXQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.lodehewulan.yachts/snky/
Decoy C2 (64)antoniahocktraining.com
yin831125.com
halmang.com
qp89k.com
villaimmaginare.com
remoilandgas.com
wadiatours.com
tommy57.shop
thegiftofindepedence.com
videosrunman.com
shusemarang.com
1004riwu.com
yaoanx.space
mcarmen.info
lee-perez.com
steves.properties
oheavenlywreath.shop
api2022.top
christmascostumes.club
innenausbauservice.com
hongfei8888.com
moroccos.social
zhulongzhai.com
dailyheraldresearch.com
nekutenti.com
investus.live
vienuongdamos1.click
guardify.ru
seismoeng.com
deviatkina.com
wp-operator.online
frwqc.com
shmhfdc.com
motodesultan.online
xn--b1aa9abqu3ed.com
spirituallyzen.com
mondasellsazhomes.com
linktau-roads.com
pubfive.xyz
fyifamilies.co.uk
oonrreward.xyz
mini-loop.com
jamesandjenna2023.com
inhibit09.online
visitfose.com
stublan.com
92toys.com
baltic-freya.com
uknowmarket.com
misssssalena.com
dymsumu.com
moveecosystem.xyz
esignmarketing.com
tobewell.store
v32.xyz
payq29.shop
www64421.com
leicesterurology.com
rdpschools.com
srcevracara.com
action.vacations
englishvibe.ru
vietnam-tourismonline.com
cpitherapy.com
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.lodehewulan.yachts/snky/
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Dec-05 08:29:01
Debug artifacts:
  • XGUI.pdb
Comments:
CompanyName: Home
FileDescription: ElectionVotingSystem
FileVersion: 1.0.0.0
InternalName: XGUI.exe
LegalCopyright: Copyright © Home 2011
LegalTrademarks:
OriginalFilename: XGUI.exe
ProductName: ElectionVotingSystem
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2022-Dec-05 08:29:01
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
8192
606428
606720
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.63139
.rsrc
622592
68724
69120
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.33602
.reloc
696320
12
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.30609
67624
UNKNOWN
UNKNOWN
RT_ICON
32512
1.98048
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON
1 (#2)
3.28757
844
UNKNOWN
UNKNOWN
RT_VERSION

Imports

mscoree.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start urgent request for quotation.exe no specs urgent request for quotation.exe no specs #FORMBOOK wuapp.exe #FORMBOOK explorer.exe firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2460"C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exe" C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exeExplorer.EXE
User:
admin
Company:
Home
Integrity Level:
MEDIUM
Description:
ElectionVotingSystem
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\urgent request for quotation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3804"C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exe"C:\Users\admin\AppData\Local\Temp\Urgent Request For Quotation.exeUrgent Request For Quotation.exe
User:
admin
Company:
Home
Integrity Level:
MEDIUM
Description:
ElectionVotingSystem
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\urgent request for quotation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3476"C:\Windows\System32\wuapp.exe"C:\Windows\System32\wuapp.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Application Launcher
Version:
7.6.7601.24436 (win7sp1_ldr.190409-0600)
Modules
Images
c:\windows\system32\wuapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Formbook
(PID) Process(3476) wuapp.exe
Decoy C2 (64)AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=
tvj/KUTKeKgxszIemQ==
DTrTokBrjB5leF4=
tPeTOuIjJPtH
taxtMdIygEdpskxzOQ2ZjoAEeA==
CxLuaKAFRrJyuIqQUPbhZw==
Tn4fapT5kPmk1H0gpXQ=
h5p8hDqGSiRzdSbV
i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx
EwbfBo6m+UXU2qaVUPbhZw==
WpeenFSMquJ3xXD1/b43
niV5qTFu3tfmcgrI
fqyyyElbdxWswJ7A
Lh7o92ZOr4ghbwvK
Y2RYMDue4x+KszIemQ==
lN3Y3z5AS85eah1MDvfFQQA=
uq+Oqh8MNRxHOOkqA9lqYEZZhJU=
FEtGDeGnnRoSQEM=
TkMlruotvsmtpFwg6shr03LjwMWGow==
7PGx8hNMep8EMj5Q39dsq16IbbaIrA==
JWBJ1NPwDiQGtx/1/b43
jLyxuI7yXHuMCAAEo4w2
u8emc+77PGLK1m71/b43
x/CcdfoDSCRZnVXDPRSpyXmY8VGmvJo=
KVhmdDtqi+J1szIemQ==
wsdvKMDzVJnqRRgHkQ==
t7qiOXzCVU8uTkrIRfwcGc3MSI4=
KmYObYWgvRG0NUY=
nAjQEiY0lBR3szIemQ==
Rbp9QuwhlL3Y6n0gpXQ=
9i/2sO0wWSEWFN1VSTPOC7s4
D3mUkmojJPtH
9j9GR6fFQB5leF4=
xgbp6k8+ov9wcVRTFshikCZFcA==
aWX+xof8Okn/Uuku87rXRjMObIg=
eoNOhYB9un2qA/7BczPs5Zow
2kojAargCM7IyqgrpHwFKbyNjtQU
y/zzintehOseIvyhZ/kDfx4=
YXZNaeznGso2Kkk=
GQyw87qm1C7hMOLb56xmcRg=
gnhB/W9glMlovyXzX2M=
/gTb6IIzhtlsszIemQ==
2fykfBhO0wIGGB+bIbX48vyNjtQU
fLG3th9M26TDQcwJ3rhAbw==
gYBibCt5+mkhszIemQ==
Mi/qtVF8lR5leF4=
+osZ4s4sfzWTmA==
P1bvKyhWmoIcNgpGUPbhZw==
tMR5NMrQNkZ5ynv1/b43
FEJcaBIWVA0qfh1GUPbhZw==
DT4eVFxUjh5leF4=
Vo6XENrMLrVRVhnMjQXkeQk=
gMjK4FdEoqrdLt+edDrs5Zow
HVTpxnKwL8wkcCtAwHw=
E6AxvSU83Q==
cZo27n9MYTcGQEM=
TI52b9eXk5vmcgrI
ERLi/Ii6F/1Yop3wxqYtazMObIg=
4xO77Ma1ILuS1H0gpXQ=
EuWM4vsLahvPCQb1/b43
EDhHQvo3aRJreGabWzYAeQ==
nNXES0A+b9Kj9ZaBgGw=
ERz8ic0GIJfIxoQ79dShF63fAA3QHcSDFw==
Pm9i8+HMLb1+wn0gpXQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.lodehewulan.yachts/snky/
(PID) Process(3476) wuapp.exe
Decoy C2 (64)AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=
tvj/KUTKeKgxszIemQ==
DTrTokBrjB5leF4=
tPeTOuIjJPtH
taxtMdIygEdpskxzOQ2ZjoAEeA==
CxLuaKAFRrJyuIqQUPbhZw==
Tn4fapT5kPmk1H0gpXQ=
h5p8hDqGSiRzdSbV
i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx
EwbfBo6m+UXU2qaVUPbhZw==
WpeenFSMquJ3xXD1/b43
niV5qTFu3tfmcgrI
fqyyyElbdxWswJ7A
Lh7o92ZOr4ghbwvK
Y2RYMDue4x+KszIemQ==
lN3Y3z5AS85eah1MDvfFQQA=
uq+Oqh8MNRxHOOkqA9lqYEZZhJU=
FEtGDeGnnRoSQEM=
TkMlruotvsmtpFwg6shr03LjwMWGow==
7PGx8hNMep8EMj5Q39dsq16IbbaIrA==
JWBJ1NPwDiQGtx/1/b43
jLyxuI7yXHuMCAAEo4w2
u8emc+77PGLK1m71/b43
x/CcdfoDSCRZnVXDPRSpyXmY8VGmvJo=
KVhmdDtqi+J1szIemQ==
wsdvKMDzVJnqRRgHkQ==
t7qiOXzCVU8uTkrIRfwcGc3MSI4=
KmYObYWgvRG0NUY=
nAjQEiY0lBR3szIemQ==
Rbp9QuwhlL3Y6n0gpXQ=
9i/2sO0wWSEWFN1VSTPOC7s4
D3mUkmojJPtH
9j9GR6fFQB5leF4=
xgbp6k8+ov9wcVRTFshikCZFcA==
aWX+xof8Okn/Uuku87rXRjMObIg=
eoNOhYB9un2qA/7BczPs5Zow
2kojAargCM7IyqgrpHwFKbyNjtQU
y/zzintehOseIvyhZ/kDfx4=
YXZNaeznGso2Kkk=
GQyw87qm1C7hMOLb56xmcRg=
gnhB/W9glMlovyXzX2M=
/gTb6IIzhtlsszIemQ==
2fykfBhO0wIGGB+bIbX48vyNjtQU
fLG3th9M26TDQcwJ3rhAbw==
gYBibCt5+mkhszIemQ==
Mi/qtVF8lR5leF4=
+osZ4s4sfzWTmA==
P1bvKyhWmoIcNgpGUPbhZw==
tMR5NMrQNkZ5ynv1/b43
FEJcaBIWVA0qfh1GUPbhZw==
DT4eVFxUjh5leF4=
Vo6XENrMLrVRVhnMjQXkeQk=
gMjK4FdEoqrdLt+edDrs5Zow
HVTpxnKwL8wkcCtAwHw=
E6AxvSU83Q==
cZo27n9MYTcGQEM=
TI52b9eXk5vmcgrI
ERLi/Ii6F/1Yop3wxqYtazMObIg=
4xO77Ma1ILuS1H0gpXQ=
EuWM4vsLahvPCQb1/b43
EDhHQvo3aRJreGabWzYAeQ==
nNXES0A+b9Kj9ZaBgGw=
ERz8ic0GIJfIxoQ79dShF63fAA3QHcSDFw==
Pm9i8+HMLb1+wn0gpXQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.lodehewulan.yachts/snky/
(PID) Process(3476) wuapp.exe
Decoy C2 (64)antoniahocktraining.com
yin831125.com
halmang.com
qp89k.com
villaimmaginare.com
remoilandgas.com
wadiatours.com
tommy57.shop
thegiftofindepedence.com
videosrunman.com
shusemarang.com
1004riwu.com
yaoanx.space
mcarmen.info
lee-perez.com
steves.properties
oheavenlywreath.shop
api2022.top
christmascostumes.club
innenausbauservice.com
hongfei8888.com
moroccos.social
zhulongzhai.com
dailyheraldresearch.com
nekutenti.com
investus.live
vienuongdamos1.click
guardify.ru
seismoeng.com
deviatkina.com
wp-operator.online
frwqc.com
shmhfdc.com
motodesultan.online
xn--b1aa9abqu3ed.com
spirituallyzen.com
mondasellsazhomes.com
linktau-roads.com
pubfive.xyz
fyifamilies.co.uk
oonrreward.xyz
mini-loop.com
jamesandjenna2023.com
inhibit09.online
visitfose.com
stublan.com
92toys.com
baltic-freya.com
uknowmarket.com
misssssalena.com
dymsumu.com
moveecosystem.xyz
esignmarketing.com
tobewell.store
v32.xyz
payq29.shop
www64421.com
leicesterurology.com
rdpschools.com
srcevracara.com
action.vacations
englishvibe.ru
vietnam-tourismonline.com
cpitherapy.com
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.lodehewulan.yachts/snky/
1488C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
972"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exewuapp.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
83.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
Total events
1 534
Read events
1 511
Write events
23
Delete events
0

Modification events

(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3476) wuapp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
1
Suspicious files
2
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
3476wuapp.exeC:\Users\admin\AppData\Local\Temp\sqlite3.deftext
MD5:A199F89960429326AE36F645FFC387AF
SHA256:35C648FA355503C4B6608C4D482BF8C0AE34AF33D70F08172ECD43816AAAB733
3476wuapp.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sqlite-dll-win32-x86-3380000[1].zipcompressed
MD5:5E2D04CB2FAE4E811CA35675C472F5FC
SHA256:DD46A298AB90CA9BA8A1F633F20ABE2DCB805596B5AA68DCB84CCE99E3A56BE1
3476wuapp.exeC:\Users\admin\AppData\Local\Temp\ibzxwhlh.zipcompressed
MD5:5E2D04CB2FAE4E811CA35675C472F5FC
SHA256:DD46A298AB90CA9BA8A1F633F20ABE2DCB805596B5AA68DCB84CCE99E3A56BE1
3476wuapp.exeC:\Users\admin\AppData\Local\Temp\sqlite3.dllexecutable
MD5:F1E5F58F9EB43ECEC773ACBDB410B888
SHA256:A15FD84EE61B54C92BB099DFB78226548F43D550C67FB6ADF4CCE3D064AB1C14
3476wuapp.exeC:\Users\admin\AppData\Local\Temp\10E304sqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
22
DNS requests
6
Threats
56

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1488
Explorer.EXE
GET
404
107.149.163.158:80
http://www.www64421.com/snky/?LX54A=63QPzmRuHHRbhEAPc1NiXAo9eXu0AcQKM3x0cNXSJUVRdjUWMu9ZlwZRG+YPOcZx/55L65BAnTHzsU6+EyloNtnHp5io5xbXJi9TO5A=&Tv14=K63DUfwxG0
US
html
146 b
malicious
3476
wuapp.exe
GET
200
45.33.6.223:80
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
US
compressed
553 Kb
whitelisted
1488
Explorer.EXE
POST
403
64.190.63.111:80
http://www.moveecosystem.xyz/snky/
US
compressed
110 b
malicious
1488
Explorer.EXE
POST
403
64.190.63.111:80
http://www.moveecosystem.xyz/snky/
US
compressed
110 b
malicious
1488
Explorer.EXE
POST
403
64.190.63.111:80
http://www.moveecosystem.xyz/snky/
US
compressed
110 b
malicious
1488
Explorer.EXE
POST
403
64.190.63.111:80
http://www.moveecosystem.xyz/snky/
US
compressed
110 b
malicious
1488
Explorer.EXE
POST
403
64.190.63.111:80
http://www.moveecosystem.xyz/snky/
US
compressed
110 b
malicious
1488
Explorer.EXE
GET
200
64.190.63.111:80
http://www.moveecosystem.xyz/snky/?LX54A=RlQNJyXypPc9sngjFl1M5wmMW9ZlkJdT9gN3taI6UP3s0mEpxxAKB2iDKa2YboXW/UWNMe5LxrB9tyR/0Yr96DWEiq3W6BhTQj19S3I=&Tv14=K63DUfwxG0
US
html
2.22 Kb
malicious
1488
Explorer.EXE
POST
404
162.213.255.142:80
http://www.pubfive.xyz/snky/
US
html
1.05 Kb
malicious
1488
Explorer.EXE
POST
404
162.213.255.142:80
http://www.pubfive.xyz/snky/
US
html
1.05 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
45.33.6.223:80
www.sqlite.org
Linode, LLC
US
suspicious
1488
Explorer.EXE
107.149.163.158:80
www.www64421.com
PEGTECHINC
US
malicious
1488
Explorer.EXE
64.190.63.111:80
www.moveecosystem.xyz
SEDO GmbH
DE
malicious
1488
Explorer.EXE
162.213.255.142:80
www.pubfive.xyz
NAMECHEAP-NET
US
malicious
1488
Explorer.EXE
82.163.176.114:80
www.lodehewulan.yachts
Wildcard UK Limited
GB
malicious
82.163.176.114:80
www.lodehewulan.yachts
Wildcard UK Limited
GB
malicious
1488
Explorer.EXE
74.208.236.214:80
www.spirituallyzen.com
IONOS SE
US
malicious

DNS requests

Domain
IP
Reputation
www.www64421.com
  • 107.149.163.158
malicious
www.sqlite.org
  • 45.33.6.223
whitelisted
www.moveecosystem.xyz
  • 64.190.63.111
malicious
www.pubfive.xyz
  • 162.213.255.142
malicious
www.lodehewulan.yachts
  • 82.163.176.114
malicious
www.spirituallyzen.com
  • 74.208.236.214
malicious

Threats

PID
Process
Class
Message
1488
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1488
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1488
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1488
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1488
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1488
Explorer.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
1488
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1488
Explorer.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
1488
Explorer.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
1488
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
6 ETPRO signatures available at the full report
No debug info