General Info

File name

wyDb.exe

Full analysis
https://app.any.run/tasks/37eb710f-1578-44e2-a658-103419805bf7
Verdict
Malicious activity
Analysis date
3/14/2019, 12:50:43
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

emotet

banker

trojan

feodo

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

2da8e7f842bc7a4227b050d45340ebef

SHA1

bf46f00aae3b987c32fe203d20a3b4921f997f0c

SHA256

48e674eccdcd51c22754aa39fac7d8e7d4e9000ecbf996e8f243b591954b6ecc

SSDEEP

3072:k3mz3RniOgOALnJlvXfyg0nxTk2w1EmSSws1fZWyrXPqS4ysXo:WcRn5gOiJlvXag0K2TmiUZlrfUPY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Emotet process was detected
  • wabmetagen.exe (PID: 3312)
EMOTET was detected
  • wabmetagen.exe (PID: 4044)
Connects to CnC server
  • wabmetagen.exe (PID: 4044)
Application launched itself
  • wyDb.exe (PID: 3444)
  • wabmetagen.exe (PID: 3312)
Starts itself from another location
  • wyDb.exe (PID: 2160)
Executable content was dropped or overwritten
  • wyDb.exe (PID: 2160)
Connects to unusual port
  • wabmetagen.exe (PID: 4044)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (52.5%)
.scr | Windows screen saver (22%)
.dll | Win32 Dynamic Link Library (generic) (11%)
.exe | Win32 Executable (generic) (7.5%)
.exe | Generic Win/DOS Executable (3.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:03:14 12:28:01+01:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
25600
InitializedDataSize:
196608
UninitializedDataSize:
null
EntryPoint:
0x1240
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
6.22.1.1
ProductVersionNumber:
6.22.1.1
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
Comments:
Internet Download Manager agent for click monitoring in IE-based browsers
CompanyName:
Tonec Inc.
FileDescription:
Internet Download Manager agent for click monitoring in IE-based browsers
FileVersion:
6, 22, 1, 1
InternalName:
IEMonitor
LegalCopyright:
Tonec Inc., Copyright © 1999 - 2015
LegalTrademarks:
Internet Download Manager
OriginalFileName:
IEMonitor.EXE
PrivateBuild:
ProductName:
ProductVersion:
SpecialBuild:

Processes

Total processes
33
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Graph nodes: start; wydb.exe (no specs); wydb.exe (#EMOTET); wabmetagen.exe (no specs); wabmetagen.exe (#EMOTET). Edge label: drop and start.
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3444
CMD
"C:\Users\admin\AppData\Local\Temp\wyDb.exe"
Path
C:\Users\admin\AppData\Local\Temp\wyDb.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Tonec Inc.
Description
Internet Download Manager agent for click monitoring in IE-based browsers
Version
6, 22, 1, 1
Modules
Image
c:\users\admin\appdata\local\temp\wydb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2160
CMD
"C:\Users\admin\AppData\Local\Temp\wyDb.exe"
Path
C:\Users\admin\AppData\Local\Temp\wyDb.exe
Indicators
Parent process
wyDb.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Tonec Inc.
Description
Internet Download Manager agent for click monitoring in IE-based browsers
Version
6, 22, 1, 1
Modules
Image
c:\users\admin\appdata\local\temp\wydb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\wabmetagen\wa
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll

PID
3312
CMD
"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
Path
C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Indicators
Parent process
wyDb.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Tonec Inc.
Description
Internet Download Manager agent for click monitoring in IE-based browsers
Version
6, 22, 1, 1
Modules
Image
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
4044
CMD
"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
Path
C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Indicators
Parent process
wabmetagen.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Tonec Inc.
Description
Internet Download Manager agent for click monitoring in IE-based browsers
Version
6, 22, 1, 1
Modules
Image
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events
68
Read events
54
Write events
14
Delete events
0

Modification events

PID Process Operation Key Name Value
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32 EnableFileTracing 0
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32 EnableConsoleTracing 0
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32 FileTracingMask 4294901760
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32 ConsoleTracingMask 4294901760
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32 MaxFileSize 1048576
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32 FileDirectory %windir%\tracing
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS EnableFileTracing 0
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS EnableConsoleTracing 0
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS FileTracingMask 4294901760
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS ConsoleTracingMask 4294901760
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS MaxFileSize 1048576
4044 wabmetagen.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS FileDirectory %windir%\tracing
4044 wabmetagen.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
4044 wabmetagen.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings

Files activity

Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2160
wyDb.exe
C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
executable
MD5: 2da8e7f842bc7a4227b050d45340ebef
SHA256: 48e674eccdcd51c22754aa39fac7d8e7d4e9000ecbf996e8f243b591954b6ecc

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests
46
TCP/UDP connections
46
DNS requests
0
Threats
106

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
4044 wabmetagen.exe GET 404 201.220.152.101:80 http://201.220.152.101/ AR xml –– malicious
4044 wabmetagen.exe GET 404 190.97.219.241:80 http://190.97.219.241/ CO xml –– malicious
4044 wabmetagen.exe GET 404 160.3.238.131:50000 http://160.3.238.131:50000/ US xml –– malicious
4044 wabmetagen.exe GET 404 189.209.217.49:80 http://189.209.217.49/ MX xml –– malicious
4044 wabmetagen.exe GET 404 67.248.56.82:22 http://67.248.56.82:22/ US xml –– suspicious
4044 wabmetagen.exe GET 404 64.46.91.165:80 http://64.46.91.165/ US xml –– malicious
4044 wabmetagen.exe GET 404 64.9.43.60:8080 http://64.9.43.60:8080/ US xml –– malicious
4044 wabmetagen.exe GET –– 201.239.154.191:443 http://201.239.154.191:443/ CL –– –– malicious
4044 wabmetagen.exe GET 404 71.182.128.166:80 http://71.182.128.166/ US xml –– malicious
4044 wabmetagen.exe GET 404 76.168.149.66:8080 http://76.168.149.66:8080/ US xml –– malicious
4044 wabmetagen.exe GET –– 185.94.252.3:443 http://185.94.252.3:443/ DE –– –– malicious
4044 wabmetagen.exe GET 404 5.230.147.179:8080 http://5.230.147.179:8080/ DE xml –– malicious
4044 wabmetagen.exe GET 404 64.13.225.150:8080 http://64.13.225.150:8080/ US xml –– malicious
4044 wabmetagen.exe GET 404 203.143.86.111:8080 http://203.143.86.111:8080/ AU xml –– malicious
4044 wabmetagen.exe GET 404 187.142.0.234:22 http://187.142.0.234:22/ MX xml –– malicious
4044 wabmetagen.exe GET 404 173.255.196.209:8080 http://173.255.196.209:8080/ US xml –– malicious
4044 wabmetagen.exe GET –– 67.205.149.117:443 http://67.205.149.117:443/ US –– –– malicious
4044 wabmetagen.exe GET 404 87.106.210.123:80 http://87.106.210.123/ DE xml –– malicious
4044 wabmetagen.exe GET 404 62.151.17.5:8090 http://62.151.17.5:8090/ ES xml –– malicious
4044 wabmetagen.exe GET 404 201.253.238.50:80 http://201.253.238.50/ AR xml –– malicious
4044 wabmetagen.exe GET 404 186.113.255.229:22 http://186.113.255.229:22/ CO xml –– malicious
4044 wabmetagen.exe GET –– 173.255.250.241:443 http://173.255.250.241:443/ US –– –– malicious
4044 wabmetagen.exe GET 404 90.219.97.38:80 http://90.219.97.38/ GB xml –– malicious
4044 wabmetagen.exe GET 404 50.31.0.160:8080 http://50.31.0.160:8080/ US xml –– malicious
4044 wabmetagen.exe GET –– 178.62.37.188:443 http://178.62.37.188:443/ GB –– –– malicious
4044 wabmetagen.exe GET 404 187.189.195.208:8443 http://187.189.195.208:8443/ MX xml –– malicious
4044 wabmetagen.exe GET –– 211.63.34.183:443 http://211.63.34.183:443/ KR –– –– malicious
4044 wabmetagen.exe GET –– 45.33.49.124:443 http://45.33.49.124:443/ US –– –– malicious
4044 wabmetagen.exe GET 404 45.36.20.17:8443 http://45.36.20.17:8443/ US xml –– malicious
4044 wabmetagen.exe GET 404 103.39.131.88:80 http://103.39.131.88/ IN xml –– malicious
4044 wabmetagen.exe GET 404 24.243.101.134:80 http://24.243.101.134/ US xml –– malicious
4044 wabmetagen.exe GET 404 213.191.168.93:80 http://213.191.168.93/ BG xml –– malicious
4044 wabmetagen.exe GET 404 200.50.185.54:80 http://200.50.185.54/ AR xml –– malicious
4044 wabmetagen.exe GET 404 201.192.156.113:8090 http://201.192.156.113:8090/ CR xml –– malicious
4044 wabmetagen.exe GET 404 62.75.187.192:8080 http://62.75.187.192:8080/ FR xml –– malicious
4044 wabmetagen.exe GET –– 186.4.234.27:443 http://186.4.234.27:443/ EC –– –– malicious
4044 wabmetagen.exe GET 404 58.171.215.214:8080 http://58.171.215.214:8080/ AU xml –– malicious
4044 wabmetagen.exe GET 404 200.113.185.229:8080 http://200.113.185.229:8080/ CL xml –– malicious
4044 wabmetagen.exe GET –– 190.46.30.14:443 http://190.46.30.14:443/ CL –– –– malicious
4044 wabmetagen.exe GET –– 45.123.3.54:443 http://45.123.3.54:443/ IN –– –– malicious
4044 wabmetagen.exe GET 404 208.78.100.202:8080 http://208.78.100.202:8080/ US xml –– malicious
4044 wabmetagen.exe GET 404 59.103.164.174:80 http://59.103.164.174/ PK xml –– malicious
4044 wabmetagen.exe GET 404 67.209.208.130:8443 http://67.209.208.130:8443/ US xml –– malicious
4044 wabmetagen.exe GET 404 147.135.210.39:8080 http://147.135.210.39:8080/ PL xml –– malicious
4044 wabmetagen.exe GET 404 108.188.116.179:80 http://108.188.116.179/ US xml –– malicious
–– –– GET 404 86.239.117.57:8090 http://86.239.117.57:8090/ FR xml –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
4044 wabmetagen.exe 201.220.152.101:80 Intercom SRL AR malicious
4044 wabmetagen.exe 190.97.219.241:80 Empresa de Recursos Tecnologicos S.A E.S.P CO malicious
4044 wabmetagen.exe 160.3.238.131:50000 Cable One, Inc. US malicious
4044 wabmetagen.exe 189.209.217.49:80 Axtel, S.A.B. de C.V. MX malicious
4044 wabmetagen.exe 67.248.56.82:22 Time Warner Cable Internet LLC US suspicious
4044 wabmetagen.exe 64.46.91.165:80 Telconet S.A US malicious
4044 wabmetagen.exe 64.9.43.60:8080 Level 3 Communications, Inc. US malicious
4044 wabmetagen.exe 201.239.154.191:443 VTR BANDA ANCHA S.A. CL malicious
4044 wabmetagen.exe 71.182.128.166:80 MCI Communications Services, Inc. d/b/a Verizon Business US malicious
4044 wabmetagen.exe 76.168.149.66:8080 Time Warner Cable Internet LLC US malicious
4044 wabmetagen.exe 185.94.252.3:443 Andreas Fahl trading as Megaservers.de DE malicious
4044 wabmetagen.exe 5.230.147.179:8080 GHOSTnet GmbH DE malicious
4044 wabmetagen.exe 64.13.225.150:8080 Media Temple, Inc. US malicious
4044 wabmetagen.exe 203.143.86.111:8080 OMNIconnect Pty Ltd AU malicious
4044 wabmetagen.exe 187.142.0.234:22 Uninet S.A. de C.V. MX malicious
4044 wabmetagen.exe 173.255.196.209:8080 Linode, LLC US malicious
4044 wabmetagen.exe 67.205.149.117:443 Digital Ocean, Inc. US malicious
4044 wabmetagen.exe 87.106.210.123:80 1&1 Internet SE DE malicious
4044 wabmetagen.exe 62.151.17.5:8090 Orange Espagne SA ES malicious
4044 wabmetagen.exe 201.253.238.50:80 Telecom Argentina S.A. AR malicious
4044 wabmetagen.exe 186.113.255.229:22 COLOMBIA TELECOMUNICACIONES S.A. ESP CO malicious
4044 wabmetagen.exe 173.255.250.241:443 Linode, LLC US malicious
4044 wabmetagen.exe 90.219.97.38:80 Sky UK Limited GB malicious
4044 wabmetagen.exe 50.31.0.160:8080 Steadfast US malicious
4044 wabmetagen.exe 178.62.37.188:443 Digital Ocean, Inc. GB malicious
4044 wabmetagen.exe 187.189.195.208:8443 TOTAL PLAY TELECOMUNICACIONES SA DE CV MX malicious
4044 wabmetagen.exe 211.63.34.183:443 LG DACOM Corporation KR malicious
4044 wabmetagen.exe 45.33.49.124:443 Linode, LLC US malicious
4044 wabmetagen.exe 45.36.20.17:8443 Time Warner Cable Internet LLC US malicious
4044 wabmetagen.exe 103.39.131.88:80 Gujarat Telelink Pvt Ltd IN malicious
4044 wabmetagen.exe 24.243.101.134:80 Time Warner Cable Internet LLC US malicious
4044 wabmetagen.exe 213.191.168.93:80 Blizoo Media and Broadband BG malicious
4044 wabmetagen.exe 200.50.185.54:80 SAN VICENTE CABLE Y TELECOMUNICACIONES SRL AR malicious
4044 wabmetagen.exe 201.192.156.113:8090 Instituto Costarricense de Electricidad y Telecom. CR malicious
4044 wabmetagen.exe 62.75.187.192:8080 Host Europe GmbH FR malicious
4044 wabmetagen.exe 186.4.234.27:443 Telconet S.A EC malicious
4044 wabmetagen.exe 58.171.215.214:8080 Telstra Pty Ltd AU malicious
4044 wabmetagen.exe 200.113.185.229:8080 Telefonica Empresas CL malicious
4044 wabmetagen.exe 190.46.30.14:443 VTR BANDA ANCHA S.A. CL malicious
4044 wabmetagen.exe 45.123.3.54:443 Blue Lotus Support Services Pvt Ltd IN malicious
4044 wabmetagen.exe 208.78.100.202:8080 Rackspace Ltd. US malicious
4044 wabmetagen.exe 59.103.164.174:80 Pakistan Telecom Company Limited PK malicious
4044 wabmetagen.exe 67.209.208.130:8443 Plateau Telecommunications Incorporated US malicious
4044 wabmetagen.exe 147.135.210.39:8080 OVH SAS PL malicious
4044 wabmetagen.exe 108.188.116.179:80 BRIGHT HOUSE NETWORKS, LLC US malicious
–– –– 86.239.117.57:8090 Orange FR malicious

DNS requests

No DNS requests.

Threats

PID Process Class Message
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 8
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 18
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 14
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 6
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 3
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 15
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 17
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 1
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 13
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 7
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 11
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 19
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 2
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
4044 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request
–– –– A Network Trojan was detected ET CNC Feodo Tracker Reported CnC Server group 24
–– –– A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request

46 ETPRO signatures available at the full report

Debug output strings

No debug info.