Field | Value |
---|---|
URL | http://5.196.172.33/_nav/go.php?abre=0xHUWXSCDR&go=0xb914e2c8&dwe=0xWXMRJMMN |
Full analysis | https://app.any.run/tasks/170b4e72-6198-4c30-9121-5e2cc4c1c6cd |
Verdict | Malicious activity |
Analysis date | March 21, 2019, 14:42:55 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MD5 | EDC13208907A1C5A0DA20A008AB533AB |
SHA1 | 7484B63D107D8F887D20929E2D0C111CD066E11C |
SHA256 | 4CCB37310ED9227449BF67DD6AFB837911B679916D6E750CFAE4BDD981D5B71F |
SSDEEP | 3:N1K/ljeZnYAQtfVI0Xpy9ur:CAattfVtyW |

PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version |
---|---|---|---|---|---|---|---|---|---|
2856 | "C:\Program Files\Internet Explorer\iexplore.exe" http://5.196.172.33/_nav/go.php?abre=0xHUWXSCDR&go=0xb914e2c8&dwe=0xWXMRJMMN | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) |
3432 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | — |
2856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3432 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J30HDGEZ\ff-bank_asia[1].txt | — | — | — |
3432 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4IEMV79M\styles-custom[1].css | text | 0DC7A4548E5D97E6DB64AAB1D2DAA234 | 54B35DEB26C4C0C01FA20B6F5CC7BC6D7631EA94EF4676FAD7E539245619CF54 |
3432 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@375460198[1].txt | text | C72E87E707D7BAAC3103ECDA60F94CA6 | BBDEAE16781D403C8DD4754BEED17586C88211D5CEB38F1840F37751C212DF48 |
3432 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 7AFED4D06E15AE27F36CC54BAD9D0291 | 23229829B43001594B58A6701A9A752958BE892C598D42747B953FD5FDA55BCD |
3432 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | AEAD87E585D7AB3551F6A35B07A24CAF | 1E65AC78DEF7077DE76387196F6B61180FB7C5BCC341CFDF6E16EF413335246B |
3432 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J30HDGEZ\ff-bank_asia[1].htm | html | F2EE1CE2996B41F8801B815F1E50FE79 | BFE486DB5EE070D54B2A3CFBD70B0A9248ACAB4C0F1DC1CCE6BFB7291B5CB17D |
3432 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@ff-bank[1].txt | text | 7EF2E77120FAED3EBB7DDFA0AF3DA58A | C397328F77E1D67409172C55EA2A45B009D84819D8C723DD636677CFE8581D9B |
3432 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | 05A9D744C59C5315D941DBDFD0A28F09 | 1199C3397FC74E4DB84492486891B9EDD1BEAB8DB7ABCA752D9E2A9C8DE328F3 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3432 | iexplore.exe | GET | 302 | 104.24.118.197:80 | http://375460198.host/ | US | — | — | shared |
3432 | iexplore.exe | GET | 302 | 185.20.226.200:80 | http://0xb914e2c8/ | RU | — | — | malicious |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/landings/_common/fonts/PT_Sans/PTS75F_W.eot | US | text | 87 b | shared |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/landings/_common/fonts/PT_Sans/PTS55F_W.eot | US | text | 87 b | shared |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/landings/_common/fonts/HelveticaNeue/HelveticaNeueCyrThin.eot | US | text | 87 b | shared |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/styles.css | US | text | 2.80 Kb | shared |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/fb3.png | US | image | 388 b | shared |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/styles-custom.css | US | text | 183 b | shared |
3432 | iexplore.exe | GET | 200 | 104.27.176.5:80 | http://ff-bank.asia/landings/_common/fonts/PT_Sans/PTS56F_W.eot | US | text | 87 b | shared |
2856 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2856 | iexplore.exe | 104.27.176.5:80 | ff-bank.asia | Cloudflare Inc | US | shared |
3432 | iexplore.exe | 87.250.250.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted |
2856 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3432 | iexplore.exe | 5.196.172.33:80 | — | OVH SAS | FR | unknown |
3432 | iexplore.exe | 104.27.176.5:80 | ff-bank.asia | Cloudflare Inc | US | shared |
3432 | iexplore.exe | 104.24.118.197:80 | 375460198.host | Cloudflare Inc | US | shared |
3432 | iexplore.exe | 185.20.226.200:80 | — | Domain names registrar REG.RU, Ltd | RU | malicious |
3432 | iexplore.exe | 172.217.23.170:443 | ajax.googleapis.com | Google Inc. | US | whitelisted |

Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
375460198.host | — | unknown |
ff-bank.asia | — | unknown |
ajax.googleapis.com | — | whitelisted |
mc.yandex.ru | — | whitelisted |

PID | Process | Class | Message |
---|---|---|---|
3432 | iexplore.exe | A Network Trojan was detected | ET MALWARE Hex Encoded IP HTTP Request - Likely Malware |