File name: | new 1.txt |
Full analysis: | https://app.any.run/tasks/29ea7142-fa3f-44da-affa-8e30b345d120 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 14, 2018, 04:29:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | 80818856A7CADF68456337B17B1C318D |
SHA1: | 5C8B8175C75D9F02FD0889CD6D958ED452F14D16 |
SHA256: | 8E5DE01820734FE46F2161B81123246472AD835B568CAD6109877172C2BEFBBF |
SSDEEP: | 3:0Z3:0t |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2804 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\new 1.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4020 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 61.0.2 | ||||
3624 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.0.194107319\1281099046" -childID 1 -isForBrowser -prefsHandle 1332 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 1432 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 | ||||
2636 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.6.1035511051\1302626400" -childID 2 -isForBrowser -prefsHandle 2416 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 2504 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 | ||||
3016 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.12.1551129682\1183777204" -childID 3 -isForBrowser -prefsHandle 3060 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 3072 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 | ||||
2972 | "C:\Users\admin\Downloads\ReimageRepair.exe" | C:\Users\admin\Downloads\ReimageRepair.exe | — | firefox.exe |
User: admin Company: Reimage Integrity Level: MEDIUM Description: Reimage Downloader Exit code: 3221226540 Version: 1.542 | ||||
3172 | "C:\Users\admin\Downloads\ReimageRepair.exe" | C:\Users\admin\Downloads\ReimageRepair.exe | — | firefox.exe |
User: admin Company: Reimage Integrity Level: HIGH Description: Reimage Downloader Exit code: 2 Version: 1.542 | ||||
2840 | "C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\ns4655.tmp" "C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt | C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\ns4655.tmp | — | ReimageRepair.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2256 | cmd /c ""C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt" | C:\Windows\system32\cmd.exe | — | ns4655.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2684 | "C:\Users\admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';" | C:\Users\admin\AppData\Local\Temp\sqlite3.exe | — | cmd.exe |
User: admin Integrity Level: HIGH Exit code: 0 |
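The chain in the process table above is worth reading closely. ReimageRepair.exe (an NSIS installer, per the NSIS_Inetc user agent flagged in the threats table) first runs at MEDIUM integrity and exits with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED, the status a manifest-elevated binary returns when CreateProcess refuses to start it unelevated; it is then relaunched at HIGH, unpacks a helper into an `ns*.tmp` directory under %TEMP%, and that helper runs FF.bat through cmd.exe, which calls a bundled sqlite3.exe to read the `_trackid` cookie for reimageplus.com straight out of the Firefox profile's cookies.sqlite. Whatever the vendor's intent, a third-party installer opening the user's browser cookie store is the same process pattern a session or credential stealer produces. The script below is an added example, not ANY.RUN's or Reimage's code, that turns those three observations into checks over a process log. The records are constructed from the table; the browser image list and the Chromium cookie-store paths are general knowledge, and the `ns<letter><4 hex>.tmp` directory pattern is an assumption inferred from the nso44EC.tmp path.

```python
"""Added example: detections for the process chain in the report above.

Not ANY.RUN's or Reimage's code. Flags three things the process table shows:
  1. a UAC relaunch: the same image exits MEDIUM with STATUS_ELEVATION_REQUIRED,
     then runs again at HIGH integrity;
  2. a non-browser process naming a browser cookie store on its command line;
  3. a helper executing out of an NSIS-style ns*.tmp directory under %TEMP%.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS returned when CreateProcess hits a requireAdministrator manifest
# without elevation; shown as decimal 3221226540 in the report.
STATUS_ELEVATION_REQUIRED = 0xC000042C

# Cookie stores of Firefox (cookies.sqlite) and Chromium-based browsers
# (User Data\<profile>\Cookies; newer builds use ...\Network\Cookies).
COOKIE_STORE_RE = re.compile(r"(cookies\.sqlite|\\Network\\Cookies|\\Default\\Cookies)\b", re.I)
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe"}
# Assumption: NSIS unpacks helpers into %TEMP%\ns<letter><4 hex>.tmp\, inferred
# from the nso44EC.tmp\ns4655.tmp path in the report.
NSIS_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\ns[a-z]?[0-9a-f]{4}\.tmp\\", re.I)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    integrity: str
    parent: str
    exit_code: Optional[int] = None


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_uac_relaunch(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(unelevated pid, elevated pid) pairs for an image that came back at HIGH."""
    hits = []
    for p in procs:
        if p.exit_code != STATUS_ELEVATION_REQUIRED or p.integrity.upper() != "MEDIUM":
            continue
        for q in procs:
            if q.pid != p.pid and q.image.lower() == p.image.lower() and q.integrity.upper() == "HIGH":
                hits.append((p.pid, q.pid))
    return hits


def find_cookie_store_access(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """(pid, image, matched store) for non-browser processes naming a cookie DB."""
    hits = []
    for p in procs:
        if image_name(p.image) in BROWSER_IMAGES:
            continue  # the browser touching its own store is expected
        m = COOKIE_STORE_RE.search(p.cmdline)
        if m:
            hits.append((p.pid, image_name(p.image), m.group(1)))
    return hits


def find_nsis_temp_helpers(procs: List[Proc]) -> List[int]:
    """pids whose image lives in an NSIS ns*.tmp directory under %TEMP%."""
    return [p.pid for p in procs if NSIS_TEMP_RE.search(p.image)]


# Constructed from the report's process table (paths and exit codes as listed there).
SAMPLE = [
    Proc(4020, r"C:\Program Files\Mozilla Firefox\firefox.exe",
         r'"C:\Program Files\Mozilla Firefox\firefox.exe"', "MEDIUM", "explorer.exe"),
    Proc(2972, r"C:\Users\admin\Downloads\ReimageRepair.exe",
         r'"C:\Users\admin\Downloads\ReimageRepair.exe"', "MEDIUM", "firefox.exe", 3221226540),
    Proc(3172, r"C:\Users\admin\Downloads\ReimageRepair.exe",
         r'"C:\Users\admin\Downloads\ReimageRepair.exe"', "HIGH", "firefox.exe", 2),
    Proc(2840, r"C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\ns4655.tmp",
         r'"C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\ns4655.tmp" "C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt',
         "HIGH", "ReimageRepair.exe", 0),
    Proc(2256, r"C:\Windows\system32\cmd.exe",
         r'cmd /c ""C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt"',
         "HIGH", "ns4655.tmp", 0),
    Proc(2684, r"C:\Users\admin\AppData\Local\Temp\sqlite3.exe",
         r'''"C:\Users\admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"''',
         "HIGH", "cmd.exe", 0),
]

if __name__ == "__main__":
    for a, b in find_uac_relaunch(SAMPLE):
        print(f"UAC relaunch: pid {a} exited 0x{STATUS_ELEVATION_REQUIRED:08X}, pid {b} is the elevated copy")
    for pid, img, store in find_cookie_store_access(SAMPLE):
        print(f"cookie store access: pid {pid} ({img}) references {store}")
    for pid in find_nsis_temp_helpers(SAMPLE):
        print(f"NSIS helper: pid {pid} runs from an ns*.tmp directory")
```

Run as-is it reports the three findings from the constructed records. To use it on real telemetry, build `Proc` records from Sysmon event 1 (which carries CommandLine, Image and IntegrityLevel) and take the exit code from Security event 4689, whose Exit Status field is the raw NTSTATUS; match parent and child by the image path rather than by name, since the relaunched copy is a new process with a new PID.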
PID | Process | Filename | Type | |
---|---|---|---|---|
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.metadata | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.pset | — | |
MD5:— | SHA256:— | |||
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:707C12070C52E55C2A996AC15E219B95 | SHA256:6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4020 | firefox.exe | GET | — | 199.59.242.151:80 | http://www.fanneemae.com/favicon.ico | US | — | — | malicious |
4020 | firefox.exe | GET | 503 | 172.217.168.228:80 | http://www.google.com/sorry/index?continue=http://www.google.com/dp/ads%3Fmax_radlink_len%3D60%26r%3Dm%26client%3Ddp-bodis30_3ph%26channel%3Dpid-bodis-gcontrol40%252Cpid-bodis-gcontrol104%26hl%3Den%26adsafe%3Dlow%26type%3D3%26optimize_terms%3Don%26terms%3Dfannie%2520mae%2520home%2520loans%252Cfannie%2520mae%2520home%2520application%252Cfannie%2520mae%2520refinance%252Cfannie%2520mae%2520loan%2520rates%252Cfannie%2520mae%2520and%2520freddie%2520mac%252Cfannie%2520mae%2520financial%2520aid%252Chome%2520down%2520payment%2520assistance%26swp%3Das-drid-2561634113391178%26uiopt%3Dfalse%26oe%3DUTF-8%26ie%3DUTF-8%26fexp%3D21404%252C17300002%26format%3Dr7%26num%3D0%26output%3Dafd_ads%26domain_name%3Dwww.fanneemae.com%26v%3D3%26adext%3Das1%252Csr1%26bsl%3D8%26u_his%3D2%26u_tz%3D0%26dt%3D1544761802997%26u_w%3D1280%26u_h%3D720%26biw%3D1264%26bih%3D585%26psw%3D1264%26psh%3D900%26frm%3D0%26uio%3Dff6fa6st24sa11lt30as1sl1sr1-%26jsv%3D10546%26rurl%3Dhttp%253A%252F%252Fwww.fanneemae.com%252F&hl=en&q=EgS55n2MGMvjzOAFIhkA8aeDS3yQtGwnxf6S0WhpIdRO2kobVLLoMgFy | US | — | 5.22 Kb | whitelisted |
4020 | firefox.exe | GET | 301 | 52.73.222.18:80 | http://fannemae.com/ | US | html | 192 b | malicious |
4020 | firefox.exe | GET | 302 | 70.40.222.168:80 | http://25t.net/dnimport/brx/index_f5.php?d=fanneemae.com | US | binary | 20 b | unknown |
4020 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
4020 | firefox.exe | GET | 200 | 172.217.168.228:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.7 Kb | whitelisted |
4020 | firefox.exe | GET | 302 | 172.217.168.228:80 | http://www.google.com/dp/ads?max_radlink_len=60&r=m&client=dp-bodis30_3ph&channel=pid-bodis-gcontrol40%2Cpid-bodis-gcontrol104&hl=en&adsafe=low&type=3&optimize_terms=on&terms=fannie%20mae%20home%20loans%2Cfannie%20mae%20home%20application%2Cfannie%20mae%20refinance%2Cfannie%20mae%20loan%20rates%2Cfannie%20mae%20and%20freddie%20mac%2Cfannie%20mae%20financial%20aid%2Chome%20down%20payment%20assistance&swp=as-drid-2561634113391178&uiopt=false&oe=UTF-8&ie=UTF-8&fexp=21404%2C17300002&format=r7&num=0&output=afd_ads&domain_name=www.fanneemae.com&v=3&adext=as1%2Csr1&bsl=8&u_his=2&u_tz=0&dt=1544761802997&u_w=1280&u_h=720&biw=1264&bih=585&psw=1264&psh=900&frm=0&uio=ff6fa6st24sa11lt30as1sl1sr1-&jsv=10546&rurl=http%3A%2F%2Fwww.fanneemae.com%2F | US | html | 1.23 Kb | whitelisted |
4020 | firefox.exe | GET | 200 | 199.59.242.151:80 | http://www.fanneemae.com/px.gif?ch=2&rn=9.54130594448226 | US | image | 42 b | malicious |
4020 | firefox.exe | GET | 200 | 2.16.186.112:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
4020 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4020 | firefox.exe | 52.73.222.18:80 | fannemae.com | Amazon.com, Inc. | US | unknown |
4020 | firefox.exe | 52.222.159.239:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
4020 | firefox.exe | 52.89.32.107:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
4020 | firefox.exe | 34.216.156.21:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
4020 | firefox.exe | 216.58.215.238:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
4020 | firefox.exe | 70.40.222.168:80 | 25t.net | Unified Layer | US | unknown |
4020 | firefox.exe | 172.217.168.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
4020 | firefox.exe | 199.59.242.151:80 | www.fanneemae.com | Bodis, LLC | US | malicious |
4020 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
4020 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com | — | whitelisted
search.services.mozilla.com | — | whitelisted
a1089.dscd.akamai.net | — | whitelisted
search.r53-2.services.mozilla.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
cs9.wac.phicdn.net | — | whitelisted
tiles.services.mozilla.com | — | whitelisted
tiles.r53-2.services.mozilla.com | — | whitelisted
snippets.cdn.mozilla.net | — | whitelisted
drcwo519tnci7.cloudfront.net | — | shared
PID | Process | Class | Message |
---|---|---|---|
4020 | firefox.exe | A Network Trojan was detected | SC WORM Worm:Win32/Esfury - C&C checkin |
4020 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4020 | firefox.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
3172 | ReimageRepair.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.Reimage Check-in |
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |