File name: | SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781 |
Full analysis: | https://app.any.run/tasks/85c1735c-35e9-4265-9bb3-005430c5a0bf |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). FormBook differs from much competing malware by its extreme ease of use, which allows even inexperienced threat actors to operate it. |
Analysis date: | December 06, 2022, 03:36:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 2671DB3CBA1E1848EC04B0DFB326FEA8 |
SHA1: | E78905B037BECF55E0049AA3247F1BCECC379CD3 |
SHA256: | 93887029EDA377FA78729CBF1C96C582C029A828A8F721B731D5ECDDA7555FEC |
SSDEEP: | 6144:qBnmeG0xkz6C2U/2aqg9JBP/W5/tuzQxgJhyESBNoliLAmtESJwx6rbs8S:OGlaKpW5/tuxJhyfB6iLA8ac/S |
Extension | File type | Match (%) |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 67.4 |
.dll | Win32 Dynamic Link Library (generic) | 14.2 |
.exe | Win32 Executable (generic) | 9.7 |
.exe | Generic Win/DOS Executable | 4.3 |
.exe | DOS Executable Generic | 4.3 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2015-Dec-27 05:38:52 |
Detected languages: | |
e_magic: | MZ |
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 216 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2015-Dec-27 05:38:52 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 23626 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41076 |
.rdata | 28672 | 4446 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14255 |
.data | 36864 | 110712 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22522 |
.ndata | 151552 | 32768 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 184320 | 202592 | 202752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.93641 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.90959 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 7.96373 | 38581 | UNKNOWN | English - United States | RT_ICON |
3 | 5.17077 | 38056 | UNKNOWN | English - United States | RT_ICON |
4 | 5.22062 | 21640 | UNKNOWN | English - United States | RT_ICON |
5 | 5.1977 | 16936 | UNKNOWN | English - United States | RT_ICON |
6 | 5.26928 | 9640 | UNKNOWN | English - United States | RT_ICON |
7 | 5.3399 | 4264 | UNKNOWN | English - United States | RT_ICON |
8 | 5.49489 | 2440 | UNKNOWN | English - United States | RT_ICON |
9 | 5.20658 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 3.03466 | 132 | UNKNOWN | English - United States | RT_GROUP_ICON |
Imported DLLs |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2656 | "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe" | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 2 |
2584 | "C:\Users\admin\AppData\Local\Temp\opwovm.exe" C:\Users\admin\AppData\Local\Temp\jzacvyuruta.yv | C:\Users\admin\AppData\Local\Temp\opwovm.exe | | SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3136 | "C:\Users\admin\AppData\Local\Temp\opwovm.exe" | C:\Users\admin\AppData\Local\Temp\opwovm.exe | — | opwovm.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3212 | "C:\Windows\System32\colorcpl.exe" | C:\Windows\System32\colorcpl.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Color Control Panel; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3212 | colorcpl.exe (FormBook config) | | | | Decoy C2: 64 domains; Strings: 75; C2: www.spirituallyzen.com/m9ae/ |
576 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2576 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | colorcpl.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 83.0 |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2584 | opwovm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | satytuyqndhqqq | C:\Users\admin\AppData\Roaming\pugcbmf\wnrbbehkxrwbgu.exe "C:\Users\admin\AppData\Local\Temp\opwovm.exe" C:\Users\admin\AppData\L |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
3212 | colorcpl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2656 | SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe | C:\Users\admin\AppData\Local\Temp\sjxwsz.gz | binary | 6D5C5D1FB0C5217DDAF28DB7AE4E5A91 | 3C483F7DFD417A90A73FB0305E3DEDD0E5A91BDB2B17C8209308E4D90C2AB1BA |
2656 | SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe | C:\Users\admin\AppData\Local\Temp\opwovm.exe | executable | 6E53EC51F109B4B2F96DF15D9F57B63C | 6814D2488B5DFE90C8985BF2B482655457CC44B24D58C4094E5D69A42EDC8C0E |
2584 | opwovm.exe | C:\Users\admin\AppData\Roaming\pugcbmf\wnrbbehkxrwbgu.exe | executable | 6E53EC51F109B4B2F96DF15D9F57B63C | 6814D2488B5DFE90C8985BF2B482655457CC44B24D58C4094E5D69A42EDC8C0E |
2656 | SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe | C:\Users\admin\AppData\Local\Temp\nsiC997.tmp | binary | 92E55FCD8EB9EEF4BB4987C3E494567B | CA32FF43950CE7C3F44226499F056DC2C2913E60955E60739B098CE496F26C21 |
2656 | SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe | C:\Users\admin\AppData\Local\Temp\jzacvyuruta.yv | fli | 9A98BCBAEADC635D0612286A89C766A9 | 1E740C732EEB938A59122B1B15E3EC15D56AC5B2A6462F1662C8B98465243181 |
3212 | colorcpl.exe | C:\Users\admin\AppData\Local\Temp\chwxv.zip | compressed | C42EC8F35C6A06666E6AD54471A2728B | 22BB304AAB3EC7A51FC4DC7749F304BBE01C5EC014144FBC8F86012DC3B0708B |
3212 | colorcpl.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.dll | executable | 07FB6D31F37FB1B4164BEF301306C288 | 06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02 |
3212 | colorcpl.exe | C:\Users\admin\AppData\Local\Temp\456b6ELMQ | sqlite | CC104C4E4E904C3AD7AD5C45FBFA7087 | 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B |
3212 | colorcpl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sqlite-dll-win32-x86-3210000[1].zip | compressed | C42EC8F35C6A06666E6AD54471A2728B | 22BB304AAB3EC7A51FC4DC7749F304BBE01C5EC014144FBC8F86012DC3B0708B |
3212 | colorcpl.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.def | text | 248209B7183B5D5B667DFD77EE847763 | 9FB7168694EBFA19383DE44AC8AA1B5341DEA5FC228DC7CCE8008C643807FDCE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
576 | Explorer.EXE | GET | 302 | 188.114.96.3:80 | http://www.oonrreward.xyz/m9ae/?Ar2=LevhYPqdwsQo7WECDbB459ZspyUUr+LEH/unqFqLIkFUX6m7L7+nz6QxOZtEbUGpwXH1U9LeHXBcQ/Z4BofTkIyqmkMy/StFRpalI38=&_jG4N=hBclaNlx48 | US | — | — | malicious |
576 | Explorer.EXE | POST | 404 | 192.185.90.105:80 | http://www.gmrsnodes.com/m9ae/ | US | html | 4.57 Kb | malicious |
576 | Explorer.EXE | GET | 520 | 172.67.214.243:80 | http://www.dailyheraldresearch.com/m9ae/?Ar2=q+GqSbkO5kqO+W9u2wMv3YbZtObNyzVKtq6EIVL87IABA33EfP0KRf98pYcXkGuAI3MeUWqMlX/oBOuWez361f5JAttGJNclmjoaEWM=&_jG4N=hBclaNlx48 | US | — | — | malicious |
576 | Explorer.EXE | POST | 404 | 192.185.90.105:80 | http://www.gmrsnodes.com/m9ae/ | US | html | 4.57 Kb | malicious |
576 | Explorer.EXE | GET | 404 | 192.185.90.105:80 | http://www.gmrsnodes.com/m9ae/?Ar2=mwF44ViOu9spAX9yirmP6xmlB9nqplTR930/p+8373gvxGpTfL4ouZObAVq0rWSH8GeW4++fOqUmcVqtvF+Qx0yHgDRGkE5qxmkgXJI=&_jG4N=hBclaNlx48 | US | html | 11.5 Kb | malicious |
3212 | colorcpl.exe | GET | 200 | 45.33.6.223:80 | http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip | US | compressed | 435 Kb | whitelisted |
576 | Explorer.EXE | POST | 405 | 172.67.214.243:80 | http://www.dailyheraldresearch.com/m9ae/ | US | html | 154 b | malicious |
576 | Explorer.EXE | POST | 404 | 192.185.90.105:80 | http://www.gmrsnodes.com/m9ae/ | US | html | 4.57 Kb | malicious |
576 | Explorer.EXE | POST | 404 | 216.40.34.41:80 | http://www.lee-perez.com/m9ae/ | CA | html | 5.00 Kb | malicious |
576 | Explorer.EXE | POST | 404 | 216.40.34.41:80 | http://www.lee-perez.com/m9ae/ | CA | html | 7.84 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 188.114.96.3:80 | www.oonrreward.xyz | CLOUDFLARENET | NL | malicious |
— | — | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious |
576 | Explorer.EXE | 192.185.90.105:80 | www.gmrsnodes.com | UNIFIEDLAYER-AS-1 | US | malicious |
576 | Explorer.EXE | 216.40.34.41:80 | www.lee-perez.com | TUCOWS | CA | malicious |
576 | Explorer.EXE | 172.67.214.243:80 | www.dailyheraldresearch.com | CLOUDFLARENET | US | malicious |
576 | Explorer.EXE | 93.179.126.52:80 | www.700544.com | IT7NET | HK | unknown |
576 | Explorer.EXE | 38.40.166.195:80 | www.frwqc.com | PEGTECHINC | US | malicious |
576 | Explorer.EXE | 74.208.236.65:80 | www.tommy57.shop | IONOS SE | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.oonrreward.xyz | | malicious |
www.sqlite.org | | whitelisted |
www.gmrsnodes.com | | malicious |
www.dailyheraldresearch.com | | malicious |
www.publickit.website | | unknown |
www.lee-perez.com | | malicious |
www.frwqc.com | | malicious |
www.tommy57.shop | | malicious |
www.700544.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Potentially Bad Traffic | ET INFO Request to .XYZ Domain with Minimal Headers |
576 | Explorer.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
576 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (POST) M2 |
576 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |