URL: | http://www.tekdefense.com |
Full analysis: | https://app.any.run/tasks/5c1272a9-8d98-4f90-bf1c-d0c5f6cb83f2 |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | July 17, 2019, 22:03:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | E33D46A48CBA6FC334399E94E49B2ED4 |
SHA1: | FC8FEC6E903A2D95DB9D09EC2141DC2B8908E02D |
SHA256: | 9797D6F7313E862FACF183CC4D81206B78C8ED1F5C64A3EDAA6733014E8B65C2 |
SSDEEP: | 3:N1KJS4eu5In:Cc4j5In |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3896 | "C:\Program Files\Mozilla Firefox\firefox.exe" "http://www.tekdefense.com" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe |
User: admin | Company: Mozilla Corporation | Integrity Level: MEDIUM | Description: Firefox | Version: 67.0.4 |
2700 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.0.17354899\1886252546" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 1164 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin | Company: Mozilla Corporation | Integrity Level: MEDIUM | Description: Firefox | Version: 67.0.4 |
3884 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.3.468614725\267735086" -childID 1 -isForBrowser -prefsHandle 1568 -prefMapHandle 1636 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 1324 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin | Company: Mozilla Corporation | Integrity Level: LOW | Description: Firefox | Version: 67.0.4 |
2944 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.13.192589341\1795676904" -childID 2 -isForBrowser -prefsHandle 2564 -prefMapHandle 2568 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 2580 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin | Company: Mozilla Corporation | Integrity Level: LOW | Description: Firefox | Version: 67.0.4 |
3544 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3896.20.509319689\474735054" -childID 3 -isForBrowser -prefsHandle 3652 -prefMapHandle 3620 -prefsLen 6804 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3896 "\\.\pipe\gecko-crash-server-pipe.3896" 3656 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin | Company: Mozilla Corporation | Integrity Level: LOW | Description: Firefox | Version: 67.0.4 |
(PID) Process: | (3896) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 0000000000000000 | |||
(PID) Process: | (3896) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3896) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: | |||
PID | Process | Filename | Type | |
---|---|---|---|---|
3896 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:D65B2BD591A1D6CC666241E6EEF1AFE7 | SHA256:1B94F69A3BF3CB9F7349FE274CA82166C22D675F9B043B19F2770D044AE9BD16 | |||
3896 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat | text | |
MD5:37818D9B7248F34395C2DB3C0BD4B07F | SHA256:FF229E03D2AB696E81957957EA8D71280B5800A2B0F70EA77998C3FA4E98A8A6 | |||
3896 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:FD4AC055B608CF2C11C9B2C796A4FE1A | SHA256:1D8A349613F7DCB71BF648C8C7F780F3953A2BC53435846289101FD77D8887AF | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3896 | firefox.exe | GET | 200 | 198.49.23.177:80 | http://www.tekdefense.com/ | US | html | 86.4 Kb | whitelisted |
3896 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3896 | firefox.exe | GET | 200 | 198.49.23.177:80 | http://www.tekdefense.com/universal/yui/yahoo-dom-event/yahoo-dom-event.js?CE=75 | US | text | 36.1 Kb | whitelisted |
3896 | firefox.exe | GET | 200 | 198.49.23.177:80 | http://www.tekdefense.com/universal/yui/json/json-min.js?CE=75 | US | text | 4.78 Kb | whitelisted |
3896 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3896 | firefox.exe | GET | 200 | 198.49.23.177:80 | http://www.tekdefense.com/universal/yui/connection/connection_core-min.js?CE=75 | US | text | 7.40 Kb | whitelisted |
3896 | firefox.exe | GET | 200 | 2.16.106.209:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
3896 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3896 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3896 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3896 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3896 | firefox.exe | 216.58.206.10:80 | ajax.googleapis.com | Google Inc. | US | whitelisted |
3896 | firefox.exe | 108.128.247.43:443 | location.services.mozilla.com | AT&T Services, Inc. | US | unknown |
3896 | firefox.exe | 198.49.23.177:80 | www.tekdefense.com | Squarespace, Inc. | US | malicious |
3896 | firefox.exe | 216.58.210.10:80 | ajax.googleapis.com | Google Inc. | US | whitelisted |
3896 | firefox.exe | 23.210.248.226:443 | www.paypalobjects.com | Akamai International B.V. | NL | whitelisted |
3896 | firefox.exe | 34.215.70.240:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3896 | firefox.exe | 192.30.253.119:443 | gist.github.com | GitHub, Inc. | US | shared |
3896 | firefox.exe | 13.225.79.58:443 | snippets.cdn.mozilla.net | — | US | unknown |
3896 | firefox.exe | 216.58.205.227:80 | fonts.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com | | whitelisted |
www.tekdefense.com | | whitelisted |
a1089.dscd.akamai.net | | whitelisted |
www.squarespace.com | | whitelisted |
location.services.mozilla.com | | whitelisted |
locprod1-elb-eu-west-1.prod.mozaws.net | | whitelisted |
push.services.mozilla.com | | whitelisted |
autopush.prod.mozaws.net | | whitelisted |
ocsp.digicert.com | | whitelisted |
cs9.wac.phicdn.net | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3896 | firefox.exe | A Network Trojan was detected | MALWARE [PTsecurity] Baldr.Stealer C2 Response |
3896 | firefox.exe | A Network Trojan was detected | MALWARE [PTsecurity] Baldr.Stealer C2 Response |