analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

a2b43ba6d6a6af9f0fa07cab1a1ffd64

Full analysis: https://app.any.run/tasks/f0561eef-2ba4-483d-acc9-6883842992c7
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: December 05, 2022, 20:24:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
xloader
trojan
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

A2B43BA6D6A6AF9F0FA07CAB1A1FFD64

SHA1:

0D63EE2545439DFF61486E040FB8D921BEE79AE3

SHA256:

9A67166C5A81302300022D5FCF029600356460FCF3CE82FA37DB08B131A0459F

SSDEEP:

6144:LBnmyK4O/ekC2y6gPWJ6OC4tp8k4Hg2Y5nkjtPPraKFMP4wzSl7dlP7O/9Dj:Q7e6gPPOCm8kSIsPWK2Ptzo7dpy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe (PID: 868)
    • Application was dropped or rewritten from another process

      • ycayuhnew.exe (PID: 492)
      • ycayuhnew.exe (PID: 2564)
    • FORMBOOK detected by memory dumps

      • rundll32.exe (PID: 3664)
    • Unusual connection from system programs

      • Explorer.EXE (PID: 912)
    • Connects to the CnC server

      • Explorer.EXE (PID: 912)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 912)
    • Formbook is detected

      • Explorer.EXE (PID: 912)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe (PID: 868)
    • Application launched itself

      • ycayuhnew.exe (PID: 492)
    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 3664)
  • INFO

    • Checks supported languages

      • a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe (PID: 868)
      • ycayuhnew.exe (PID: 492)
      • ycayuhnew.exe (PID: 2564)
    • Reads the computer name

      • a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe (PID: 868)
      • ycayuhnew.exe (PID: 2564)
    • Creates a file in a temporary directory

      • a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe (PID: 868)
    • Drops a file that was compiled in debug mode

      • a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe (PID: 868)
    • Manual execution by a user

      • rundll32.exe (PID: 3664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(3664) rundll32.exe
Decoy C2 (64)3472cc.com
takecareyourhair.com
kontolajigasd21.xyz
daihaitrinh.net
syncmostlatestinfo-file.info
lovesolutionsastrologist.info
angelapryan.com
rio727casino.com
jjsgagets.com
devyatkina.online
thegoldenbeautyqatar.com
czytaj-unas24live.monster
timepoachers.com
gayxxxporn.site
72308.xyz
kristanolivo.com
hijrahfwd.com
bmfighters.com
alfamx.website
handfulofbabesbows.com
nationalsocialism.link
mega-recarga-arg.com
rytstack.com
kfav77.xyz
rrexec.net
linetl.top
freedomcleaningusa.com
abofahad3478.tokyo
teamvalvolineeurope.com
kyty4265.com
afrikannaland.info
dharmatradinguae.com
bqylc.buzz
lifeprojectmanager.pro
streeteli.site
68fk.vip
wasemanntrucking.com
auracreitarusblog.com
dfgzyt.cyou
tecnotuto.net
ookkvip.com
247repairs.info
tyvwotnmrlpjgl.biz
courtneymporter.com
gildainterior.com
papiska.xyz
sparrow.run
tyh-group.com
april-zodiac-sign.info
kiaf1.site
cooleyes.live
partasa.com
connecticutinteriors.com
thelovehandles.us
netinseg.website
diaryranch.xyz
serenaderange.com
milano.icu
vapeseasy.com
hengruncosmetics.com
vlashon.com
masberlian.ink
djayadiwangsa.store
nicneni.xyz
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.ym2668.top/8rmt/
Decoy C2 (64)3472cc.com
takecareyourhair.com
kontolajigasd21.xyz
daihaitrinh.net
syncmostlatestinfo-file.info
lovesolutionsastrologist.info
angelapryan.com
rio727casino.com
jjsgagets.com
devyatkina.online
thegoldenbeautyqatar.com
czytaj-unas24live.monster
timepoachers.com
gayxxxporn.site
72308.xyz
kristanolivo.com
hijrahfwd.com
bmfighters.com
alfamx.website
handfulofbabesbows.com
nationalsocialism.link
mega-recarga-arg.com
rytstack.com
kfav77.xyz
rrexec.net
linetl.top
freedomcleaningusa.com
abofahad3478.tokyo
teamvalvolineeurope.com
kyty4265.com
afrikannaland.info
dharmatradinguae.com
bqylc.buzz
lifeprojectmanager.pro
streeteli.site
68fk.vip
wasemanntrucking.com
auracreitarusblog.com
dfgzyt.cyou
tecnotuto.net
ookkvip.com
247repairs.info
tyvwotnmrlpjgl.biz
courtneymporter.com
gildainterior.com
papiska.xyz
sparrow.run
tyh-group.com
april-zodiac-sign.info
kiaf1.site
cooleyes.live
partasa.com
connecticutinteriors.com
thelovehandles.us
netinseg.website
diaryranch.xyz
serenaderange.com
milano.icu
vapeseasy.com
hengruncosmetics.com
vlashon.com
masberlian.ink
djayadiwangsa.store
nicneni.xyz
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.ym2668.top/8rmt/
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2015-Dec-27 05:38:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2015-Dec-27 05:38:52
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
23626
24064
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.41076
.rdata
28672
4446
4608
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.14255
.data
36864
110712
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.22522
.ndata
151552
32768
0
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc
184320
206648
206848
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.67313

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.6686
67624
UNKNOWN
English - United States
RT_ICON
2
4.20636
38056
UNKNOWN
English - United States
RT_ICON
3
4.21554
26600
UNKNOWN
English - United States
RT_ICON
4
4.24892
21640
UNKNOWN
English - United States
RT_ICON
5
4.08716
16936
UNKNOWN
English - United States
RT_ICON
6
7.95631
15974
UNKNOWN
English - United States
RT_ICON
7
4.49335
9640
UNKNOWN
English - United States
RT_ICON
8
4.55083
4264
UNKNOWN
English - United States
RT_ICON
9
5.02221
2440
UNKNOWN
English - United States
RT_ICON
10
4.96191
1128
UNKNOWN
English - United States
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe ycayuhnew.exe no specs ycayuhnew.exe no specs #FORMBOOK rundll32.exe no specs cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
868"C:\Users\admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe" C:\Users\admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
492"C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\admin\AppData\Local\Temp\rjyyjwcs.jC:\Users\admin\AppData\Local\Temp\ycayuhnew.exea2b43ba6d6a6af9f0fa07cab1a1ffd64.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ycayuhnew.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2564"C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe"C:\Users\admin\AppData\Local\Temp\ycayuhnew.exeycayuhnew.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ycayuhnew.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3664"C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Formbook
(PID) Process(3664) rundll32.exe
Decoy C2 (64)3472cc.com
takecareyourhair.com
kontolajigasd21.xyz
daihaitrinh.net
syncmostlatestinfo-file.info
lovesolutionsastrologist.info
angelapryan.com
rio727casino.com
jjsgagets.com
devyatkina.online
thegoldenbeautyqatar.com
czytaj-unas24live.monster
timepoachers.com
gayxxxporn.site
72308.xyz
kristanolivo.com
hijrahfwd.com
bmfighters.com
alfamx.website
handfulofbabesbows.com
nationalsocialism.link
mega-recarga-arg.com
rytstack.com
kfav77.xyz
rrexec.net
linetl.top
freedomcleaningusa.com
abofahad3478.tokyo
teamvalvolineeurope.com
kyty4265.com
afrikannaland.info
dharmatradinguae.com
bqylc.buzz
lifeprojectmanager.pro
streeteli.site
68fk.vip
wasemanntrucking.com
auracreitarusblog.com
dfgzyt.cyou
tecnotuto.net
ookkvip.com
247repairs.info
tyvwotnmrlpjgl.biz
courtneymporter.com
gildainterior.com
papiska.xyz
sparrow.run
tyh-group.com
april-zodiac-sign.info
kiaf1.site
cooleyes.live
partasa.com
connecticutinteriors.com
thelovehandles.us
netinseg.website
diaryranch.xyz
serenaderange.com
milano.icu
vapeseasy.com
hengruncosmetics.com
vlashon.com
masberlian.ink
djayadiwangsa.store
nicneni.xyz
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.ym2668.top/8rmt/
(PID) Process(3664) rundll32.exe
Decoy C2 (64)3472cc.com
takecareyourhair.com
kontolajigasd21.xyz
daihaitrinh.net
syncmostlatestinfo-file.info
lovesolutionsastrologist.info
angelapryan.com
rio727casino.com
jjsgagets.com
devyatkina.online
thegoldenbeautyqatar.com
czytaj-unas24live.monster
timepoachers.com
gayxxxporn.site
72308.xyz
kristanolivo.com
hijrahfwd.com
bmfighters.com
alfamx.website
handfulofbabesbows.com
nationalsocialism.link
mega-recarga-arg.com
rytstack.com
kfav77.xyz
rrexec.net
linetl.top
freedomcleaningusa.com
abofahad3478.tokyo
teamvalvolineeurope.com
kyty4265.com
afrikannaland.info
dharmatradinguae.com
bqylc.buzz
lifeprojectmanager.pro
streeteli.site
68fk.vip
wasemanntrucking.com
auracreitarusblog.com
dfgzyt.cyou
tecnotuto.net
ookkvip.com
247repairs.info
tyvwotnmrlpjgl.biz
courtneymporter.com
gildainterior.com
papiska.xyz
sparrow.run
tyh-group.com
april-zodiac-sign.info
kiaf1.site
cooleyes.live
partasa.com
connecticutinteriors.com
thelovehandles.us
netinseg.website
diaryranch.xyz
serenaderange.com
milano.icu
vapeseasy.com
hengruncosmetics.com
vlashon.com
masberlian.ink
djayadiwangsa.store
nicneni.xyz
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.ym2668.top/8rmt/
3564/c del "C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe"C:\Windows\System32\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
912C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
735
Read events
735
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
868a2b43ba6d6a6af9f0fa07cab1a1ffd64.exeC:\Users\admin\AppData\Local\Temp\dxlnbanzq.ebinary
MD5:F6710918E3ECDBA55AA451FB1B08742D
SHA256:CC573825ABA59339F11629B7FE1ED9ADF098E5F12004F441948FE45FCC12A5A7
868a2b43ba6d6a6af9f0fa07cab1a1ffd64.exeC:\Users\admin\AppData\Local\Temp\nsg9915.tmpbinary
MD5:99DBE321B839C5C8611FCF92D591D4B3
SHA256:093C821C9C687A401316AD33232533EE8D71BCC8A768F6BBAE6D10686F8A9F33
868a2b43ba6d6a6af9f0fa07cab1a1ffd64.exeC:\Users\admin\AppData\Local\Temp\rjyyjwcs.jbinary
MD5:45CBFD24B9943772008F524A20E0A56F
SHA256:AFEF884E713661B15D8639AC7268B667742EBE67B0E031E7D617F2DD2D5813FF
868a2b43ba6d6a6af9f0fa07cab1a1ffd64.exeC:\Users\admin\AppData\Local\Temp\ycayuhnew.exeexecutable
MD5:D3749F4E6710B8D5BEB987F07A5E8580
SHA256:EDFA8CF65BBE6A0AD70CFC86A451B4AC86D034EFC77F4E117151FAA48AF2D73F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
912
Explorer.EXE
GET
410
3.64.163.50:80
http://www.kiaf1.site/8rmt/?LnJL=Drw+5op+ENV0iYqxo8M7C5N0S+6MRM94/NrVrmq26mmPDOavBy4xzBZqerrVpLizXmCFCw==&jPh8=KnJHvh
US
html
108 b
malicious
912
Explorer.EXE
GET
403
23.227.38.74:80
http://www.streeteli.site/8rmt/?LnJL=gDBz1LMvaRAn16UL/TmQ59mIs755h3wczlOLkLbFqqJke4iY2LTYbrsZzKAEVkVzUYfKdg==&jPh8=KnJHvh
CA
html
5.03 Kb
malicious
912
Explorer.EXE
GET
301
188.114.97.3:80
http://www.ym2668.top/8rmt/?LnJL=pR67c+KOD4QUEFVHl1o9/L5k9VWq5eUb2FdFXw4R7kp/J3UeEjbGljkaWpuPR6UQ7uKBaQ==&jPh8=KnJHvh
US
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
912
Explorer.EXE
188.114.97.3:80
www.ym2668.top
CLOUDFLARENET
NL
malicious
912
Explorer.EXE
3.64.163.50:80
www.kiaf1.site
AMAZON-02
DE
malicious
912
Explorer.EXE
23.227.38.74:80
www.streeteli.site
CLOUDFLARENET
CA
malicious

DNS requests

Domain
IP
Reputation
www.kiaf1.site
  • 3.64.163.50
malicious
www.streeteli.site
  • 23.227.38.74
malicious
www.masberlian.ink
unknown
www.ym2668.top
  • 188.114.97.3
  • 188.114.96.3
malicious

Threats

PID
Process
Class
Message
912
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
912
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
912
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
912
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
912
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
912
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
912
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
912
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
912
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
No debug info