File name: PO#CR21-1178321.exe

Full analysis: https://app.any.run/tasks/0649df08-25ec-44e2-9200-a29bb71394f7
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: November 29, 2023, 02:30:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: formbook, xloader, stealer, spyware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 9740FFCABE988F0904286239839FD9B4
SHA1: C31E51BB0DFE0739275DC6BC038CA65183496E54
SHA256: 00539AFDBF4E898996217CA8F782CDB57079A1C371BF37214BDC5F38FD6DD6BC
SSDEEP: 24576:nqLuiAu2HXyD1nS9rIy5+3L854B+iZrhjoS3qCH4y2Oqq1BGUDmstdg3:nqyiAJXyD1nS9rt5+3L854B+iBhjoS3g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • PO#CR21-1178321.exe (PID: 668)
    • Drops the executable file immediately after the start

      • PO#CR21-1178321.exe (PID: 668)
    • FORMBOOK has been detected (YARA)

      • control.exe (PID: 2672)
    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 1944)
    • Connects to the CnC server

      • explorer.exe (PID: 1944)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • PO#CR21-1178321.exe (PID: 668)
    • Reads the Internet Settings

      • PO#CR21-1178321.exe (PID: 668)
    • Application launched itself

      • PO#CR21-1178321.exe (PID: 668)
    • Starts CMD.EXE for commands execution

      • control.exe (PID: 2672)
  • INFO

    • Checks supported languages

      • PO#CR21-1178321.exe (PID: 668)
      • PO#CR21-1178321.exe (PID: 2348)
    • Reads the computer name

      • PO#CR21-1178321.exe (PID: 668)
      • PO#CR21-1178321.exe (PID: 2348)
    • Create files in a temporary directory

      • PO#CR21-1178321.exe (PID: 668)
    • Creates files or folders in the user directory

      • PO#CR21-1178321.exe (PID: 668)
    • Reads the machine GUID from the registry

      • PO#CR21-1178321.exe (PID: 668)
    • Manual execution by a user

      • control.exe (PID: 2672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process: (2672) control.exe
C2: www.piabellacasino347.com/bp31/
Strings (79):
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2050:05:16 01:22:53+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 687104
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xa9bba
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: Microsoft WWA Host
FileVersion: 1.0.0.0
InternalName: YrYvNDAYI.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: YrYvNDAYI.exe
ProductName: Microsoft WWA Host
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Graph nodes (from start): po#cr21-1178321.exe, schtasks.exe, po#cr21-1178321.exe, control.exe (#FORMBOOK), cmd.exe, explorer.exe (#FORMBOOK)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 668 | CMD: "C:\Users\admin\AppData\Local\Temp\PO#CR21-1178321.exe" | Path: C:\Users\admin\AppData\Local\Temp\PO#CR21-1178321.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft WWA Host
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\po#cr21-1178321.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
PID 1944 | CMD: C:\Windows\Explorer.EXE | Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID 2064 | CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tvghbynsxy" /XML "C:\Users\admin\AppData\Local\Temp\tmpB60A.tmp" | Path: C:\Windows\SysWOW64\schtasks.exe | Parent process: PO#CR21-1178321.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID 2348 | CMD: "C:\Users\admin\AppData\Local\Temp\PO#CR21-1178321.exe" | Path: C:\Users\admin\AppData\Local\Temp\PO#CR21-1178321.exe | Parent process: PO#CR21-1178321.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft WWA Host
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\po#cr21-1178321.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID 2420 | CMD: /c del "C:\Users\admin\AppData\Local\Temp\PO#CR21-1178321.exe" | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: control.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID 2672 | CMD: "C:\Windows\SysWOW64\control.exe" | Path: C:\Windows\SysWOW64\control.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Control Panel
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\control.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
289
Read events
272
Write events
17
Delete events
0

Modification events

PID 1944 explorer.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | Operation: write | Name: CheckSetting | Value:
PID 1944 explorer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 668 PO#CR21-1178321.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 668 PO#CR21-1178321.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 668 PO#CR21-1178321.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 668 PO#CR21-1178321.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

Columns: PID | Process | Filename | Type
668 | PO#CR21-1178321.exe | C:\Users\admin\AppData\Local\Temp\tmpB60A.tmp | xml
MD5: 1A1E011FFDC5C640B97DABAB085248BC
SHA256: C6C58C300237ACBCC46D932FE1A2332C2D5552263506718302D0F10FDD33180E
668 | PO#CR21-1178321.exe | C:\Users\admin\AppData\Roaming\tvghbynsxy.exe | executable
MD5: 9740FFCABE988F0904286239839FD9B4
SHA256: 00539AFDBF4E898996217CA8F782CDB57079A1C371BF37214BDC5F38FD6DD6BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
2
Threats
1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1944 | explorer.exe | GET | 403 | 23.227.38.74:80 | http://www.photonpulsetherapy.com/bp31/?bn=D8MWd+gTAP1Zpyx0cA4qJFLm10ow2wcSQL7PBT1NYMTAAYRV3/1idSBxGkoB85NtdJaEWA==&vTd4K=MHQD | CA | html | 4.41 Kb | unknown
1944 | explorer.exe | GET | 410 | 3.64.163.50:80 | http://www.chubbysamericangrill.com/bp31/?bn=vTm2jbh/H0zaLoN7YIrInCa/IqL7qrMsmbcsslIAzwsgUsA5hZMWIncGkx3J5pRVnRMhaw==&vTd4K=MHQD | DE | html | 122 b | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1956 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
324 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1944 | explorer.exe | 3.64.163.50:80 | www.chubbysamericangrill.com | AMAZON-02 | DE | unknown
1944 | explorer.exe | 23.227.38.74:80 | www.photonpulsetherapy.com | CLOUDFLARENET | CA | unknown

DNS requests

Columns: Domain | IP | Reputation
www.chubbysamericangrill.com | 3.64.163.50 | unknown
www.photonpulsetherapy.com | 23.227.38.74 | unknown

Threats

Columns: PID | Process | Class | Message
1944 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET)