File name:

FINALDOCUMENT.exe

Full analysis: https://app.any.run/tasks/a14edce2-75fd-4cdb-86b8-af543767b828
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: February 20, 2025, 08:58:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
formbook
stealer
netreactor
xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

0D0EC39D42DDF165923137C085390865

SHA1:

66B9F20F8538DD57721D5F3EF8420B959C0D85FD

SHA256:

0297C69A6525DCC36009EBCF3DF69478F22E99D788DD81B1A26728C7ACB663E9

SSDEEP:

24576:3Dd88mWhq9CU6RH1G6PZ16y2gQYr0dKGCtYOYoAbXIZ1HtHKz1f7fVha/ipOl9zT:zd88mWhq9CU6RH1G6PZ16y2gQYr0dKGK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • FINALDOCUMENT.exe (PID: 2940)

    • FORMBOOK has been detected

      • colorcpl.exe (PID: 5892)
      • explorer.exe (PID: 4488)

    • FORMBOOK has been detected (YARA)

      • colorcpl.exe (PID: 5892)

    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 4488)

    • Connects to the CnC server

      • explorer.exe (PID: 4488)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • FINALDOCUMENT.exe (PID: 2940)

    • Executable content was dropped or overwritten

      • FINALDOCUMENT.exe (PID: 2940)

    • Starts CMD.EXE for commands execution

      • colorcpl.exe (PID: 5892)

    • Deletes system .NET executable

      • cmd.exe (PID: 2124)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 4488)

  • INFO

    • Creates files or folders in the user directory

      • FINALDOCUMENT.exe (PID: 2940)

    • Reads the computer name

      • FINALDOCUMENT.exe (PID: 2940)
      • RegSvcs.exe (PID: 1616)

    • Create files in a temporary directory

      • FINALDOCUMENT.exe (PID: 2940)

    • Reads the machine GUID from the registry

      • FINALDOCUMENT.exe (PID: 2940)

    • Manual execution by a user

      • colorcpl.exe (PID: 5892)

    • Process checks computer location settings

      • FINALDOCUMENT.exe (PID: 2940)

    • Checks supported languages

      • FINALDOCUMENT.exe (PID: 2940)
      • RegSvcs.exe (PID: 1616)

    • .NET Reactor protector has been detected

      • FINALDOCUMENT.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(5892) colorcpl.exe
C2www.b13t17.pro/my18/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)cicotte.shop
tetrf.net
rkidnclothing.net
ibriz.online
49fb2ka.top
matic.xyz
yh.lol
f59m.club
vc-panels-coral.sbs
tpsx.top
ealturmat.xyz
sianglobalinvestment.site
ourpetia.online
q801.info
oslslat.store
gt77.net
skpmypqxn.xyz
nackcy.shop
abfyxerlink.info
rym.net
reenhive.energy
asinobest.casino
otorhomes-for-seniors-bear.sbs
ateriapg.net
uetedit.net
evalora.xyz
ali100.online
friquechoice.shop
ommunityministernetwork.net
aytollfpg.vip
avurenilopaxo.click
s588zg.top
mtkash.online
etttttt169.top
skconofdallas.net
y009.xyz
r836068.xyz
olankidigipro.online
volvefyxerprotech.info
irosat.pro
romosinevitaveis.shop
hh113.top
77.lol
yjapan-vpass.shop
cvban.xyz
elium.solutions
eimdallsupplychains.net
pabox.xyz
ahooodi.xyz
idadari29nice.makeup
utomotivacion.net
y046.xyz
acucardsvcs.online
35lfeq932r.shop
irtualvisionlk.pro
asis.rent
nkj89qv.top
hetollroads-paytollqqc.help
luspoints.store
elegslga.best
58mc.top
47gy.top
ontery.net
ie.info
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2091:01:09 19:15:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 880128
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xd8c9a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft
FileDescription: AnalogClock
FileVersion: 1.0.0.0
InternalName: gbxyt.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: gbxyt.exe
ProductName: AnalogClock
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
9
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start finaldocument.exe schtasks.exe no specs conhost.exe no specs regsvcs.exe no specs #FORMBOOK colorcpl.exe no specs cmd.exe no specs conhost.exe no specs #FORMBOOK explorer.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1616"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFINALDOCUMENT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2124/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\SysWOW64\cmd.execolorcpl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2624\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2940"C:\Users\admin\Desktop\FINALDOCUMENT.exe" C:\Users\admin\Desktop\FINALDOCUMENT.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
AnalogClock
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\finaldocument.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4488C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\smartscreenps.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
5448\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5848"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lbpblE" /XML "C:\Users\admin\AppData\Local\Temp\tmpABA5.tmp"C:\Windows\SysWOW64\schtasks.exeFINALDOCUMENT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5892"C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Color Control Panel
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\colorui.dll
Formbook
(PID) Process(5892) colorcpl.exe
C2www.b13t17.pro/my18/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)cicotte.shop
tetrf.net
rkidnclothing.net
ibriz.online
49fb2ka.top
matic.xyz
yh.lol
f59m.club
vc-panels-coral.sbs
tpsx.top
ealturmat.xyz
sianglobalinvestment.site
ourpetia.online
q801.info
oslslat.store
gt77.net
skpmypqxn.xyz
nackcy.shop
abfyxerlink.info
rym.net
reenhive.energy
asinobest.casino
otorhomes-for-seniors-bear.sbs
ateriapg.net
uetedit.net
evalora.xyz
ali100.online
friquechoice.shop
ommunityministernetwork.net
aytollfpg.vip
avurenilopaxo.click
s588zg.top
mtkash.online
etttttt169.top
skconofdallas.net
y009.xyz
r836068.xyz
olankidigipro.online
volvefyxerprotech.info
irosat.pro
romosinevitaveis.shop
hh113.top
77.lol
yjapan-vpass.shop
cvban.xyz
elium.solutions
eimdallsupplychains.net
pabox.xyz
ahooodi.xyz
idadari29nice.makeup
utomotivacion.net
y046.xyz
acucardsvcs.online
35lfeq932r.shop
irtualvisionlk.pro
asis.rent
nkj89qv.top
hetollroads-paytollqqc.help
luspoints.store
elegslga.best
58mc.top
47gy.top
ontery.net
ie.info
Total events
832
Read events
832
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2940FINALDOCUMENT.exeC:\Users\admin\AppData\Local\Temp\tmpABA5.tmpxml
MD5:938A54A04E343A17E28586CFA78AB0CC
SHA256:CDE8B331A70A65693422CC5C9EC760DE9ED22BE29DCEF123205E0F54E964DB7F
2940FINALDOCUMENT.exeC:\Users\admin\AppData\Roaming\lbpblE.exeexecutable
MD5:0D0EC39D42DDF165923137C085390865
SHA256:0297C69A6525DCC36009EBCF3DF69478F22E99D788DD81B1A26728C7ACB663E9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
12
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3996
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4488
explorer.exe
GET
103.249.106.98:80
http://www.yh.lol/my18/?vzu=fC/kKZ8BVJqgCZya5TUl0ARmqrQWVBQskM0czZfCfOKL4A1XMt0O31iNLKUT4BRfAamL&Gpm=MhDxCv
unknown
malicious
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3996
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3996
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.15.178.202:443
www.bing.com
Akamai International B.V.
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3996
svchost.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3996
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3996
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
www.bing.com
  • 23.15.178.202
  • 23.15.178.201
  • 23.15.178.200
  • 23.15.178.219
  • 23.15.178.216
  • 23.15.178.224
  • 23.15.178.217
  • 23.15.178.232
  • 23.15.178.211
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.skpmypqxn.xyz
unknown
www.elegslga.best
unknown
www.tetrf.net
unknown
www.asis.rent
unknown
self.events.data.microsoft.com
  • 20.189.173.25
whitelisted

Threats

PID
Process
Class
Message
4488
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FINALDOCUMENT.exe