File name: | CTM Copy_xlsx.exe |
Full analysis: | https://app.any.run/tasks/6fe5e5b3-464c-4456-b122-b99bac94b644 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2022, 19:09:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 12DF41BBB58BB99AD3DF727681B0750E |
SHA1: | 1A885369FCD806ABB1DDB78A12FB1F6C20D30331 |
SHA256: | 04485275963CA6154767437248125EC169E808006463F79F737D325AEEE8D3A6 |
SSDEEP: | 6144:aNeZwp+BeU153NEYOyldTMSAKTUevYviEt:aNL8p3k8MSAWYKEt |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x34f7 |
UninitializedDataSize: | 2048 |
InitializedDataSize: | 141824 |
CodeSize: | 26112 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2021:09:25 23:55:49+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 25-Sep-2021 21:55:49 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 25-Sep-2021 21:55:49 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006515 | 0x00006600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43971 |
.rdata | 0x00008000 | 0x0000139A | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14577 |
.data | 0x0000A000 | 0x00020338 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.0137 |
.ndata | 0x0002B000 | 0x00010000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0003B000 | 0x00004298 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.73075 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.29934 | 830 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.52786 | 4264 | UNKNOWN | English - United States | RT_ICON |
3 | 5.2334 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 2.45849 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2764 | "C:\Users\admin\AppData\Local\Temp\CTM Copy_xlsx.exe" | C:\Users\admin\AppData\Local\Temp\CTM Copy_xlsx.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3092 | C:\Users\admin\AppData\Local\Temp\qglem.exe C:\Users\admin\AppData\Local\Temp\eafeuqvhw | C:\Users\admin\AppData\Local\Temp\qglem.exe | — | CTM Copy_xlsx.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2836 | C:\Users\admin\AppData\Local\Temp\qglem.exe C:\Users\admin\AppData\Local\Temp\eafeuqvhw | C:\Users\admin\AppData\Local\Temp\qglem.exe | — | qglem.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3524 | "C:\Windows\System32\cmmon32.exe" | C:\Windows\System32\cmmon32.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Monitor Version: 7.02.7600.16385 (win7_rtm.090713-1255) Modules
Formbook(PID) Process(3524) cmmon32.exe Modules (42)kernel32.dll advapi32.dll ws2_32.dll svchost.exe msiexec.exe wuauclt.exe lsass.exe wlanext.exe msg.exe lsm.exe dwm.exe help.exe chkdsk.exe cmmon32.exe nbtstat.exe spoolsv.exe rdpclip.exe control.exe taskhost.exe rundll32.exe systray.exe audiodg.exe wininit.exe services.exe autochk.exe autoconv.exe autofmt.exe cmstp.exe colorcpl.exe cscript.exe explorer.exe WWAHost.exe ipconfig.exe msdt.exe mstsc.exe NAPSTAT.EXE netsh.exe NETSTAT.EXE raserver.exe wscript.exe wuapp.exe cmd.exe Decoys and strings (143)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start jjwire.biz nowufei270.xyz gaypornoi.com rtppromo168.com lzku0vl5b59b.xyz pilotwycieczek.pro winterlandcabins.com planaulamobel.club nikerunningtnday1saikais.xyz newknotes.com fastdeliverydubai.com primecrose.email 16555333333.com sd4bmbn8z00jqq.xyz cloraste.xyz herbootsto.biz austinketofitdiet.site hcbackstage.com desertvan.com ke63zamai2.xyz electriciteguigonnat.com pittstreetstation.com mulukaltejara.com ridecloud.xyz canadianinntexas.com aroinvestmentsinc.com teeprints.host samgarbooshian.com xk4bvysam0gpv1.xyz highriseworld.xyz man-maker.com jinlicpa.com theearthisonepiece.com mbproqisfd.xyz quotingbiz.com longcoin.space 2022coinbase.net idataguard.com 10xesport.com anushashetty.com kaysheavenlybeauty.com bz1lx4ryt.xyz hobbytoyz.xyz fisaspa.com jevohns.xyz uurks.xyz naqhakgckj.com raisastore.com gravity.my.id web3programme.xyz updatemanagementcenter.com betabuild.space fhjdhjf.com ocqff.xyz 134w59th.info 66n.xyz lovewealthsecrets.com 846648.xyz gastroherodiscount.com ogalliance.com soeoul-kk.site straver.biz dayo-casa.com chinagrdq.com f-end C2www.identamazononline.com/ai26/ | |||||||||||||||
1644 | /c del "C:\Users\admin\AppData\Local\Temp\qglem.exe" | C:\Windows\System32\cmd.exe | — | cmmon32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
764 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (764) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2764 | CTM Copy_xlsx.exe | C:\Users\admin\AppData\Local\Temp\zkl6clbg9heou2th753w | binary | |
MD5:F0836BB98DF7513F53DD7F17AE738394 | SHA256:BC129FA6303C97AFD44C21DF5456E390449053FBBA7EC5C4A7BA75985A0C2B13 | |||
2764 | CTM Copy_xlsx.exe | C:\Users\admin\AppData\Local\Temp\eafeuqvhw | binary | |
MD5:681157DCC787D0F0E3292CF3336569B4 | SHA256:43414F1F8CDB49D8E1F1844DCCC59B684D5C28C6D691769656F257F44028D607 | |||
2764 | CTM Copy_xlsx.exe | C:\Users\admin\AppData\Local\Temp\qglem.exe | executable | |
MD5:789A9B225BAC734EE4408B39C3E43726 | SHA256:DC59EEE6A68D128E2BFF339CA2A575F1F48449749A0F31FCEEAB798F0A80B6BC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
764 | Explorer.EXE | GET | — | 173.236.169.80:80 | http://www.quotingbiz.com/ai26/?sPxxV4=3tlSHTJurgNcZ0H1SVSb5gq9mGSLID8SiAS9uc4hNLsCN06X6c5urHvQ7HpXjO4XmN2TjQ==&CXd0k=htJ8Zl | US | — | — | malicious |
764 | Explorer.EXE | GET | 301 | 188.114.97.10:80 | http://www.bz1lx4ryt.xyz/ai26/?sPxxV4=98fAY1fNtIv3oejDkQ0sC34NPLd1m4ip8f8biUOwErl9X2+RzCGTFDrWwVktyNigUphilQ==&CXd0k=htJ8Zl | US | html | 399 b | malicious |
764 | Explorer.EXE | GET | 200 | 23.202.231.167:80 | http://www.samgarbooshian.com/ai26/?sPxxV4=E3zAgi+7L/lEGjyO+4USvjQpzTEoCSFTAloa1oD+2ZcrzWS3DjWKkK7NNVMbLRvR+MvLWg==&CXd0k=htJ8Zl | US | html | 381 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
764 | Explorer.EXE | 173.236.169.80:80 | www.quotingbiz.com | New Dream Network, LLC | US | malicious |
764 | Explorer.EXE | 23.202.231.167:80 | www.samgarbooshian.com | Akamai Technologies, Inc. | US | malicious |
764 | Explorer.EXE | 188.114.97.10:80 | www.bz1lx4ryt.xyz | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bz1lx4ryt.xyz |
| malicious |
www.longcoin.space |
| unknown |
www.quotingbiz.com |
| malicious |
www.samgarbooshian.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
764 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
764 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
764 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
764 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
764 | Explorer.EXE | Potentially Bad Traffic | ET INFO Request to .XYZ Domain with Minimal Headers |
764 | Explorer.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
764 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
764 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
764 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
764 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |