analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

product samples pdf.exe

Full analysis: https://app.any.run/tasks/e71d009c-462d-4346-ad04-ae4d0788c513
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: November 14, 2018, 16:03:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

01441BC8B55D498919ACF5421C99932E

SHA1:

493C44AC8449707A3393795ACB567E2E3E908351

SHA256:

0D473BF357232A6555D97AC74359D2ED341E54152748580102D1F365A86436C2

SSDEEP:

12288:2T0U+enjd/wjqkcSBkevXU5wtfYjYL7lBeQF:pLenjd/OcqkevX2zYL7neQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • FORMBOOK was detected

      • explorer.exe (PID: 1604)
    • Formbook was detected

      • wininit.exe (PID: 2404)
      • Firefox.exe (PID: 4044)
    • Connects to CnC server

      • explorer.exe (PID: 1604)
    • Changes the autorun value in the registry

      • wininit.exe (PID: 2404)
    • Actions looks like stealing of personal data

      • wininit.exe (PID: 2404)
    • Stealing of credential data

      • wininit.exe (PID: 2404)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wininit.exe (PID: 2404)
    • Creates files in the user directory

      • wininit.exe (PID: 2404)
    • Loads DLL from Mozilla Firefox

      • wininit.exe (PID: 2404)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 1604)
      • DllHost.exe (PID: 2660)
    • Creates files in the program directory

      • DllHost.exe (PID: 2660)
    • Executes scripts

      • explorer.exe (PID: 1604)
  • INFO

    • Creates files in the user directory

      • Firefox.exe (PID: 4044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

ProductVersion: 1, 0, 0, 1
ProductName: vidccleaner Application
OriginalFileName: vidccleaner.EXE
LegalTrademarks: -
LegalCopyright: Copyright (C) 2004
InternalName: vidccleaner
FileVersion: 1, 0, 0, 1
FileDescription: vidccleaner MFC Application
CompanyName: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x17b001
UninitializedDataSize: -
InitializedDataSize: 965120
CodeSize: 564224
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • English - United States
  • Russian - Russia
CompanyName: -
FileDescription: vidccleaner MFC Application
FileVersion: 1, 0, 0, 1
InternalName: vidccleaner
LegalCopyright: Copyright (C) 2004
LegalTrademarks: -
OriginalFilename: vidccleaner.EXE
ProductName: vidccleaner Application
ProductVersion: 1, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000040

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 10
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
0x00001000
0x0008A000
0x00039000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99851
DATA
0x0008B000
0x00002000
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.53185
BSS
0x0008D000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x0008E000
0x00003000
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.73122
.tls
0x00091000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x00092000
0x00001000
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_WRITE
0.199108
.reloc
0x00093000
0x00009000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0009C000
0x000DF000
0x0004BA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.98019
.aspack
0x0017B000
0x00009000
0x00008800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.40156
.adata
0x00184000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Resources

Title
Entropy
Size
Codepage
Language
Type
1
1.95692
1580
Latin 1 / Western European
English - United States
RT_VERSION
2
4.13649
2440
Latin 1 / Western European
Russian - Russia
RT_ICON
3
3.45824
1128
Latin 1 / Western European
Russian - Russia
RT_ICON
4
7.33857
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
5
7.34613
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
6
7.22825
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
7
7.16823
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
50
3.98723
296
Latin 1 / Western European
UNKNOWN
RT_ICON
51
7.71376
4088
Latin 1 / Western European
UNKNOWN
RT_ICON
52
2.30866
9640
Latin 1 / Western European
UNKNOWN
RT_ICON

Imports

kernel32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start product samples pdf.exe no specs #FORMBOOK wininit.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object mlmlhtvplchf.exe no specs cscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3380"C:\Users\admin\AppData\Local\Temp\product samples pdf.exe" C:\Users\admin\AppData\Local\Temp\product samples pdf.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
vidccleaner MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2404"C:\Windows\System32\wininit.exe"C:\Windows\System32\wininit.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Start-Up Application
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3948/c del "C:\Users\admin\AppData\Local\Temp\product samples pdf.exe"C:\Windows\System32\cmd.exewininit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1604C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4044"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wininit.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
2660C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4020"C:\Program Files\Aeln\mlmlhtvplchf.exe"C:\Program Files\Aeln\mlmlhtvplchf.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
vidccleaner MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2132"C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
85
Read events
84
Write events
1
Delete events
0

Modification events

(PID) Process:(2404) wininit.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:P2UHZDSXGRF
Value:
C:\Program Files\Aeln\mlmlhtvplchf.exe
Executable files
2
Suspicious files
83
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2404wininit.exeC:\Users\admin\AppData\Roaming\NKR2RS2E\NKRlogrc.inibinary
MD5:7DD5EF3DBBB351ACFC3671A6E0F49047
SHA256:BCD6E29EC1D7F26598284623704D15326637F2E083F4ADDB0A82FF876FDC2B99
2404wininit.exeC:\Users\admin\AppData\Roaming\NKR2RS2E\NKRlogim.jpegimage
MD5:1AF58958F20B1FF4F10AF09028AE7281
SHA256:AF05DFB9E8D011C8EA2A402A61226815D537271B0AEBE950997CF84C1A74ED83
2404wininit.exeC:\Users\admin\AppData\Roaming\NKR2RS2E\NKRlogri.inibinary
MD5:A91326B17FFC60FFA0DB96A24BC0080C
SHA256:7DF0AC1EB893DC02B3A5F65FCEE6D054FFCB34596B7863A339C279D6EF1F5F78
4044Firefox.exeC:\Users\admin\AppData\Roaming\NKR2RS2E\NKRlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
1604explorer.exeC:\Users\admin\AppData\Local\Temp\Aeln\mlmlhtvplchf.exeexecutable
MD5:01441BC8B55D498919ACF5421C99932E
SHA256:0D473BF357232A6555D97AC74359D2ED341E54152748580102D1F365A86436C2
2660DllHost.exeC:\Program Files\Aeln\mlmlhtvplchf.exeexecutable
MD5:01441BC8B55D498919ACF5421C99932E
SHA256:0D473BF357232A6555D97AC74359D2ED341E54152748580102D1F365A86436C2
2404wininit.exeC:\Users\admin\AppData\Roaming\NKR2RS2E\NKRlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1604
explorer.exe
POST
404
199.192.21.6:80
http://www.daylleosin.info/ca/
US
xml
345 b
malicious
1604
explorer.exe
GET
404
199.192.21.6:80
http://www.daylleosin.info/ca/?uZ-D=BZxWaSnsII/g6ctnTIxNFY2IZsx63eCqm5Sjq/EPIYiEr9MsTJliHkoQBda+IXZUeDoh2A==&9r8L-=2dLtQR80V&sql=1
US
xml
345 b
malicious
1604
explorer.exe
POST
404
199.192.21.6:80
http://www.daylleosin.info/ca/
US
xml
345 b
malicious
1604
explorer.exe
GET
404
71.195.174.248:80
http://www.budget-rooter.com/ca/?uZ-D=CoyTDDbhAwHr6UIJTm3cBpEG32JCDY74oE/zetIPjYzk9OB7YvWIDsBE+29lSoJX+Ao0Jw==&9r8L-=2dLtQR80V
US
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1604
explorer.exe
71.195.174.248:80
www.budget-rooter.com
Comcast Cable Communications, LLC
US
suspicious
1604
explorer.exe
199.192.21.6:80
www.daylleosin.info
US
malicious

DNS requests

Domain
IP
Reputation
www.kluu1ev5.promo
unknown
www.budget-rooter.com
  • 71.195.174.248
malicious
www.heatwavepas.com
unknown
www.chuanxiorg.com
unknown
www.0pe094.com
unknown
www.izvpj.info
unknown
www.daylleosin.info
  • 199.192.21.6
malicious
www.rcry.ltd
unknown

Threats

PID
Process
Class
Message
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
5 ETPRO signatures available at the full report
No debug info