Malware analysis Cat2022DecFile58373.exe Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	Cat2022DecFile58373.exe
Full analysis:	https://app.any.run/tasks/7d3fa157-064c-4ebe-82d4-1f161e7284f7
Verdict:	Malicious activity
Threats:	FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 05, 2022, 23:12:49
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	formbook xloader trojan stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	59EC68C614CBD08F061B98EE2F7558B6
SHA1:	518E36C73B44331E89A74C651DDF64E9AD79EE10
SHA256:	1546E632CB3CD6ABB0497A1E941D7C1AFEFD3D1BC7582B63F49D948241406B80
SSDEEP:	6144:ptxBKhzEHZ6pqRMVr5PdD1IQnAPJrueL9KEzbIgsfd+O2hht9lKSYS:ptLKhIZ60+VrVR/UJrueL9PbcV8jt9lH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (5.74)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (86.0.4240.198)
Google Chrome (86.0.4240.198)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 83.0 (x86 en-US) (83.0)
Mozilla Firefox 83.0 (x86 en-US) (83.0)
Mozilla Maintenance Service (83.0.0.7621)
Mozilla Maintenance Service (83.0.0.7621)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
Opera 12.15 (12.15.1748)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Skype version 8.29 (8.29)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- FORMBOOK detected by memory dumps
  - cmd.exe (PID: 2872)
- Loads dropped or rewritten executable
  - cmd.exe (PID: 2872)
- Connects to the CnC server
  - Explorer.EXE (PID: 1084)
- FORMBOOK was detected
  - Explorer.EXE (PID: 1084)
- Unusual connection from system programs
  - Explorer.EXE (PID: 1084)
SUSPICIOUS
- Loads DLL from Mozilla Firefox
  - cmd.exe (PID: 2872)
- Process drops SQLite DLL files
  - cmd.exe (PID: 2872)
- Reads browser cookies
  - cmd.exe (PID: 2872)
INFO
- Checks supported languages
  - Cat2022DecFile58373.exe (PID: 856)
  - RegSvcs.exe (PID: 3348)
- Process checks computer location settings
  - RegSvcs.exe (PID: 3348)
- Reads the computer name
  - RegSvcs.exe (PID: 3348)
  - Cat2022DecFile58373.exe (PID: 856)
- Manual execution by a user
  - cmd.exe (PID: 2872)
- Checks proxy server information
  - cmd.exe (PID: 2872)
- Drops a file that was compiled in debug mode
  - cmd.exe (PID: 2872)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 2872)
- Drops the executable file immediately after the start
  - cmd.exe (PID: 2872)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Formbook

(PID) Process(2872) cmd.exe

C2www.needook.com/4u5a/

Strings (75)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

rJfvmmO0I0KSOkdFNg==

fWeyPQpzFxdBSlPuAlA=

imNhpGXCQjOgCw==

KOLqYk7Qy278+j3g

A4mLyKgkynW7jZZt0F8=

380eDrCm3ApZbXX9

1k6VTs/04X8=

6yQgD+RiKrbnhr77i60lI/gyAQ==

rST4Evf891bSukI=

wYh6yzBy3wDSOkdFNg==

i0j/88JPuMOz

1t8w27cIepbAIqSh0G5dsiUnCw==

uI6hQB6EIE+bFW1woYF4zA==

BPL0Pin+82dmW/OhB0Fr5JHlbp4=

XC5/ZktMXzEnk+xGrPFSE+st

srT4c1/AacoX8F0=

zJeU2qIZ2VCSOkdFNg==

j4a8RbuBvuFZbXX9

asVC+9b7w7eu

L6UfqgNtQjOgCw==

yTgIJt0+qNUilvojOWqqBypDFg==

Ie006MzYHidZbXX9

fbVjId1kpfdZbXX9

w7z+dzqeJEZq2/A6vgPE

bkyOQjI+MYr07V8=

EODzbkTAOSJZbXX9

sZXWleMz4n7HrUI=

YuK38tZjKZ3eQJnC3jxvdM7D2Rpp0A==

VTJSAfJU7tISaHT/

d/gIXE8qLIr07V8=

F3XypWdIKor07V8=

uQaJTBhc8R4kr/I6vgPE

1T8ENSkKJLudaZZt0F8=

uc4eyKuvBidZbXX9

txCp1rM0oc4LhQHpKYJQUKKktIT3GWoNJw==

RMLQh/ZpQjOgCw==

0+Qt17zBCyNZbXX9

JC6jMCHmB77Eu/EFdap62w==

t4XGRQqC3kSB9Tpds2j0Wrg=

T7hCMhTkzX2mf4lVAQjjJOgz

DQ6VYEicGU+NFio7Lw==

PCpjzoTZU3Ol9T1coYF4zA==

DxVl5Jum/t5orqfQ4+cZxA==

OaM0F9KunPxoQUk/Nw==

C2www.needook.com/4u5a/

Strings (75)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)wp-operator.online

openhardware.farm

nu2uresale.store

tefalito.store

maximumercrefund.com

bestcolonia.club

zhuanxiandai.com

www460.vip

smartturflawncare.com

pollicino.online

re-curve.tech

michari.com

33344.cyou

marketmall.digital

estacatemucocautin.com

dersameh.com

fangzizhuangxiu47.com

lee-perez.com

nekutenti.com

medhatkouta.com

jhfgroups.com

shopcheap.club

bjrkfw.com

tommy57.shop

anniistore.com

ope-cctv.com

05hc.com

y31jaihdb6zm87.buzz

easydaw.app

www659123.com

suppq.top

thebrotherhood.shop

videosrunman.com

powerscoumembers.com

lodehewulan.yachts

festpay.pro

zhukojobs.com

www64421.com

jxily.com

700544.com

skechersofferte.com

uloggers.com

yt82ra5c.com

kaylastjean.com

nyameci.com

talisian.com

api2022.top

darkchocolatebliss.com

mcarmen.info

kasslot.com

stublan.com

uknowmarket.com

cpitherapy.com

agikdnjs.com

canadianlocalbusiness.com

dkc010.com

cardgloo.com

fuzulyapigyo.xyz

steves.properties

guaiguaimao188.com

cityasset.net

burcinyilmaz.com

inhibit09.online

olanger.email

C2www.needook.com/4u5a/

Strings (75)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

rJfvmmO0I0KSOkdFNg==

fWeyPQpzFxdBSlPuAlA=

imNhpGXCQjOgCw==

KOLqYk7Qy278+j3g

A4mLyKgkynW7jZZt0F8=

380eDrCm3ApZbXX9

1k6VTs/04X8=

6yQgD+RiKrbnhr77i60lI/gyAQ==

rST4Evf891bSukI=

wYh6yzBy3wDSOkdFNg==

i0j/88JPuMOz

1t8w27cIepbAIqSh0G5dsiUnCw==

uI6hQB6EIE+bFW1woYF4zA==

BPL0Pin+82dmW/OhB0Fr5JHlbp4=

XC5/ZktMXzEnk+xGrPFSE+st

srT4c1/AacoX8F0=

zJeU2qIZ2VCSOkdFNg==

j4a8RbuBvuFZbXX9

asVC+9b7w7eu

L6UfqgNtQjOgCw==

yTgIJt0+qNUilvojOWqqBypDFg==

Ie006MzYHidZbXX9

fbVjId1kpfdZbXX9

w7z+dzqeJEZq2/A6vgPE

bkyOQjI+MYr07V8=

EODzbkTAOSJZbXX9

sZXWleMz4n7HrUI=

YuK38tZjKZ3eQJnC3jxvdM7D2Rpp0A==

VTJSAfJU7tISaHT/

d/gIXE8qLIr07V8=

F3XypWdIKor07V8=

uQaJTBhc8R4kr/I6vgPE

1T8ENSkKJLudaZZt0F8=

uc4eyKuvBidZbXX9

txCp1rM0oc4LhQHpKYJQUKKktIT3GWoNJw==

RMLQh/ZpQjOgCw==

0+Qt17zBCyNZbXX9

JC6jMCHmB77Eu/EFdap62w==

t4XGRQqC3kSB9Tpds2j0Wrg=

T7hCMhTkzX2mf4lVAQjjJOgz

DQ6VYEicGU+NFio7Lw==

PCpjzoTZU3Ol9T1coYF4zA==

DxVl5Jum/t5orqfQ4+cZxA==

OaM0F9KunPxoQUk/Nw==

No Malware configuration.

Add for printing

TRiD

.dll	\|	Win32 Dynamic Link Library (generic) (38.3)
.exe	\|	Win32 Executable (generic) (26.2)
.exe	\|	Win16/32 Executable Delphi generic (12)
.exe	\|	Generic Win/DOS Executable (11.6)
.exe	\|	DOS Executable Generic (11.6)

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	2103-Nov-18 21:46:25
Debug artifacts:	HNIOPLN.pdb
Comments:	-
CompanyName:	-
FileDescription:	HNIOPLN
FileVersion:	1.0.0.0
InternalName:	HNIOPLN.exe
LegalCopyright:	Copyright © 2022
LegalTrademarks:	-
OriginalFilename:	HNIOPLN.exe
ProductName:	HNIOPLN
ProductVersion:	1.0.0.0
Assembly Version:	1.0.0.0

DOS Header

e_magic:	MZ
e_cblp:	144
e_cp:	3
e_crlc:	-
e_cparhdr:	4
e_minalloc:	-
e_maxalloc:	65535
e_ss:	-
e_sp:	184
e_csum:	-
e_ip:	-
e_cs:	-
e_ovno:	-
e_oemid:	-
e_oeminfo:	-
e_lfanew:	128

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
NumberofSections:	5
TimeDateStamp:	2103-Nov-18 21:46:25
PointerToSymbolTable:	-
NumberOfSymbols:	-
SizeOfOptionalHeader:	224
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
X\x166F)"#\x19	8192	285236	285696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99936
.text	294912	42028	42496	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.06849
.rsrc	344064	5858	6144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.35264
Section_4	352256	16	512	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	0.122276
.reloc	360448	12	512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.0980042

Resources

Title	Entropy	Size	Codepage	Language	Type
1	4.15503	4264	UNKNOWN	UNKNOWN	RT_ICON
32512	1.7815	20	UNKNOWN	UNKNOWN	RT_GROUP_ICON
1 (#2)	3.27039	780	UNKNOWN	UNKNOWN	RT_VERSION
1 (#3)	5.00112	490	UNKNOWN	UNKNOWN	RT_MANIFEST

Imports


mscoree.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

856

"C:\Users\admin\AppData\Local\Temp\Cat2022DecFile58373.exe"

C:\Users\admin\AppData\Local\Temp\Cat2022DecFile58373.exe

—

Explorer.EXE

User:

admin

Integrity Level:

MEDIUM

Description:

HNIOPLN

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\cat2022decfile58373.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

3348

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

—

Cat2022DecFile58373.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.0.30319.34209 built by: FX452RTMGDR

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2872

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

Explorer.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll

Formbook

(PID) Process(2872) cmd.exe

C2www.needook.com/4u5a/

Strings (75)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

rJfvmmO0I0KSOkdFNg==

fWeyPQpzFxdBSlPuAlA=

imNhpGXCQjOgCw==

KOLqYk7Qy278+j3g

A4mLyKgkynW7jZZt0F8=

380eDrCm3ApZbXX9

1k6VTs/04X8=

6yQgD+RiKrbnhr77i60lI/gyAQ==

rST4Evf891bSukI=

wYh6yzBy3wDSOkdFNg==

i0j/88JPuMOz

1t8w27cIepbAIqSh0G5dsiUnCw==

uI6hQB6EIE+bFW1woYF4zA==

BPL0Pin+82dmW/OhB0Fr5JHlbp4=

XC5/ZktMXzEnk+xGrPFSE+st

srT4c1/AacoX8F0=

zJeU2qIZ2VCSOkdFNg==

j4a8RbuBvuFZbXX9

asVC+9b7w7eu

L6UfqgNtQjOgCw==

yTgIJt0+qNUilvojOWqqBypDFg==

Ie006MzYHidZbXX9

fbVjId1kpfdZbXX9

w7z+dzqeJEZq2/A6vgPE

bkyOQjI+MYr07V8=

EODzbkTAOSJZbXX9

sZXWleMz4n7HrUI=

YuK38tZjKZ3eQJnC3jxvdM7D2Rpp0A==

VTJSAfJU7tISaHT/

d/gIXE8qLIr07V8=

F3XypWdIKor07V8=

uQaJTBhc8R4kr/I6vgPE

1T8ENSkKJLudaZZt0F8=

uc4eyKuvBidZbXX9

txCp1rM0oc4LhQHpKYJQUKKktIT3GWoNJw==

RMLQh/ZpQjOgCw==

0+Qt17zBCyNZbXX9

JC6jMCHmB77Eu/EFdap62w==

t4XGRQqC3kSB9Tpds2j0Wrg=

T7hCMhTkzX2mf4lVAQjjJOgz

DQ6VYEicGU+NFio7Lw==

PCpjzoTZU3Ol9T1coYF4zA==

DxVl5Jum/t5orqfQ4+cZxA==

OaM0F9KunPxoQUk/Nw==

(PID) Process(2872) cmd.exe

C2www.needook.com/4u5a/

Strings (75)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)wp-operator.online

openhardware.farm

nu2uresale.store

tefalito.store

maximumercrefund.com

bestcolonia.club

zhuanxiandai.com

www460.vip

smartturflawncare.com

pollicino.online

re-curve.tech

michari.com

33344.cyou

marketmall.digital

estacatemucocautin.com

dersameh.com

fangzizhuangxiu47.com

lee-perez.com

nekutenti.com

medhatkouta.com

jhfgroups.com

shopcheap.club

bjrkfw.com

tommy57.shop

anniistore.com

ope-cctv.com

05hc.com

y31jaihdb6zm87.buzz

easydaw.app

www659123.com

suppq.top

thebrotherhood.shop

videosrunman.com

powerscoumembers.com

lodehewulan.yachts

festpay.pro

zhukojobs.com

www64421.com

jxily.com

700544.com

skechersofferte.com

uloggers.com

yt82ra5c.com

kaylastjean.com

nyameci.com

talisian.com

api2022.top

darkchocolatebliss.com

mcarmen.info

kasslot.com

stublan.com

uknowmarket.com

cpitherapy.com

agikdnjs.com

canadianlocalbusiness.com

dkc010.com

cardgloo.com

fuzulyapigyo.xyz

steves.properties

guaiguaimao188.com

cityasset.net

burcinyilmaz.com

inhibit09.online

olanger.email

(PID) Process(2872) cmd.exe

C2www.needook.com/4u5a/

Strings (75)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

rJfvmmO0I0KSOkdFNg==

fWeyPQpzFxdBSlPuAlA=

imNhpGXCQjOgCw==

KOLqYk7Qy278+j3g

A4mLyKgkynW7jZZt0F8=

380eDrCm3ApZbXX9

1k6VTs/04X8=

6yQgD+RiKrbnhr77i60lI/gyAQ==

rST4Evf891bSukI=

wYh6yzBy3wDSOkdFNg==

i0j/88JPuMOz

1t8w27cIepbAIqSh0G5dsiUnCw==

uI6hQB6EIE+bFW1woYF4zA==

BPL0Pin+82dmW/OhB0Fr5JHlbp4=

XC5/ZktMXzEnk+xGrPFSE+st

srT4c1/AacoX8F0=

zJeU2qIZ2VCSOkdFNg==

j4a8RbuBvuFZbXX9

asVC+9b7w7eu

L6UfqgNtQjOgCw==

yTgIJt0+qNUilvojOWqqBypDFg==

Ie006MzYHidZbXX9

fbVjId1kpfdZbXX9

w7z+dzqeJEZq2/A6vgPE

bkyOQjI+MYr07V8=

EODzbkTAOSJZbXX9

sZXWleMz4n7HrUI=

YuK38tZjKZ3eQJnC3jxvdM7D2Rpp0A==

VTJSAfJU7tISaHT/

d/gIXE8qLIr07V8=

F3XypWdIKor07V8=

uQaJTBhc8R4kr/I6vgPE

1T8ENSkKJLudaZZt0F8=

uc4eyKuvBidZbXX9

txCp1rM0oc4LhQHpKYJQUKKktIT3GWoNJw==

RMLQh/ZpQjOgCw==

0+Qt17zBCyNZbXX9

JC6jMCHmB77Eu/EFdap62w==

t4XGRQqC3kSB9Tpds2j0Wrg=

T7hCMhTkzX2mf4lVAQjjJOgz

DQ6VYEicGU+NFio7Lw==

PCpjzoTZU3Ol9T1coYF4zA==

DxVl5Jum/t5orqfQ4+cZxA==

OaM0F9KunPxoQUk/Nw==

1084

C:\Windows\Explorer.EXE

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2496

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

—

cmd.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

83.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll

Add for printing

Total events

4 618

Read events

4 217

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2872	cmd.exe	C:\Users\admin\AppData\Local\Temp\sqlite3.def		text
		MD5:88B78A6F643D3341AE9BF96D5816F1C2	SHA256:8CA12E8B973A1974E160AE2E55F2B59870314DF159BA2DC54C7349ACEE176EBE
2872	cmd.exe	C:\Users\admin\AppData\Local\Temp\sqlite3.dll		executable
		MD5:CE5C15B5092877974D5B6476AD1CB2D7	SHA256:1F1A186EA26BD2462EA2A9CF35A816B92CAF0897FDF332AF3A61569E0BA97B24
2872	cmd.exe	C:\Users\admin\AppData\Local\Temp\lhylq.zip		compressed
		MD5:A9A3B70ADCF65BE80C9B00E65D158669	SHA256:BDCD90D909C708EFF9A829C01B428C2B24FAFC15F63DECCD064C2BB12B0A49E3
2872	cmd.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sqlite-dll-win32-x86-3360000[1].zip		compressed
		MD5:A9A3B70ADCF65BE80C9B00E65D158669	SHA256:BDCD90D909C708EFF9A829C01B428C2B24FAFC15F63DECCD064C2BB12B0A49E3
2872	cmd.exe	C:\Users\admin\AppData\Local\Temp\1--Lt08NN		sqlite
		MD5:CC104C4E4E904C3AD7AD5C45FBFA7087	SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1084	Explorer.EXE	POST	—	94.23.162.163:80	http://www.darkchocolatebliss.com/4u5a/	DE	—	—	malicious
1084	Explorer.EXE	POST	—	94.23.162.163:80	http://www.darkchocolatebliss.com/4u5a/	DE	—	—	malicious
1084	Explorer.EXE	POST	—	94.23.162.163:80	http://www.darkchocolatebliss.com/4u5a/	DE	—	—	malicious
1084	Explorer.EXE	POST	—	94.23.162.163:80	http://www.darkchocolatebliss.com/4u5a/	DE	—	—	malicious
1084	Explorer.EXE	POST	—	94.23.162.163:80	http://www.darkchocolatebliss.com/4u5a/	DE	—	—	malicious
2872	cmd.exe	GET	200	45.33.6.223:80	http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip	US	compressed	542 Kb	whitelisted
1084	Explorer.EXE	GET	200	89.31.143.1:80	http://www.dersameh.com/4u5a/?yVDPIrG8=DO8SLO7p+ieBn2EC0Mc3V7PpH5Hc4tmKhL6K9ytUp3CH+6ohEz4Q1B3Jq/CsB6yB8F/4+t2o4Lfhsb/t/Yv8ZU/1O3qwbzpadSS9L00=&Wz=H2ULYnMXcny4a	DE	html	6.48 Kb	malicious
1084	Explorer.EXE	POST	404	154.209.6.241:80	http://www.y31jaihdb6zm87.buzz/4u5a/	HK	html	146 b	malicious
1084	Explorer.EXE	POST	404	154.209.6.241:80	http://www.y31jaihdb6zm87.buzz/4u5a/	HK	html	146 b	malicious
1084	Explorer.EXE	POST	405	89.31.143.1:80	http://www.dersameh.com/4u5a/	DE	html	150 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1084	Explorer.EXE	89.31.143.1:80	www.dersameh.com	IP Exchange GmbH	DE	malicious
1084	Explorer.EXE	38.55.236.89:80	www.ope-cctv.com	STARCLOUD GLOBAL PTE., LTD.	US	malicious
—	—	89.31.143.1:80	www.dersameh.com	IP Exchange GmbH	DE	malicious
2872	cmd.exe	45.33.6.223:80	www.sqlite.org	Linode, LLC	US	suspicious
1084	Explorer.EXE	154.209.6.241:80	www.y31jaihdb6zm87.buzz	YISU CLOUD LTD	HK	malicious
1084	Explorer.EXE	94.23.162.163:80	www.darkchocolatebliss.com	OVH SAS	DE	malicious
—	—	94.23.162.163:80	www.darkchocolatebliss.com	OVH SAS	DE	malicious
2872	cmd.exe	154.209.6.241:80	www.y31jaihdb6zm87.buzz	YISU CLOUD LTD	HK	malicious
—	—	85.159.66.93:80	www.fuzulyapigyo.xyz	Cizgi Telekomunikasyon Anonim Sirketi	TR	malicious
1084	Explorer.EXE	85.159.66.93:80	www.fuzulyapigyo.xyz	Cizgi Telekomunikasyon Anonim Sirketi	TR	malicious

DNS requests

Domain	IP	Reputation
www.ope-cctv.com	38.55.236.89	malicious
www.sqlite.org	45.33.6.223	whitelisted
www.dersameh.com	89.31.143.1	malicious
www.darkchocolatebliss.com	94.23.162.163	malicious
www.y31jaihdb6zm87.buzz	154.209.6.241	malicious
dns.msftncsi.com	131.107.255.255	shared
www.marketmall.digital	162.213.255.142	malicious
www.canadianlocalbusiness.com	172.67.148.132 104.21.29.63	malicious
www.fuzulyapigyo.xyz	85.159.66.93	malicious

Threats

PID	Process	Class	Message
1084	Explorer.EXE	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
1084	Explorer.EXE	A Network Trojan was detected	ET TROJAN FormBook CnC Checkin (GET)
1084	Explorer.EXE	A Network Trojan was detected	ET TROJAN FormBook CnC Checkin (GET)
1084	Explorer.EXE	A Network Trojan was detected	ET TROJAN FormBook CnC Checkin (GET)
1084	Explorer.EXE	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
1084	Explorer.EXE	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
1084	Explorer.EXE	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
1084	Explorer.EXE	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
1084	Explorer.EXE	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
1084	Explorer.EXE	A Network Trojan was detected	ET TROJAN FormBook CnC Checkin (POST) M2

11 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Cat2022DecFile58373.exe

59EC68C614CBD08F061B98EE2F7558B6

518E36C73B44331E89A74C651DDF64E9AD79EE10

1546E632CB3CD6ABB0497A1E941D7C1AFEFD3D1BC7582B63F49D948241406B80

6144:ptxBKhzEHZ6pqRMVr5PdD1IQnAPJrueL9KEzbIgsfd+O2hht9lKSYS:ptLKhIZ60+VrVR/UJrueL9PbcV8jt9lH

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

FORMBOOK detected by memory dumps

Loads dropped or rewritten executable

Connects to the CnC server

FORMBOOK was detected

Unusual connection from system programs

SUSPICIOUS

Loads DLL from Mozilla Firefox

Process drops SQLite DLL files

Reads browser cookies

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Manual execution by a user

Checks proxy server information

Drops a file that was compiled in debug mode

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Malware configuration

Formbook

Static information

TRiD

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Formbook

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings