download: | frank.exe |
Full analysis: | https://app.any.run/tasks/483c5b6d-10e4-4a2c-87d5-41d342e85c2d |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | November 08, 2018, 15:35:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive |
MD5: | 2251D5713E8114609FB6AA3E9BD36673 |
SHA1: | F9F55191099755FC8C62BA08BDF455BD22CC3A4F |
SHA256: | 1BE3A2EAA351611C6510F6CB036D07ACDC7B46E4A83B49062951BF14B80C8334 |
SSDEEP: | 24576:f2O/GlbHgK8GijlJh+z3wmxhKbH3rUO46GyW:6AK8xh03wmxUT3iB |
.exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
---|---|---|
.exe | | | Win64 Executable (generic) (31.7) |
.scr | | | Windows screen saver (15) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0xac87 |
UninitializedDataSize: | - |
InitializedDataSize: | 58880 |
CodeSize: | 74752 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2012:06:09 15:19:49+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Jun-2012 13:19:49 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 09-Jun-2012 13:19:49 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001231E | 0x00012400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55555 |
.rdata | 0x00014000 | 0x00001D15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.99401 |
.data | 0x00016000 | 0x00017724 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.54914 |
.CRT | 0x0002E000 | 0x00000020 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.394141 |
.rsrc | 0x0002F000 | 0x0000C2C0 | 0x0000C400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.45727 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20816 | 1464 | Latin 1 / Western European | English - United States | RT_MANIFEST |
7 | 3.24143 | 556 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.26996 | 974 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.04375 | 530 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.16254 | 776 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.06352 | 380 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 2.33959 | 102 | Latin 1 / Western European | English - United States | RT_STRING |
100 | 1.91924 | 20 | Latin 1 / Western European | Process Default Language | RT_GROUP_ICON |
101 | 4.19099 | 2998 | Latin 1 / Western European | English - United States | RT_BITMAP |
ASKNEXTVOL | 3.42597 | 646 | Latin 1 / Western European | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1496 | "C:\Users\admin\AppData\Local\Temp\frank.exe" | C:\Users\admin\AppData\Local\Temp\frank.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1672 | "C:\Users\admin\AppData\Local\Temp\90407336\rns.exe" qgx=vbw | C:\Users\admin\AppData\Local\Temp\90407336\rns.exe | — | frank.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3164 | C:\Users\admin\AppData\Local\Temp\90407336\rns.exe C:\Users\admin\AppData\Local\Temp\90407336\IKMVB | C:\Users\admin\AppData\Local\Temp\90407336\rns.exe | rns.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3892 | "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe" | C:\Users\admin\AppData\Local\Temp\RegSvcs.exe | — | rns.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
3480 | "C:\Windows\System32\cscript.exe" | C:\Windows\System32\cscript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Version: 5.8.7600.16385 | ||||
3440 | /c del "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe" | C:\Windows\System32\cmd.exe | — | cscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3336 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 68.0.3440.106 | ||||
3604 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701100b0,0x701100c0,0x701100cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2688 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1620 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
1192 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=848,6422127312129028868,12140508893437993133,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=88747EE3A417EED872E1ED9107D35548 --mojo-platform-channel-handle=896 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\ocj.dat | text | |
MD5:2BFEABC8B449A09668371E8371091F24 | SHA256:48DE13701C9EB1C969023C389574C19381D598E1B9773257BE045B10563C5764 | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\nrw.mp3 | text | |
MD5:D19084D895A74DDF37208C9A2A04D808 | SHA256:D05F2464E8BAA4E01B80FCDE1CB1E06F32E09F2FC96BE9C4AF11CE13DB6FE68E | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\xem.bmp | text | |
MD5:E3D47C2D2C4A0EF10F4D6B99B7025D31 | SHA256:770F3A4CCC41C3293DCBA46014AA9C359D89D26344281EAD28750F0934F027A5 | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\igw.pdf | text | |
MD5:44AF209B75353FFA7A0181B8A141F84B | SHA256:8F182DDD391CA6DDE8ECED6322E6D5542B70E427AD7F91D5CF5D905FEEC4A21F | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\efr.bmp | text | |
MD5:AC17706881B5ECA4108AC69D7756B202 | SHA256:5B6328CF41A13DCA9388FD9A4F0E6B97FADF859677D925B898B100EB72A8345D | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\hnq.mp3 | text | |
MD5:FAB79B481C319B651FDBEBA163ABAC34 | SHA256:ED44651D5FCEE90FCE6C71C6C0F97C234B28B70D147667B62FF637C8B8CB2ACC | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\aaq.docx | text | |
MD5:4A2927FDF8596BF0AB5EEE6923A6DB0C | SHA256:3F6D12EA89FABDA15D79ACC2068532D01CE0340974C7D83E087033E1A12538F5 | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\bqd.xl | text | |
MD5:8B4E174CA7350758A33B0490971F84F4 | SHA256:1EF293D70FA9C5B505EE9D61F449AD200B06DADD7C3EF28012A57713D4241A3F | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\nwh.jpg | text | |
MD5:2F9F2C16EF8FD0285D0F34746808FE2D | SHA256:E3DD79C4E3FFA2A017481F1CAC0CB8FBF002ECEF93C1809CEDCAAD386D9F327D | |||
1496 | frank.exe | C:\Users\admin\AppData\Local\Temp\90407336\jpp.jpg | text | |
MD5:63F078ADB3F851122CCA3B51ECB73C87 | SHA256:B331506B36A0F787A1F317E91A1B392E9F515FFFC8FDC3BFEE3EF447D69FA0EE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1604 | explorer.exe | GET | — | 47.52.142.209:80 | http://www.fluorysports.com/aa8/?LhJL=8QtQh+QKR4X7xXWpsWgmLAzc5/T6YCkTzuAoZm2VrSe2knya/26h47lQL8rgD55NpSkKog==&pPv=K2KdTxYP8270tPWP | HK | — | — | malicious |
1604 | explorer.exe | POST | — | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | — | — | malicious |
1604 | explorer.exe | GET | 404 | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/?LhJL=RHDVyMGFPOescSk8fBVyz7avp6vl173cjAxPM1VuTIfp3KGJQuEcxaOelH6TQ4dkTsIRxg==&pPv=K2KdTxYP8270tPWP&sql=1 | US | html | 327 b | malicious |
1604 | explorer.exe | POST | 404 | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | html | 295 b | malicious |
1604 | explorer.exe | POST | — | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | — | — | malicious |
1604 | explorer.exe | POST | — | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3336 | chrome.exe | 172.217.168.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3336 | chrome.exe | 216.58.215.238:443 | apis.google.com | Google Inc. | US | whitelisted |
3336 | chrome.exe | 172.217.168.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3336 | chrome.exe | 172.217.168.67:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
3336 | chrome.exe | 172.217.168.77:443 | accounts.google.com | Google Inc. | US | whitelisted |
1604 | explorer.exe | 47.52.142.209:80 | www.fluorysports.com | Alibaba (China) Technology Co., Ltd. | HK | malicious |
1604 | explorer.exe | 162.213.255.220:80 | www.nadidetadllar.com | Namecheap, Inc. | US | malicious |
3336 | chrome.exe | 216.58.215.227:443 | www.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.gstatic.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
www.google.de |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
www.genesischemist.win |
| unknown |
www.fluorysports.com |
| malicious |
www.nadidetadllar.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1604 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |