URL: | http://easydatatransfercleansystemprofessional.duckdns.org/intel/bk.exe |
Full analysis: | https://app.any.run/tasks/f41198a2-bffd-4ead-b227-ab745946d165 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | March 30, 2020, 14:49:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 9389857FDE772CB2066661BF5A663AC0 |
SHA1: | 0EB27224D77AAC739D5E69F2C298483AC4A1B165 |
SHA256: | 2A665FFD4DE021B5465CB6362C2F4BFCCD67269D6ABD77C232D7D012D3326350 |
SSDEEP: | 3:N1KbUBKEViXqQgaGEWiKru0C:CUKDdgaGEWdC0C |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3972 | "C:\Program Files\Internet Explorer\iexplore.exe" http://easydatatransfercleansystemprofessional.duckdns.org/intel/bk.exe | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3112 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3972 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2152 | "C:\Users\admin\Downloads\bk.exe" | C:\Users\admin\Downloads\bk.exe | iexplore.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3252 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | bk.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1780 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2312 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" 2 1780 10917875 | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2524 | "C:\Windows\System32\lsm.exe" | C:\Windows\System32\lsm.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Local Session Manager Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1232 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | chlz.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
312 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1836 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" 2 312 10921953 | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3112 | iexplore.exe | C:\Users\admin\Downloads\bk.exe.7fkn8kj.partial | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF6B11DA53548F2539.TMP | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\Downloads\bk.exe.7fkn8kj.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2152 | bk.exe | C:\Users\admin\AppData\Roaming\chlz\chlz.exe\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2152 | bk.exe | C:\Users\admin\AppData\Roaming\chlz\chlz.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
3112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\bk[1].exe | executable | |
MD5:427BA00AC8E9E75DC8B898AFE698F945 | SHA256:C2E81BAD5CF16472E3D169E7F25B935E63C12736CB0EA8E6A678A246CB4DCA66 | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A21FF1BF-7295-11EA-972D-5254004A04AF}.dat | binary | |
MD5:933D838DADB60A4E6CB891638FFFC116 | SHA256:4E1459405A32253C82518EAABFDBF63EFF39659E85E3D6D3EC66893ED7FAEF0E | |||
3972 | iexplore.exe | C:\Users\admin\Downloads\bk.exe | executable | |
MD5:427BA00AC8E9E75DC8B898AFE698F945 | SHA256:C2E81BAD5CF16472E3D169E7F25B935E63C12736CB0EA8E6A678A246CB4DCA66 | |||
2524 | lsm.exe | C:\Users\admin\AppData\Roaming\149MTU1F\149logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
2152 | bk.exe | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | executable | |
MD5:427BA00AC8E9E75DC8B898AFE698F945 | SHA256:C2E81BAD5CF16472E3D169E7F25B935E63C12736CB0EA8E6A678A246CB4DCA66 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
372 | explorer.exe | GET | — | 185.106.39.167:80 | http://www.9911742.com/c9c/?Mv18=JiKWIDInMiDtnD599Q4eMxMSLLKdpo/s0tEfqq5vN4706PoptiZkGbOE1Kk2+3GoUQaexg==&VPx4=GfmXFTbpsV&sql=1 | RO | — | — | malicious |
372 | explorer.exe | GET | — | 50.63.202.89:80 | http://www.piwondesigns.com/c9c/?Mv18=B0NUBrbAuiyfr4UKNCmq/N2Gk5/Wrxjp82cS28z6yT03ZnvI3+AkmOXP4OlsyHaaexNh8Q==&VPx4=GfmXFTbpsV&sql=1 | US | — | — | malicious |
372 | explorer.exe | GET | — | 50.63.202.67:80 | http://www.camsman.com/c9c/?Mv18=9jtm6BjDWvR/78FEdJ9Ptsp4p0/67EUcNH/AllztbwMuSInGwX+0NYZbMjydiY9TtJ6Hpw==&VPx4=GfmXFTbpsV&sql=1 | US | — | — | malicious |
3972 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
372 | explorer.exe | POST | — | 185.106.39.167:80 | http://www.9911742.com/c9c/ | RO | — | — | malicious |
372 | explorer.exe | POST | — | 50.63.202.89:80 | http://www.piwondesigns.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | POST | — | 50.63.202.89:80 | http://www.piwondesigns.com/c9c/ | US | — | — | malicious |
3972 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3972 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3972 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3972 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
3972 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3112 | iexplore.exe | 109.169.89.118:80 | easydatatransfercleansystemprofessional.duckdns.org | iomart Cloud Services Limited. | GB | malicious |
372 | explorer.exe | 185.106.39.167:80 | www.9911742.com | — | RO | malicious |
3972 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
372 | explorer.exe | 198.54.112.48:80 | www.nyoxibwer.com | Namecheap, Inc. | US | malicious |
372 | explorer.exe | 50.63.202.89:80 | www.piwondesigns.com | GoDaddy.com, LLC | US | malicious |
— | — | 50.63.202.67:80 | www.camsman.com | GoDaddy.com, LLC | US | malicious |
372 | explorer.exe | 52.213.114.86:80 | www.radyosesmarmaris.com | Amazon.com, Inc. | IE | whitelisted |
372 | explorer.exe | 50.63.202.67:80 | www.camsman.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
easydatatransfercleansystemprofessional.duckdns.org |
| malicious |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
www.wkmind.com |
| unknown |
ieonline.microsoft.com |
| whitelisted |
www.9911742.com |
| malicious |
ocsp.digicert.com |
| whitelisted |
www.piwondesigns.com |
| malicious |
www.majicbbvacuenta.com |
| unknown |
www.lifecode123.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3112 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3112 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |