Property | Value |
---|---|
File name | Bank_TT_Copy-pdf.exe |
Full analysis | https://app.any.run/tasks/f44edf22-e7b2-4c61-ac01-3b68c3dfb433 |
Verdict | Malicious activity |
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it. |
Analysis date | February 18, 2019, 13:33:37 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5 | A4A912179461CA1C6F080130D1F805B5 |
SHA1 | 178E45FFA889CB571127A409A182D9C7DFD4654C |
SHA256 | 312213683602373BCBC681F0174F0E17F7E2F2ECD42FD50EF4380CFCF0CD5DF5 |
SSDEEP | 12288:NnOdpHv60uCVCvEBCOesGSiJM05x++l9QWw:JWpSBaaOxEnxbl9Q |

Extension | Identification (score) |
---|---|
.dll | Win32 Dynamic Link Library (generic) (43.5) |
.exe | Win32 Executable (generic) (29.8) |
.exe | Generic Win/DOS Executable (13.2) |
.exe | DOS Executable Generic (13.2) |

EXIF field | Value |
---|---|
MachineType | Intel 386 or later, and compatibles |
TimeStamp | 1981:06:15 19:37:57+02:00 |
PEType | PE32 |
LinkerVersion | 8 |
CodeSize | 423424 |
InitializedDataSize | 3072 |
UninitializedDataSize | - |
EntryPoint | 0x695ee |
OSVersion | 4 |
ImageVersion | - |
SubsystemVersion | 4 |
Subsystem | Windows GUI |
FileVersionNumber | 12.12.14.2 |
ProductVersionNumber | 12.12.14.2 |
FileFlagsMask | 0x003f |
FileFlags | (none) |
FileOS | Win32 |
ObjectFileType | Executable application |
FileSubtype | - |
LanguageCode | Neutral |
CharacterSet | Unicode |
Comments | uqoluxemepuqigifakatojex |
CompanyName | SMART ID DYNAMICS SA |
FileDescription | The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references. |
FileVersion | 12.12.14.2 |
InternalName | Bank TT Copy-pdf.exe |
LegalCopyright | Copyright © 2018 SMART ID DYNAMICS SA |
OriginalFileName | Bank TT Copy-pdf.exe |
ProductName | The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references. |
ProductVersion | 12.12.14.2 |
AssemblyVersion | 0.0.0.0 |

PE summary field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 15-Jun-1981 17:37:57 |

DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x00000080 |

PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 3 |
Time date stamp | 15-Jun-1981 17:37:57 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x000675F4 | 0x00067600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.93456 |
.rsrc | 0x0006A000 | 0x00000904 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.34915 |
.reloc | 0x0006C000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |

Imported DLL |
---|
mscoree.dll |

PID | Command line | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3112 | "C:\Users\admin\AppData\Local\Temp\Bank_TT_Copy-pdf.exe" | C:\Users\admin\AppData\Local\Temp\Bank_TT_Copy-pdf.exe | | explorer.exe | User: admin, Company: SMART ID DYNAMICS SA, Integrity Level: MEDIUM, Description: "The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references.", Exit code: 0, Version: 12.12.14.2 |
3892 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\bin.exe" | C:\Windows\System32\cmd.exe | — | Bank_TT_Copy-pdf.exe | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: "Windows Command Processor", Exit code: 0, Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1440 | "C:\Users\admin\AppData\Roaming\bin.exe" | C:\Users\admin\AppData\Roaming\bin.exe | — | cmd.exe | User: admin, Integrity Level: MEDIUM, Exit code: 0 |
2772 | "C:\Windows\System32\colorcpl.exe" | C:\Windows\System32\colorcpl.exe | | explorer.exe | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: "Microsoft Color Control Panel", Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3848 | /c del "C:\Users\admin\AppData\Roaming\bin.exe" | C:\Windows\System32\cmd.exe | — | colorcpl.exe | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: "Windows Command Processor", Exit code: 0, Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3000 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\Bank_TT_Copy-pdf.exe" "C:\Users\admin\AppData\Local\Windowse.exe" | C:\Windows\System32\cmd.exe | | Bank_TT_Copy-pdf.exe | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: "Windows Command Processor", Exit code: 0, Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: "Windows Explorer", Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3456 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Local\Windowse.exe" | C:\Windows\System32\cmd.exe | — | Bank_TT_Copy-pdf.exe | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: "Windows Command Processor", Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
928 | "C:\Users\admin\AppData\Local\Windowse.exe" | C:\Users\admin\AppData\Local\Windowse.exe | — | cmd.exe | User: admin, Company: SMART ID DYNAMICS SA, Integrity Level: MEDIUM, Description: "The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references.", Version: 12.12.14.2 |

PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
3112 | Bank_TT_Copy-pdf.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
3112 | Bank_TT_Copy-pdf.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
2772 | colorcpl.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | JFG09T2P | write | C:\Program Files\Fkpphyzd\etnho00uhib.exe |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3112 | Bank_TT_Copy-pdf.exe | C:\Users\admin\Documents\bin.txt | text | 2B7B526AD3E8D64B8D4B0894A3A26015 | 4B96E45CB45CD4438150D025653EFBCEE6177D07B97E5E0EA8D50263CF871CC9 |
3000 | cmd.exe | C:\Users\admin\AppData\Local\Windowse.exe | executable | A4A912179461CA1C6F080130D1F805B5 | 312213683602373BCBC681F0174F0E17F7E2F2ECD42FD50EF4380CFCF0CD5DF5 |
2772 | colorcpl.exe | C:\Users\admin\AppData\Roaming\J931PQ9F\J93logrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 |
3112 | Bank_TT_Copy-pdf.exe | C:\Users\admin\AppData\Roaming\bin.exe | executable | E6AA24CABAFB1F66E2E874A1722ACD13 | 4FCAFF67DD797D6BC76D9A1202838542BF88789A7EF6E4AC5EC0CA5F1A5301E1 |
2772 | colorcpl.exe | C:\Users\admin\AppData\Roaming\J931PQ9F\J93logim.jpeg | image | A725B109F94B74166BC5F64D07C89240 | 41804574CC194F9F8C6EF35C9C32D841C5AE1A34CCC528B02D27E04AB6B5ABF3 |
2772 | colorcpl.exe | C:\Users\admin\AppData\Roaming\J931PQ9F\J93logri.ini | binary | D63A82E5D81E02E399090AF26DB0B9CB | EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE |
2772 | colorcpl.exe | C:\Users\admin\AppData\Roaming\J931PQ9F\J93logrv.ini | binary | BA3B6BC807D4F76794C4B81B09BB9BA5 | 6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2028 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.iotafarming.com/p18/?mv14=NshmjjL5QDXaVtXU9h1lR1jqH/fZeUoDOXP4TpQI/2AlYPAxoE2jQFisp6Y4Wl5AncfLDw==&2diD=GfTpkjZp2TvXFbS | US | html | 187 b | shared |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2028 | explorer.exe | 23.20.239.12:80 | www.iotafarming.com | Amazon.com, Inc. | US | shared |

Domain | IP | Reputation |
---|---|---|
www.iotafarming.com | | shared |

PID | Process | Class | Message |
---|---|---|---|
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |