analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

http://185.33.85.52/FR/DFI-6059.jpg

Full analysis: https://app.any.run/tasks/b3e7d3c6-8883-4977-8932-7aaf7a2c6f8c
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: September 30, 2020, 12:34:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

69A1012645E68EC71F61E3E623CC1802

SHA1:

E9C94760B171EB223D28E66AC67E3FC50D1494DF

SHA256:

37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0

SSDEEP:

6144:aJZj3XBjlkq27zgxRb01xJIdtNMlY0u0UC7lYA7C:+zZo7cvb0Jq0PL72Am

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • DFI-6059.exe (PID: 1760)
      • osign.exe (PID: 1200)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2716)
      • cmstp.exe (PID: 3060)
    • Application was dropped or rewritten from another process

      • AddInProcess32.exe (PID: 2920)
      • ftyplnzpidzxwhlh.exe (PID: 4012)
    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • cmstp.exe (PID: 3060)
      • Firefox.exe (PID: 1400)
    • Connects to CnC server

      • explorer.exe (PID: 352)
    • Actions looks like stealing of personal data

      • cmstp.exe (PID: 3060)
    • Stealing of credential data

      • cmstp.exe (PID: 3060)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 352)
      • cmstp.exe (PID: 3060)
    • Starts CMD.EXE for commands execution

      • DFI-6059.exe (PID: 1760)
      • cmstp.exe (PID: 3060)
    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 352)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2688)
    • Executable content was dropped or overwritten

      • DFI-6059.exe (PID: 1760)
      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 2276)
    • Starts itself from another location

      • DFI-6059.exe (PID: 1760)
    • Executed via COM

      • DllHost.exe (PID: 2276)
    • Creates files in the program directory

      • DllHost.exe (PID: 2276)
    • Loads DLL from Mozilla Firefox

      • cmstp.exe (PID: 3060)
  • INFO

    • Manual execution by user

      • DFI-6059.exe (PID: 1760)
      • cmstp.exe (PID: 3060)
    • Reads the hosts file

      • cmstp.exe (PID: 3060)
    • Creates files in the user directory

      • Firefox.exe (PID: 1400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.scr | Windows screen saver (46.4)
.dll | Win32 Dynamic Link Library (generic) (23.3)
.exe | Win32 Executable (generic) (15.9)
.exe | Generic Win/DOS Executable (7.1)
.exe | DOS Executable Generic (7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:05:31 00:08:42+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 413184
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x66c6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.2.2
ProductVersionNumber: 1.1.2.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 0e!$4rn[13j-u_7&2gm^58b<
CompanyName: r;24a,#0f5s]u
FileDescription: u,78r&]5zx(1*6do_0)4t
FileVersion: 1.1.2.2
InternalName: DFI-6059.exe
LegalCopyright: Copyright © 2002 - 2020
OriginalFileName: DFI-6059.exe
ProductName: u,78r&]5zx(1*6do_0)4t
ProductVersion: 1.1.2.2
AssemblyVersion: 0.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-May-2020 22:08:42
Comments: 0e!$4rn[13j-u_7&2gm^58b<
CompanyName: r;24a,#0f5s]u
FileDescription: u,78r&]5zx(1*6do_0)4t
FileVersion: 1.1.2.2
InternalName: DFI-6059.exe
LegalCopyright: Copyright © 2002 - 2020
OriginalFilename: DFI-6059.exe
ProductName: u,78r&]5zx(1*6do_0)4t
ProductVersion: 1.1.2.2
Assembly Version: 0.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 30-May-2020 22:08:42
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00064C74
0x00064E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.46602
.rsrc
0x00068000
0x000005FE
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.43227
.reloc
0x0006A000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
Latin 1 / Western European
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
12
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start rundll32.exe no specs dfi-6059.exe cmd.exe no specs reg.exe osign.exe no specs addinprocess32.exe no specs #FORMBOOK cmstp.exe cmd.exe no specs #FORMBOOK explorer.exe Copy/Move/Rename/Delete/Link Object ftyplnzpidzxwhlh.exe no specs #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3900"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\DFI-6059.jpgC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1760"C:\Users\admin\Desktop\DFI-6059.exe" C:\Users\admin\Desktop\DFI-6059.exe
explorer.exe
User:
admin
Company:
r;24a,#0f5s]u
Integrity Level:
MEDIUM
Description:
u,78r&]5zx(1*6do_0)4t
Exit code:
0
Version:
1.1.2.2
2688"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"C:\Windows\system32\cmd.exeDFI-6059.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2716REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"C:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1200"C:\Users\admin\osign.exe" C:\Users\admin\osign.exeDFI-6059.exe
User:
admin
Company:
r;24a,#0f5s]u
Integrity Level:
MEDIUM
Description:
u,78r&]5zx(1*6do_0)4t
Exit code:
0
Version:
1.1.2.2
2920"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exeosign.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
3060"C:\Windows\System32\cmstp.exe"C:\Windows\System32\cmstp.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Version:
7.02.7600.16385 (win7_rtm.090713-1255)
3660/c del "C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Windows\System32\cmd.execmstp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2276C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 253
Read events
2 231
Write events
22
Delete events
0

Modification events

(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
rundll32.exe
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Operation:writeName:9
Value:
4400460049002D0036003000350039002E006A007000670000006E003200000000000000000000004446492D363035392E6A70672E6C6E6B00004E0008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000004400460049002D0036003000350039002E006A00700067002E006C006E006B00000020000000
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
Operation:writeName:0
Value:
4400460049002D0036003000350039002E006A007000670000006E003200000000000000000000004446492D363035392E6A70672E6C6E6B00004E0008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000004400460049002D0036003000350039002E006A00700067002E006C006E006B00000020000000
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
Operation:writeName:MRUListEx
Value:
00000000FFFFFFFF
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Operation:writeName:MRUListEx
Value:
09000000080000000700000006000000050000000400000003000000020000000100000000000000FFFFFFFF
(PID) Process:(352) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer
Operation:writeName:MainWndPos
Value:
6000000034000000A00400008002000000000000
Executable files
6
Suspicious files
73
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
352explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:38B91E590AF861C87B617E425FC20B46
SHA256:4E911749E2CCBDC2BDD463993F0B3472C407A25727F84257B39CE16D45D87CB1
352explorer.exeC:\Users\admin\Desktop\DFI-6059.exeexecutable
MD5:69A1012645E68EC71F61E3E623CC1802
SHA256:37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0
3060cmstp.exeC:\Users\admin\AppData\Roaming\556PN550\556logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
1760DFI-6059.exeC:\Users\admin\osign.exeexecutable
MD5:69A1012645E68EC71F61E3E623CC1802
SHA256:37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0
352explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\DFI-6059.jpg.lnklnk
MD5:BB42E38730F71D2A75ED98EBAA713132
SHA256:36098BD5F08A8AC9F387463C80C8E086707C11EF3357A943324381E7417CBD8D
1760DFI-6059.exeC:\Users\admin\AppData\Local\Temp\AddInProcess32.exeexecutable
MD5:6A673BFC3B67AE9782CB31AF2F234C68
SHA256:978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
1760DFI-6059.exeC:\Users\admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dllexecutable
MD5:14FF402962AD21B78AE0B4C43CD1F194
SHA256:FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
352explorer.exeC:\Users\admin\AppData\Local\Temp\Obxl\ftyplnzpidzxwhlh.exeexecutable
MD5:6A673BFC3B67AE9782CB31AF2F234C68
SHA256:978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
1400Firefox.exeC:\Users\admin\AppData\Roaming\556PN550\556logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
3060cmstp.exeC:\Users\admin\AppData\Roaming\556PN550\556logim.jpegimage
MD5:6E7C8A88BB4D8FAC6F59684A98D5794B
SHA256:13547B3A6085349D6F517A4253A3EE3397CC4DD13F1D66DFA963B4E4DCED9A1E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
13
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
66.96.160.147:80
http://www.castlemanage.com/dmr/?mRIdw=sasuKwuJRfQteuTYy3gfg+Zo9SFGAVbJPj/SdT82N1jX3fmPl/kqkifmjmHorfLNhQH0BA==&Vn0=7n1PCDU8_JuhFjM0&sql=1
US
malicious
352
explorer.exe
POST
66.96.160.147:80
http://www.castlemanage.com/dmr/
US
malicious
352
explorer.exe
POST
66.96.160.147:80
http://www.castlemanage.com/dmr/
US
malicious
352
explorer.exe
POST
217.70.184.50:80
http://www.duplex-id.com/dmr/
FR
malicious
352
explorer.exe
POST
23.20.239.12:80
http://www.fdgre.com/dmr/
US
malicious
352
explorer.exe
POST
23.20.239.12:80
http://www.fdgre.com/dmr/
US
malicious
352
explorer.exe
GET
302
23.20.239.12:80
http://www.fdgre.com/dmr/?mRIdw=pl2XKLR6Qu0fsDbawNevngdDV4+Tbm2qyZ1wVwJzv7sGgviU6Mv09qIf8QbF/K4D4/G1cw==&Vn0=7n1PCDU8_JuhFjM0&sql=1
US
html
181 b
malicious
352
explorer.exe
POST
217.70.184.50:80
http://www.duplex-id.com/dmr/
FR
malicious
352
explorer.exe
POST
66.96.160.147:80
http://www.castlemanage.com/dmr/
US
malicious
352
explorer.exe
POST
217.70.184.50:80
http://www.duplex-id.com/dmr/
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
23.20.239.12:80
www.fdgre.com
Amazon.com, Inc.
US
shared
352
explorer.exe
66.96.160.147:80
www.castlemanage.com
The Endurance International Group, Inc.
US
malicious
352
explorer.exe
3.216.121.17:80
www.oleasalon.com
US
malicious
352
explorer.exe
217.70.184.50:80
www.duplex-id.com
GANDI SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.oleasalon.com
  • 3.216.121.17
malicious
www.rooster-money.com
unknown
www.castlemanage.com
  • 66.96.160.147
malicious
www.fdgre.com
  • 23.20.239.12
malicious
www.fakua.top
unknown
www.duplex-id.com
  • 217.70.184.50
malicious

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
10 ETPRO signatures available at the full report
No debug info