Malware analysis https://bazaar.abuse.ch/download/b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14/ Malicious activity

Add for printing

URL:	https://bazaar.abuse.ch/download/b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14/
Full analysis:	https://app.any.run/tasks/8ad727dd-70ff-4e65-98de-016d8392ba65
Verdict:	Malicious activity
Threats:	DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment. FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 19, 2024, 16:06:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	dbatloader formbook xloader stealer
Indicators:
MD5:	EA054E64C365B85C46C34EABBD1B4ABD
SHA1:	5F648B7B16C24CF2F7A2083116170343F85736E2
SHA256:	3A38B8C9D7E40F7571A14B0B4361D8A9E72B1108849176C1DD5CA81A2D84248B
SSDEEP:	3:N8N0uDWB46tAl3AvaREhivbRBUKm:23G3ylcaXTRm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- DBATLOADER has been detected (YARA)
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Drops the executable file immediately after the start
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Changes the autorun value in the registry
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- FORMBOOK has been detected (YARA)
  - ipconfig.exe (PID: 5340)
- FORMBOOK has been detected (SURICATA)
  - explorer.exe (PID: 4016)
- Connects to the CnC server
  - explorer.exe (PID: 4016)
SUSPICIOUS
- SMB connection has been detected (probably for file transfer)
  - explorer.exe (PID: 4016)
- There is functionality for taking screenshot (YARA)
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Drops a file with a rarely used extension (PIF)
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Reads security settings of Internet Explorer
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Starts CMD.EXE for commands execution
  - ipconfig.exe (PID: 5340)
- Executable content was dropped or overwritten
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Process uses IPCONFIG to get network configuration information
  - explorer.exe (PID: 4016)
- Contacting a server suspected of hosting an CnC
  - explorer.exe (PID: 4016)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 1328)
  - identity_helper.exe (PID: 2216)
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 7120)
  - msedge.exe (PID: 6136)
- Reads the computer name
  - identity_helper.exe (PID: 1328)
  - identity_helper.exe (PID: 2216)
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
- Drops the executable file immediately after the start
  - msedge.exe (PID: 7120)
  - WinRAR.exe (PID: 7304)
- The process uses the downloaded file
  - msedge.exe (PID: 5728)
  - WinRAR.exe (PID: 7304)
  - msedge.exe (PID: 7120)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7304)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4016)
  - ipconfig.exe (PID: 5340)
- Application launched itself
  - msedge.exe (PID: 7120)
  - msedge.exe (PID: 6136)
- Manual execution by a user
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
  - ipconfig.exe (PID: 5340)
- Checks proxy server information
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
  - ipconfig.exe (PID: 5340)
- Reads the software policy settings
  - b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe (PID: 3540)
  - ipconfig.exe (PID: 5340)
- Creates files or folders in the user directory
  - ipconfig.exe (PID: 5340)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

DBatLoader

(PID) Process(3540) b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe

C2 (1)https://onedrive.live.com/download?resid=E0CF7F9E6AAF27EF%211698&authkey=!AP2ndiARY9jfQNI

Formbook

(PID) Process(5340) ipconfig.exe

C2www.nutricognition.com/uj3c/

Strings (84)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Mail\

\Foxmail

\Storage\

\Accounts\Account.rec0

\Data\AccCfg\Accounts.tdat

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

intercontinentalship.com

moneytaoism.com

agardenfortwo.com

trendiddas.com

fjuoomw.xyz

dantvilla.com

shopwithtrooperdavecom.com

lanwenzong.com

xpertsrealty.com

gamelabsmash.com

nomaxdic.com

chillyracing.com

mypleasure-blog.com

projectkyla.com

florurbana.com

oneplacemexico.com

gografic.com

giantht.com

dotombori-base.com

westlifinance.online

maacsecurity.com

lydas.info

instapandas.com

labustiadepaper.net

unglue52.com

onurnet.net

wellkept.info

6111.site

platinumroofingsusa.com

bodyplex.fitness

empireapothecary.com

meigsbuilds.online

garygrover.com

nicholasnikas.com

yd9992.com

protections-clients.info

sueyhzx.com

naturathome.info

superinformatico.net

printsgarden.com

xn--qn1b03fy2b841b.com

preferable.info

ozzyconstructionma.com

10stopp.online

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

209

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6828 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

364

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4520 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

364

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4696 --field-trial-handle=2268,i,9986836857486025945,16137820643698903567,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

676

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5228 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1328

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5756 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1540

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5000 --field-trial-handle=2268,i,9986836857486025945,16137820643698903567,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1964

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6704 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2056

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5296 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2216

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=3372 --field-trial-handle=2388,i,3077336344518029564,13461772307388175151,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2216

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3368 --field-trial-handle=2268,i,9986836857486025945,16137820643698903567,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

27 210

Read events

27 076

Write events

128

Delete events

Modification events


(PID) Process:	(4016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000008022E
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456A1F1CCF85B06E3419214046A96D63B00
(PID) Process:	(4016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000402EC
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456A1F1CCF85B06E3419214046A96D63B00
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(7120) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation:	write	Name:	UsageStatsInSample
Value: 1

Add for printing

Executable files

Suspicious files

156

Text files

112

Unknown types

Dropped files

PID	Process	Filename		Type
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-669A8F1E-1BD0.pma		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF428e83.TMP		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF428e83.TMP		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF428e83.TMP		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF428e83.TMP		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF428e93.TMP		—
		MD5:—	SHA256:—
7120	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

107

DNS requests

106

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5608	svchost.exe	HEAD	200	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	HEAD	200	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/07b2b28d-48a0-4636-b791-6e6129c8a3da?P1=1721976818&P2=404&P3=2&P4=XllzCy4pHi218u5R1fB6bJ7bZthFXbP0L0A9OUrtsxYGaGlPCVSwO8luE34h8jnaM2l5zxdJb%2bCNTareNpTIiQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted
5608	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fe059e09-3911-454a-8b1a-3e9137487b65?P1=1721980380&P2=404&P3=2&P4=nW4OIEqXM4Kj98wuZeFibKOZzw2hdwHWtjnIYDwCb%2bf%2boJkuHO2hX63WwZOBDMoRIu39wdQ3FYYYaqNePQ40XQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4716	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5620	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7856	svchost.exe	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6912	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
7120	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
6912	msedge.exe	151.101.66.49:443	bazaar.abuse.ch	FASTLY	US	unknown
6912	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	20.190.160.14 20.190.160.20 40.126.32.138 40.126.32.74 40.126.32.140 40.126.32.72 40.126.32.68 40.126.32.136	whitelisted
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.46	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
bazaar.abuse.ch	151.101.66.49 151.101.130.49 151.101.2.49 151.101.194.49	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.60	whitelisted
business.bing.com	13.107.6.158	whitelisted
bzib.nelreports.net	23.53.40.56 23.53.40.8	whitelisted
www.bing.com	104.126.37.160 104.126.37.153 104.126.37.145 104.126.37.177 104.126.37.163 104.126.37.136 104.126.37.139 104.126.37.186 104.126.37.128 104.126.37.155 2.23.209.179 2.23.209.177 2.23.209.158 2.23.209.149 2.23.209.150 2.23.209.140 2.23.209.133 2.23.209.182 2.23.209.135	whitelisted

Threats

PID	Process	Class	Message
4016	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)
5340	ipconfig.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
5340	ipconfig.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
4016	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)
4016	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)
5340	ipconfig.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
5340	ipconfig.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
4016	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)
4016	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)
4016	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)

Add for printing

No debug info

General Info

https://bazaar.abuse.ch/download/b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14/

EA054E64C365B85C46C34EABBD1B4ABD

5F648B7B16C24CF2F7A2083116170343F85736E2

3A38B8C9D7E40F7571A14B0B4361D8A9E72B1108849176C1DD5CA81A2D84248B

3:N8N0uDWB46tAl3AvaREhivbRBUKm:23G3ylcaXTRm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DBATLOADER has been detected (YARA)

Drops the executable file immediately after the start

Changes the autorun value in the registry

FORMBOOK has been detected (YARA)

FORMBOOK has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

SMB connection has been detected (probably for file transfer)

There is functionality for taking screenshot (YARA)

Drops a file with a rarely used extension (PIF)

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Process uses IPCONFIG to get network configuration information

Contacting a server suspected of hosting an CnC

INFO

Checks supported languages

Reads Microsoft Office registry keys

Reads the computer name

Drops the executable file immediately after the start

The process uses the downloaded file

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Application launched itself

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

DBatLoader

Formbook

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings