| File name: | Quotation-#1_Hot rolled marking machine cable installation work.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/d0585dd2-bc2a-4c13-aa77-4c8b7cf84e0f |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. |
| Analysis date: | November 29, 2023, 07:39:41 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | BCBA283A5F923E9E272CBC70CFA3A4C7 |
| SHA1: | 1113591E5FE8BA632886B544AABD4537A01DFA9E |
| SHA256: | 3BA7D29CA91976A52F7F4E70DD63BA18BE3A4A1F3E3F733D22E8529284790DF6 |
| SSDEEP: | 24576:v8ZvOZES8VwTGdpZHKbGq+q4zRmcjiHo6g6tRdQxXYcSiMuvMQH:v8ZvOZES8VwadpZHKx+q4zRmcjiHo6gv |
| Extension | File type (confidence %) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
| .dll | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | Win32 Executable (generic) (5.1) |
| .exe | Generic Win/DOS Executable (2.2) |
| .exe | DOS Executable Generic (2.2) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:11:28 02:12:29+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 592384 |
| InitializedDataSize: | 6656 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9299a |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | AYhmAxFSR.exe |
| LegalCopyright: | |
| OriginalFileName: | AYhmAxFSR.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 276 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Media Player Network Sharing Service Configuration Application | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 564 | "C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe" | C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe | — | explorer.exe | admin | — | MEDIUM | — | 3221226540 | 0.0.0.0 |
| 924 | /c del "C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe" | C:\Windows\System32\cmd.exe | — | wlanext.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1388 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1448 | "C:\Windows\System32\wlanext.exe" | C:\Windows\System32\wlanext.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Wireless LAN 802.11 Extensibility Framework | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2512 | "C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe" | C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe | — | Quotation-#1_Hot rolled marking machine cable installation work.exe | admin | — | HIGH | — | 0 | 0.0.0.0 |
| 2916 | "C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe" | C:\Users\admin\AppData\Local\Temp\Quotation-#1_Hot rolled marking machine cable installation work.exe | | explorer.exe | admin | — | HIGH | — | 0 | 0.0.0.0 |

| (PID) Process: | (1448) wlanext.exe |
|---|---|
| Family: | FormBook |
| C2: | www.nursing-degree1.online/sa12/ |
| Strings (79): | USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate dat= f-start f-end |
| Decoy C2 (64): | retainmyexcellent.com, presentescomamor.com, tractors-29304.bond, schule-der-hippologie.com, flyoe.shop, monolithtf.com, sparksvideo.com, gotasexysecret.com, wildthing-wooddesign.com, nursesgino.com, ahapodcast.com, solarpowerpanel01.space, wb-education.space, harshasirimanna.com, slotmachinesonline3.fun, ygarments.com, kreads.com, suspended-host.com, 888fo.live, adorabletool.com, trpdumzraj.top, kravmagahellas.com, 0umsyqf2.xyz, n9885.com, detinapalube.com, amcyb.top, zely8.xyz, myaideal.com, onepledgefoundation.com, blur01.com, zcnccq.com, kaleidabit.online, shopnooka.com, herewegotheshow.online, httdivineskincareco.com, disukatravel.com, riddhientertainment.com, riverguardians.net, kaaninokulu5.shop, aitrucksforsale.com, disanapianta.fun, pgslot999v.com, thailandslot138.xyz, vanguardhealthservices.com, newcommerce.store, swevpl.xyz, giupsolution.com, 3xohj8.top, baidulink.com, fayansdosemehizmeti.site, tirevibe.com, thecaomomo.com, funfactsgirl.com, qxdjknjnkwqz.com, pc28.live, ranigk.top, spiritualitylab.online, 11deagosto.com, aristoteetcie.com, giugiuba.com, stove-pt.bond, dpainterhg.live, kuzaca.com, cg-properties.com |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (1388) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | write | CheckSetting | — |
| (1388) explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US |
| (276) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{FE95C776-7A43-453A-9472-5851F8221939}\{63F65233-9619-4FD1-921F-F66D6E059394} | delete key | (default) | — |
| (276) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{FE95C776-7A43-453A-9472-5851F8221939} | delete key | (default) | — |
| (276) wmpnscfg.exe | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{513A9FD7-4F03-4D52-8205-EC4A88D35954} | delete key | (default) | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1388 | explorer.exe | GET | 403 | 35.186.223.180:80 | http://www.11deagosto.com/sa12/?PPx=IISwtXjx5ngY/NYhM9NYY2eetqYwhEG5bldi+LS30Y3q1RuHGPLak/Pz236nh/EYs3XWvA==&3fs=Jz9L_rT | unknown | html | 134 b | unknown |
| 1388 | explorer.exe | GET | 301 | 37.140.192.129:80 | http://www.qxdjknjnkwqz.com/sa12/?PPx=YMnu32K5vnGIAzsuNI+kXrSaJ/gb07KEbGan6XXMUk+VNr2PpFl6tW1ZJb6nG9UUg5OC1g==&3fs=Jz9L_rT | unknown | html | 162 b | unknown |
| 1388 | explorer.exe | GET | 301 | 35.214.229.135:80 | http://www.giugiuba.com/sa12/?PPx=FE0MfgnhGsXOLK4AUhxMAXblxJHYmQq2BbYpweBdehtBOy9CCF368tOo9NCF38CX9wEd+g==&3fs=Jz9L_rT | unknown | — | — | unknown |
| 1388 | explorer.exe | GET | 403 | 185.53.179.94:80 | http://www.stove-pt.bond/sa12/?PPx=FLUq3fU3bwHURwDE4ftDyPnA1UGG00MVWmcpF67JZTTBR3w7142r62017qApcNSBnOPdMg==&3fs=Jz9L_rT | unknown | html | 146 b | unknown |
| 1388 | explorer.exe | GET | — | 172.67.213.85:80 | http://www.kuzaca.com/sa12/?PPx=HEyJ14t27Tt4w66eknS4cCro3Mh9h61cQJpxQ6aE8VwetNeoTm22GB1+fehwrj5RCK9PFw==&3fs=Jz9L_rT | unknown | — | — | unknown |
| 1388 | explorer.exe | GET | 200 | 64.190.62.22:80 | http://www.nursing-degree1.online/sa12/?PPx=3Xum2u5dFJjE0SiPC2lsYYh7radjeJDjsdfSuFcgRnrUT2wYZOZFpotiLsZsc9R+LbijKg==&3fs=Jz9L_rT | unknown | html | 21.4 Kb | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 1388 | explorer.exe | 172.67.213.85:80 | www.kuzaca.com | CLOUDFLARENET | US | unknown |
| 1388 | explorer.exe | 185.53.179.94:80 | www.stove-pt.bond | Team Internet AG | DE | unknown |
| 1388 | explorer.exe | 35.214.229.135:80 | www.giugiuba.com | GOOGLE | NL | unknown |
| 1388 | explorer.exe | 37.140.192.129:80 | www.qxdjknjnkwqz.com | Domain names registrar REG.RU, Ltd | RU | unknown |
| 1388 | explorer.exe | 35.186.223.180:80 | www.11deagosto.com | GOOGLE | US | unknown |
| 1388 | explorer.exe | 64.190.62.22:80 | www.nursing-degree1.online | SEDO GmbH | DE | unknown |
| Domain | IP | Reputation |
|---|---|---|
| www.kuzaca.com | — | unknown |
| www.stove-pt.bond | — | unknown |
| www.giugiuba.com | — | unknown |
| www.qxdjknjnkwqz.com | — | unknown |
| www.thecaomomo.com | — | unknown |
| www.11deagosto.com | — | unknown |
| www.nursing-degree1.online | — | unknown |
| PID | Process | Class | Message |
|---|---|---|---|
| 1388 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |