File name: | MAY STATEMENT 2022.exe |
Full analysis: | https://app.any.run/tasks/3abdb221-595b-4072-9b3a-b202cbc5e680 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2022, 18:51:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | AA16AE223D4AC79E1314F24CF0B31F9C |
SHA1: | 58503502A5AE1EA3A7E890FB51919AFEBBE369E5 |
SHA256: | 3D4E4CBF7473A22F26EC297357C529D540EABE5A9F72A61BA9F077846220FC7E |
SSDEEP: | 6144:B0YV81g2jpY1PTJv0UWeD17n8XeNKCrXGXwMRi:lGNgTN/D172JCuw8i |
.exe | | | NSIS - Nullsoft Scriptable Install System (94.8) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (3.4) |
.dll | | | Win32 Dynamic Link Library (generic) (0.7) |
.exe | | | Win32 Executable (generic) (0.5) |
.exe | | | Generic Win/DOS Executable (0.2) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x32fa |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 119808 |
CodeSize: | 23040 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2007:06:08 23:48:38+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Jun-2007 21:48:38 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 08-Jun-2007 21:48:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000059AC | 0x00005A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45808 |
.rdata | 0x00007000 | 0x0000117A | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.17514 |
.data | 0x00009000 | 0x0001AFD8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.98111 |
.ndata | 0x00024000 | 0x00008000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0002C000 | 0x00000900 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.94449 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00226 | 491 | UNKNOWN | English - United States | RT_MANIFEST |
103 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2584 | "C:\Users\admin\AppData\Local\Temp\MAY STATEMENT 2022.exe" | C:\Users\admin\AppData\Local\Temp\MAY STATEMENT 2022.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3268 | C:\Users\admin\AppData\Local\Temp\fyhultbjbr.exe C:\Users\admin\AppData\Local\Temp\xejjspvnf | C:\Users\admin\AppData\Local\Temp\fyhultbjbr.exe | — | MAY STATEMENT 2022.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4088 | C:\Users\admin\AppData\Local\Temp\fyhultbjbr.exe C:\Users\admin\AppData\Local\Temp\xejjspvnf | C:\Users\admin\AppData\Local\Temp\fyhultbjbr.exe | — | fyhultbjbr.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3280 | "C:\Windows\System32\raserver.exe" | C:\Windows\System32\raserver.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Remote Assistance COM Server Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
980 | /c del "C:\Users\admin\AppData\Local\Temp\fyhultbjbr.exe" | C:\Windows\System32\cmd.exe | — | raserver.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1464 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3280) raserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} |
Operation: | write | Name: | WpadDecisionReason |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2584 | MAY STATEMENT 2022.exe | C:\Users\admin\AppData\Local\Temp\q6z9azglrkdxh | binary | |
MD5:E0000129972701993232C98490FA10F9 | SHA256:1BB0DC1A1B4F0821CBC5DA9B8D8A9F792455B9974E75B5CFD3AAFAAEC29B2DB0 | |||
2584 | MAY STATEMENT 2022.exe | C:\Users\admin\AppData\Local\Temp\xejjspvnf | binary | |
MD5:7D50A973305A8D226606F6F9C768E4B5 | SHA256:0D0221E4E38C9231C96CF49AF24EDABCC78CA934B262E11AA68383539E5E1697 | |||
2584 | MAY STATEMENT 2022.exe | C:\Users\admin\AppData\Local\Temp\nsl933A.tmp | binary | |
MD5:4A13ABA7291B917D82C2794715125408 | SHA256:1CB675DFE1F2AF48AF635959F3F0A3423D9D41263479168841B97D9C1C211984 | |||
2584 | MAY STATEMENT 2022.exe | C:\Users\admin\AppData\Local\Temp\fyhultbjbr.exe | executable | |
MD5:4DEED66FFE97AE7D1BE645C9835CD87A | SHA256:785C15D607683BA7E6360F315DEFEB9582FB8269A9ED585D66D353F7E272AD6D | |||
3280 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\pu6s[1].htm | html | |
MD5:0F67E4A285869357EE229CE24F60E9D4 | SHA256:A9EF11BDF098B181C9CBB75B272531793991C287D15D2477AF07EDEAC69672A8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3280 | raserver.exe | GET | — | 198.54.117.218:80 | http://www.airslot138.info/pu6s/?t6OH7BM=uEiaUhlg/iPRQeORC2e5KvF2vZGOGRtzP5OCEP2JX/tGuLq7D3yPzKOO+LtE2QItuUmNSw==&9rA4D=J4NhX | US | — | — | malicious |
1464 | Explorer.EXE | GET | — | 23.227.38.74:80 | http://www.thegemyard.com/pu6s/?t6OH7BM=CspB/0pbD0Sm3c6Nna1iXgKqtsMw4rF18lgDEchp5BIe17WHAazYYnUzV8mR0fLMbZNl3Q==&9rA4D=J4NhX | CA | — | — | malicious |
1464 | Explorer.EXE | GET | 404 | 151.106.109.247:80 | http://www.munichu.com/pu6s/?t6OH7BM=lqyhzA01Ez1iYwoqIlL+Gr51yCdftISyk+fc2jJLw2y1Gt5ekTp+1JpwqVfZ/tDZRFfwiw==&9rA4D=J4NhX | US | html | 277 b | malicious |
1464 | Explorer.EXE | GET | 404 | 156.250.138.226:80 | http://www.pitfal.com/pu6s/?t6OH7BM=vdVDEYRpadWSaKXPwEYuUtTX2h+wRx1sI308IIL+FOtq+usaxBG0NKXHOoKTvO9+DGiqMg==&9rA4D=J4NhX | ZA | html | 7.27 Kb | malicious |
1464 | Explorer.EXE | GET | 301 | 173.82.139.44:80 | http://www.sikao.life/pu6s/?t6OH7BM=dXZlgp6/kynqAmkeQYogej3gXWE8Yze8qZ93GYlkdWXK5Ms8cD0l5H+3ja+yizgiyOCXQw==&9rA4D=J4NhX | US | html | 162 b | malicious |
3280 | raserver.exe | GET | 200 | 209.99.40.222:80 | http://www.stirka-rf.store/pu6s/?t6OH7BM=NXLXgAL+oqywU7nTAIUS2wWNpcJRw1qA6VHGKc8yoMgH3yjW4B87zGLfE0A/HFn3sfU5pQ==&9rA4D=J4NhX | US | html | 272 b | malicious |
1464 | Explorer.EXE | GET | 404 | 3.126.202.50:80 | http://www.californiasurvivors.com/pu6s/?t6OH7BM=Jf/gCS3I+2LMppSEmS0WmCyiNzSDExzhFYvd/3nTInXDtD95ceovVCg7mGYHPA/r2NN+XA==&9rA4D=J4NhX | US | text | 47 b | malicious |
1464 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.bilibili302.xyz/pu6s/?t6OH7BM=ZrSV9l0mH5Bzf5RR6VECn/Rb+lL1lUxqNS+bxaKexSjSC4taWMoEqdXpZ45qR9X6DKGFuw==&9rA4D=J4NhX | US | html | 291 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1464 | Explorer.EXE | 198.54.117.212:80 | www.airslot138.info | Namecheap, Inc. | US | malicious |
— | — | 198.54.117.217:80 | www.airslot138.info | Namecheap, Inc. | US | malicious |
1464 | Explorer.EXE | 23.227.38.74:80 | www.thegemyard.com | Shopify, Inc. | CA | malicious |
3280 | raserver.exe | 198.54.117.218:80 | www.airslot138.info | Namecheap, Inc. | US | malicious |
1464 | Explorer.EXE | 156.250.138.226:80 | www.pitfal.com | MacroLAN | ZA | malicious |
1464 | Explorer.EXE | 151.106.109.247:80 | www.munichu.com | — | US | malicious |
1464 | Explorer.EXE | 209.99.40.222:80 | www.stirka-rf.store | Confluence Networks Inc | US | malicious |
3280 | raserver.exe | 209.99.40.222:80 | www.stirka-rf.store | Confluence Networks Inc | US | malicious |
1464 | Explorer.EXE | 34.102.136.180:80 | www.bilibili302.xyz | — | US | whitelisted |
1464 | Explorer.EXE | 173.82.139.44:80 | www.sikao.life | MULTACOM CORPORATION | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.salamanderfest.com |
| unknown |
www.thegemyard.com |
| malicious |
www.airslot138.info |
| malicious |
www.munichu.com |
| malicious |
www.pitfal.com |
| malicious |
www.stirka-rf.store |
| malicious |
www.californiasurvivors.com |
| malicious |
www.sikao.life |
| malicious |
www.bilibili302.xyz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1464 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1464 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1464 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1464 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |