File name: DHL Notification_pdf.exe
Full analysis: https://app.any.run/tasks/c65a9826-a16b-4a1f-b1e3-de435a4ac861
Verdict: Malicious activity
Threats:
FormBook: a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: March 31, 2023, 22:54:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: formbook, trojan, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: E9E8C070B34B395489A18BD9CC5CFE97
SHA1: 5822461D43129B2501EF1E963BD3B4BCC182E40D
SHA256: 3FB2EA468D879582791FB74C6EF0898E45F62B2E22C6B6B1311DEF934957CDE2
SSDEEP: 6144:/Ya6KLv4nsx++b52HokQCkaDsR3XBoQV5KIWanleg/K7rfbiiGi:/Y0LvrJAHI7QYkmnlzS7rAi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • wrlzkzy.exe (PID: 2192)
      • wrlzkzy.exe (PID: 2484)
    • Steals credentials from Web Browsers
      • chkdsk.exe (PID: 2612)
    • Connects to the CnC server
      • explorer.exe (PID: 1960)
    • Actions looks like stealing of personal data
      • chkdsk.exe (PID: 2612)
    • FORMBOOK was detected
      • explorer.exe (PID: 1960)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • DHL Notification_pdf.exe (PID: 2000)
      • chkdsk.exe (PID: 2612)
    • Application launched itself
      • wrlzkzy.exe (PID: 2192)
    • Reads the Internet Settings
      • chkdsk.exe (PID: 2612)
    • Reads browser cookies
      • chkdsk.exe (PID: 2612)
  • INFO
    • Reads the computer name
      • DHL Notification_pdf.exe (PID: 2000)
      • wrlzkzy.exe (PID: 2484)
    • Checks supported languages
      • wrlzkzy.exe (PID: 2484)
      • wrlzkzy.exe (PID: 2192)
      • DHL Notification_pdf.exe (PID: 2000)
    • The process checks LSA protection
      • DHL Notification_pdf.exe (PID: 2000)
      • chkdsk.exe (PID: 2612)
    • Process checks computer location settings
      • wrlzkzy.exe (PID: 2484)
    • Create files in a temporary directory
      • DHL Notification_pdf.exe (PID: 2000)
      • chkdsk.exe (PID: 2612)
    • Manual execution by a user
      • chkdsk.exe (PID: 2612)
    • Creates files or folders in the user directory
      • chkdsk.exe (PID: 2612)
    • Checks proxy server information
      • chkdsk.exe (PID: 2612)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductName: 8.14.47.60
LegalTrademarks: Pro-sicilian
LegalCopyright: Copyright Mirielle
FileVersion: 8.14.47.60
FileDescription: sastrugi
CompanyName: Merrie
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 8.14.47.60
FileVersionNumber: 8.14.47.60
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x3640
UninitializedDataSize: 2048
InitializedDataSize: 141824
CodeSize: 26624
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2021:09:25 21:56:47+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Sep-2021 21:56:47
Detected languages:
  • English - United States
CompanyName: Merrie
FileDescription: sastrugi
FileVersion: 8.14.47.60
LegalCopyright: Copyright Mirielle
LegalTrademarks: Pro-sicilian
ProductName: 8.14.47.60

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 25-Sep-2021 21:56:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00006676 | 0x00006800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41746
.rdata | 0x00008000 | 0x0000139A | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14107
.data | 0x0000A000 | 0x00020378 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.11058
.ndata | 0x0002B000 | 0x00010000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x0003B000 | 0x00000CE0 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.22466

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.29934 | 830 | UNKNOWN | English - United States | RT_MANIFEST
103 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 38
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 3

Behavior graph

(Interactive process graph; only its node and edge labels survive in this extract.) Nodes: dhl notification_pdf.exe, wrlzkzy.exe (no specs), wrlzkzy.exe (no specs), chkdsk.exe, explorer.exe (#FORMBOOK), firefox.exe (no specs). Edge labels: "drop and start", "start".

Process information

PID: 2000
CMD: "C:\Users\admin\AppData\Local\Temp\DHL Notification_pdf.exe"
Path: C:\Users\admin\AppData\Local\Temp\DHL Notification_pdf.exe
Parent process: explorer.exe
User: admin
Company: Merrie
Integrity Level: MEDIUM
Description: sastrugi
Exit code: 0
Version: 8.14.47.60
Modules (Images):
  • c:\users\admin\appdata\local\temp\dhl notification_pdf.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\cryptbase.dll

PID: 2192
CMD: "C:\Users\admin\AppData\Local\Temp\wrlzkzy.exe" C:\Users\admin\AppData\Local\Temp\irwxzea.nf
Path: C:\Users\admin\AppData\Local\Temp\wrlzkzy.exe
Parent process: DHL Notification_pdf.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\wrlzkzy.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2484
CMD: "C:\Users\admin\AppData\Local\Temp\wrlzkzy.exe"
Path: C:\Users\admin\AppData\Local\Temp\wrlzkzy.exe
Parent process: wrlzkzy.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\wrlzkzy.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\system32\user32.dll

PID: 2612
CMD: "C:\Windows\SysWOW64\chkdsk.exe"
Path: C:\Windows\SysWOW64\chkdsk.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Check Disk Utility
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\syswow64\chkdsk.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1960
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 3036
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: chkdsk.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 67.0.4
Modules (Images):
  • c:\windows\system32\ntdll.dll
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\dbghelp.dll
Total events: 3 742
Read events: 3 714
Write events: 28
Delete events: 0

Modification events

(PID) Process: (1960) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: (not captured in this extract)

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2612) chkdsk.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E707030005001F001600370020000903010000001E768127E028094199FEB9D127C57AFE
Executable files: 4
Suspicious files: 8
Text files: 2
Unknown types: 4

Dropped files

PID | Process | Filename | Type
2000 | DHL Notification_pdf.exe | C:\Users\admin\AppData\Local\Temp\nslFEBA.tmp | obj
  MD5: BF608C77D55764DBE793514EBFD026AE
  SHA256: 4E48DD2367C393DDBAA629161CDA30300B70F46E72A711211FDFEA817CBA70AB
2000 | DHL Notification_pdf.exe | C:\Users\admin\AppData\Local\Temp\wrlzkzy.exe | executable
  MD5: 6B34E3F7BF37F2269E6F86CAE8E24EA1
  SHA256: 16C3749C576220726436BAB7A636C6EBE3E40FB7D5856D7570D421FAFC4703BD
2612 | chkdsk.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\sqlite-dll-win32-x86-3150000[1].zip | compressed
  MD5: 16F94AEE2D9A53BF8E58722679063051
  SHA256: 43A12CC1C155D0BB9686A1FCBC90BABC9E99DBEC475BDDC2ACACF31BD2B159E8
2612 | chkdsk.exe | C:\Users\admin\AppData\Local\Temp\146E771M | sqlite
  MD5: C72DB02959D2F97D090B0051EE963AD7
  SHA256: 6D8285E102CD46A9379778B223651ECEE043321E436DD15C2354EC59F5EB22A5
2000 | DHL Notification_pdf.exe | C:\Users\admin\AppData\Local\Temp\irwxzea.nf | binary
  MD5: 6AE5403C5208EF1BE21DA0CD8A2A6148
  SHA256: 0A6EAF357EDAFED3B457A7038A9BE8B4E323B2D87E12A3414BE212A262CD8A21
2000 | DHL Notification_pdf.exe | C:\Users\admin\AppData\Local\Temp\mzwei.nv | binary
  MD5: E75BF2ACEC6E9A536F58BA066EC0E05A
  SHA256: 603420DAC511CB1C0A550F6DB3B2F49DA1D18A258F4F7110DD041EE2BE35E4EE
2612 | chkdsk.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.def | text
  MD5: DE71633DE073966EB5D5F787EAC989BB
  SHA256: C810A7589A228352269413CC503647DF82B4320B7C0B596A15D2842DAC7F843A
2612 | chkdsk.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.dll | executable
  MD5: EDA40EA55FF2EB2A2E5ACA836BB1CC26
  SHA256: 330B88EACB778B86DFF1A90189121E8B3280723BE9FBF4E55174EDE2BBF74AF0
2612 | chkdsk.exe | C:\Users\admin\AppData\Local\Temp\hpt0zji.zip | compressed
  MD5: 16F94AEE2D9A53BF8E58722679063051
  SHA256: 43A12CC1C155D0BB9686A1FCBC90BABC9E99DBEC475BDDC2ACACF31BD2B159E8
HTTP(S) requests: 17
TCP/UDP connections: 17
DNS requests: 7
Threats: 0

HTTP requests

(A "-" marks a cell that is empty in this extract.)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1960 | explorer.exe | GET | 404 | 1.13.186.125:80 | http://www.yongleproducts.com/hpb7/?Y-p2B=qNzMMFnF92wYqbyhBvQ7zM5jcX+6jv71hiqfKssSJUPL9XRjbsSUJzKaVPwC8x9DIQVoJ+5/LC2nrwA4dkakQ5sPF8EvHNF3DFyosAA=&cuL4=9ylF2tZLB00u149N | CN | - | - | unknown
- | - | GET | 301 | 219.94.129.181:80 | http://www.kunimi.org/hpb7/?Y-p2B=LsyOeIgM/ET1t5hYUZiec4iAFf8BbadDrF81hKHttqb/Il/dsCib26KgbPV36gXtCptTWNXumMF05ODE+tNCealq4+xz/lTHIwC5ICM=&cuL4=9ylF2tZLB00u149N | JP | - | - | malicious
1960 | explorer.exe | POST | - | 219.94.129.181:80 | http://www.kunimi.org/hpb7/ | JP | - | - | malicious
1960 | explorer.exe | POST | - | 219.94.129.181:80 | http://www.kunimi.org/hpb7/ | JP | - | - | malicious
1960 | explorer.exe | POST | - | 162.0.231.77:80 | http://www.traindic.top/hpb7/ | US | - | - | suspicious
1960 | explorer.exe | POST | - | 219.94.129.181:80 | http://www.kunimi.org/hpb7/ | JP | - | - | malicious
1960 | explorer.exe | POST | 404 | 198.46.160.97:80 | http://www.0dhy.xyz/hpb7/ | US | html | 123 b | suspicious
2612 | chkdsk.exe | GET | 200 | 45.33.6.223:80 | http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip | US | compressed | 429 Kb | whitelisted
1960 | explorer.exe | POST | - | 219.94.129.181:80 | http://www.kunimi.org/hpb7/ | JP | - | - | malicious
1960 | explorer.exe | POST | - | 219.94.129.181:80 | http://www.kunimi.org/hpb7/ | JP | - | - | malicious

Connections

(A "-" marks a cell that is empty in this extract.)

PID | Process | IP | Domain | ASN | CN | Reputation
1960 | explorer.exe | 1.13.186.125:80 | www.yongleproducts.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
- | - | 198.46.160.97:80 | www.0dhy.xyz | AS-COLOCROSSING | US | suspicious
- | - | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious
1960 | explorer.exe | 162.0.231.77:80 | www.traindic.top | NAMECHEAP-NET | US | suspicious
1960 | explorer.exe | 219.94.129.181:80 | www.kunimi.org | SAKURA Internet Inc. | JP | malicious
1960 | explorer.exe | 198.46.160.97:80 | www.0dhy.xyz | AS-COLOCROSSING | US | suspicious
- | - | 219.94.129.181:80 | www.kunimi.org | SAKURA Internet Inc. | JP | malicious

DNS requests

(A "-" marks a cell that is empty in this extract.)

Domain | IP | Reputation
www.yongleproducts.com | 1.13.186.125 | unknown
www.sqlite.org | 45.33.6.223 | whitelisted
www.0dhy.xyz | 198.46.160.97 | suspicious
www.kunimi.org | 219.94.129.181 | unknown
www.amirah.cfd | - | malicious
www.bisarropainting.com | - | unknown
www.traindic.top | 162.0.231.77 | suspicious

Threats

(A "-" marks a cell that is empty in this extract.)

PID | Process | Class | Message
1960 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1960 | explorer.exe | Unknown Classtype | ET MALWARE FormBook CnC Checkin (POST) M2
1960 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1960 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1960 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1960 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1960 | explorer.exe | Unknown Classtype | ET MALWARE FormBook CnC Checkin (POST) M2
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1960 | explorer.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
1960 | explorer.exe | Unknown Classtype | ET MALWARE FormBook CnC Checkin (POST) M2
5 ETPRO signatures available at the full report
No debug info