File name: | thisisformbook_00400000.bin |
Full analysis: | https://app.any.run/tasks/88bdc871-9f50-452c-b7ca-a118f193e578 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it. |
Analysis date: | October 05, 2022, 05:03:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B04F27359E900F9D5B27FBED01BD34BF |
SHA1: | 9B71336614D061AE6B960D16DF3211766B1FA871 |
SHA256: | 461CB71FFB7FABAEC49906891179AC90434FDD95ED255F0F45738A624D3045B0 |
SSDEEP: | 3072:twJNtKkd7XQYdCMWwDgAFGsukONMFbgxQej+sy6s8Hk6fMg+65VZn20:ktKi7AcCogAYcON5xQefnMgPZn |
.exe | DOS Executable Generic (100) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2005-Dec-30 07:31:02 |
e_magic: | MZ |
e_cblp: | 21061 |
e_cp: | 232 |
e_crlc: | - |
e_cparhdr: | 22528 |
e_minalloc: | 59523 |
e_maxalloc: | 35593 |
e_ss: | 33736 |
e_sp: | 15552 |
e_csum: | 139 |
e_ip: | 49411 |
e_cs: | 49283 |
e_ovno: | 65288 |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 200 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberOfSections: | 1 |
TimeDateStamp: | 2005-Dec-30 07:31:02 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | - |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 171560 | 172032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.32226 |
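The section table is the most telling header fact on this page: a single section, .text, 172,032 raw bytes, entropy 7.32 out of a possible 8, where ordinary compiled x86 code sits well below 7. Together with the file name's _00400000 suffix (0x400000 is the default image base of a 32-bit PE) and DOS-header fields the loader ignores carrying values no standard linker emits (e_cparhdr = 22528, e_ovno = 65288), that is the profile of a memory dump of a packed or encrypted payload rather than a compiler-emitted binary. The compilation date should be read as a hint only: TimeDateStamp is a plain integer the author can set to anything. The script below is an added example and not ANY.RUN's tooling: it parses the DOS, COFF and section headers with struct alone, computes per-section Shannon entropy, and raises the flags that apply to this sample. Its input is a constructed minimal PE carrying this report's header values with a seeded pseudo-random section body standing in for the real dump; the 7.0 entropy threshold is a rule of thumb, not a documented constant.

```python
import calendar
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values and IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF spec)
MACHINES = {0x014C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
HIGH_ENTROPY = 7.0  # bits per byte; rule-of-thumb threshold (assumption), compiled code is usually lower


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    entropy = 0.0
    for count in Counter(buf).values():
        p = count / len(buf)
        entropy -= p * math.log2(p)
    return entropy


def triage_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and section headers of a PE image and flag packing indicators."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections, flags = [], []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_table + 40 * i)
        body = data[rawptr:rawptr + rawsize]
        sec = {
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": [n for bit, n in SECTION_FLAGS.items() if chars & bit],
            "entropy": round(shannon_entropy(body), 5),
        }
        sections.append(sec)
        if len(body) < rawsize:
            flags.append("section_%s_truncated" % sec["name"])  # raw data runs past end of file
        if chars & 0x20 and sec["entropy"] > HIGH_ENTROPY:
            flags.append("high_entropy_code_section")          # code that looks compressed or encrypted
    if nsec == 1:
        flags.append("single_section")                         # no separate .data/.rdata/.rsrc
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "number_of_sections": nsec,
        # TimeDateStamp is attacker-controlled; report it, do not trust it
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
        "flags": flags,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for the dumped image (not the real sample): one .text section with the
    header values from this report and a seeded pseudo-random body to mimic packed code."""
    rng = random.Random(1234)
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    ts = calendar.timegm((2005, 12, 30, 7, 31, 2, 0, 0, 0))  # 2005-Dec-30 07:31:02 UTC
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, ts, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 optional-header magic
    sec = struct.pack("<8sIIIIIIHHI", b".text", 171560, 0x1000, len(body), 512,
                      0, 0, 0, 0, 0x60000020)                # CNT_CODE | MEM_EXECUTE | MEM_READ
    return (bytes(dos) + coff + bytes(opt) + sec).ljust(512, b"\0") + body


if __name__ == "__main__":
    import json
    print(json.dumps(triage_pe(build_sample_pe()), indent=2))
```

Run it against the real file with `triage_pe(open(path, "rb").read())`; for a dump like this one the interesting next step is not the header but locating the decrypted payload inside the high-entropy section.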
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3076 | "C:\Users\admin\Desktop\thisisformbook_00400000.bin.exe" | C:\Users\admin\Desktop\thisisformbook_00400000.bin.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3296 | "C:\Windows\System32\audiodg.exe" | C:\Windows\System32\audiodg.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Audio Device Graph Isolation; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1344 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3116 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | audiodg.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 83.0 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty) |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0 |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000003C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
3296 | audiodg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} | write | WpadDecisionReason | 1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3296 | audiodg.exe | GET | 404 | 45.33.6.223:80 | http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080600.zip | US | — | — | whitelisted |
1344 | Explorer.EXE | GET | 200 | 188.114.97.3:80 | http://www.uniquegiftlab.com/tdet/?YPRxRz4x=f/uqFmIzO3+aJeAOQDOR3WsXs9dLDbmI4+Yjf0IU5IAoVYc8qaxVV7AGFpWTC8MtnsSgSD6GYw+n3RsnIE5xpLfqGEwAUInXCNgKd48=&Fdj8-=xNuhZlkhY | US | html | 1.36 Kb | malicious |
1344 | Explorer.EXE | GET | 200 | 64.190.63.111:80 | http://www.caraudiohub-au.site/tdet/?YPRxRz4x=7xDtZY43xQIYbKxn4DD7D53EZ+AfS6ECxaTlMevFq9VPN5WtFC4gEC1HoXOKGgU/hyx/WIPpWdYCYdQ02PK+FDTuuLGk5cS5vg8O6i4=&Fdj8-=xNuhZlkhY | US | html | 21.0 Kb | malicious |
1344 | Explorer.EXE | POST | — | 23.202.231.167:80 | http://www.dumptruckersonly.com/tdet/ | US | — | — | malicious |
1344 | Explorer.EXE | POST | 403 | 64.190.63.111:80 | http://www.caraudiohub-au.site/tdet/ | US | compressed | 110 b | malicious |
1344 | Explorer.EXE | POST | 403 | 64.190.63.111:80 | http://www.caraudiohub-au.site/tdet/ | US | compressed | 110 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 188.114.97.3:80 | www.uniquegiftlab.com | CLOUDFLARENET | NL | malicious |
3296 | audiodg.exe | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious |
1344 | Explorer.EXE | 23.202.231.167:80 | www.dumptruckersonly.com | Akamai International B.V. | US | malicious |
1344 | Explorer.EXE | 64.190.63.111:80 | www.caraudiohub-au.site | SEDO GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.uniquegiftlab.com | | malicious |
www.sqlite.org | | whitelisted |
www.amisens.com | | malicious |
www.caraudiohub-au.site | | malicious |
www.dumptruckersonly.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
1344 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1344 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1344 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1344 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1344 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1344 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1344 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1344 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1344 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1344 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
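Two things in the HTTP, DNS and alert tables above are worth keying a detection on. First, none of the network activity comes from the sample's own process (PID 3076): the sqlite.org download and the WinINet registry writes come from audiodg.exe (PID 3296), a Microsoft audio service binary with no reason to speak HTTP, and every C2 request that tripped the "ET TROJAN FormBook CnC Checkin (GET)" rule comes from Explorer.EXE (PID 1344). Second, the check-ins share one URI path, /tdet/, across three different domains (a fourth, www.amisens.com, was resolved but never contacted, and the POST to www.dumptruckersonly.com got no recorded response), and the two GETs share one query shape: a long base64-looking blob under one parameter name followed by a second parameter whose name ends in a hyphen. The script below is an added example written for this page, not ANY.RUN's or Emerging Threats' logic: it runs a shape heuristic over the report's HTTP rows (constructed inline from the table above), links the POSTs to the GETs by shared path, and emits the resulting IOCs together with the processes that generated them. The regexes are assumptions derived from these six requests and will need tuning on real traffic; the query is split by hand because urllib's parse_qsl would turn the '+' characters in the blob into spaces.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

HttpRow = namedtuple("HttpRow", "pid process method status ip url")

# Constructed from this report's HTTP request table (same rows, same order); status None = no response.
HTTP_ROWS = [
    HttpRow(3296, "audiodg.exe", "GET", 404, "45.33.6.223",
            "http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080600.zip"),
    HttpRow(1344, "Explorer.EXE", "GET", 200, "188.114.97.3",
            "http://www.uniquegiftlab.com/tdet/?YPRxRz4x=f/uqFmIzO3+aJeAOQDOR3WsXs9dLDbmI4+Yjf0IU5IAoVYc8qaxVV7AGFpWTC8MtnsSgSD6GYw+n3RsnIE5xpLfqGEwAUInXCNgKd48=&Fdj8-=xNuhZlkhY"),
    HttpRow(1344, "Explorer.EXE", "GET", 200, "64.190.63.111",
            "http://www.caraudiohub-au.site/tdet/?YPRxRz4x=7xDtZY43xQIYbKxn4DD7D53EZ+AfS6ECxaTlMevFq9VPN5WtFC4gEC1HoXOKGgU/hyx/WIPpWdYCYdQ02PK+FDTuuLGk5cS5vg8O6i4=&Fdj8-=xNuhZlkhY"),
    HttpRow(1344, "Explorer.EXE", "POST", None, "23.202.231.167", "http://www.dumptruckersonly.com/tdet/"),
    HttpRow(1344, "Explorer.EXE", "POST", 403, "64.190.63.111", "http://www.caraudiohub-au.site/tdet/"),
    HttpRow(1344, "Explorer.EXE", "POST", 403, "64.190.63.111", "http://www.caraudiohub-au.site/tdet/"),
]

# Assumptions drawn from the requests on this page, not a published signature:
SHORT_DIR = re.compile(r"/[A-Za-z0-9]{2,8}/")        # a single short directory such as /tdet/
B64ISH = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")      # base64-looking blob long enough to carry data


def split_query_raw(query: str):
    """Split a query string without %-decoding and without turning '+' into spaces."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def is_checkin_get(url: str) -> bool:
    """GET shape seen in this report: short dir, exactly two params, first value a base64-ish blob,
    second parameter name ending in '-'."""
    u = urlsplit(url)
    if not SHORT_DIR.fullmatch(u.path):
        return False
    params = split_query_raw(u.query)
    if len(params) != 2:
        return False
    (_, blob), (tail_name, _) = params
    return bool(B64ISH.fullmatch(blob)) and tail_name.endswith("-")


def triage_http(rows):
    """Flag check-in GETs, then any POST to a path a flagged GET used, and collect IOCs."""
    key = lambda r: (r.pid, r.process, r.method, r.url)
    checkin_paths, hits = set(), []
    for r in rows:
        if r.method == "GET" and is_checkin_get(r.url):
            checkin_paths.add(urlsplit(r.url).path)
            hits.append(key(r))
    for r in rows:
        u = urlsplit(r.url)
        if r.method == "POST" and u.path in checkin_paths and not u.query:
            hits.append(key(r))
    flagged = [r for r in rows if key(r) in hits]
    return {
        "hits": hits,
        "iocs": {
            "domains": sorted({urlsplit(r.url).hostname for r in flagged}),
            "ips": sorted({r.ip for r in flagged}),
            "paths": sorted(checkin_paths),
            "processes": sorted({(r.pid, r.process) for r in flagged}),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_http(HTTP_ROWS)["iocs"], indent=2))
```

The sqlite.org request is deliberately left unflagged: the host is legitimate and the signal there is the requesting process, which is a process-level check, not a URL one.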