| File name: | Compradenuevospedidos.exe |
| Full analysis: | https://app.any.run/tasks/8a97f4b7-9ddd-49a2-a6e6-6dece442514e |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | May 15, 2025, 15:47:21 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 1C7063F644B0423C78453B7ED01EB431 |
| SHA1: | 7476787D8CE99842C0AFBB5BEF4A2B8F16B30126 |
| SHA256: | 4E3E68593A4F252B6D2815E6E1FC744F364F2808EA76192143E480F355E3021D |
| SSDEEP: | 24576:4VdKWePth5MIo7PNHlfJew/5EWV7Q0QYP5Bx8gxgYlCPkuTE/RROfgS0XvuBqKQ:4V5ePthGIo7VHpJew/5EWVc0QYP5Bx8s |
MALICIOUS
Uses Task Scheduler to run other applications
- Compradenuevospedidos.exe (PID: 7812)
FORMBOOK has been detected (SURICATA)
- explorer.exe (PID: 5492)
FORMBOOK has been detected
- systray.exe (PID: 8144)
- explorer.exe (PID: 5492)
FORMBOOK has been detected (YARA)
- systray.exe (PID: 8144)
Connects to the CnC server
- explorer.exe (PID: 5492)
SUSPICIOUS
Executable content was dropped or overwritten
- Compradenuevospedidos.exe (PID: 7812)
Reads security settings of Internet Explorer
- Compradenuevospedidos.exe (PID: 7812)
Contacting a server suspected of hosting an CnC
- explorer.exe (PID: 5492)
Deletes system .NET executable
- cmd.exe (PID: 2800)
Starts CMD.EXE for commands execution
- systray.exe (PID: 8144)
INFO
Creates files or folders in the user directory
- Compradenuevospedidos.exe (PID: 7812)
Reads the machine GUID from the registry
- Compradenuevospedidos.exe (PID: 7812)
.NET Reactor protector has been detected
- Compradenuevospedidos.exe (PID: 7812)
Checks supported languages
- Compradenuevospedidos.exe (PID: 7812)
- RegSvcs.exe (PID: 8108)
Reads the computer name
- Compradenuevospedidos.exe (PID: 7812)
- RegSvcs.exe (PID: 8108)
Process checks computer location settings
- Compradenuevospedidos.exe (PID: 7812)
Create files in a temporary directory
- Compradenuevospedidos.exe (PID: 7812)
Manual execution by a user
- systray.exe (PID: 8144)
Reads the software policy settings
- slui.exe (PID: 7564)
Checks proxy server information
- slui.exe (PID: 7564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(8144) systray.exe
C2www.d0ees.sbs/ad20/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)haenovacreations.shop
oderedcapital.net
istrict9.shop
evthrive.shop
orizonroleplay.shop
aser-hair-removal-329457.sbs
ovellandco.net
reavessportsdul.shop
9es.top
luffytailsmart.store
aser-hair-removal-329879.sbs
laroni.top
lrstudiorecording.online
agen.app
xkrh3.top
elvetvoicetheology.website
194lk.cfd
4n03s3vj9b8ztm.xyz
s3ddd.xyz
itness-apps-s2025s.sbs
sss5.xyz
uismaffei.xyz
aita.online
izac.art
roup-mexico.net
79685.equipment
rtemisbet-art.vip
iethupimg.xyz
ublin-shledrc-acaj.info
ettamachi80.shop
iofertilizers.online
3k3j5m3a.top
bogadosgratismadrid.online
ottous365.shop
nguvenilenlerimizden.xyz
x84q.top
-journey.net
7965.pet
ink8d22.top
orasanlikardesler.online
oikeo88.vip
n-lanjing8.net
hilrrrjhglhut.xyz
fi-hub.xyz
eridyam.uno
gimn.wtf
kidoki.live
kj.pet
t312.xyz
i53.college
ruises-80628.bond
sai1.top
agelmackers.click
adonou.online
xumehe.info
lectrical-work-service.shop
kleszp.xyz
xjbyqsnndjx.xyz
ehmetkamar.net
0nkeys.xyz
coffee.house
5412737.vip
kurp.town
iyuangou.ltd
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (72.2) |
|---|---|---|
| .scr | | | Windows screen saver (12.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (6.4) |
| .exe | | | Win32 Executable (generic) (4.4) |
| .exe | | | Generic Win/DOS Executable (1.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:05:15 08:51:29+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 818176 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc9a92 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | Delivery Market |
| FileVersion: | 1.0.0.0 |
| InternalName: | cywz.exe |
| LegalCopyright: | Copyright © 2016 |
| LegalTrademarks: | - |
| OriginalFileName: | cywz.exe |
| ProductName: | Delivery Market |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
130
Monitored processes
11
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2800 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\SysWOW64\cmd.exe | — | systray.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5492 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7372 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7564 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7812 | "C:\Users\admin\Desktop\Compradenuevospedidos.exe" | C:\Users\admin\Desktop\Compradenuevospedidos.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Delivery Market Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 8036 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lAnNBz" /XML "C:\Users\admin\AppData\Local\Temp\tmp1097.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | Compradenuevospedidos.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8044 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8100 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | Compradenuevospedidos.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 4294967295 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 8108 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | Compradenuevospedidos.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
Total events
4 320
Read events
4 315
Write events
5
Delete events
0
Modification events
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconLayouts |
Value: 00000000000000000000000000000000030001000100010012000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001B000000000000006100700070006C00690063006100740069006F006E0073006300650072007400610069006E002E006A00700067003E0020002000000010000000000000006200650064006F006C006400650072002E0070006E0067003E002000200000001700000000000000630061006D006500720061007300700072006F00700065007200740079002E007200740066003E002000200000001200000000000000660069006E0061006E00630065006D00610079002E007200740066003E00200020000000140000000000000067006900760069006E00670065006100730069006C0079002E007200740066003E002000200000001300000000000000700061007200740066006F00720077006100720064002E007200740066003E00200020000000160000000000000070006F0070006D00610069006E00740065006E0061006E00630065002E007200740066003E0020002000000015000000000000007300650076006500720061006C006400650076006900630065002E0070006E0067003E002000200000001400000000000000790065006C006C006F0077006C00650074007400650072002E006A00700067003E002000200000001D0000000000000043006F006D00700072006100640065006E007500650076006F007300700065006400690064006F0073002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001200000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F0700000000400000A0401100 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconNameVersion |
Value: 1 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts |
| Operation: | write | Name: | LastUpdate |
Value: 930C266800000000 | |||
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7812 | Compradenuevospedidos.exe | C:\Users\admin\AppData\Local\Temp\tmp1097.tmp | xml | |
MD5:B8BFD82C0D0EAAAD3934965F6CFFE596 | SHA256:6068B86FBB7173754DE683E4B259909F5E599AB5469616823570385A7143E4E9 | |||
| 7812 | Compradenuevospedidos.exe | C:\Users\admin\AppData\Roaming\lAnNBz.exe | executable | |
MD5:1C7063F644B0423C78453B7ED01EB431 | SHA256:4E3E68593A4F252B6D2815E6E1FC744F364F2808EA76192143E480F355E3021D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
21
DNS requests
11
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.134:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5492 | explorer.exe | GET | 200 | 3.33.243.145:80 | http://www.coffee.house/ad20/?1b_lPP=1F5fvaggNR2GiHhP6iM3aqhmIvFhl7wWmLrC/a8Ru4zzJEoiC8dd0VgL7wM0v1O1Lel/&tzux=gXChVbm890V8EH | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.48.23.134:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7476 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7564 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5492 | explorer.exe | 3.33.243.145:80 | www.coffee.house | AMAZON-02 | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
www.194lk.cfd |
| unknown |
www.roup-mexico.net |
| unknown |
www.d0ees.sbs |
| unknown |
www.coffee.house |
| malicious |
www.ublin-shledrc-acaj.info |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5492 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |