download: | api |
Full analysis: | https://app.any.run/tasks/a2d60a92-6312-46ed-8d7a-3a8329381f85 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | October 14, 2019, 12:14:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C348621CA796B09FB51FBAF6DDD9DA9B |
SHA1: | 7B1AC92B87901AACE2C067DC9792140D618B795B |
SHA256: | 50DB34CD43FF22F4F804F73FC890F5B4B709D526DEE6100BAA8ACC9CF281D3FF |
SSDEEP: | 393216:Vb34D51pmVV+oGRy7yiRDapcXObcwH+yGGJsv6tWKFdu9CYQUearRAVuHw/P/:Vz+1poV+oGR2PXObXKAVuu3 |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:10:14 12:05:43+02:00 |
PEType: | PE32 |
LinkerVersion: | 14 |
CodeSize: | 16879104 |
InitializedDataSize: | 11647488 |
UninitializedDataSize: | - |
EntryPoint: | 0xd59514 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 13.5.4.0 |
ProductVersionNumber: | 13.5.4.0 |
FileFlagsMask: | 0x003f |
FileFlags: | Debug |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
CompanyName: | Adlice Software |
FileDescription: | Anti-Malware Scan and Removal |
FileVersion: | 13.5.4.0 |
InternalName: | RogueKiller Anti-Malware |
LegalCopyright: | Copyright Adlice Software(C) 2019 |
LegalTrademarks1: | Adlice Software |
LegalTrademarks2: | Adlice Software |
OriginalFileName: | RogueKiller Anti-Malware |
ProductName: | RogueKiller Anti-Malware |
ProductVersion: | 13.5.4.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 14-Oct-2019 10:05:43 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Adlice Software |
FileDescription: | Anti-Malware Scan and Removal |
FileVersion: | 13.5.4.0 |
InternalName: | RogueKiller Anti-Malware |
LegalCopyright: | Copyright Adlice Software(C) 2019 |
LegalTrademarks1: | Adlice Software |
LegalTrademarks2: | Adlice Software |
OriginalFilename: | RogueKiller Anti-Malware |
ProductName: | RogueKiller Anti-Malware |
ProductVersion: | 13.5.4.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000160 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 14-Oct-2019 10:05:43 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x01018C40 | 0x01018E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60269 |
.rdata | 0x0101A000 | 0x004E6BB4 | 0x004E6C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.35077 |
.data | 0x01501000 | 0x00052440 | 0x00031400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.89602 |
.tls | 0x01554000 | 0x0000000D | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.qtmetadL\x02 | 0x01555000 | 0x0000024C | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 3.15593 |
.gfids | 0x01556000 | 0x00000770 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.97983 |
_RDATA | 0x01557000 | 0x00000124 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51793 |
.rsrc | 0x01558000 | 0x00533D50 | 0x00533E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.88516 |
.reloc | 0x01A8C000 | 0x000AD8A0 | 0x000ADA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64635 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.21878 | 667 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.08492 | 296 | UNKNOWN | English - United States | RT_ICON |
3 | 4.32673 | 3752 | UNKNOWN | English - United States | RT_ICON |
4 | 4.69 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 4.96085 | 1384 | UNKNOWN | English - United States | RT_ICON |
6 | 7.96471 | 21897 | UNKNOWN | English - United States | RT_ICON |
7 | 3.53747 | 16936 | UNKNOWN | English - United States | RT_ICON |
8 | 3.87766 | 9640 | UNKNOWN | English - United States | RT_ICON |
9 | 4.07378 | 6760 | UNKNOWN | English - United States | RT_ICON |
10 | 4.36584 | 4264 | UNKNOWN | English - United States | RT_ICON |
ADVAPI32.dll |
CRYPT32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
MPR.dll |
OLEAUT32.dll |
OPENGL32.dll |
PSAPI.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2436 | "C:\Users\admin\Desktop\api.exe" | C:\Users\admin\Desktop\api.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM | ||||
1944 | "C:\Users\admin\Desktop\api.exe" | C:\Users\admin\Desktop\api.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
2092 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://adlice.com/thanks-downloading-roguekiller/?utm_campaign=roguekiller&utm_source=soft&utm_medium=btn" | C:\Program Files\Internet Explorer\iexplore.exe | api.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2720 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2092 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2644 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ppx[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ppx[1].exe | — | iexplore.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
1160 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | ppx[1].exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: MSBuild.exe Exit code: 0 Version: 4.7.3062.0 built by: NET472REL1 | ||||
3624 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ssdrs[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ssdrs[1].exe | — | iexplore.exe |
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.2.2.13 | ||||
2532 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\odo[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\odo[1].exe | iexplore.exe | |
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.09.0003 | ||||
2064 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\odo[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\odo[1].exe | — | odo[1].exe |
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.09.0003 | ||||
3068 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ssdrs[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ssdrs[1].exe | — | iexplore.exe |
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.2.2.13 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2092 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\thanks-downloading-roguekiller[1].txt | — | |
MD5:— | SHA256:— | |||
1944 | api.exe | C:\ProgramData\RogueKiller\advert | text | |
MD5:397CBB130223A10012C028F74DFE22CD | SHA256:93246526B5B7FDE08925AD22A350FDCA5BC3A45BE7EA4BA6674102CFCE533380 | |||
1944 | api.exe | C:\ProgramData\RogueKiller\config.ini | binary | |
MD5:63C5385BB4EBD97837CE7257C397728C | SHA256:9D6AB3186C01D89B932AAE80B728154928A09240107893AD4ED4B97AAC177764 | |||
1944 | api.exe | C:\ProgramData\RogueKiller\scheduler | text | |
MD5:33BDC95F327314CD002CF5371035F304 | SHA256:7FE10D945C5955A3426FC676D1F3FD322B4CE54350C12B8E67113DB2E7AF2C5E | |||
2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\go_pricing_styles-a0c49f3c83aa74d3e040032fb3adf3d3[1].css | text | |
MD5:5393507C3F025206937EB80806095673 | SHA256:D1D291DEEE625CB7784A60C80AF2C80660CB754D7D0E04BC54B8FF638A08E6C3 | |||
1944 | api.exe | C:\ProgramData\RogueKiller\Debug\RogueKiller Anti-Malware_debug.log | text | |
MD5:6F59D1B70483D4D2AB01D44A2A27E45B | SHA256:8F8E6046CB0543B15A5DAAC122DF8B4492133DB4738E5B02B8EA85C138B9C554 | |||
2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\crayon.min-_2.7.2_beta[1].css | text | |
MD5:CD3C5B5011A2D22BA2F4A6EA95FEC06A | SHA256:21179DEC09544F8096211D2628C182BD03EBE55E1BA80998C7FEF336474D40C9 | |||
2720 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | |
MD5:62BA55A05F620101ABB4177A548F11E6 | SHA256:0592E2F5EEE06D4926728E90B27A45C2BD36E0A967791A9F7216171ED8BBE47F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
352 | explorer.exe | GET | — | 157.7.134.248:80 | http://www.fire-wing.net/y00/?GX=SRbXy3vvOTn/nK7ZexqLbZ5dRDT1AxavuiKDFh811MUAWToECvwAM/7mI4pCeWiUrDXdPA==&uFO4=XPxDeFaPj&sql=1 | JP | — | — | malicious |
352 | explorer.exe | GET | — | 23.227.38.64:80 | http://www.simplycitystore.com/y00/?uFO4=XPxDeFaPj&GX=jTnSyqkhbUqkPi81/jAZr150p6mMk6KO2otj7gnsDXCmyot9frb9xkwS95dAD7bHxA0skA== | CA | — | — | malicious |
1160 | MSBuild.exe | GET | 200 | 216.239.32.21:80 | http://ifconfig.me/ip | US | text | 12 b | shared |
352 | explorer.exe | POST | — | 157.7.134.248:80 | http://www.fire-wing.net/y00/ | JP | — | — | malicious |
352 | explorer.exe | GET | — | 199.192.25.235:80 | http://www.moraxy.com/y00/?GX=i4BOXk/Xe46odwxF56aarnhHHL0HSDKheDxJPoPHHOsFUVfohqOXhRE48+RAtyKXnfdhxQ==&uFO4=XPxDeFaPj | US | — | — | malicious |
352 | explorer.exe | POST | — | 157.7.134.248:80 | http://www.fire-wing.net/y00/ | JP | — | — | malicious |
2720 | iexplore.exe | GET | 200 | 185.43.210.27:80 | http://rescue.slotsoft.net/distrib/ssdrs.exe | GB | executable | 3.35 Mb | suspicious |
2720 | iexplore.exe | GET | 200 | 208.115.234.234:80 | http://milap.net/js/ppx.exe | US | executable | 1.09 Mb | malicious |
352 | explorer.exe | POST | — | 74.208.215.128:80 | http://www.islamicityindex.com/y00/ | US | — | — | malicious |
2092 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2720 | iexplore.exe | 172.217.18.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2092 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1944 | api.exe | 178.33.106.117:443 | download.adlice.com | OVH SAS | FR | suspicious |
2720 | iexplore.exe | 104.27.165.26:443 | adlice.com | Cloudflare Inc | US | shared |
2720 | iexplore.exe | 104.27.164.26:443 | adlice.com | Cloudflare Inc | US | shared |
2720 | iexplore.exe | 104.19.199.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared |
2720 | iexplore.exe | 172.217.22.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
2720 | iexplore.exe | 216.58.207.66:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2720 | iexplore.exe | 172.217.16.174:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2720 | iexplore.exe | 208.115.234.234:80 | milap.net | Limestone Networks, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
download.adlice.com |
| whitelisted |
adflux.adlice.com |
| whitelisted |
adlice.com |
| whitelisted |
www.bing.com |
| whitelisted |
www.adlice.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
cdnjs.cloudflare.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2720 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2720 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1160 | MSBuild.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ifconfig .me) |
1160 | MSBuild.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ifconfig. me) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
— | — | Misc activity | AV INFO DYNAMIC_DNS Query to *.dyndns. Domain |
2720 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain |
2720 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2720 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2720 | iexplore.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
Process | Message |
---|---|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|