File name: | fb.msi |
Full analysis: | https://app.any.run/tasks/5ee1ab4a-ad1d-412b-84ef-e5b484da399e |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | August 25, 2019, 17:10:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0 |
MD5: | EE9F001F43232D7A4CDDD81028198A0F |
SHA1: | 0577D413C9C38D999204A19F560AF179275B710A |
SHA256: | 57792660079BC7EF67D5F4F1C72AADC575FB3F262D905214309598929B38EBB4 |
SSDEEP: | 6144:UEPHzYVe1B9hYHT9X3AJTMZVyVVrLfHwBOBVdijv4DGMnggwIG2lCCxAO54DLQS:UEPMe9hqRmMZIVVnQ8Byjv7Mnf22lC7K |
.msi | | | Microsoft Installer (100) |
---|
Security: | None |
---|---|
Words: | - |
Pages: | 100 |
ModifyDate: | 2013:05:21 11:56:44 |
RevisionNumber: | {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E} |
LastModifiedBy: | devuser |
Template: | ;0 |
Comments: | - |
Keywords: | - |
Author: | www.exetomsi.com |
Subject: | - |
Title: | Exe to msi converter free |
Software: | Windows Installer |
CreateDate: | 2012:09:21 09:56:09 |
LastPrinted: | 2012:09:21 09:56:09 |
CodePage: | Windows Latin 1 (Western European) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3440 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\fb.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3016 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2884 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4000 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3868 | "C:\Windows\Installer\MSID6DE.tmp" | C:\Windows\Installer\MSID6DE.tmp | msiexec.exe | |
User: admin Company: AntGames Integrity Level: MEDIUM Description: GameEnumerations Exit code: 0 Version: 1.4.9.9 | ||||
2936 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYstYCepRBfmlj" /XML "C:\Users\admin\AppData\Local\Temp\tmpACF9.tmp" | C:\Windows\System32\schtasks.exe | MSID6DE.tmp | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3828 | "C:\Windows\Installer\MSID6DE.tmp" | C:\Windows\Installer\MSID6DE.tmp | MSID6DE.tmp | |
User: SYSTEM Company: AntGames Integrity Level: SYSTEM Description: GameEnumerations Exit code: 0 Version: 1.4.9.9 | ||||
2880 | "C:\Windows\System32\dwm.exe" | C:\Windows\System32\dwm.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2072 | /c del "C:\Windows\Installer\MSID6DE.tmp" | C:\Windows\System32\cmd.exe | — | dwm.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
276 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3016 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
3016 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFE2AE87C39E87538F.TMP | — | |
MD5:— | SHA256:— | |||
2884 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
3016 | msiexec.exe | C:\Config.Msi\16d103.rbs | — | |
MD5:— | SHA256:— | |||
3016 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF741A419413B3C1AE.TMP | — | |
MD5:— | SHA256:— | |||
4000 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:8F761032829FB6121AEE77E26DC667A6 | SHA256:F83E1592023B7C8F6C15847F26D30770C0A52E6C7304DBA951EEA437E2737649 | |||
4000 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:27665BEFD7EE296B1102B5DC8CDBAD78 | SHA256:DFDAF526173FE8FD75183C5F7BE616A95F67A1C60C13E9608F1B2347F3B9DC21 | |||
3016 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:95A2E625727F4C2900CF965974FC9363 | SHA256:AF565425A4E8A16BB91B67403E5292528ED51FF14B9B86EEC5BA3AB34CDE70A4 | |||
3016 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{edefb5b3-e6f8-4179-a5fd-9c11fddc7a5c}_OnDiskSnapshotProp | binary | |
MD5:95A2E625727F4C2900CF965974FC9363 | SHA256:AF565425A4E8A16BB91B67403E5292528ED51FF14B9B86EEC5BA3AB34CDE70A4 | |||
4000 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:DA3C515385CC0F2D6CD3F517AE61D210 | SHA256:572A194BDC37ED134560F8D0CF7EA1415FCC823C3946D5D3D93C5F44D12EEBC2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
276 | explorer.exe | GET | 463 | 69.172.201.153:80 | http://www.helloflat.com/h313/?GV=3O3LnUZAqflEDt7mhFCW7/JtoxJh4En3yM7bwSuwdZrMCmc6RYNI6BLX8OatqJw9OSjWJw==&uzsD=jjmPcTbp1 | US | html | 8.64 Kb | malicious |
276 | explorer.exe | GET | — | 162.241.244.43:80 | http://www.nerdyheat.com/h313/?GV=rhl562GZV4GYctQL/y/UQ4lav8+/khNaOuGyneIg+ssPiDBZOrk4Z84kH0O1MwE9BZWBXw==&uzsD=jjmPcTbp1&sql=1 | US | — | — | malicious |
276 | explorer.exe | GET | — | 198.54.117.211:80 | http://www.maileast.com/h313/?GV=iHDzGS4vsiXCeJ1hUwmGv8VBt6qEVu027jsQpD94RY3bqdkDfxX/6Z/yzYHVRc5RojlR2A==&uzsD=jjmPcTbp1 | US | — | — | malicious |
276 | explorer.exe | GET | 301 | 185.230.62.177:80 | http://www.sweetreflectionsbynora.com/h313/?GV=5lsZrOhRs/lGJP7gwryuzMlKPU9myIA4i+dF9Mpk2b6PkYez4g5qSOnMuBV72JEeQ8fe0g==&uzsD=jjmPcTbp1&sql=1 | unknown | — | — | malicious |
276 | explorer.exe | POST | — | 162.241.244.43:80 | http://www.nerdyheat.com/h313/ | US | — | — | malicious |
276 | explorer.exe | POST | — | 162.241.244.43:80 | http://www.nerdyheat.com/h313/ | US | — | — | malicious |
276 | explorer.exe | POST | — | 185.230.62.177:80 | http://www.sweetreflectionsbynora.com/h313/ | unknown | — | — | malicious |
276 | explorer.exe | POST | — | 13.84.162.221:80 | http://www.artemisirt.com/h313/ | US | — | — | malicious |
276 | explorer.exe | POST | — | 162.241.244.43:80 | http://www.nerdyheat.com/h313/ | US | — | — | malicious |
276 | explorer.exe | POST | — | 13.84.162.221:80 | http://www.artemisirt.com/h313/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
276 | explorer.exe | 69.172.201.153:80 | www.helloflat.com | Dosarrest Internet Security LTD | US | malicious |
276 | explorer.exe | 13.84.162.221:80 | www.artemisirt.com | Microsoft Corporation | US | malicious |
276 | explorer.exe | 198.54.117.211:80 | www.maileast.com | Namecheap, Inc. | US | malicious |
276 | explorer.exe | 192.64.115.228:80 | www.menflax.com | Namecheap, Inc. | US | malicious |
276 | explorer.exe | 185.230.62.177:80 | www.sweetreflectionsbynora.com | — | — | malicious |
276 | explorer.exe | 162.241.244.43:80 | www.nerdyheat.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.www464567.com |
| unknown |
www.helloflat.com |
| malicious |
www.nerdyheat.com |
| malicious |
www.artemisirt.com |
| malicious |
www.sweetreflectionsbynora.com |
| malicious |
www.menflax.com |
| malicious |
www.sistema-icarai-de-radio-tv.com |
| unknown |
www.maileast.com |
| malicious |
www.llqd-stories.review |
| unknown |
www.weiduicha.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |