| File name: | REVISED SOA 19-03-25 PDF.exe |
| Full analysis: | https://app.any.run/tasks/ec439fde-b9fc-4606-b030-cc8d0928dfca |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | March 25, 2025, 04:50:06 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 2F2BE19E7DF6549682B6DB140841EF0C |
| SHA1: | 46B52EC65561265ED8936CBE1A4FDF417D87D629 |
| SHA256: | 582C078327541D1459228AEBF38C9471B78E3A2C03CB9C375622209221970709 |
| SSDEEP: | 24576:oZI/a8TeQ5R9BOtuN657AM+Qcvb1sJ3PsPbdehDJCZjs5enw2YrvfrETakI55w2p:oZI/a8TeQ5R9ctuN657t+QcD1sJ3PsPM |
MALICIOUS
Uses Task Scheduler to run other applications
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
FORMBOOK has been detected (YARA)
- raserver.exe (PID: 6456)
FORMBOOK has been detected
- raserver.exe (PID: 6456)
SUSPICIOUS
Process drops legitimate windows executable
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Reads security settings of Internet Explorer
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Executable content was dropped or overwritten
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Starts CMD.EXE for commands execution
- raserver.exe (PID: 6456)
Deletes system .NET executable
- cmd.exe (PID: 3132)
Starts a Microsoft application from unusual location
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
INFO
Reads the computer name
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
- MSBuild.exe (PID: 2096)
Create files in a temporary directory
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Creates files or folders in the user directory
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Checks supported languages
- MSBuild.exe (PID: 2096)
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Reads the machine GUID from the registry
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Process checks computer location settings
- REVISED SOA 19-03-25 PDF.exe (PID: 4880)
Manual execution by a user
- raserver.exe (PID: 6456)
Reads the software policy settings
- slui.exe (PID: 6036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(6456) raserver.exe
C2www.enelog.xyz/a03d/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)nfluencer-marketing-13524.bond
cebepu.info
lphatechblog.xyz
haoyun.website
itiz.xyz
orld-visa-center.online
si.art
alata.xyz
mmarketing.xyz
elnqdjc.shop
ensentoto.cloud
voyagu.info
onvert.today
1fuli9902.shop
otelhafnia.info
rumpchiefofstaff.store
urvivalflashlights.shop
0090.pizza
ings-hu-13.today
oliticalpatriot.net
5970.pizza
arimatch-in.legal
eepvid.xyz
bfootball.net
otorcycle-loans-19502.bond
nline-advertising-34790.bond
behm.info
aportsystems.store
agiararoma.net
agfov4u.xyz
9769.mobi
ome-renovation-86342.bond
kkkk.shop
duxrib.xyz
xurobo.info
leurdivin.online
ive-neurozoom.store
ndogaming.online
dj1.lat
yselection.xyz
52628.xyz
lsaadmart.store
oftware-download-92806.bond
avid-hildebrand.info
orashrine.store
erpangina-treatment-views.sbs
ategorie-polecane-831.buzz
oonlightshadow.shop
istromarmitaria.online
gmgslzdc.sbs
asglobalaz.shop
locarry.store
eleefmestreech.online
inggraphic.pro
atidiri.fun
olourclubbet.shop
eatbox.store
romatografia.online
encortex.beauty
8oosnny.xyz
72266.vip
aja168e.live
fath.shop
argloscaremedia.info
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2076:02:18 04:37:19+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 642560 |
| InitializedDataSize: | 2560 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9ec12 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Compatibility Database |
| FileVersion: | 1.0.0.0 |
| InternalName: | NQGj.exe |
| LegalCopyright: | Copyright © Microsoft Corporation. All rights reserved. |
| LegalTrademarks: | - |
| OriginalFileName: | NQGj.exe |
| ProductName: | Compatibility Database |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
145
Monitored processes
11
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1912 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2088 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TsSurBeHosk" /XML "C:\Users\admin\AppData\Local\Temp\tmpF791.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | REVISED SOA 19-03-25 PDF.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2096 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | — | REVISED SOA 19-03-25 PDF.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 2904 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3132 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\SysWOW64\cmd.exe | — | raserver.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4880 | "C:\Users\admin\AppData\Local\Temp\REVISED SOA 19-03-25 PDF.exe" | C:\Users\admin\AppData\Local\Temp\REVISED SOA 19-03-25 PDF.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Compatibility Database Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 5680 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5968 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6036 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6132 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | — | REVISED SOA 19-03-25 PDF.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 4294967295 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
Total events
1 077
Read events
1 077
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4880 | REVISED SOA 19-03-25 PDF.exe | C:\Users\admin\AppData\Roaming\TsSurBeHosk.exe | executable | |
MD5:2F2BE19E7DF6549682B6DB140841EF0C | SHA256:582C078327541D1459228AEBF38C9471B78E3A2C03CB9C375622209221970709 | |||
| 4880 | REVISED SOA 19-03-25 PDF.exe | C:\Users\admin\AppData\Local\Temp\tmpF791.tmp | xml | |
MD5:A5B31AE0A911CE5E9FB16FCC864B1863 | SHA256:ECC701DFA15C2E9DAC7C74232AE6A12ABA9009057FC6C5ADA90A005CD698C660 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
19
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5344 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5376 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5376 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5344 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5344 | backgroundTaskHost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |