analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | PO-HN1900021811.exe |
| Full analysis: | https://app.any.run/tasks/77a79e17-85b4-4dd5-bef5-9539285060bf |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | August 26, 2019, 03:49:24 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 32799555914A7D37038E13E8FA86F9D1 |
| SHA1: | EA0ECFFB82C5549C4C2074642A22DE8CF8F8DE9F |
| SHA256: | 58DB2E9ED2651BB1D830F21D7632D0E84051E94EDA7478E7BAB9CBEB6E19825D |
| SSDEEP: | 24576:KXpbEX0p2uiaUAdLOwPYlhqvN+V5R6ot/I3PlmfG8sZiJMJ3Fo9+myCzE:ebEX42uixA8daNa |
MALICIOUS
Connects to CnC server
- explorer.exe (PID: 276)
FORMBOOK was detected
- explorer.exe (PID: 276)
Formbook was detected
- dwm.exe (PID: 2712)
Changes the autorun value in the registry
- dwm.exe (PID: 2712)
Actions looks like stealing of personal data
- dwm.exe (PID: 2712)
Stealing of credential data
- dwm.exe (PID: 2712)
SUSPICIOUS
Executes scripts
- PO-HN1900021811.exe (PID: 3060)
Starts CMD.EXE for commands execution
- dwm.exe (PID: 2712)
Loads DLL from Mozilla Firefox
- dwm.exe (PID: 2712)
Creates files in the user directory
- dwm.exe (PID: 2712)
INFO
Manual execution by user
- dwm.exe (PID: 2712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:07:05 20:22:30+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 514048 |
| InitializedDataSize: | 384512 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7f69e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
35
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3060 | "C:\Users\admin\AppData\Local\Temp\PO-HN1900021811.exe" | C:\Users\admin\AppData\Local\Temp\PO-HN1900021811.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 704 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | PO-HN1900021811.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
| 2712 | "C:\Windows\System32\dwm.exe" | C:\Windows\System32\dwm.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3576 | /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\System32\cmd.exe | — | dwm.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 276 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
24
Read events
23
Write events
1
Delete events
0
Modification events
| (PID) Process: | (2712) dwm.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | D8E4ATBP0F3 |
Value: C:\Program Files\Ucpxdclj\colorcplhnclm4t8.exe | |||
Executable files
0
Suspicious files
71
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2712 | dwm.exe | C:\Users\admin\AppData\Roaming\10R8NT0E\10Rlogrc.ini | binary | |
MD5:7D4ABD22AFD15A9F5F54A3A29F9491B9 | SHA256:AD30D824A6A98DF53784F88F3559C2BB4BD1E638534C654D8A23D766457477AE | |||
| 2712 | dwm.exe | C:\Users\admin\AppData\Roaming\10R8NT0E\10Rlogri.ini | — | |
MD5:— | SHA256:— | |||
| 2712 | dwm.exe | C:\Users\admin\AppData\Roaming\10R8NT0E\10Rlogrv.ini | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
276 | explorer.exe | GET | 404 | 103.67.235.120:80 | http://www.activcrew.com/he/?0Pxdft=kXInW5wJ+RaQRtqT9ETLTyKmpK/PB9a9UYI3Bji2NjTfO1yPEqF65TUw+VLOCS/Gp1oQ/g==&jDfD=JfOpLnBp | AU | html | 162 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
276 | explorer.exe | 103.67.235.120:80 | www.activcrew.com | Dreamscape Networks Limited | AU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.cavedeschouans-jard.com |
| unknown |
www.activcrew.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1 ETPRO signatures available at the full report