File name: 59b77bef509a86fb919f06399ddb7dba4a481b390756f813925d56a2a2ac942a

Full analysis: https://app.any.run/tasks/b60ec8ec-2d39-4edc-9abd-50b48e5db7fe
Verdict: Malicious activity
Threats: FormBook

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: June 19, 2019, 12:26:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
trojan
formbook
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5: 277BE3E1BA28127DA08C0415F5F7CA1C
SHA1: B2490AC3C762978BAFC1F3159AEEB4F14C93D1B3
SHA256: 59B77BEF509A86FB919F06399DDB7DBA4A481B390756F813925D56A2A2AC942A
SSDEEP: 6144:/EvlSjY4XFGb9gENuscQ11OeEuQPOUl7:/EYjJQbWEsAHOeEuQPd7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • FORMBOOK was detected

      • explorer.exe (PID: 252)
    • Changes the autorun value in the registry

      • audiodg.exe (PID: 3032)
    • Actions look like stealing of personal data

      • audiodg.exe (PID: 3032)
    • Formbook was detected

      • audiodg.exe (PID: 3032)
      • Firefox.exe (PID: 3152)
    • Connects to CnC server

      • explorer.exe (PID: 252)
    • Stealing of credential data

      • audiodg.exe (PID: 3032)
  • SUSPICIOUS

    • Executed via COM

      • DrvInst.exe (PID: 2240)
    • Executed as Windows Service

      • vssvc.exe (PID: 2216)
    • Starts Microsoft Installer

      • explorer.exe (PID: 252)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2252)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2252)
    • Starts CMD.EXE for commands execution

      • audiodg.exe (PID: 3032)
    • Loads DLL from Mozilla Firefox

      • audiodg.exe (PID: 3032)
    • Creates files in the user directory

      • audiodg.exe (PID: 3032)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2216)
    • Searches for installed software

      • msiexec.exe (PID: 2252)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 2240)
    • Application was dropped or rewritten from another process

      • MSI2E01.tmp (PID: 2524)
      • MSI2E01.tmp (PID: 2852)
      • MSI2E01.tmp (PID: 3844)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 2240)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2252)
      • MSI2E01.tmp (PID: 2524)
      • MSI2E01.tmp (PID: 2852)
    • Application launched itself

      • MSI2E01.tmp (PID: 2852)
      • MSI2E01.tmp (PID: 2524)
    • Manual execution by user

      • audiodg.exe (PID: 3032)
    • Creates files in the user directory

      • Firefox.exe (PID: 3152)
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2012:09:21 09:56:09
CreateDate: 2012:09:21 09:56:09
Software: Windows Installer
Title: Exe to msi converter free
Subject: -
Author: www.exetomsi.com
Keywords: -
Comments: -
Template: ;0
LastModifiedBy: devuser
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate: 2013:05:21 11:56:44
Pages: 100
Words: -
Security: None
No data.
Total processes: 45
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes in display order (the interactive graph itself is only in the full report): msiexec.exe (drop and start), msiexec.exe, vssvc.exe, drvinst.exe, msi2e01.tmp, msi2e01.tmp, msi2e01.tmp, audiodg.exe (#FORMBOOK), cmd.exe, explorer.exe (#FORMBOOK), firefox.exe (#FORMBOOK)

Process information

  • PID 3000
    CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\59b77bef509a86fb919f06399ddb7dba4a481b390756f813925d56a2a2ac942a.msi"
    Path: C:\Windows\System32\msiexec.exe
    Parent process: explorer.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows® installer
    Exit code: 0
    Version: 5.0.7600.16385 (win7_rtm.090713-1255)
  • PID 2252
    CMD: C:\Windows\system32\msiexec.exe /V
    Path: C:\Windows\system32\msiexec.exe
    Parent process: services.exe
    User: SYSTEM
    Company: Microsoft Corporation
    Integrity Level: SYSTEM
    Description: Windows® installer
    Version: 5.0.7600.16385 (win7_rtm.090713-1255)
  • PID 2216
    CMD: C:\Windows\system32\vssvc.exe
    Path: C:\Windows\system32\vssvc.exe
    Parent process: services.exe
    User: SYSTEM
    Company: Microsoft Corporation
    Integrity Level: SYSTEM
    Description: Microsoft® Volume Shadow Copy Service
    Exit code: 0
    Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  • PID 2240
    CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC"
    Path: C:\Windows\system32\DrvInst.exe
    Parent process: svchost.exe
    User: SYSTEM
    Company: Microsoft Corporation
    Integrity Level: SYSTEM
    Description: Driver Installation Module
    Exit code: 0
    Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  • PID 2524
    CMD: "C:\Windows\Installer\MSI2E01.tmp"
    Path: C:\Windows\Installer\MSI2E01.tmp
    Parent process: msiexec.exe
    User: admin
    Company: PiOnEEr
    Integrity Level: MEDIUM
    Exit code: 0
    Version: 1.00
  • PID 2852
    CMD: "C:\Windows\Installer\MSI2E01.tmp"
    Path: C:\Windows\Installer\MSI2E01.tmp
    Parent process: MSI2E01.tmp
    User: SYSTEM
    Company: PiOnEEr
    Integrity Level: SYSTEM
    Exit code: 0
    Version: 1.00
  • PID 3844
    CMD: "C:\Windows\Installer\MSI2E01.tmp"
    Path: C:\Windows\Installer\MSI2E01.tmp
    Parent process: MSI2E01.tmp
    User: SYSTEM
    Company: PiOnEEr
    Integrity Level: SYSTEM
    Exit code: 0
    Version: 1.00
  • PID 3032
    CMD: "C:\Windows\System32\audiodg.exe"
    Path: C:\Windows\System32\audiodg.exe
    Parent process: explorer.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows Audio Device Graph Isolation
    Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  • PID 3732
    CMD: /c del "C:\Windows\Installer\MSI2E01.tmp"
    Path: C:\Windows\System32\cmd.exe
    Parent process: audiodg.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows Command Processor
    Exit code: 0
    Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  • PID 252
    CMD: C:\Windows\Explorer.EXE
    Path: C:\Windows\explorer.exe
    Parent process: ctfmon.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows Explorer
    Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 508
Read events: 325
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 79
Text files: 60
Unknown types: 0

Dropped files

  • PID 2252, msiexec.exe: C:\System Volume Information\SPP\metadata-2
    Type: (not listed); MD5: (not listed); SHA256: (not listed)
  • PID 2252, msiexec.exe: C:\Users\admin\AppData\Local\Temp\~DFFBA00C17E17F28AB.TMP
    Type: (not listed); MD5: (not listed); SHA256: (not listed)
  • PID 2240, DrvInst.exe: C:\Windows\INF\setupapi.ev3
    Type: binary
    MD5: 76DCC60F78B3DFF1AE3627619074F465
    SHA256: 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
  • PID 2252, msiexec.exe: C:\System Volume Information\SPP\snapshot-2
    Type: binary
    MD5: BDA0B18B2C5BACEF6564CF78FBFEEB98
    SHA256: 0DFD46790745469C16F315B0D1CB8D628EDBB6E5A5C74A50ECF38591224A39AC
  • PID 2216, vssvc.exe: C:
    Type: (not listed); MD5: (not listed); SHA256: (not listed)
  • PID 2252, msiexec.exe: C:\Config.Msi\1527e7.rbs
    Type: (not listed); MD5: (not listed); SHA256: (not listed)
  • PID 2252, msiexec.exe: C:\Users\admin\AppData\Local\Temp\~DFB2CE57F7F5CDE2E0.TMP
    Type: (not listed); MD5: (not listed); SHA256: (not listed)
  • PID 2240, DrvInst.exe: C:\Windows\INF\setupapi.ev1
    Type: binary
    MD5: C0FB8DAFA2BDB0B65F57D894DB90D158
    SHA256: 179B4507D5E3C2C9EA1A4B50FBA947D2D52142ECDC5C54D55A0EBDC75EB9CFE8
  • PID 2240, DrvInst.exe: C:\Windows\INF\setupapi.dev.log
    Type: ini
    MD5: 188C7EE0F19E555041E7151415671F49
    SHA256: 2CED5759E1823FE5A532850164FC5501522E73A82A0247314EC6AF1017578AFB
  • PID 2252, msiexec.exe: C:\System Volume Information\SPP\OnlineMetadataCache\{a741b095-4e1e-46fc-a116-3ee15927c055}_OnDiskSnapshotProp
    Type: binary
    MD5: BDA0B18B2C5BACEF6564CF78FBFEEB98
    SHA256: 0DFD46790745469C16F315B0D1CB8D628EDBB6E5A5C74A50ECF38591224A39AC
HTTP(S) requests: 14
TCP/UDP connections: 14
DNS requests: 28
Threats: 0

HTTP requests

  • PID 252, explorer.exe, GET, 116.62.65.122:80
    URL: http://www.rongfn.com/ch/?Wx=EZAeHaU8DxYZj7L3zBfc1diHYcj069MslCkKdeIIWTgsN0tr+Vc9MbO8eAGl5XQkDkr9sA==&CPx=lhnx&sql=1
    CN: CN; Reputation: malicious
  • PID 252, explorer.exe, GET, 35.246.6.109:80
    URL: http://www.pelotaxelmundo.com/ch/?Wx=IuyqOhv3Bw1dAc9JoGHZUYxPqg0Y8/wmTCzawfajS5bNk+Z+VeCNuaZhlvffg0a4smka7A==&CPx=lhnx&sql=1
    CN: US; Reputation: malicious
  • PID 252, explorer.exe, POST, 35.246.6.109:80
    URL: http://www.pelotaxelmundo.com/ch/
    CN: US; Reputation: malicious
  • PID 252, explorer.exe, POST, 35.246.6.109:80
    URL: http://www.pelotaxelmundo.com/ch/
    CN: US; Reputation: malicious
  • PID 252, explorer.exe, GET, HTTP code 301, 89.238.73.29:80
    URL: http://www.cryptbtc.com/ch/?Wx=b3TwIfAoNqXSeyCjnzp92NUGovUzyAx3Rn0bAC93ITBh5XXmDctEOPsFC6v/ZM6UZHBgKA==&CPx=lhnx
    CN: DE; Type: html; Size: 325 b; Reputation: unknown
  • PID 252, explorer.exe, POST, 116.62.65.122:80
    URL: http://www.rongfn.com/ch/
    CN: CN; Reputation: malicious
  • PID (not listed), process (not listed), GET, 199.192.23.100:80
    URL: http://www.kervax.com/ch/?Wx=0BnHzfNJGEpa+1AdOV0dNyS1nffdL3u9hZirk4P94qQEohloHJJVj8TKxLIp2Xc664AgmA==&CPx=lhnx
    CN: US; Reputation: malicious
  • PID 252, explorer.exe, POST, 116.62.65.122:80
    URL: http://www.rongfn.com/ch/
    CN: CN; Reputation: malicious
  • PID 252, explorer.exe, POST, 116.62.65.122:80
    URL: http://www.rongfn.com/ch/
    CN: CN; Reputation: malicious
  • PID 252, explorer.exe, POST, 35.246.6.109:80
    URL: http://www.pelotaxelmundo.com/ch/
    CN: US; Reputation: malicious

Connections

  • PID (not listed), process (not listed): 116.62.65.122:80, www.rongfn.com, ASN Hangzhou Alibaba Advertising Co.,Ltd., CN, malicious
  • PID 252, explorer.exe: 89.238.73.29:80, www.cryptbtc.com, ASN manitu GmbH, DE, unknown
  • PID 252, explorer.exe: 116.62.65.122:80, www.rongfn.com, ASN Hangzhou Alibaba Advertising Co.,Ltd., CN, malicious
  • PID 252, explorer.exe: 35.246.6.109:80, www.pelotaxelmundo.com, ASN (not listed), US, malicious
  • PID (not listed), process (not listed): 45.58.41.210:80, www.freeplatz.com, ASN Atlantic.net, Inc., US, malicious
  • PID 252, explorer.exe: 45.58.41.210:80, www.freeplatz.com, ASN Atlantic.net, Inc., US, malicious
  • PID (not listed), process (not listed): 199.192.23.100:80, domain (not listed), ASN (not listed), US, malicious

DNS requests

  • www.cryptbtc.com: 89.238.73.29 (unknown)
  • www.stormbattle.com: no IP listed (unknown)
  • dns.msftncsi.com: 131.107.255.255 (shared)
  • www.rongfn.com: 116.62.65.122 (malicious)
  • www.pelotaxelmundo.com: 35.246.6.109 (malicious)
  • www.freeplatz.com: 45.58.41.210 (malicious)
  • www.heartlandresaerch.com: no IP listed (unknown)
  • www.ckpvktkj.com: no IP listed (unknown)
  • www.profile-hones.date: no IP listed (unknown)
  • www.kervax.com: no IP listed (malicious)

Threats

All ten alerts below were raised on PID 252 (explorer.exe), class "A Network Trojan was detected":

  • MALWARE [PTsecurity] FormBook CnC Checkin (GET)
  • MALWARE [PTsecurity] FormBook CnC Checkin (GET)
  • MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
  • MALWARE [PTsecurity] FormBook CnC Checkin (POST)
  • MALWARE [PTsecurity] FormBook CnC Checkin (GET)
  • MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
  • MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
  • MALWARE [PTsecurity] FormBook CnC Checkin (POST)
  • MALWARE [PTsecurity] FormBook CnC Checkin (GET)
  • MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
11 ETPRO signatures available at the full report
No debug info