File name: | 59b77bef509a86fb919f06399ddb7dba4a481b390756f813925d56a2a2ac942a |
Full analysis: | https://app.any.run/tasks/b60ec8ec-2d39-4edc-9abd-50b48e5db7fe |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is distributed as Malware-as-a-Service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to use the FormBook virus. |
Analysis date: | June 19, 2019, 12:26:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0 |
MD5: | 277BE3E1BA28127DA08C0415F5F7CA1C |
SHA1: | B2490AC3C762978BAFC1F3159AEEB4F14C93D1B3 |
SHA256: | 59B77BEF509A86FB919F06399DDB7DBA4A481B390756F813925D56A2A2AC942A |
SSDEEP: | 6144:/EvlSjY4XFGb9gENuscQ11OeEuQPOUl7:/EYjJQbWEsAHOeEuQPd7 |
.msi | Microsoft Installer (100) |
---|---|
CodePage: | Windows Latin 1 (Western European) |
LastPrinted: | 2012:09:21 09:56:09 |
CreateDate: | 2012:09:21 09:56:09 |
Software: | Windows Installer |
Title: | Exe to msi converter free |
Subject: | - |
Author: | www.exetomsi.com |
Keywords: | - |
Comments: | - |
Template: | ;0 |
LastModifiedBy: | devuser |
RevisionNumber: | {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E} |
ModifyDate: | 2013:05:21 11:56:44 |
Pages: | 100 |
Words: | - |
Security: | None |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3000 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\59b77bef509a86fb919f06399ddb7dba4a481b390756f813925d56a2a2ac942a.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2252 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2216 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2240 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2524 | "C:\Windows\Installer\MSI2E01.tmp" | C:\Windows\Installer\MSI2E01.tmp | — | msiexec.exe |
User: admin Company: PiOnEEr Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
2852 | "C:\Windows\Installer\MSI2E01.tmp" | C:\Windows\Installer\MSI2E01.tmp | — | MSI2E01.tmp |
User: SYSTEM Company: PiOnEEr Integrity Level: SYSTEM Exit code: 0 Version: 1.00 | ||||
3844 | "C:\Windows\Installer\MSI2E01.tmp" | C:\Windows\Installer\MSI2E01.tmp | — | MSI2E01.tmp |
User: SYSTEM Company: PiOnEEr Integrity Level: SYSTEM Exit code: 0 Version: 1.00 | ||||
3032 | "C:\Windows\System32\audiodg.exe" | C:\Windows\System32\audiodg.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Audio Device Graph Isolation Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3732 | /c del "C:\Windows\Installer\MSI2E01.tmp" | C:\Windows\System32\cmd.exe | — | audiodg.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
252 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ctfmon.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2252 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
2252 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFBA00C17E17F28AB.TMP | — | — | — |
2240 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 |
2252 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | BDA0B18B2C5BACEF6564CF78FBFEEB98 | 0DFD46790745469C16F315B0D1CB8D628EDBB6E5A5C74A50ECF38591224A39AC |
2216 | vssvc.exe | C: | — | — | — |
2252 | msiexec.exe | C:\Config.Msi\1527e7.rbs | — | — | — |
2252 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFB2CE57F7F5CDE2E0.TMP | — | — | — |
2240 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | C0FB8DAFA2BDB0B65F57D894DB90D158 | 179B4507D5E3C2C9EA1A4B50FBA947D2D52142ECDC5C54D55A0EBDC75EB9CFE8 |
2240 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 188C7EE0F19E555041E7151415671F49 | 2CED5759E1823FE5A532850164FC5501522E73A82A0247314EC6AF1017578AFB |
2252 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{a741b095-4e1e-46fc-a116-3ee15927c055}_OnDiskSnapshotProp | binary | BDA0B18B2C5BACEF6564CF78FBFEEB98 | 0DFD46790745469C16F315B0D1CB8D628EDBB6E5A5C74A50ECF38591224A39AC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
252 | explorer.exe | GET | — | 116.62.65.122:80 | http://www.rongfn.com/ch/?Wx=EZAeHaU8DxYZj7L3zBfc1diHYcj069MslCkKdeIIWTgsN0tr+Vc9MbO8eAGl5XQkDkr9sA==&CPx=lhnx&sql=1 | CN | — | — | malicious |
252 | explorer.exe | GET | — | 35.246.6.109:80 | http://www.pelotaxelmundo.com/ch/?Wx=IuyqOhv3Bw1dAc9JoGHZUYxPqg0Y8/wmTCzawfajS5bNk+Z+VeCNuaZhlvffg0a4smka7A==&CPx=lhnx&sql=1 | US | — | — | malicious |
252 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.pelotaxelmundo.com/ch/ | US | — | — | malicious |
252 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.pelotaxelmundo.com/ch/ | US | — | — | malicious |
252 | explorer.exe | GET | 301 | 89.238.73.29:80 | http://www.cryptbtc.com/ch/?Wx=b3TwIfAoNqXSeyCjnzp92NUGovUzyAx3Rn0bAC93ITBh5XXmDctEOPsFC6v/ZM6UZHBgKA==&CPx=lhnx | DE | html | 325 b | unknown |
252 | explorer.exe | POST | — | 116.62.65.122:80 | http://www.rongfn.com/ch/ | CN | — | — | malicious |
— | — | GET | — | 199.192.23.100:80 | http://www.kervax.com/ch/?Wx=0BnHzfNJGEpa+1AdOV0dNyS1nffdL3u9hZirk4P94qQEohloHJJVj8TKxLIp2Xc664AgmA==&CPx=lhnx | US | — | — | malicious |
252 | explorer.exe | POST | — | 116.62.65.122:80 | http://www.rongfn.com/ch/ | CN | — | — | malicious |
252 | explorer.exe | POST | — | 116.62.65.122:80 | http://www.rongfn.com/ch/ | CN | — | — | malicious |
252 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.pelotaxelmundo.com/ch/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 116.62.65.122:80 | www.rongfn.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
252 | explorer.exe | 89.238.73.29:80 | www.cryptbtc.com | manitu GmbH | DE | unknown |
252 | explorer.exe | 116.62.65.122:80 | www.rongfn.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
252 | explorer.exe | 35.246.6.109:80 | www.pelotaxelmundo.com | — | US | malicious |
— | — | 45.58.41.210:80 | www.freeplatz.com | Atlantic.net, Inc. | US | malicious |
252 | explorer.exe | 45.58.41.210:80 | www.freeplatz.com | Atlantic.net, Inc. | US | malicious |
— | — | 199.192.23.100:80 | — | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.cryptbtc.com | — | unknown |
www.stormbattle.com | — | unknown |
dns.msftncsi.com | — | shared |
www.rongfn.com | — | malicious |
www.pelotaxelmundo.com | — | malicious |
www.freeplatz.com | — | malicious |
www.heartlandresaerch.com | — | unknown |
www.ckpvktkj.com | — | unknown |
www.profile-hones.date | — | unknown |
www.kervax.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |