File name: 견적 품목 리스트.exe (Korean: "quotation item list.exe")

Full analysis: https://app.any.run/tasks/8a49177d-c81b-4a53-9989-aa58bdccb452
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: March 31, 2020, 09:21:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, formbook, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B38DF2E04686B781BA0ABCECEE9506DB
SHA1: 23E1444E1145BD57D305593FB4623770097CE8A5
SHA256: 5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6
SSDEEP: 1536:S3lP4hxpJeOObvDwf+g0wA569HwKn369x:UQHpJyvDwUc3o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 견적 품목 리스트.exe (PID: 3568)
      • filename1.exe (PID: 2928)
      • ftl0wnnehd4_r.exe (PID: 2068)
      • dwm.exe (PID: 1092)
      • filename1.exe (PID: 1016)
    • Actions look like stealing of personal data

      • dwm.exe (PID: 1092)
    • FORMBOOK was detected

      • dwm.exe (PID: 1092)
      • explorer.exe (PID: 372)
      • Firefox.exe (PID: 3884)
    • Connects to CnC server

      • explorer.exe (PID: 372)
    • Stealing of credential data

      • dwm.exe (PID: 1092)
    • Changes settings of System certificates

      • filename1.exe (PID: 2484)
      • filename1.exe (PID: 2660)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • dwm.exe (PID: 1092)
    • Reads Internet Cache Settings

      • filename1.exe (PID: 2484)
      • filename1.exe (PID: 2660)
    • Executable content was dropped or overwritten

      • 견적 품목 리스트.exe (PID: 3592)
      • DllHost.exe (PID: 2916)
      • ftl0wnnehd4_r.exe (PID: 3156)
    • Application launched itself

      • filename1.exe (PID: 2928)
      • 견적 품목 리스트.exe (PID: 3568)
      • ftl0wnnehd4_r.exe (PID: 2068)
      • filename1.exe (PID: 1016)
    • Creates files in the user directory

      • filename1.exe (PID: 2484)
      • dwm.exe (PID: 1092)
      • filename1.exe (PID: 2660)
    • Executed via COM

      • DllHost.exe (PID: 2916)
    • Creates files in the program directory

      • DllHost.exe (PID: 2916)
    • Loads DLL from Mozilla Firefox

      • dwm.exe (PID: 1092)
    • Starts itself from another location

      • ftl0wnnehd4_r.exe (PID: 3156)
    • Adds / modifies Windows certificates

      • filename1.exe (PID: 2660)
      • filename1.exe (PID: 2484)
  • INFO

    • Reads the hosts file

      • dwm.exe (PID: 1092)
    • Manual execution by user

      • dwm.exe (PID: 1092)
    • Reads settings of System Certificates

      • filename1.exe (PID: 2484)
      • filename1.exe (PID: 2660)
    • Creates files in the user directory

      • Firefox.exe (PID: 3884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll | Win32 Dynamic Link Library (generic) (6.7)
.exe | Win32 Executable (generic) (4.6)
.exe | Generic Win/DOS Executable (2)
.exe | DOS Executable Generic (2)

EXIF

EXE

OriginalFileName: Clockosci4.exe
InternalName: Clockosci4
ProductVersion: 1
FileVersion: 1
ProductName: Mehit2
FileDescription: tint
CompanyName: WONDerware
Comments: WONDerware
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1318
UninitializedDataSize: -
InitializedDataSize: 8192
CodeSize: 90112
LinkerVersion: 6
PEType: PE32
TimeStamp: 2013:10:08 14:38:38+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Oct-2013 12:38:38
Detected languages:
  • English - United States
Comments: WONDerware
CompanyName: WONDerware
FileDescription: tint
ProductName: Mehit2
FileVersion: 1.00
ProductVersion: 1.00
InternalName: Clockosci4
OriginalFilename: Clockosci4.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 08-Oct-2013 12:38:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name  | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                          | Entropy
.text | 0x00001000      | 0x00015754   | 0x00016000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ             | 4.78484
.data | 0x00017000      | 0x00000B90   | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE   | 0
.rsrc | 0x00018000      | 0x00000944   | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                        | 2.00491
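The section table above lists per-section entropy next to the section flags, which is the quickest packing check a triage analyst has. The Python below is an added editorial example, not part of the ANY.RUN report, that walks the same DOS header, COFF header and section table fields with nothing but struct, computes Shannon entropy per section and applies two heuristics: an executable section above 7 bits/byte, and a section that is both writable and executable. It runs against a constructed three-section PE32 built inline with the header values seen above (I386, timestamp 2013-10-08 12:38:38 UTC, characteristics 0x010F). The constructed .text body is deliberately uniform so the packing heuristic trips; the real sample's 4.78 for a VB6 .text would not, which is consistent with TRiD calling it plain Visual Basic 6. Function names, the 7.0 threshold and the sample bytes are the editor's choices.

```python
import math
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table, scoring each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]  # 'Address of NE header' in the report
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER directly follows the 4-byte signature
    machine, nsec, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    magic = struct.unpack_from("<H", image, e_lfanew + 24)[0]  # 0x10B = PE32, 0x20B = PE32+
    table = e_lfanew + 24 + opt_size  # section headers start right after the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        raw = image[rawptr:rawptr + rawsize]
        ent = shannon_entropy(raw)
        executable = bool(flags & IMAGE_SCN_MEM_EXECUTE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": flags, "entropy": ent,
            # Heuristics, not proof (editor's thresholds): packed or encrypted code usually sits
            # above ~7 bits/byte, and a writable+executable section is unusual for compiler output.
            "exec_high_entropy": executable and ent > 7.0,
            "writable_executable": executable and bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": machine,
        "pe_type": "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else hex(magic),
        "number_of_sections": nsec, "characteristics": chars,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed 3-section PE32 (not the analysed sample): headers laid out like the report's,
    section bodies chosen so the entropies come out exactly 8.0 / 0.0 / 1.0."""
    e_lfanew, opt_size = 0xC8, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # I386, 3 sections, 2013-10-08 12:38:38 UTC, no symbols, 0xE0 optional header,
    # RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x5253FCCE, 0, 0, opt_size, 0x010F)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)
    bodies = [
        (b".text", 0x1000, bytes(range(256)) * 4, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, bytes(0x200), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x3000, b"\x00\x01" * 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    raw_ptr, table, data = 0x400, b"", b""
    for name, va, body, flags in bodies:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(body), va, len(body), raw_ptr, 0, 0, 0, 0, flags)
        data += body
        raw_ptr += len(body)
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table
    return image + bytes(0x400 - len(image)) + data


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["pe_type"], hex(info["machine"]), info["timestamp_utc"])
    for s in info["sections"]:
        print(f'{s["name"]:<6} VA=0x{s["virtual_address"]:08X} raw=0x{s["raw_size"]:08X} '
              f'entropy={s["entropy"]:.5f} packed_hint={s["exec_high_entropy"]} W+X={s["writable_executable"]}')
```

To run it on a real file replace build_sample_pe() with open(path, "rb").read(); the parser reads only the headers and the raw section bytes, so a PE with an overlay (data past the last section) is handled without being scored, which is where droppers often keep their payload and worth a separate check.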

Resources

Title | Entropy | Size | Codepage           | Language                | Type
1     | 3.16623 | 644  | Unicode (UTF 16LE) | English - United States | RT_VERSION
30001 | 2.57965 | 304  | Unicode (UTF 16LE) | UNKNOWN                 | RT_ICON
30002 | 1.76987 | 744  | Unicode (UTF 16LE) | UNKNOWN                 | RT_ICON
30003 | 2.07177 | 296  | Unicode (UTF 16LE) | UNKNOWN                 | RT_ICON

Imports

MSVBVM60.DLL
No data.
All screenshots are available in the full report
Total processes: 50 | Monitored processes: 15 | Malicious processes: 11 | Suspicious processes: 0

Behavior graph

Nodes shown in the graph (edges labelled "start" and "drop and start"; details in the full report):
  • 견적 품목 리스트.exe, 견적 품목 리스트.exe
  • filename1.exe, filename1.exe
  • dwm.exe (#FORMBOOK)
  • cmd.exe (no specs)
  • explorer.exe (#FORMBOOK)
  • DllHost.exe: Copy/Move/Rename/Delete/Link Object
  • ftl0wnnehd4_r.exe, ftl0wnnehd4_r.exe
  • firefox.exe (#FORMBOOK, no specs)
  • filename1.exe, filename1.exe
  • autofmt.exe (no specs)
  • cmstp.exe (no specs)

Process information

PID 3568 | Parent process: explorer.exe
  CMD:  "C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe"
  Path: C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe
  User: admin | Company: WONDerware | Integrity Level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 3592 | Parent process: 견적 품목 리스트.exe
  CMD:  "C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe"
  Path: C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe
  User: admin | Company: WONDerware | Integrity Level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 2928 | Parent process: 견적 품목 리스트.exe
  CMD:  "C:\Users\admin\subfolder1\filename1.exe"
  Path: C:\Users\admin\subfolder1\filename1.exe
  User: admin | Company: WONDerware | Integrity Level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 2484 | Parent process: filename1.exe
  CMD:  "C:\Users\admin\subfolder1\filename1.exe"
  Path: C:\Users\admin\subfolder1\filename1.exe
  User: admin | Company: WONDerware | Integrity Level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 1092 | Parent process: explorer.exe
  CMD:  "C:\Windows\System32\dwm.exe"
  Path: C:\Windows\System32\dwm.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Desktop Window Manager | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2272 | Parent process: dwm.exe
  CMD:  /c del "C:\Users\admin\subfolder1\filename1.exe"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 372
  CMD:  C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Explorer | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2916 | Parent process: svchost.exe
  CMD:  C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  Path: C:\Windows\system32\DllHost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: COM Surrogate | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2068 | Parent process: explorer.exe
  CMD:  "C:\Program Files\H9ra4d\ftl0wnnehd4_r.exe"
  Path: C:\Program Files\H9ra4d\ftl0wnnehd4_r.exe
  User: admin | Company: WONDerware | Integrity Level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 3884 | Parent process: dwm.exe
  CMD:  "C:\Program Files\Mozilla Firefox\Firefox.exe"
  Path: C:\Program Files\Mozilla Firefox\Firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity Level: MEDIUM | Description: Firefox | Exit code: 0 | Version: 68.0.1
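Three things in the process table are what an endpoint rule should key on, independently of the FormBook signature itself: dwm.exe (PID 1092) started by explorer.exe under the admin account at MEDIUM integrity, which is not how the Desktop Window Manager is launched on a clean system and which is the process tagged #FORMBOOK here (the "Manual execution by user" signature fires only because its parent is the shell); cmd.exe /c del of the dropped filename1.exe launched from that dwm.exe; and the dropper re-launching its own image from a user-writable path. The Python below is an added editorial example, not ANY.RUN's detection logic, run over constructed process-creation events copied from the table. The parent PIDs (the report names parents by image only), the NEVER_USER_LAUNCHED baseline and the rule names are the editor's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the report's process table. PIDs, images,
# command lines, users and integrity levels are as listed there; ppid values are assumed.
EVENTS = [
    dict(pid=372, ppid=0, image=r"C:\Windows\explorer.exe",
         cmdline=r"C:\Windows\Explorer.EXE", user="admin", integrity="MEDIUM"),
    dict(pid=3568, ppid=372, image=r"C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe",
         cmdline=r'"C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe"', user="admin", integrity="MEDIUM"),
    dict(pid=3592, ppid=3568, image=r"C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe",
         cmdline=r'"C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe"', user="admin", integrity="MEDIUM"),
    dict(pid=2928, ppid=3592, image=r"C:\Users\admin\subfolder1\filename1.exe",
         cmdline=r'"C:\Users\admin\subfolder1\filename1.exe"', user="admin", integrity="MEDIUM"),
    dict(pid=2484, ppid=2928, image=r"C:\Users\admin\subfolder1\filename1.exe",
         cmdline=r'"C:\Users\admin\subfolder1\filename1.exe"', user="admin", integrity="MEDIUM"),
    dict(pid=1092, ppid=372, image=r"C:\Windows\System32\dwm.exe",
         cmdline=r'"C:\Windows\System32\dwm.exe"', user="admin", integrity="MEDIUM"),
    dict(pid=2272, ppid=1092, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'/c del "C:\Users\admin\subfolder1\filename1.exe"', user="admin", integrity="MEDIUM"),
    dict(pid=3884, ppid=1092, image=r"C:\Program Files\Mozilla Firefox\Firefox.exe",
         cmdline=r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', user="admin", integrity="MEDIUM"),
]

# Editor's baseline: Windows components that the interactive shell never starts on a clean
# system. Tune to the environment; this is a list of images, not a list of FormBook targets.
NEVER_USER_LAUNCHED = {"dwm.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe", "wininit.exe"}
# cmd.exe /c del <something>.exe, with or without quotes and with an optional leading image path
SELF_DELETE = re.compile(r'(?:^|\s)/c\s+del\s+"?(?P<target>[^"]+?\.exe)"?\s*$', re.IGNORECASE)


def image_name(event) -> str:
    return PureWindowsPath(event["image"]).name.lower()


def is_user_writable(path: str) -> bool:
    """Locations an unprivileged user can drop into (editor's list; extend for your estate)."""
    p = path.lower().replace("/", "\\")
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def analyze(events):
    """Return (rule, pid, detail) findings over a batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings, injected_hosts = [], set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent) if parent else ""
        name = image_name(e)

        # Rule 1: a core Windows binary spawned by the user's shell. A real dwm.exe is not a child
        # of explorer.exe; a copy that is has almost certainly been started to be hollowed/injected.
        if name in NEVER_USER_LAUNCHED and pname == "explorer.exe":
            injected_hosts.add(e["pid"])
            findings.append(("system_binary_spawned_by_shell", e["pid"], name))

        # Rule 2: cmd.exe deleting an executable in a user-writable path on behalf of a
        # non-shell parent: the classic "delete the dropper after hand-off" step.
        if name == "cmd.exe":
            m = SELF_DELETE.search(e["cmdline"])
            if m and is_user_writable(m.group("target")) and pname not in ("", "explorer.exe", "cmd.exe"):
                findings.append(("dropper_self_delete", e["pid"], m.group("target")))

        # Rule 3: a process in a user-writable directory re-launches its own image
        # (the report's "Application launched itself" for both dropper stages).
        if parent and is_user_writable(e["image"]) and e["image"].lower() == parent["image"].lower():
            findings.append(("self_relaunch", e["pid"], name))

    # Correlation pass: anything started by a Rule 1 host runs on the malware's behalf
    # (here cmd.exe and Firefox.exe under dwm.exe).
    for e in events:
        if e["ppid"] in injected_hosts:
            findings.append(("child_of_injected_host", e["pid"], image_name(e)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:<32} pid={pid:<5} {detail}")
```

The correlation pass matters more than any single rule: on its own, "cmd.exe /c del" of a temp file is noisy, but under a dwm.exe that explorer.exe started at medium integrity it is the end of a well-known chain and is what makes PID 1092 the process to pull memory from.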
Total events: 7 916 | Read events: 780 | Write events: 0 | Delete events: 0

Modification events

No data

Files: Executable files: 3 | Suspicious files: 86 | Text files: 5 | Unknown types: 2

Dropped files

PID 2484 | filename1.exe | C:\Users\admin\AppData\Local\Temp\CabCB18.tmp
  Type: - | MD5: - | SHA256: -
PID 2484 | filename1.exe | C:\Users\admin\AppData\Local\Temp\TarCB19.tmp
  Type: - | MD5: - | SHA256: -
PID 372 | explorer.exe | C:\Users\admin\AppData\Local\Temp\H9ra4d\ftl0wnnehd4_r.exe
  Type: - | MD5: - | SHA256: -
PID 2484 | filename1.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MH99SGTD.txt
  Type: text | MD5: 78DD84CDCF65FB390590066C67D1EACC | SHA256: 0B77970778B69BAB67BBE6C82EDADF6E02E45AA3B4A910B46F1FBEBE850F1D81
PID 2484 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
  Type: binary | MD5: 237E471E5F8016808FC5EDCD4F7CC76E | SHA256: FE77CB97BFF1FA666E25115104A87776BBBBEA5234A26D229A42F2B5A0200DD9
PID 2484 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  Type: der | MD5: BD3E6667B327AA6EDA3166F5A4F44E98 | SHA256: 2FB2FC82FB248AC8004656690111F59B3E6A9A97104841F5F2D8FCCE2ECB4B6C
PID 3592 | 견적 품목 리스트.exe | C:\Users\admin\subfolder1\filename1.exe
  Type: executable | MD5: B38DF2E04686B781BA0ABCECEE9506DB | SHA256: 5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6
PID 1092 | dwm.exe | C:\Users\admin\AppData\Roaming\LKA23647\LKAlogrc.ini
  Type: binary | MD5: 46D8B6AA478B9CA743122F9F9BA4DF19 | SHA256: D48034BD8D645FDD26D26AF805B886CA4B27DF19489E4CD7F9E6AD8B64D32264
PID 2484 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  Type: binary | MD5: 8EE81AA04D1B50E2F9ECF3A6054CECA9 | SHA256: 04F9DD5FD9A70C0869669691930D4C242BFE052FD1D8A12DC0B46C41A4C82C13
PID 3592 | 견적 품목 리스트.exe | C:\Users\admin\subfolder1\filename1.vbs
  Type: text | MD5: FD0F0DF4863066534A70D7A57BA5FE07 | SHA256: 4AA3732E035B8C54983E0F82290C680856212E620A6A36A22B550004EA60CD63
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 12 | TCP/UDP connections: 15 | DNS requests: 29 | Threats: 0

HTTP requests

PID  | Process       | Method | HTTP Code | IP                 | URL | CN | Type       | Size    | Reputation
372  | explorer.exe  | GET    | -         | 157.7.107.191:80   | http://www.breeze-iwaki.com/sa22/?Cj=aVqR6HAn633a0CJFb0zvWIwAu17MGRwlbJTZA4hrfRuurzoYvuYHiLkWVclGBilhP00shQ==&b8T=uTBXnRYHHPXdF | JP | - | - | malicious
372  | explorer.exe  | GET    | -         | 50.63.202.45:80    | http://www.ontariobrokers.info/sa22/?Cj=NsNsxeA2nb3jQHfJSP58UUflimdpAUL5lqMT4jMzDco4Ozfg1kDhAmftq0BCI9VpKhrFHg==&b8T=uTBXnRYHHPXdF&sql=1 | US | - | - | malicious
2484 | filename1.exe | GET    | 200       | 93.184.220.29:80   | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted
1052 | svchost.exe   | GET    | 200       | 93.184.221.240:80  | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.0 Kb | whitelisted
2484 | filename1.exe | GET    | 200       | 93.184.220.29:80   | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
372  | explorer.exe  | GET    | 302       | 23.20.239.12:80    | http://www.plusbeds.com/sa22/?Cj=lPwp5NrjOoVoVBkEecE+isN8ya94pn6NdE0iH+RvZlOOoLUHnShieybD+s46RTHoD6jJlA==&b8T=uTBXnRYHHPXdF&sql=1 | US | html | 184 b | shared
372  | explorer.exe  | POST   | -         | 23.20.239.12:80    | http://www.plusbeds.com/sa22/ | US | - | - | shared
372  | explorer.exe  | POST   | -         | 23.20.239.12:80    | http://www.plusbeds.com/sa22/ | US | - | - | shared
372  | explorer.exe  | POST   | -         | 23.20.239.12:80    | http://www.plusbeds.com/sa22/ | US | - | - | shared
372  | explorer.exe  | POST   | -         | 50.63.202.45:80    | http://www.ontariobrokers.info/sa22/ | US | - | - | malicious

Connections

PID  | Process       | IP                 | Domain                         | ASN                                                  | CN | Reputation
2484 | filename1.exe | 13.107.42.13:443   | onedrive.live.com              | Microsoft Corporation                                | US | malicious
2660 | filename1.exe | 13.107.42.13:443   | onedrive.live.com              | Microsoft Corporation                                | US | malicious
2660 | filename1.exe | 13.107.42.12:443   | hmhxvw.dm.files.1drv.com       | Microsoft Corporation                                | US | suspicious
2484 | filename1.exe | 93.184.220.29:80   | ocsp.digicert.com              | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
372  | explorer.exe  | 23.20.239.12:80    | www.plusbeds.com               | Amazon.com, Inc.                                     | US | shared
2484 | filename1.exe | 13.107.42.12:443   | hmhxvw.dm.files.1drv.com       | Microsoft Corporation                                | US | suspicious
372  | explorer.exe  | 50.63.202.45:80    | www.ontariobrokers.info        | GoDaddy.com, LLC                                     | US | malicious
372  | explorer.exe  | 157.7.107.191:80   | www.breeze-iwaki.com           | GMO Internet,Inc                                     | JP | malicious
1052 | svchost.exe   | 93.184.221.240:80  | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain                         | IP             | Reputation
onedrive.live.com              | 13.107.42.13   | shared
ocsp.digicert.com              | 93.184.220.29  | whitelisted
hmhxvw.dm.files.1drv.com       | 13.107.42.12   | whitelisted
www.breeze-iwaki.com           | 157.7.107.191  | malicious
www.plusbeds.com               | 23.20.239.12   | shared
www.999-proxy.com              | -              | unknown
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
www.siqingbateer.com           | -              | unknown
www.ontariobrokers.info        | 50.63.202.45   | malicious
www.sk836.com                  | -              | unknown

Threats

PID | Process      | Class                           | Message
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
372 | explorer.exe | A Network Trojan was detected   | SPYWARE [PTsecurity] FormBook
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
372 | explorer.exe | A Network Trojan was detected   | SPYWARE [PTsecurity] FormBook
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
372 | explorer.exe | A Network Trojan was detected   | SPYWARE [PTsecurity] FormBook
372 | explorer.exe | A Network Trojan was detected   | SPYWARE [PTsecurity] FormBook
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
372 | explorer.exe | A Network Trojan was detected   | SPYWARE [PTsecurity] FormBook
372 | explorer.exe | A Network Trojan was detected   | SPYWARE [PTsecurity] FormBook
7 ETPRO signatures available at the full report
No debug info