File name: | 견적 품목 리스트.exe |
Full analysis: | https://app.any.run/tasks/8a49177d-c81b-4a53-9989-aa58bdccb452 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | March 31, 2020, 09:21:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B38DF2E04686B781BA0ABCECEE9506DB |
SHA1: | 23E1444E1145BD57D305593FB4623770097CE8A5 |
SHA256: | 5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6 |
SSDEEP: | 1536:S3lP4hxpJeOObvDwf+g0wA569HwKn369x:UQHpJyvDwUc3o |
.exe | | | Win32 Executable Microsoft Visual Basic 6 (84.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (6.7) |
.exe | | | Win32 Executable (generic) (4.6) |
.exe | | | Generic Win/DOS Executable (2) |
.exe | | | DOS Executable Generic (2) |
OriginalFileName: | Clockosci4.exe |
---|---|
InternalName: | Clockosci4 |
ProductVersion: | 1 |
FileVersion: | 1 |
ProductName: | Mehit2 |
FileDescription: | tint |
CompanyName: | WONDerware |
Comments: | WONDerware |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 1 |
OSVersion: | 4 |
EntryPoint: | 0x1318 |
UninitializedDataSize: | - |
InitializedDataSize: | 8192 |
CodeSize: | 90112 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2013:10:08 14:38:38+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Oct-2013 12:38:38 |
Detected languages: |
|
Comments: | WONDerware |
CompanyName: | WONDerware |
FileDescription: | tint |
ProductName: | Mehit2 |
FileVersion: | 1.00 |
ProductVersion: | 1.00 |
InternalName: | Clockosci4 |
OriginalFilename: | Clockosci4.exe |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 08-Oct-2013 12:38:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00015754 | 0x00016000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.78484 |
.data | 0x00017000 | 0x00000B90 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00018000 | 0x00000944 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.00491 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.16623 | 644 | Unicode (UTF 16LE) | English - United States | RT_VERSION |
30001 | 2.57965 | 304 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30002 | 1.76987 | 744 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30003 | 2.07177 | 296 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3568 | "C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe" | C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe | explorer.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
3592 | "C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe" | C:\Users\admin\AppData\Local\Temp\견적 품목 리스트.exe | 견적 품목 리스트.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
2928 | "C:\Users\admin\subfolder1\filename1.exe" | C:\Users\admin\subfolder1\filename1.exe | 견적 품목 리스트.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
2484 | "C:\Users\admin\subfolder1\filename1.exe" | C:\Users\admin\subfolder1\filename1.exe | filename1.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
1092 | "C:\Windows\System32\dwm.exe" | C:\Windows\System32\dwm.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2272 | /c del "C:\Users\admin\subfolder1\filename1.exe" | C:\Windows\System32\cmd.exe | — | dwm.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
372 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2916 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2068 | "C:\Program Files\H9ra4d\ftl0wnnehd4_r.exe" | C:\Program Files\H9ra4d\ftl0wnnehd4_r.exe | explorer.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
3884 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | dwm.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2484 | filename1.exe | C:\Users\admin\AppData\Local\Temp\CabCB18.tmp | — | |
MD5:— | SHA256:— | |||
2484 | filename1.exe | C:\Users\admin\AppData\Local\Temp\TarCB19.tmp | — | |
MD5:— | SHA256:— | |||
372 | explorer.exe | C:\Users\admin\AppData\Local\Temp\H9ra4d\ftl0wnnehd4_r.exe | — | |
MD5:— | SHA256:— | |||
2484 | filename1.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MH99SGTD.txt | text | |
MD5:78DD84CDCF65FB390590066C67D1EACC | SHA256:0B77970778B69BAB67BBE6C82EDADF6E02E45AA3B4A910B46F1FBEBE850F1D81 | |||
2484 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:237E471E5F8016808FC5EDCD4F7CC76E | SHA256:FE77CB97BFF1FA666E25115104A87776BBBBEA5234A26D229A42F2B5A0200DD9 | |||
2484 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der | |
MD5:BD3E6667B327AA6EDA3166F5A4F44E98 | SHA256:2FB2FC82FB248AC8004656690111F59B3E6A9A97104841F5F2D8FCCE2ECB4B6C | |||
3592 | 견적 품목 리스트.exe | C:\Users\admin\subfolder1\filename1.exe | executable | |
MD5:B38DF2E04686B781BA0ABCECEE9506DB | SHA256:5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6 | |||
1092 | dwm.exe | C:\Users\admin\AppData\Roaming\LKA23647\LKAlogrc.ini | binary | |
MD5:46D8B6AA478B9CA743122F9F9BA4DF19 | SHA256:D48034BD8D645FDD26D26AF805B886CA4B27DF19489E4CD7F9E6AD8B64D32264 | |||
2484 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | binary | |
MD5:8EE81AA04D1B50E2F9ECF3A6054CECA9 | SHA256:04F9DD5FD9A70C0869669691930D4C242BFE052FD1D8A12DC0B46C41A4C82C13 | |||
3592 | 견적 품목 리스트.exe | C:\Users\admin\subfolder1\filename1.vbs | text | |
MD5:FD0F0DF4863066534A70D7A57BA5FE07 | SHA256:4AA3732E035B8C54983E0F82290C680856212E620A6A36A22B550004EA60CD63 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
372 | explorer.exe | GET | — | 157.7.107.191:80 | http://www.breeze-iwaki.com/sa22/?Cj=aVqR6HAn633a0CJFb0zvWIwAu17MGRwlbJTZA4hrfRuurzoYvuYHiLkWVclGBilhP00shQ==&b8T=uTBXnRYHHPXdF | JP | — | — | malicious |
372 | explorer.exe | GET | — | 50.63.202.45:80 | http://www.ontariobrokers.info/sa22/?Cj=NsNsxeA2nb3jQHfJSP58UUflimdpAUL5lqMT4jMzDco4Ozfg1kDhAmftq0BCI9VpKhrFHg==&b8T=uTBXnRYHHPXdF&sql=1 | US | — | — | malicious |
2484 | filename1.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
1052 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.0 Kb | whitelisted |
2484 | filename1.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
372 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.plusbeds.com/sa22/?Cj=lPwp5NrjOoVoVBkEecE+isN8ya94pn6NdE0iH+RvZlOOoLUHnShieybD+s46RTHoD6jJlA==&b8T=uTBXnRYHHPXdF&sql=1 | US | html | 184 b | shared |
372 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.plusbeds.com/sa22/ | US | — | — | shared |
372 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.plusbeds.com/sa22/ | US | — | — | shared |
372 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.plusbeds.com/sa22/ | US | — | — | shared |
372 | explorer.exe | POST | — | 50.63.202.45:80 | http://www.ontariobrokers.info/sa22/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2484 | filename1.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
2660 | filename1.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
2660 | filename1.exe | 13.107.42.12:443 | hmhxvw.dm.files.1drv.com | Microsoft Corporation | US | suspicious |
2484 | filename1.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
372 | explorer.exe | 23.20.239.12:80 | www.plusbeds.com | Amazon.com, Inc. | US | shared |
2484 | filename1.exe | 13.107.42.12:443 | hmhxvw.dm.files.1drv.com | Microsoft Corporation | US | suspicious |
372 | explorer.exe | 50.63.202.45:80 | www.ontariobrokers.info | GoDaddy.com, LLC | US | malicious |
372 | explorer.exe | 157.7.107.191:80 | www.breeze-iwaki.com | GMO Internet,Inc | JP | malicious |
1052 | svchost.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
ocsp.digicert.com |
| whitelisted |
hmhxvw.dm.files.1drv.com |
| whitelisted |
www.breeze-iwaki.com |
| malicious |
www.plusbeds.com |
| shared |
www.999-proxy.com |
| unknown |
www.download.windowsupdate.com |
| whitelisted |
www.siqingbateer.com |
| unknown |
www.ontariobrokers.info |
| malicious |
www.sk836.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |