File name: | arrrrikfb.exe |
Full analysis: | https://app.any.run/tasks/1457e337-1169-48e3-8773-44503343eb0f |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | June 19, 2019, 10:23:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 9FC28C351D32040104059E11A7984FEA |
SHA1: | 3E5814120EE95A0DF6FA8251F47D8DA3F8A611ED |
SHA256: | 5FF8009942C8D11A64221B326487ACDE65A0874B49F63D57F0B0C6BF390FD250 |
SSDEEP: | 6144:eawOeZGSh7oX8yNADuttGfeAamBYsHIt5hqtYWPZH+Kaq3F3p2Lp0KSC5JH5edsW:zXDUCT+HI9qTB+bq3F3I0s5dgqVo |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (62) |
---|---|---|
.exe | | | Win64 Executable (generic) (23.3) |
.dll | | | Win32 Dynamic Link Library (generic) (5.5) |
.exe | | | Win32 Executable (generic) (3.8) |
.exe | | | Win16/32 Executable Delphi generic (1.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:05:12 22:18:37+02:00 |
PEType: | PE32 |
LinkerVersion: | 8 |
CodeSize: | 269824 |
InitializedDataSize: | 691200 |
UninitializedDataSize: | - |
EntryPoint: | 0x43dde |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-May-2019 20:18:37 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 12-May-2019 20:18:37 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00041DE4 | 0x00041E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.93937 |
.rsrc | 0x00044000 | 0x000A8964 | 0x000A8A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.64644 |
.reloc | 0x000EE000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
0 | 2.69055 | 90 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
1 | 2.25632 | 270376 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 4.21757 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.17718 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.57015 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 2.51177 | 67624 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 2.93647 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
119 | 7.83374 | 320000 | Latin 1 / Western European | German - Germany | RT_HTML |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
728 | "C:\Users\admin\Desktop\arrrrikfb.exe" | C:\Users\admin\Desktop\arrrrikfb.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2176 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | arrrrikfb.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3604 | "C:\Windows\System32\NAPSTAT.EXE" | C:\Windows\System32\NAPSTAT.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Access Protection Client UI Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2348 | /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\System32\cmd.exe | — | NAPSTAT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3536 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | NAPSTAT.EXE | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 |
(PID) Process: | (116) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000050E80DDE601AC4419077F1A266F7DC30000000000200000000001066000000010000200000003F83A771961B52F67D495B00F9A83C0528F9416860D173C360C169081E7ACB59000000000E80000000020000200000001D47918765DA2872FBDC062C47BD868A47FADF8B46CC9856338FB23B1BE6DE5830000000F1811E74B480F9E0A4BCFB8ECEC32A4A9B2E2303D005CEDE91B626A8CB1C77958A2CD7077FE7CE648A21C8494A885EE04000000049D602BAF5919EE00C73EFD23791042475C8F016D3990C68D5DA84EF063F7F22FB386509578E21C5497E3E64CF843EF994A964B8415547F1F365C14D8960D264 | |||
(PID) Process: | (3604) NAPSTAT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | VNX8AR58_L |
Value: C:\Program Files\Oq4nhrht8\ttvhht5jd.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
3604 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\1K12621E\1K1logrc.ini | binary | |
MD5:5006D04B1F6E422ECA8F645E21CDBA19 | SHA256:5C5015428123CD8F48B5AB6BB0C7361F2CAE274A76E3C1EE73EBEF3441321D3F | |||
3604 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\1K12621E\1K1logim.jpeg | image | |
MD5:8D6BB270CBF8A5B3540EA76A6D88B257 | SHA256:DD78AFC5233D26BE5FE2EF32DFDFEFABB60A4B78EC16B06D3C4800B127D2D205 | |||
3604 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\1K12621E\1K1logri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE | |||
3604 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\1K12621E\1K1logrv.ini | binary | |
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5 | SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 | |||
3536 | Firefox.exe | C:\Users\admin\AppData\Roaming\1K12621E\1K1logrf.ini | binary | |
MD5:2F245469795B865BDD1B956C23D7893D | SHA256:1662D01A2D47B875A34FC7A8CD92E78CB2BA7F34023C7FD2639CBB10B8D94361 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | — | 203.114.74.40:80 | http://www.pusatsmm.com/ar/?Ar2=gOx7O1z2CjtaijW956sY5IrcYtxDr7OExHMplX/42EW9GCoglEXvl1kys2Do4fqG2uQPsg==&_jG4N=hBclaNlx48&sql=1 | ID | — | — | malicious |
116 | explorer.exe | GET | 404 | 66.96.147.159:80 | http://www.testci20190222014255.com/ar/?Ar2=neWfLw9/OV85BjCM5wKXxzwoM+tcf9ODCfGOAYwIRkfGa2VdmKGkY1/wCxRVVc99xyXOYg==&_jG4N=hBclaNlx48 | US | html | 863 b | malicious |
116 | explorer.exe | POST | — | 203.114.74.40:80 | http://www.pusatsmm.com/ar/ | ID | — | — | malicious |
116 | explorer.exe | POST | — | 203.114.74.40:80 | http://www.pusatsmm.com/ar/ | ID | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 66.96.147.159:80 | www.testci20190222014255.com | The Endurance International Group, Inc. | US | malicious |
116 | explorer.exe | 203.114.74.40:80 | www.pusatsmm.com | NewMedia Express Pte Ltd | ID | malicious |
Domain | IP | Reputation |
---|---|---|
www.testci20190222014255.com |
| malicious |
www.pusatsmm.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |