File name: 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe

Full analysis: https://app.any.run/tasks/7d139b44-43e5-445b-a856-d25ea531f2e0
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: June 05, 2024, 13:50:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
formbook
xloader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8170ED5DEB6AD823FC7AE0B4D3C0CB4D
SHA1: B851FDA5941039C70879C1C5AAAFE7EE98F1D4F6
SHA256: 6305683C82227F88452F652423871426259657F45FC89AD8802B3E92B49E0380
SSDEEP: 49152:a6WNkebmEFhOHGo4uh68QqyxBXSCXPGms1lw3F0YmKDSd0ujsE58Vq84wE8hnHkq:V4kEm2O0uh68QqoBXSCXPGms1lw3F0Y5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • FORMBOOK has been detected (YARA)

      • 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe (PID: 6300)
    • Drops the executable file immediately after the start

      • 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe (PID: 6300)
  • SUSPICIOUS

    • Executes application which crashes

      • 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe (PID: 6300)
  • INFO

    • Checks supported languages

      • 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe (PID: 6300)
    • Reads mouse settings

      • 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe (PID: 6300)
    • Checks proxy server information

      • WerFault.exe (PID: 6408)
    • Reads the software policy settings

      • WerFault.exe (PID: 6408)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6408)
    • Creates files in a temporary directory

      • 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe (PID: 6300)

Formbook

Process (PID 6300): 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe
C2: www.1wxir.com/da29/
Strings (79):
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:30 10:14:40+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 581632
InitializedDataSize: 503296
UninitializedDataSize: -
EntryPoint: 0x2800a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.1.5.1
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 3.1.5.1
No data.
Total processes: 128
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes (image not included): start, #FORMBOOK 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe, svchost.exe (no specs), werfault.exe

Process information

PID: 6300
CMD: "C:\Users\admin\AppData\Local\Temp\6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe"
Path: C:\Users\admin\AppData\Local\Temp\6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005)
Version: 3.1.5.1
Modules
Images
c:\users\admin\appdata\local\temp\6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 6332
CMD: "C:\Users\admin\AppData\Local\Temp\6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 6408
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6300 -s 748
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 3 798
Read events: 3 798
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 9
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6408 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_6305683c82227f88_17d5beda346a6c057df4fec1f5912c3dbd78c_4a5b88dc_f2264fe5-37d7-4a10-8dbb-9e0f4403bed5\Report.wer |
MD5:
SHA256:

6300 | 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe | C:\Users\admin\AppData\Local\Temp\oxmanship | binary
MD5: F59247A2828278377359E2F5BE925669
SHA256: 392C174760D65447E3A66D67A07A4739A20981455D6704793B5ABB356AF34DED

6408 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe.6300.dmp | dmp
MD5: 0977B51C2E67489E6FF41135A0B59DAC
SHA256: 2600F363B611C7D4946031C5707FC52136B5B4C756C6FFBA92E1AAADC47E4386

6408 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | der
MD5: 23E663AD81C9272BE5114F8C7E4DD1D5
SHA256: E8A891BD9CC0448A7E7A33E03CF14A184069FEE7BF1E2EB853FE06E517562948

6408 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D56.tmp.xml | xml
MD5: 31EB27CBB14629CE40FB9B46CE2F9097
SHA256: A84237DFE4A3BB0E54FBA3954229EA805CB70DB3A63C59E89D22928992D97009

6300 | 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe | C:\Users\admin\AppData\Local\Temp\aut35E3.tmp | binary
MD5: F5946D464F60E29BDCDA3624899A534C
SHA256: 6A282838D43EA1E488BDC8F900E2F9FD1CBF3C15EC6348671D05DD909CBC8F38

6300 | 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe | C:\Users\admin\AppData\Local\Temp\aut35C3.tmp | binary
MD5: 7C46DEB592E83BB7C79BA4D0448E2B8A
SHA256: C999315FE349E4CCEA21CCE0997C90F61C039AEA8D83E4B20D0BDF56817E89E4

6300 | 6305683c82227f88452f652423871426259657f45fc89ad8802b3e92b49e0380.exe | C:\Users\admin\AppData\Local\Temp\supergroups | text
MD5: 3B0590D2C81D7471A2AB8AE373A338A1
SHA256: B7389DE1B8F119672AB5B765DD008E15F1FA3DEDC62CFF2F814E08B6AAD0D73F

6408 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CF7.tmp.WERInternalMetadata.xml | xml
MD5: 19F7F419A20F14CCBFE28DBBEE94F4BA
SHA256: ADA529DA4C4BF4E3A99CD85F0B0D39D066E5C13FC11571840C39C544445E46D0

6408 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B31.tmp.dmp | binary
MD5: F9EED20F5B3AA88D7492F49A48BD3C18
SHA256: D3062963727A8DED37F8F551355C27D5F7CB1A3286CD4BCD290A374E31D2F787
HTTP(S) requests: 9
TCP/UDP connections: 55
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

6408 | WerFault.exe | GET | 200 | 23.213.230.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5076 | svchost.exe | GET | - | 23.217.131.226:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5076 | svchost.exe | GET | 200 | 23.213.230.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
6036 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
5456 | svchost.exe | GET | 200 | 23.217.131.226:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4680 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | unknown
6408 | WerFault.exe | GET | 200 | 23.217.131.226:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
7144 | SIHClient.exe | GET | 200 | 23.217.131.226:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
7144 | SIHClient.exe | GET | 200 | 23.217.131.226:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | - | - | - | unknown
5076 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4364 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
2288 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5076 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6408 | WerFault.exe | 20.42.65.92:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5076 | svchost.exe | 23.213.230.81:80 | crl.microsoft.com | Akamai International B.V. | CA | unknown
6408 | WerFault.exe | 23.213.230.81:80 | crl.microsoft.com | Akamai International B.V. | CA | unknown
5076 | svchost.exe | 23.217.131.226:80 | www.microsoft.com | Joint Stock Company TransTeleCom | RU | unknown

DNS requests

Domain
IP
Reputation
watson.events.data.microsoft.com
  • 20.42.65.92
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.213.230.81
  • 23.213.230.73
whitelisted
www.microsoft.com
  • 23.217.131.226
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.67
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
r.bing.com
  • 95.101.63.217
  • 95.101.63.233
  • 2.17.113.72
  • 95.101.63.224
  • 95.101.63.225
  • 2.17.113.74
  • 95.101.63.234
  • 95.101.63.218
  • 95.101.63.219
whitelisted
go.microsoft.com
  • 184.30.154.152
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

No threats detected
No debug info