| File name: | Documents.exe |
| Full analysis: | https://app.any.run/tasks/d684f15f-d03b-4355-a5f2-6f06402b4ddc |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its ease of use, which lets even inexperienced threat actors operate it. |
| Analysis date: | December 19, 2023, 09:09:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 9685B04C347963E4C2E020693B011BA3 |
| SHA1: | 1A8958E2578EE0B8A621CAF3B734485810799398 |
| SHA256: | 659A4586010D7F595E7E25372C8590ED8321E9DE68C316BF50999CFABD48C000 |
| SSDEEP: | 24576:em3XuNysO1CVEE1LX+KfL9xZVoyIiVbkc+RPHHHPqVvTo:em3XuNysO1CVEE1LX+KfJxZVoypVbkcS |
| Extension | File type | Probability (%) |
|---|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) | 63.1 |
| .exe | Win64 Executable (generic) | 23.8 |
| .dll | Win32 Dynamic Link Library (generic) | 5.6 |
| .exe | Win32 Executable (generic) | 3.8 |
| .exe | Generic Win/DOS Executable | 1.7 |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2023:12:18 09:46:54+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 881152 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd918e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | QLNK.Common |
| FileVersion: | 1.0.0.0 |
| InternalName: | FLhhK.exe |
| LegalCopyright: | Copyright © 2016 |
| LegalTrademarks: | - |
| OriginalFileName: | FLhhK.exe |
| ProductName: | QLNK.Common |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2004 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
| 2092 | /c del "C:\Users\admin\AppData\Local\Temp\Documents.exe" | C:\Windows\SysWOW64\cmd.exe | — | wlanext.exe |
| 2212 | "C:\Windows\SysWOW64\wlanext.exe" | C:\Windows\SysWOW64\wlanext.exe | FormBook (config below) | explorer.exe |
| 2984 | "C:\Users\admin\AppData\Local\Temp\Documents.exe" | C:\Users\admin\AppData\Local\Temp\Documents.exe | — | Documents.exe |
| 3004 | "C:\Users\admin\AppData\Local\Temp\Documents.exe" | C:\Users\admin\AppData\Local\Temp\Documents.exe | — | explorer.exe |

Process details:

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2004 | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2092 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2212 | admin | Microsoft Corporation | MEDIUM | Windows Wireless LAN 802.11 Extensibility Framework | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2984 | admin | — | MEDIUM | QLNK.Common | 0 | 1.0.0.0 |
| 3004 | admin | — | MEDIUM | QLNK.Common | 0 | 1.0.0.0 |

Execution chain as recorded: explorer.exe (2004) starts Documents.exe (3004), which starts a second copy of itself (2984); explorer.exe then starts wlanext.exe (2212), a Windows system binary, which in turn runs cmd.exe (2092) to delete the original dropper from %TEMP%. The dropper itself never spawns cmd.exe, and all later network activity (below) is attributed to explorer.exe, which is consistent with FormBook's injection into explorer.exe and a hijacked system process.

FormBook configuration extracted from PID 2212 (wlanext.exe):

| C2: | www.car-insurance-27673.bond/gd12/ |
|---|---|

Strings (79), grouped by purpose:

| Group | Strings |
|---|---|
| Environment variables | USERNAME, LOCALAPPDATA, USERPROFILE, APPDATA, TEMP, ProgramFiles, CommonProgramFiles, ALLUSERSPROFILE |
| Command fragments | `/c copy "`, `/c del "` |
| Registry paths | \Run, \Policies, \Explorer, \Registry\User, \Registry\Machine, \SOFTWARE\Microsoft\Windows\CurrentVersion |
| Outlook profile paths | Office\15.0\Outlook\Profiles\Outlook\, NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ |
| Firefox credential store | \SOFTWARE\Mozilla\Mozilla, \Mozilla, Username:, Password:, formSubmitURL, usernameField, encryptedUsername, encryptedPassword, \logins.json, \signons.sqlite, `SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins` |
| Windows Vault | \Microsoft\Vault\ |
| Chrome credential store | \Google\Chrome\User Data\Default\Login Data, `SELECT origin_url, username_value, password_value FROM logins` |
| Executable extensions | .exe, .com, .scr, .pif, .cmd, .bat |
| Name fragments | ms, win, gdi, mfc, vga, igfx, user, help, config, update, regsvc, chkdsk, systray, audiodg, certmgr, autochk, taskhost, colorcpl, services |
| Cache, cookies, privileges, objects | IconCache, ThumbCache, Cookies, SeDebugPrivilege, SeShutdownPrivilege, \BaseNamedObjects |
| HTTP request template | config.php, POST, HTTP/1.1, Host:, Connection: close, Content-Length:, Cache-Control: no-cache, Origin: http://, User-Agent: Mozilla Firefox/4.0, Content-Type: application/x-www-form-urlencoded, Accept: */*, Referer: http://, Accept-Language: en-US, Accept-Encoding: gzip, deflate, dat=, f-start, f-end |

The Firefox, Chrome, Outlook and Vault strings and the two SQL queries are the credential-harvesting targets; the HTTP template with `config.php` and `dat=` is the POST exfiltration format. Only GET check-ins were observed in this run (see the network sections below).

Decoy C2 (64): createonline.art, opencreativecloud.com, xiaoyidream.com, u4xp.site, gw9.site, xhellox.com, barafinancialservices.com, atarasiisekatu.xyz, blacksmiths-35530.bond, gooogleform.click, racebeadlocks.com, xn--jpq206curflu0c.com, lotteri.icu, lemarcou.com, far31.site, martinwellness.com, wanli320.top, 28enterprise.com, hu3llacanina.com, quagz.com, melbatowing.top, kinovav.online, xuanjiwang.xyz, zjuf2.site, pcwander.com, 2f10vkw5.shop, thunder-bull.com, titanturfgrass.com, taodaishu.com, logantowing.top, metaexpresscompany.com, elixircruises.info, towingwellington-ky.top, bluif.xyz, fh4910.com, misstroublexx.com, floridahomebuyer.us, 4icecream.com, 99crown-sports.com, pangxieztztzt.com, rickvaccaro.com, vservd.online, shooting-studio.mom, stalinjr.com, manxrallyradio.com, plantopiausa.com, mcmillen.app, modernessntls.com, b9rdt.site, mil565.vip, rose55.site, alfawaves.shop, canicrossnerja.com, tube3hub.com, hntntsw.com, jwpi0.site, martlmarkus.net, shufiya.com, thebamboobeddingcompany.com, bibinga.com, usekodius.com, ar16391.com, jyaman3touhei.com, n32ct4x.sbs

Of these, misstroublexx.com, manxrallyradio.com and thunder-bull.com were contacted over HTTP and 2f10vkw5.shop was resolved via DNS during this run; the configured C2 host does not appear in the recorded traffic.
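The process tree above shows the pattern worth alerting on: the dropper (3004, 2984) never runs cmd.exe itself; wlanext.exe (2212), a Windows binary started by explorer.exe, runs `cmd /c del` against the dropper's own path. The Python below is an added detection example, not code from the ANY.RUN report, that encodes this check over process-creation records constructed from the table. The parent PIDs are assumptions derived from the parent-name column, since the report lists parent names only.

```python
import re

# Process records constructed from the process table on this page. The report gives
# parent names, not parent PIDs; the ppid values below are assumed from those names
# (explorer.exe -> 2004, Documents.exe -> 3004, wlanext.exe -> 2212).
PROCESSES = [
    {"pid": 2004, "ppid": None, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 3004, "ppid": 2004, "image": r"C:\Users\admin\AppData\Local\Temp\Documents.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Documents.exe"'},
    {"pid": 2984, "ppid": 3004, "image": r"C:\Users\admin\AppData\Local\Temp\Documents.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Documents.exe"'},
    {"pid": 2212, "ppid": 2004, "image": r"C:\Windows\SysWOW64\wlanext.exe",
     "cmd": r'"C:\Windows\SysWOW64\wlanext.exe"'},
    {"pid": 2092, "ppid": 2212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'/c del "C:\Users\admin\AppData\Local\Temp\Documents.exe"'},
]

# "/c del <path>" with or without surrounding quotes
DEL_CMD = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def ancestry(pid, by_pid):
    """Return [pid, parent, grandparent, ...] up to the root of the recorded tree."""
    chain = []
    while pid is not None and pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def find_proxy_self_delete(processes):
    """Flag 'cmd /c del <file>' where <file> is the image of another process in the
    tree but the cmd.exe does NOT descend from that process. A dropper deleting
    itself via its own child cmd.exe is ordinary; a deletion performed from under an
    unrelated system binary means the dropper's code is running elsewhere (injected)."""
    by_pid = {p["pid"]: p for p in processes}
    by_image = {}
    for p in processes:
        by_image.setdefault(p["image"].lower(), set()).add(p["pid"])

    findings = []
    for p in processes:
        if not p["image"].lower().endswith(r"\cmd.exe"):
            continue
        m = DEL_CMD.search(p["cmd"])
        if not m:
            continue
        target = m.group(1).strip().lower()
        victims = by_image.get(target, set())
        if not victims:
            continue                      # deleting something that never ran: out of scope
        chain = ancestry(p["pid"], by_pid)
        if any(pid in victims for pid in chain):
            continue                      # plain self-delete, cmd spawned by the dropper
        parent = by_pid.get(p["ppid"])
        findings.append({
            "deleter_pid": p["pid"],
            "deleted_image": target,
            "victim_pids": sorted(victims),
            "ancestry": chain,             # cmd.exe <- proxy <- ... <- root
            "proxy_image": parent["image"] if parent else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_proxy_self_delete(PROCESSES):
        print(f"cmd.exe {f['deleter_pid']} deleted {f['deleted_image']} "
              f"(pids {f['victim_pids']}) via {f['proxy_image']}; chain {f['ancestry']}")
```

On the records from this report the function returns one finding: cmd.exe 2092 deleting the image of 3004/2984 through wlanext.exe, with the ancestry 2092, 2212, 2004. Feed it Sysmon event 1 or EDR process-creation data with real parent PIDs instead of the assumed ones; the logic is unchanged.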
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (2004) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | write | CheckSetting | |
| (2004) explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E | write | LanguageList | en-US |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2004 | explorer.exe | GET | 302 | 185.230.60.173:80 | http://www.misstroublexx.com/gd12/?uRmXV=i11CadPCxNrOZrQTig0DPmA5opbEzNq4T3uBd2bnPxZVuN6ZVGstpCwJYuBT25kF7diJxw==&4hqHUv=W60Dk6cPXBCp6Xr0 | unknown | — | — | unknown |
| 2004 | explorer.exe | GET | 404 | 192.185.5.246:80 | http://www.manxrallyradio.com/gd12/?uRmXV=FqJd1i88LA4Bg7AlkSdX8wGoqPIPaM809PGGUtg/PKYhyjgDQ2Cw6SlzCaXLvqiRgKgJAQ==&4hqHUv=W60Dk6cPXBCp6Xr0 | unknown | html | 746 b | unknown |
| 2004 | explorer.exe | GET | 403 | 23.227.38.74:80 | http://www.thunder-bull.com/gd12/?uRmXV=YLiXYXNn6ac7L5A80u2TeIGErL+iBSAC/dFoFC8wLSjsqTQja/kQbGzPqNlmGB6DxuJIDw==&4hqHUv=W60Dk6cPXBCp6Xr0 | unknown | html | 4.41 Kb | unknown |
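All three requests come from the injected explorer.exe, use the path `/gd12/` from the extracted C2 config, carry the same two parameter names and the same trailing token, and go to hosts taken from the decoy list; the 302/404/403 responses are consistent with unrelated web servers answering decoy traffic. The Python below is an added example, not code from the report or from ANY.RUN, that scores request URLs against the extracted config and clusters the hits by that fingerprint. The three URLs are copied from the table; the decoy subset and the two benign URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# FormBook config from the report above: primary C2 URL and a subset of the 64 decoys.
C2_URL = "www.car-insurance-27673.bond/gd12/"
DECOY_DOMAINS = {
    "misstroublexx.com", "manxrallyradio.com", "thunder-bull.com", "2f10vkw5.shop",
    "createonline.art", "opencreativecloud.com", "gooogleform.click", "pcwander.com",
}

# Request log constructed for this example: the first three URLs are copied from the
# HTTP requests table; the last two are made-up benign requests.
SAMPLE_REQUESTS = [
    "http://www.misstroublexx.com/gd12/?uRmXV=i11CadPCxNrOZrQTig0DPmA5opbEzNq4T3uBd2bnPxZVuN6ZVGstpCwJYuBT25kF7diJxw==&4hqHUv=W60Dk6cPXBCp6Xr0",
    "http://www.manxrallyradio.com/gd12/?uRmXV=FqJd1i88LA4Bg7AlkSdX8wGoqPIPaM809PGGUtg/PKYhyjgDQ2Cw6SlzCaXLvqiRgKgJAQ==&4hqHUv=W60Dk6cPXBCp6Xr0",
    "http://www.thunder-bull.com/gd12/?uRmXV=YLiXYXNn6ac7L5A80u2TeIGErL+iBSAC/dFoFC8wLSjsqTQja/kQbGzPqNlmGB6DxuJIDw==&4hqHUv=W60Dk6cPXBCp6Xr0",
    "http://www.example.com/gd12/?page=2",
    "http://www.misstroublexx.com/index.html",
]

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64 payload
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{8,24}$")        # short trailing token


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def raw_query_params(query):
    """Split the query WITHOUT decoding: parse_qsl would turn '+' into a space
    and break the base64 check on the first parameter."""
    params = []
    for piece in query.split("&"):
        if piece:
            key, _, value = piece.partition("=")
            params.append((key, value))
    return params


def score_request(url, c2_url=C2_URL, decoys=DECOY_DOMAINS):
    """One point per independent indicator: C2 path, C2/decoy host, query shape."""
    parts = urlsplit(url)
    c2_host, _, c2_path = c2_url.partition("/")          # c2_path == "gd12/"
    host = strip_www(parts.hostname or "")
    reasons = []
    if parts.path == "/" + c2_path:
        reasons.append("path matches the configured C2 path")
    if host == strip_www(c2_host) or host in decoys:
        reasons.append("host is the configured C2 or a listed decoy")
    params = raw_query_params(parts.query)
    if (len(params) == 2 and B64_BLOB.match(params[0][1])
            and SHORT_TOKEN.match(params[1][1])):
        reasons.append("query has the <key>=<base64 blob>&<key>=<short token> shape")
    return {"url": url, "host": host, "path": parts.path,
            "params": params, "score": len(reasons), "reasons": reasons}


def find_checkins(urls, threshold=2):
    """A decoy host alone, or the /gd12/ path alone, is not enough; require two."""
    return [r for r in (score_request(u) for u in urls) if r["score"] >= threshold]


def beacon_fingerprint(findings):
    """Group hits by (path, parameter names, trailing token). FormBook rotates the
    host but keeps these fixed, so one cluster is one beaconing instance."""
    clusters = {}
    for f in findings:
        keys = tuple(k for k, _ in f["params"])
        tail = f["params"][-1][1] if f["params"] else ""
        clusters.setdefault((f["path"], keys, tail), []).append(f["host"])
    return clusters


if __name__ == "__main__":
    hits = find_checkins(SAMPLE_REQUESTS)
    for h in hits:
        print(h["host"], h["score"], "; ".join(h["reasons"]))
    for key, hosts in beacon_fingerprint(hits).items():
        print("fingerprint", key, "->", hosts)
```

On the sample log the three report URLs score 3 and the two benign ones score 1, so only the check-ins are returned, and all three fall into a single fingerprint (`/gd12/`, (`uRmXV`, `4hqHUv`), `W60Dk6cPXBCp6Xr0`). The query-shape rule is the portable part: the path and the parameter names change between FormBook campaigns, so extract them from the sample's config rather than hard-coding this campaign's values.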
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 352 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 1220 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
| 2004 | explorer.exe | 192.185.5.246:80 | www.manxrallyradio.com | UNIFIEDLAYER-AS-1 | US | unknown |
| 2004 | explorer.exe | 185.230.60.173:80 | www.misstroublexx.com | Wix.com Ltd. | US | whitelisted |
| 2004 | explorer.exe | 23.227.38.74:80 | www.thunder-bull.com | CLOUDFLARENET | CA | unknown |
| Domain | IP | Reputation |
|---|---|---|
| www.manxrallyradio.com | 192.185.5.246 | unknown |
| www.misstroublexx.com | 185.230.60.173 | unknown |
| www.2f10vkw5.shop | — | unknown |
| www.thunder-bull.com | 23.227.38.74 | unknown |

The IPs are taken from the connections table above; www.2f10vkw5.shop was resolved but no connection to it was recorded.
| PID | Process | Class | Message |
|---|---|---|---|
| 2004 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |