| Field | Value |
|---|---|
| File name: | Paid Invoice Pdf.exe |
| Full analysis: | https://app.any.run/tasks/0240a020-66e5-4473-b182-75bad2f5706d |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it. |
| Analysis date: | February 03, 2025, 09:04:10 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 1FC0248BFD3E90BF20CBD80C6EF6E55E |
| SHA1: | BEDFB92DB83D6C83C09E258BF17494CD54E757BC |
| SHA256: | 683E3979CC09DB086095CBE840901B82951DF941ED461F89A67B98BD0FFE5FF9 |
| SSDEEP: | 24576:RmqFpGrk06y9YPAyipOhru6gCF84m+1i/y5+1XmoADKQtXQ5Z5:RmqFpyk06y9YPAyipOhru6gCF84m+1iJ |
| Extension | Detected type (score) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (72.2) |
| .scr | Windows screen saver (12.9) |
| .dll | Win32 Dynamic Link Library (generic) (6.4) |
| .exe | Win32 Executable (generic) (4.4) |
| .exe | Generic Win/DOS Executable (1.9) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2045:10:27 14:51:56+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 818176 |
| InitializedDataSize: | 26112 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc9af6 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | Microsoft Corporation |
| FileDescription: | REKEY wizard |
| FileVersion: | 1.0.0.0 |
| InternalName: | DFbS.exe |
| LegalCopyright: | Copyright © Microsoft Corporation. All rights reserved. |
| LegalTrademarks: | - |
| OriginalFileName: | DFbS.exe |
| ProductName: | REKEY wizard |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 372 | "C:\Windows\SysWOW64\svchost.exe" | C:\Windows\SysWOW64\svchost.exe | FormBook (configuration below) | explorer.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | — | 10.0.19041.1 (WinBuild.160101.0800) |
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | — | services.exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | Host Process for Windows Services | — | 10.0.19041.1 (WinBuild.160101.0800) |
| 3524 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 3736 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | Paid Invoice Pdf.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Services Installation Utility | 0 | 4.8.9037.0 built by: NET481REL1 |
| 4488 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | — | admin | Microsoft Corporation | MEDIUM | Windows Explorer | — | 10.0.19041.3758 (WinBuild.160101.0800) |
| 5588 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\SysWOW64\cmd.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 10.0.19041.3636 (WinBuild.160101.0800) |
| 6260 | "C:\Users\admin\AppData\Local\Temp\Paid Invoice Pdf.exe" | C:\Users\admin\AppData\Local\Temp\Paid Invoice Pdf.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | REKEY wizard | 0 | 1.0.0.0 |
| 7068 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKKCQeaq" /XML "C:\Users\admin\AppData\Local\Temp\tmpB5E6.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | Paid Invoice Pdf.exe | admin | Microsoft Corporation | MEDIUM | Task Scheduler Configuration Tool | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 7076 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 7132 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | Paid Invoice Pdf.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Services Installation Utility | 4294967295 | 4.8.9037.0 built by: NET481REL1 |

FormBook configuration extracted from svchost.exe (PID 372):

| Field | Value |
|---|---|
| Family | FormBook |
| PID | 372 |
| Process | svchost.exe |
| C2 | www.redgoodsgather.shop/egs9/ |
| Strings (79) | USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate dat= f-start f-end |
| Decoy C2 (64) | alliancecigars.net 35893.pizza selidik.cloud evel789-aman.club wqsbr5jc.vip corretoraplanodesaude.shop balikoltada.xyz play-vanguard-nirvana.xyz paktuaslotxcxrtp.xyz retailzone1997.shop jk77juta-official.cloud godmoments.app flippinforbidsfrear.cloud 234bets.net cryptobiz.tech construction-jobs-50157.bond cuficdarbiesdarleen.cloud t59bm675ri.skin ondqwxl.top kpde.xyz apoiador.xyz denotational.xyz fat-removal-40622.bond kqsamcsauqiagmma.xyz online-advertising-68283.bond mise96.xyz pokerdom55.vip arai.rest marketplace20.click kongou.systems isbnu.shop online-advertising-98154.bond pepsico.llc 80072661.xyz wholesalemeat.today security-apps-16796.bond remationservices26114.shop kitchen-remodeling-14279.bond betterskin.store aigamestudio.xyz uhsrgi.info mentagekript.today box-spring-bed-50031.bond blood-flow.bond 653emd.top venturelinks.net trendysolutions.store creativege.xyz sellhome.live petir99bro.xyz maipingxiu.net influencer-marketing-56510.bond czlovesys.xyz phpcrazy.net hikingk.store imstest.online bet2024.shop lord.land gobg.net armada77x.sbs msytuv.info buenosbufidinburez.cloud transeo.xyz deltaestates.online |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6260 | Paid Invoice Pdf.exe | C:\Users\admin\AppData\Roaming\BKKCQeaq.exe | executable | 1FC0248BFD3E90BF20CBD80C6EF6E55E | 683E3979CC09DB086095CBE840901B82951DF941ED461F89A67B98BD0FFE5FF9 |
| 6260 | Paid Invoice Pdf.exe | C:\Users\admin\AppData\Local\Temp\tmpB5E6.tmp | xml | 71836F7CC36FC4BD9A4EF628F0F2A6C7 | 724DBC82B69F4A6ACF60921FC4A8F974A5A62F8B354B178A86AEE5D40C80DF48 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| 1556 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 4488 | explorer.exe | GET | 200 | 104.21.48.1:80 | http://www.234bets.net/egs9/?pN6LVP=vX8p3t&bR-H=bGMqDsej8qFTFPn7S0CtEG9ACKYAkbEUwZuBys8q/waq487qoMdZTMiO/Mb+rWpmJmbj | unknown | — | — | malicious |
| 1556 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| 5780 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
| 4488 | explorer.exe | GET | 429 | 104.21.80.1:80 | http://www.retailzone1997.shop/egs9/?bR-H=8vH5cMSLbUuyhRHxMOtGZzCp1x51CwPXxGNQs8y4e9875j3DBEI1irzXXKYGlSN50L3W&pN6LVP=vX8p3t | unknown | — | — | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1176 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1176 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
| 5064 | SearchApp.exe | 2.21.65.153:443 | — | Akamai International B.V. | NL | unknown |
| 3052 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted |
| 3052 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| login.live.com | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| go.microsoft.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| slscr.update.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| fe3cr.delivery.mp.microsoft.com | — | whitelisted |
| arc.msn.com | — | whitelisted |
| fd.api.iris.microsoft.com | — | whitelisted |
| www.retailzone1997.shop | — | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 4488 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
| 4488 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
| 4488 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |