analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

booking order,doc.exe

Full analysis: https://app.any.run/tasks/11d85699-e765-43c6-a4c0-bc25cbe3bced
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: March 31, 2020, 09:26:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

70EF854FA71F15F16ACF492D4EEF3714

SHA1:

4600BBED731C161262BA4CDE6CE77BD63531F445

SHA256:

6A690F7BAED1B42A2A1503838FD5EF1E0C231ED85036E77180CDC6AABC19615E

SSDEEP:

768:keAkyTNqb2juxTbbItkxxVGyjNxSuG1GHWAbspYvsluw8SHWBUlGgQC:kLrTUbyuNbbb9NxSl1GHWAbJsKSHWst

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • cmd.exe (PID: 2272)
    • Runs app for hidden code execution

      • explorer.exe (PID: 372)
    • FORMBOOK was detected

      • cmd.exe (PID: 2272)
      • explorer.exe (PID: 372)
      • Firefox.exe (PID: 2392)
    • Connects to CnC server

      • explorer.exe (PID: 372)
    • Actions looks like stealing of personal data

      • cmd.exe (PID: 2272)
    • Stealing of credential data

      • cmd.exe (PID: 2272)
    • Changes settings of System certificates

      • booking order,doc.exe (PID: 2152)
  • SUSPICIOUS

    • Application launched itself

      • booking order,doc.exe (PID: 3736)
      • cmd.exe (PID: 2272)
    • Reads Internet Cache Settings

      • booking order,doc.exe (PID: 2152)
    • Creates files in the user directory

      • booking order,doc.exe (PID: 2152)
      • cmd.exe (PID: 2272)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 372)
      • cmd.exe (PID: 2272)
    • Creates files in the program directory

      • DllHost.exe (PID: 1232)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 372)
      • DllHost.exe (PID: 1232)
    • Loads DLL from Mozilla Firefox

      • cmd.exe (PID: 2272)
    • Executed via COM

      • DllHost.exe (PID: 1232)
    • Adds / modifies Windows certificates

      • booking order,doc.exe (PID: 2152)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 2272)
    • Reads the hosts file

      • cmd.exe (PID: 2272)
    • Creates files in the user directory

      • Firefox.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll | Win32 Dynamic Link Library (generic) (6.7)
.exe | Win32 Executable (generic) (4.6)
.exe | Generic Win/DOS Executable (2)
.exe | DOS Executable Generic (2)

EXIF

EXE

OriginalFileName: Inderzoner.exe
InternalName: Inderzoner
ProductVersion: 1
FileVersion: 1
ProductName: dermato
FileDescription: ASTRAK
CompanyName: WONDerware
Comments: WONDerware
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1320
UninitializedDataSize: -
InitializedDataSize: 8192
CodeSize: 90112
LinkerVersion: 6
PEType: PE32
TimeStamp: 2009:07:24 23:41:42+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jul-2009 21:41:42
Detected languages:
  • English - United States
Comments: WONDerware
CompanyName: WONDerware
FileDescription: ASTRAK
ProductName: dermato
FileVersion: 1.00
ProductVersion: 1.00
InternalName: Inderzoner
OriginalFilename: Inderzoner.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 24-Jul-2009 21:41:42
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001575C
0x00016000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
4.83903
.data
0x00017000
0x00000B90
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00018000
0x00000948
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.01558

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.16794
648
Unicode (UTF 16LE)
English - United States
RT_VERSION
30001
2.57965
304
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
1.76987
744
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30003
2.07177
296
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start booking order,doc.exe no specs booking order,doc.exe #FORMBOOK cmd.exe cmd.exe no specs #FORMBOOK explorer.exe Copy/Move/Rename/Delete/Link Object #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3736"C:\Users\admin\AppData\Local\Temp\booking order,doc.exe" C:\Users\admin\AppData\Local\Temp\booking order,doc.exeexplorer.exe
User:
admin
Company:
WONDerware
Integrity Level:
MEDIUM
Description:
ASTRAK
Exit code:
0
Version:
1.00
2152"C:\Users\admin\AppData\Local\Temp\booking order,doc.exe" C:\Users\admin\AppData\Local\Temp\booking order,doc.exe
booking order,doc.exe
User:
admin
Company:
WONDerware
Integrity Level:
MEDIUM
Description:
ASTRAK
Exit code:
0
Version:
1.00
2272"C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3504/c del "C:\Users\admin\AppData\Local\Temp\booking order,doc.exe"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
372C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1232C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2392"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
cmd.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
3 654
Read events
94
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
83
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2152booking order,doc.exeC:\Users\admin\AppData\Local\Temp\CabDD97.tmp
MD5:
SHA256:
2152booking order,doc.exeC:\Users\admin\AppData\Local\Temp\TarDD98.tmp
MD5:
SHA256:
2152booking order,doc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72der
MD5:F26B1B29960D99AD1C44E71E3D2ABE4C
SHA256:7910B27AFDEE20EA27C4FA19221B1B63E00235E261E1A3FB9F1FB3456CBBB7AC
2152booking order,doc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bder
MD5:E550DA03AEE5B546B436CD553D3233B9
SHA256:9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7
2152booking order,doc.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\XT6LR0C7.txttext
MD5:1E590C472FDD0DE98DD490A798175427
SHA256:D12281FA5C0BEBF1BFC79B4AC6DF4AC47CFFF7D8F106BC94F77C3BDC2058D684
2152booking order,doc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bbinary
MD5:46542CF24CB62A4DA376833A15D6168D
SHA256:53BF22329EE48012549DF9DD39622E263ACB61A02104985C0CE9CDF576550656
2152booking order,doc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29binary
MD5:7219664533D2808F60890809E0F0A250
SHA256:2DB6FD6DFB25686343C5C179F2C625EEF6845C44B022659E52C20BAE816C3483
2272cmd.exeC:\Users\admin\AppData\Roaming\LQ6318DR\LQ6logrc.inibinary
MD5:6A2D8FD600948CEFEA9C615AF9607BD5
SHA256:8A8A84891ECB2032320D1C0DE99FDCD94100DF10F352D9F96FD1B2433CD4D45B
2152booking order,doc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29der
MD5:75D636BF532AFFBC75F461235C3B4D5C
SHA256:727247C8DCAC2B6B8A4F5890F1BCE6F8AF87B49BC38F97308E706A6A313B66AF
2152booking order,doc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72binary
MD5:858154E61BE654768473E66B94AA7F82
SHA256:5376C9375F9896E302BC500A58644EFE932E1B8369D42D2373E3801E611E7AD7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
16
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2152
booking order,doc.exe
GET
200
172.217.23.99:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc
US
der
472 b
whitelisted
372
explorer.exe
GET
198.54.117.217:80
http://www.gameday2piscataway.com/k4d/?GFO=t6Y9eddWCapCcwvas2PQSZVgMQE1RmAWtO7be5no4Eloa9mmX8LTTskUG0/Z9qcIlClKOw==&ml1DU=fZOTinMXcnyhZn&sql=1
US
malicious
2152
booking order,doc.exe
GET
200
172.217.23.99:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2152
booking order,doc.exe
GET
200
172.217.23.99:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFOOHQjK5IlqCAAAAAAyCmA%3D
US
der
471 b
whitelisted
372
explorer.exe
GET
302
23.20.239.12:80
http://www.sdchengfeng.com/k4d/?GFO=R3hz34VPv3utn4apDTuemE8VJK9nV12PzXpfLhzcn3fkpjUmBOU7BlLLkZBTTmAP0htPKA==&ml1DU=fZOTinMXcnyhZn
US
html
187 b
shared
372
explorer.exe
POST
198.54.117.217:80
http://www.gameday2piscataway.com/k4d/
US
malicious
372
explorer.exe
POST
192.64.116.61:80
http://www.nercox.com/k4d/
US
malicious
372
explorer.exe
POST
23.20.239.12:80
http://www.sdchengfeng.com/k4d/
US
shared
372
explorer.exe
GET
404
74.208.236.128:80
http://www.integrousconstruction.com/k4d/?GFO=TmDIOpRYmhzsq5P4fz1pvldUJZWT0g5o/PPlW6GnIgVnAHj3cJqoxfm5/CNemMKkVL9LLw==&ml1DU=fZOTinMXcnyhZn
US
html
1.33 Kb
malicious
372
explorer.exe
POST
404
192.64.116.61:80
http://www.nercox.com/k4d/
US
html
291 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2152
booking order,doc.exe
172.217.23.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2152
booking order,doc.exe
172.217.16.206:443
drive.google.com
Google Inc.
US
whitelisted
2152
booking order,doc.exe
172.217.16.161:443
doc-14-5o-docs.googleusercontent.com
Google Inc.
US
whitelisted
372
explorer.exe
198.54.117.217:80
www.gameday2piscataway.com
Namecheap, Inc.
US
malicious
372
explorer.exe
23.20.239.12:80
www.sdchengfeng.com
Amazon.com, Inc.
US
shared
372
explorer.exe
74.208.236.128:80
www.integrousconstruction.com
1&1 Internet SE
US
malicious
372
explorer.exe
192.64.116.61:80
www.nercox.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
drive.google.com
  • 172.217.16.206
shared
ocsp.pki.goog
  • 172.217.23.99
whitelisted
doc-14-5o-docs.googleusercontent.com
  • 172.217.16.161
shared
www.integrousconstruction.com
  • 74.208.236.128
malicious
www.glowhuas.com
unknown
www.gameday2piscataway.com
  • 198.54.117.217
  • 198.54.117.218
  • 198.54.117.211
  • 198.54.117.216
  • 198.54.117.212
  • 198.54.117.210
  • 198.54.117.215
malicious
www.nercox.com
  • 192.64.116.61
malicious
www.divetoken.com
unknown
www.modapills.com
unknown
www.iioup.com
unknown

Threats

PID
Process
Class
Message
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
9 ETPRO signatures available at the full report
No debug info