| File name: | rrQoyBbW6gDv6AY.exe |
| Full analysis: | https://app.any.run/tasks/696dc6f8-16a5-4215-91ff-b629611e86fd |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | March 24, 2025, 16:34:35 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | B477C258B8A2AF1FD0D9A1DA66AE572B |
| SHA1: | 9DEBADCFEA532D972D448ADEC9B84D0B35E3CDC9 |
| SHA256: | 77295A1C2D8172B2A2EB3F5F20A2880C168DD10F01830227E4F9AE6D4A5C9A19 |
| SSDEEP: | 24576:wZI/a8Te1Ab0GMnhyFcUc/MU2ZRDdzp62LlfALdxjzo5oOZNPEy7py7B9orn:wZI/a8Te1Ab0GMnhyFcUc/Z2ZRDdt62j |
MALICIOUS
FORMBOOK has been detected (YARA)
- raserver.exe (PID: 4620)
FORMBOOK has been detected
- raserver.exe (PID: 4620)
Uses Task Scheduler to run other applications
- rrQoyBbW6gDv6AY.exe (PID: 5380)
SUSPICIOUS
Process drops legitimate windows executable
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Starts a Microsoft application from unusual location
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Executable content was dropped or overwritten
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Deletes system .NET executable
- cmd.exe (PID: 4068)
Starts CMD.EXE for commands execution
- raserver.exe (PID: 4620)
Reads security settings of Internet Explorer
- rrQoyBbW6gDv6AY.exe (PID: 5380)
INFO
Reads the computer name
- rrQoyBbW6gDv6AY.exe (PID: 5380)
- RegSvcs.exe (PID: 728)
Reads the machine GUID from the registry
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Checks supported languages
- rrQoyBbW6gDv6AY.exe (PID: 5380)
- RegSvcs.exe (PID: 728)
Creates files or folders in the user directory
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Process checks computer location settings
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Manual execution by a user
- raserver.exe (PID: 4620)
Checks proxy server information
- slui.exe (PID: 6652)
Reads the software policy settings
- slui.exe (PID: 6652)
Create files in a temporary directory
- rrQoyBbW6gDv6AY.exe (PID: 5380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(4620) raserver.exe
C2www.enelog.xyz/a03d/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)nfluencer-marketing-13524.bond
cebepu.info
lphatechblog.xyz
haoyun.website
itiz.xyz
orld-visa-center.online
si.art
alata.xyz
mmarketing.xyz
elnqdjc.shop
ensentoto.cloud
voyagu.info
onvert.today
1fuli9902.shop
otelhafnia.info
rumpchiefofstaff.store
urvivalflashlights.shop
0090.pizza
ings-hu-13.today
oliticalpatriot.net
5970.pizza
arimatch-in.legal
eepvid.xyz
bfootball.net
otorcycle-loans-19502.bond
nline-advertising-34790.bond
behm.info
aportsystems.store
agiararoma.net
agfov4u.xyz
9769.mobi
ome-renovation-86342.bond
kkkk.shop
duxrib.xyz
xurobo.info
leurdivin.online
ive-neurozoom.store
ndogaming.online
dj1.lat
yselection.xyz
52628.xyz
lsaadmart.store
oftware-download-92806.bond
avid-hildebrand.info
orashrine.store
erpangina-treatment-views.sbs
ategorie-polecane-831.buzz
oonlightshadow.shop
istromarmitaria.online
gmgslzdc.sbs
asglobalaz.shop
locarry.store
eleefmestreech.online
inggraphic.pro
atidiri.fun
olourclubbet.shop
eatbox.store
romatografia.online
encortex.beauty
8oosnny.xyz
72266.vip
aja168e.live
fath.shop
argloscaremedia.info
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2104:06:09 17:25:04+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 641024 |
| InitializedDataSize: | 2560 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9e6ba |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Compatibility Database |
| FileVersion: | 1.0.0.0 |
| InternalName: | IFQE.exe |
| LegalCopyright: | Copyright © Microsoft Corporation. All rights reserved. |
| LegalTrademarks: | - |
| OriginalFileName: | IFQE.exe |
| ProductName: | Compatibility Database |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
135
Monitored processes
10
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 728 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | rrQoyBbW6gDv6AY.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2384 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | rrQoyBbW6gDv6AY.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 4294967295 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 4068 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\SysWOW64\cmd.exe | — | raserver.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4620 | "C:\Windows\SysWOW64\raserver.exe" | C:\Windows\SysWOW64\raserver.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Remote Assistance COM Server Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
Formbook(PID) Process(4620) raserver.exe C2www.enelog.xyz/a03d/ Strings (79)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)nfluencer-marketing-13524.bond cebepu.info lphatechblog.xyz haoyun.website itiz.xyz orld-visa-center.online si.art alata.xyz mmarketing.xyz elnqdjc.shop ensentoto.cloud voyagu.info onvert.today 1fuli9902.shop otelhafnia.info rumpchiefofstaff.store urvivalflashlights.shop 0090.pizza ings-hu-13.today oliticalpatriot.net 5970.pizza arimatch-in.legal eepvid.xyz bfootball.net otorcycle-loans-19502.bond nline-advertising-34790.bond behm.info aportsystems.store agiararoma.net agfov4u.xyz 9769.mobi ome-renovation-86342.bond kkkk.shop duxrib.xyz xurobo.info leurdivin.online ive-neurozoom.store ndogaming.online dj1.lat yselection.xyz 52628.xyz lsaadmart.store oftware-download-92806.bond avid-hildebrand.info orashrine.store erpangina-treatment-views.sbs ategorie-polecane-831.buzz oonlightshadow.shop istromarmitaria.online gmgslzdc.sbs asglobalaz.shop locarry.store eleefmestreech.online inggraphic.pro atidiri.fun olourclubbet.shop eatbox.store romatografia.online encortex.beauty 8oosnny.xyz 72266.vip aja168e.live fath.shop argloscaremedia.info | |||||||||||||||
| 5008 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5380 | "C:\Users\admin\Desktop\rrQoyBbW6gDv6AY.exe" | C:\Users\admin\Desktop\rrQoyBbW6gDv6AY.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Compatibility Database Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 6108 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6632 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\axBrppA" /XML "C:\Users\admin\AppData\Local\Temp\tmp12AA.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | rrQoyBbW6gDv6AY.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6652 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 875
Read events
3 875
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5380 | rrQoyBbW6gDv6AY.exe | C:\Users\admin\AppData\Roaming\axBrppA.exe | executable | |
MD5:B477C258B8A2AF1FD0D9A1DA66AE572B | SHA256:77295A1C2D8172B2A2EB3F5F20A2880C168DD10F01830227E4F9AE6D4A5C9A19 | |||
| 5380 | rrQoyBbW6gDv6AY.exe | C:\Users\admin\AppData\Local\Temp\tmp12AA.tmp | xml | |
MD5:2D457FD7A6F9BB0ED79B9DE16E0C5D2F | SHA256:E6ECE48F5F8BB79C7CFC8566239E606E22A0CA3BF4FC9BBA0E052D7553D97625 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
50
DNS requests
19
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
1128 | SIHClient.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
1128 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.160.5:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1056 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1128 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1128 | SIHClient.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |