| URL: | http://141.98.10.123/2535/IGCC.exe |
| Full analysis: | https://app.any.run/tasks/1a0e6f6b-4216-4e3c-b074-e45a539712f1 |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | November 01, 2023, 17:52:21 |
| OS: | Windows 11 Professional (build: 22000, 64 bit) |
| Tags: | |
| Indicators: | |
| SHA1: | B9AD3644A9603D8A55460512130D75C745B9964E |
| SHA256: | 7F7455A28AD98C7517050F572783EAB29D0CF7681725E821182A27CD8528072F |
| SSDEEP: | 3:N1KpvdLPGRWQ3JAn:Cj2WQ3JA |
MALICIOUS
FORMBOOK has been detected (YARA)
- ipconfig.exe (PID: 6896)
Drops the executable file immediately after the start
- IGCC.exe (PID: 1072)
- IGCC.exe (PID: 6392)
SUSPICIOUS
Application launched itself
- dulzbez.exe (PID: 2976)
- dulzbez.exe (PID: 6468)
Reads the Internet Settings
- CHXSmartScreen.exe (PID: 4988)
Cleans NTFS data stream (Zone Identifier)
- chrome.exe (PID: 5372)
Process uses IPCONFIG to get network configuration information
- explorer.exe (PID: 4320)
Starts CMD.EXE for commands execution
- ipconfig.exe (PID: 6896)
INFO
Application launched itself
- chrome.exe (PID: 5372)
Checks supported languages
- dulzbez.exe (PID: 7096)
- CHXSmartScreen.exe (PID: 4988)
- dulzbez.exe (PID: 4684)
- IGCC.exe (PID: 1072)
- dulzbez.exe (PID: 6468)
- dulzbez.exe (PID: 2976)
- IGCC.exe (PID: 6392)
Reads the computer name
- dulzbez.exe (PID: 7096)
- CHXSmartScreen.exe (PID: 4988)
- dulzbez.exe (PID: 4684)
Drops the executable file immediately after the start
- chrome.exe (PID: 2168)
- chrome.exe (PID: 5372)
The process uses the downloaded file
- chrome.exe (PID: 2064)
- chrome.exe (PID: 6664)
- chrome.exe (PID: 7164)
- explorer.exe (PID: 4320)
- chrome.exe (PID: 5244)
- chrome.exe (PID: 5372)
- chrome.exe (PID: 4336)
Manual execution by a user
- ipconfig.exe (PID: 6896)
- IGCC.exe (PID: 1072)
- mstsc.exe (PID: 4044)
Create files in a temporary directory
- IGCC.exe (PID: 1072)
- IGCC.exe (PID: 6392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(6896) ipconfig.exe
C2www.sarthaksrishticreation.com/sy22/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)vinteligencia.com
displayfridges.fun
completetip.com
giallozafferrano.com
jizihao1.com
mysticheightstrail.com
fourseasonslb.com
kjnala.shop
mosiacwall.com
vandistreet.com
gracefullytouchedartistry.com
hbiwhwr.shop
mfmz.net
hrmbrillianz.com
funwarsztat.com
polewithcandy.com
ourrajasthan.com
wilhouettteamerica.com
johnnystintshop.com
asgnelwin.com
alcmcyu.com
thwmlohr.click
gypseascuba.com
mysonisgaythemovie.com
sunriseautostorellc.com
fuhouse.link
motorcycleglassesshop.com
vaskaworldairways.com
qixservice.online
b2b-scaling.com
03ss.vip
trishpintar.com
gk84.com
omclaval.com
emeeycarwash.com
wb7mnp.com
kimgj.com
278809.com
summitstracecolumbus.com
dryadai.com
vistcreative.com
weoliveorder.com
kwamitikki.com
cjk66.online
travisline.pro
mercardosupltda.shop
sunspotplumbing.com
podplugca.com
leontellez.com
fzturf.com
docomo-mobileconsulting.com
apneabirmingham.info
rollesgraciejiujitsu.com
sx15k.com
kebobcapital.com
91967.net
claudiaduverglas.com
zhperviepixie.com
oliwas.xyz
flowersinspace.tech
uadmxqby.click
greatbaitusa.com
drpenawaraircondhargarahmah.com
sofbks.top
Total processes
157
Monitored processes
42
Malicious processes
2
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1072 | "C:\Users\admin\Downloads\IGCC.exe" | C:\Users\admin\Downloads\IGCC.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1112 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1820,i,12078036866767416591,1810779389929658958,131072 /prefetch:8 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 1152 | /c del "C:\Users\admin\AppData\Local\Temp\dulzbez.exe" | C:\Windows\SysWOW64\cmd.exe | — | ipconfig.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1324 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1520 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.50 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffa1de0aa60,0x7ffa1de0aa70,0x7ffa1de0aa80 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 1876 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1820,i,12078036866767416591,1810779389929658958,131072 /prefetch:8 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 2000 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | dulzbez.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2000 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3620 --field-trial-handle=1820,i,12078036866767416591,1810779389929658958,131072 /prefetch:2 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 2020 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1820,i,12078036866767416591,1810779389929658958,131072 /prefetch:1 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 2064 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1820,i,12078036866767416591,1810779389929658958,131072 /prefetch:8 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
Total events
30 401
Read events
30 251
Write events
135
Delete events
15
Modification events
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 1 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | metricsid_installdate |
Value: 0 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | metricsid_enableddate |
Value: 0 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | lastrun |
Value: 13312742764618736 | |||
| (PID) Process: | (5372) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | version |
Value: 107.0.5304.88 | |||
Executable files
6
Suspicious files
79
Text files
17
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History-journal | — | |
MD5:— | SHA256:— | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat | binary | |
MD5:858B51004CDB48854BA078F75A43ECFB | SHA256:78A581395DB475C3703E4EEF3E3067BC30404B0B4685D10A768BBE1463883FE5 | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State | binary | |
MD5:AE2C675854ACD73EA1F9882E0F83F72D | SHA256:7990923D2B4B4345CF0A724EF23838857D7584E2AC336F478A451E722C7E5F9C | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:AD16A55C96E06675C15954F022181932 | SHA256:824D82D3D6790BD728C5141913859D1439492D513EFDF1D69E8A5FFB98655E89 | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5372 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
49
DNS requests
31
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2624 | svchost.exe | HEAD | 200 | 104.119.108.127:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | — | — | — |
2168 | chrome.exe | GET | 200 | 142.250.186.138:443 | https://optimizationguide-pa.googleapis.com/downloads?name=1697470715&target=OPTIMIZATION_TARGET_PAGE_ENTITIES | unknown | — | 32.4 Mb | — |
2168 | chrome.exe | POST | 200 | 142.250.186.78:443 | https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | unknown | binary | 261 b | — |
2168 | chrome.exe | POST | 200 | 142.250.185.238:443 | https://safebrowsing.google.com/safebrowsing/clientreport/malware?client=googlechrome&appver=112.0.5615.50&pver=4.0&key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | unknown | — | — | — |
5000 | OfficeC2RClient.exe | GET | 200 | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16626.20134/Production/CC?&EcsCanary=1&Clientid=%7b80C2A92B-EDEE-479E-8470-DBC6C547F2FB%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16626.20134&MsoVersion=16.0.16626.20134&ProcessName=officec2rclient.exe&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=22000&Channel=CC&InstallType=C2R&SessionId=%7bD1317A6A-F117-43AD-815E-02603490DCEE%7d&LabMachine=false | unknown | text | 76.8 Kb | — |
5644 | svchost.exe | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 1.29 Kb | — |
5644 | svchost.exe | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | — |
2168 | chrome.exe | POST | 200 | 142.250.186.141:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | unknown | ini | 17 b | — |
2624 | svchost.exe | GET | 200 | 104.119.108.127:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | binary | 55 b | — |
2168 | chrome.exe | GET | 200 | 141.98.10.123:80 | http://141.98.10.123/2535/IGCC.exe | unknown | executable | 361 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2168 | chrome.exe | 141.98.10.123:80 | — | UAB Host Baltic | LT | unknown |
3668 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
5372 | chrome.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6692 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
2168 | chrome.exe | 142.250.186.141:443 | accounts.google.com | GOOGLE | US | whitelisted |
2168 | chrome.exe | 142.250.186.78:443 | sb-ssl.google.com | GOOGLE | US | whitelisted |
2624 | svchost.exe | 104.119.108.127:443 | fs.microsoft.com | AKAMAI-AS | DE | unknown |
5000 | OfficeC2RClient.exe | 52.109.28.46:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown |
1292 | svchost.exe | 2.16.164.35:80 | — | Akamai International B.V. | NL | unknown |
2168 | chrome.exe | 142.250.184.196:443 | www.google.com | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
accounts.google.com |
| shared |
sb-ssl.google.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
www.google.com |
| whitelisted |
optimizationguide-pa.googleapis.com |
| whitelisted |
safebrowsing.google.com |
| whitelisted |
login.live.com |
| whitelisted |
ecs.office.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
mrodevicemgr.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2168 | chrome.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
2168 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2168 | chrome.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
1292 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test |
1292 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test |
1292 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test |