File name: r.exe

Full analysis: https://app.any.run/tasks/1a135893-9e18-4a4d-9649-419157a88de6
Verdict: Malicious activity
Threats: FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate FormBook.

Analysis date: July 11, 2022, 08:41:11
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags: formbook
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AD0D26A6018E26A169EAB0A2DE77495B
SHA1: 011B177911D80AA8C37C22BB39A94CFC2E1C1BF5
SHA256: 89C2C5C42CF22ED5A5B9B69627008025926F6B9BD163686D53B8FCDAC3F191E4
SSDEEP: 3072:7HIDBpqnt5jOltgtW8OdbWB48znk3XVhYMO9FlmXhumKCvQZy/oTUCF:76BpUt03gkbW+yk3FhYMO9FKNKCKUC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • FORMBOOK detected by memory dumps
      • cmmon32.exe (PID: 5852)
  • SUSPICIOUS
    • Executed via COM
      • rundll32.exe (PID: 2700)
    • Checks supported languages
      • r.exe (PID: 2596)
    • Reads the computer name
      • r.exe (PID: 2596)
    • Reads Environment values
      • cmmon32.exe (PID: 5852)
  • INFO
    • Checks supported languages
      • cmmon32.exe (PID: 5852)
    • Reads settings of System Certificates
      • cmmon32.exe (PID: 5852)
    • Reads the computer name
      • cmmon32.exe (PID: 5852)
    • Manual execution by user
      • cmmon32.exe (PID: 5852)
    • Reads the software policy settings
      • cmmon32.exe (PID: 5852)
    • Dropped object may contain Bitcoin addresses
      • cmmon32.exe (PID: 5852)
    • Checks Windows Trust Settings
      • cmmon32.exe (PID: 5852)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1f870
UninitializedDataSize: -
InitializedDataSize: -
CodeSize: 174080
LinkerVersion: 10
PEType: PE32
TimeStamp: 2003:12:20 03:35:52+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Dec-2003 02:35:52

DOS Header

Magic number: MZ
Bytes on last page of file: 0x5245
Pages in file: 0x00E8
Relocations: 0x0000
Size of header: 0x5800
Min extra paragraphs: 0xE883
Max extra paragraphs: 0x8B09
Initial SS value: 0x83C8
Initial SP value: 0x3CC0
Checksum: 0x008B
Initial IP value: 0xC103
Initial CS value: 0xC083
Overlay number: 0xFF08
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 1
Time date stamp: 20-Dec-2003 02:35:52
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0002A650 | 0x0002A800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.30658
No data.
All screenshots are available in the full report
Total processes: 101
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process graph (interactive in the full report): r.exe (no specs), cmmon32.exe (#FORMBOOK), explorer.exe, rundll32.exe (no specs)

Process information

PID | CMD | Path | Parent process
2596 | "C:\Users\admin\Desktop\r.exe" | C:\Users\admin\Desktop\r.exe | Explorer.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
2700 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding | C:\WINDOWS\System32\rundll32.exe | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 10.0.16299.15 (WinBuild.160101.0800)
3548 | C:\WINDOWS\Explorer.EXE | C:\WINDOWS\Explorer.EXE | -
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 0
  Version: 10.0.16299.15 (WinBuild.160101.0800)
5852 | "C:\Windows\SysWOW64\cmmon32.exe" | C:\Windows\SysWOW64\cmmon32.exe | Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Connection Manager Monitor
  Exit code: 0
  Version: 7.2.16299.15 (WinBuild.160101.0800)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 6
Unknown types: 2

Dropped files

PID | Process | Filename | Type
5852 | cmmon32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\CO4CFRDU\8var[1].htm | html
5852 | cmmon32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
5852 | cmmon32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D69465F1F863309D16D16856AE998DC1 | binary
5852 | cmmon32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\G91AFSNL\8var[1].htm | html
5852 | cmmon32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\0R23F2I3\8var[1].htm | html
  MD5: 3EA1C8D079B38532A6E01A96216BA5E2
  SHA256: 87A9323AC85CE28867D5D7CE590C8F29B8D1A999961FCA71BB33ADEF48683691
5852 | cmmon32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D69465F1F863309D16D16856AE998DC1 | der
5852 | cmmon32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\CO4CFRDU\8var[2].htm | html
5852 | cmmon32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1SUK09Q\8var[1].htm | html
5852 | cmmon32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\0R23F2I3\8var[2].htm | html
5852 | cmmon32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der
  MD5: EC8FF3B1DED0246437B1472C69DD1811
  SHA256: E634C2D1ED20E0638C95597ADF4C9D392EBAB932D3353F18AF1E4421F4BB9CAB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 43
TCP/UDP connections: 55
DNS requests: 73
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5852 | cmmon32.exe | GET | - | 199.192.27.55:80 | http://www.sunamiros.com/8var/?Cr4TFn=0VEp9t&Al=C3P9NJxFIvhkkqDHymdtSz8HD/+QQA2ui33c+Uqqv5jZVuEpHvB1RHZUFjk= | US | - | - | malicious
5852 | cmmon32.exe | GET | - | 162.0.215.46:80 | http://www.laweggheads.com/8var/?Al=R1Ds/hLJAjAHrseZDJTrvzN+bsRuwhTe6zDcSZM+0uQZMN/NHTy2SZT2E1Q=&Cr4TFn=0VEp9t | CA | - | - | unknown
5852 | cmmon32.exe | GET | 301 | 198.185.159.144:80 | http://www.allindetailingllc.com/8var/?Al=7bny1NboG+0eqltzesIrx/6aKUMnmZ7iMUFUhRviNaZjMvNYAtKSGPmgozo=&Cr4TFn=0VEp9t | US | - | - | malicious
5852 | cmmon32.exe | GET | - | 199.192.27.55:80 | http://www.sunamiros.com/8var/?Cr4TFn=0VEp9t&Al=C3P9NJxFIvhkkqDHymdtSz8HD/+QQA2ui33c+Uqqv5jZVuEpHvB1RHZUFjk= | US | - | - | malicious
5852 | cmmon32.exe | GET | 301 | 198.185.159.144:80 | http://www.allindetailingllc.com/8var/?Al=7bny1NboG+0eqltzesIrx/6aKUMnmZ7iMUFUhRviNaZjMvNYAtKSGPmgozo=&Cr4TFn=0VEp9t | US | - | - | malicious
5852 | cmmon32.exe | GET | 200 | 34.102.136.180:80 | http://www.c3ds.club/8var/?Al=lvXq2ZvlKgkZIDfLSmNTAdnLkjW8N2OtlkybkqBAdnrsI1i3rgkHaN4LD6E=&Cr4TFn=0VEp9t | US | html | 2.49 Kb | malicious
2200 | svchost.exe | GET | 200 | 2.21.164.198:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | der | 814 b | whitelisted
5852 | cmmon32.exe | GET | 404 | 184.168.106.44:80 | http://www.parasinternational.xyz/8var/?Al=dyZ2ErKmwOdrNSowwwUbup5niP4oI3j/+DU2xKHx8GrQefFeUzmg/rsAZvc=&Cr4TFn=0VEp9t | US | html | 73.8 Kb | malicious
5852 | cmmon32.exe | GET | 500 | 173.82.210.38:80 | http://www.ntyake.com/8var/?Cr4TFn=0VEp9t&Al=UZ51ZmknB7OXfXdZoo+8XXFX+Y6uGDfp0ll1JLtAHVD+pu52OrmjDw384mk= | US | html | 280 b | malicious
5852 | cmmon32.exe | GET | 403 | 172.67.202.252:80 | http://www.slotsformula.com/8var/?Cr4TFn=0VEp9t&Al=kejjAPdgfGOQP9vlfbMw5PJmKYY0gpfs4fibZYrlHSPv7oZ6FB5rWiqOWdE= | US | html | 12.3 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4576 | WaaSMedic.exe | 52.140.118.28:443 | - | Microsoft Corporation | IN | suspicious
2200 | svchost.exe | 20.44.239.154:443 | settings-win.data.microsoft.com | - | US | suspicious
5852 | cmmon32.exe | 199.192.27.55:80 | www.sunamiros.com | - | US | malicious
5852 | cmmon32.exe | 34.102.136.180:80 | www.c3ds.club | - | US | whitelisted
5852 | cmmon32.exe | 184.168.106.44:80 | www.parasinternational.xyz | GoDaddy.com, LLC | US | malicious
5852 | cmmon32.exe | 173.82.210.38:80 | www.ntyake.com | MULTACOM CORPORATION | US | malicious
5852 | cmmon32.exe | 198.185.159.144:80 | www.allindetailingllc.com | Squarespace, Inc. | US | malicious
2200 | svchost.exe | 2.21.164.198:80 | - | Wind Telecomunicazioni SpA | unknown | -
5852 | cmmon32.exe | 74.208.236.10:80 | www.24kenterprisellc.com | 1&1 Internet SE | US | malicious
5852 | cmmon32.exe | 172.67.202.252:80 | www.slotsformula.com | - | US | malicious

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.44.239.154 | whitelisted
time.windows.com | 40.119.148.38 | whitelisted
www.sunamiros.com | 199.192.27.55 | malicious
www.readymademarket.xyz | 208.91.197.91 | malicious
www.jkctoymall.com | 101.36.112.119 | malicious
www.c3ds.club | 34.102.136.180 | malicious
www.amdcloudautomation.com | - | unknown
www.parasinternational.xyz | 184.168.106.44 | malicious
www.ntyake.com | 173.82.210.38 | malicious
www.newlifega.church | 66.96.134.21 | unknown

Threats

PID | Process | Class | Message
5852 | cmmon32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .life TLD
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .life TLD
5852 | cmmon32.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.life Domain
5852 | cmmon32.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.life Domain
No debug info