File name: | Scan_00003984849905654356.exe |
Full analysis: | https://app.any.run/tasks/3edac6bc-077f-48aa-bdd7-f8c04eda2591 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it. |
Analysis date: | October 20, 2020, 09:11:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 29EAA8092A2847B8B13922F9E97441A0 |
SHA1: | 36EF99ADB92E1ED025A47C5EDB9A8A373DBAFB0E |
SHA256: | 9C24CB754BA7BD9C72075BB67B4254763A891A0086316F9217C3F247D84CFF61 |
SSDEEP: | 6144:UPAObj0k20+ZfFzB5xNb47b1AMGXX9WjMilj/OojjE7T1DpnwmNfSle8Vdv3j/:UP1bY8+ZfFzBtbYAt9EMiF/o7pFwmNfC |
Extension | Identified type | Match (%) |
---|---|---|
.exe | Win64 Executable (generic) | 64.6 |
.dll | Win32 Dynamic Link Library (generic) | 15.4 |
.exe | Win32 Executable (generic) | 10.5 |
.exe | Generic Win/DOS Executable | 4.6 |
.exe | DOS Executable Generic | 4.6 |
Subsystem: | Windows command line |
---|---|
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x10b79 |
UninitializedDataSize: | - |
InitializedDataSize: | 48128 |
CodeSize: | 170496 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2020:10:16 07:39:34+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 16-Oct-2020 05:39:34 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 16-Oct-2020 05:39:34 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002999B | 0x00029A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45123 |
.rdata | 0x0002B000 | 0x00007208 | 0x00007400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.25789 |
.data | 0x00033000 | 0x00002DA8 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.90187 |
.gfids | 0x00036000 | 0x000000B8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.937667 |
.rsrc | 0x00037000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0 |
.reloc | 0x00038000 | 0x00001460 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.42537 |
KERNEL32.dll |
RESUTILS.dll |
SETUPAPI.dll |
SHELL32.dll |
ole32.dll |
rtutils.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2540 | "C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe" | C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3792 | "C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe" | C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe | — | Scan_00003984849905654356.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1084 | "C:\Windows\System32\NAPSTAT.EXE" | C:\Windows\System32\NAPSTAT.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Access Protection Client UI Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2528 | /c del "C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe" | C:\Windows\System32\cmd.exe | — | NAPSTAT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
392 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
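The process chain above (the sample launching a second copy of itself, explorer.exe spawning NAPSTAT.EXE, and NAPSTAT.EXE spawning cmd.exe with `/c del` against the original dropper) is the shape worth hunting for: the file is removed by a third, legitimate Windows binary rather than by the dropper itself. The following is an added detection example written for this page, not code from ANY.RUN or from FormBook. The event list is constructed from the process table; the numeric parent PIDs are an assumption derived from the "Parent process" column, since the page lists parent names only.

```python
import re
from collections import defaultdict

# Constructed from the process table above. Parent PIDs are inferred from the
# "Parent process" column (an assumption; the page shows parent names, not ppids).
EVENTS = [
    {"pid": 392,  "ppid": None, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2540, "ppid": 392,  "image": r"C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe"'},
    {"pid": 3792, "ppid": 2540, "image": r"C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe"'},
    {"pid": 1084, "ppid": 392,  "image": r"C:\Windows\System32\NAPSTAT.EXE",
     "cmdline": r'"C:\Windows\System32\NAPSTAT.EXE"'},
    {"pid": 2528, "ppid": 1084, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'/c del "C:\Users\admin\AppData\Local\Temp\Scan_00003984849905654356.exe"'},
]

# cmd.exe /c del [/f /q ...] "<path>"  (quotes optional, switches optional)
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]+\s+)*"?([^"]+?)"?\s*$', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def find_proxy_self_delete(events):
    """Flag cmd.exe deletions of a binary that executed earlier in the same tree.

    kind == "proxy_delete": the deleter's parent is not the victim, i.e. a third
    process (here NAPSTAT.EXE, itself spawned by explorer.exe) removes the dropper.
    kind == "self_delete": the dropper spawned the cmd.exe directly.
    """
    by_pid = {e["pid"]: e for e in events}
    pids_by_image = defaultdict(list)
    for e in events:
        pids_by_image[e["image"].lower()].append(e["pid"])

    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip().lower()
        victims = pids_by_image.get(target)
        if not victims:
            continue  # deleting a file that never executed is out of scope here
        parent = by_pid.get(e["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        kind = "self_delete" if parent and parent["pid"] in victims else "proxy_delete"
        findings.append({
            "kind": kind,
            "cmd_pid": e["pid"],
            "deleted_path": target,
            "victim_pids": victims,
            "deleter_parent": parent["image"] if parent else None,
            "deleter_grandparent": grandparent["image"] if grandparent else None,
            "parent_is_system_binary": bool(parent) and "\\windows\\system32\\" in parent["image"].lower(),
            "target_in_user_writable": any(s in target for s in USER_WRITABLE),
        })
    return findings


def score(finding):
    """Crude severity: a System32 binary proxy-deleting a user-writable dropper scores highest."""
    s = 1
    if finding["kind"] == "proxy_delete":
        s += 1
    if finding["parent_is_system_binary"]:
        s += 1
    if finding["target_in_user_writable"]:
        s += 1
    return s


if __name__ == "__main__":
    for f in find_proxy_self_delete(EVENTS):
        print(score(f), f)
```

The deleted path is matched against the image path of every process that ran, so the rule fires whether the dropper was deleted by its own child (`self_delete`) or, as here, by an unrelated system binary (`proxy_delete`); the latter, combined with a parent under System32 and a target under AppData or Temp, is the combination seen in this report.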
(PID) Process: | (392) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | P:\Hfref\nqzva\NccQngn\Ybpny\Grzc\Fpna_00003984849905654356.rkr |
Value: 00000000000000000000000020000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000 | |||
(PID) Process: | (392) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | HRZR_PGYFRFFVBA |
Value: | |||
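The two UserAssist writes above record the launch in obfuscated form: the Name column is ROT13 of the sample's full path and of the UEME_CTLSESSION marker, and the Value is the 72-byte Windows 7 UserAssist record (session id, run count, focus count, focus time, ten float slots, last-run FILETIME). Below is an added Python example, our own code rather than the sandbox's, that decodes both writes using the bytes exactly as they appear above; the second write's value is not on the page, so it is carried as None.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the two UserAssist writes reported above for PID 392 (explorer.exe).
# The value of the second write is absent from the report, so it is None here.
USERASSIST_WRITES = [
    (r"P:\Hfref\nqzva\NccQngn\Ybpny\Grzc\Fpna_00003984849905654356.rkr",
     "00000000000000000000000020000000"
     "000080BF000080BF000080BF000080BF000080BF"
     "000080BF000080BF000080BF000080BF000080BF"
     "FFFFFFFF000000000000000000000000"),
    ("HRZR_PGYFRFFVBA", None),
]

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; recover the real path or token."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_value(hexdata: str) -> dict:
    """Parse the 72-byte Windows 7+ UserAssist Count record.

    Layout: 0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time (ms),
    0x10 ten little-endian floats (0xBF800000 == -1.0 marks an unused slot),
    0x38 unknown dword, 0x3C last-run FILETIME, 0x44 padding.
    """
    raw = bytes.fromhex(hexdata)
    if len(raw) != 72:
        raise ValueError(f"expected a 72-byte record, got {len(raw)} bytes")
    session_id, run_count, focus_count, focus_ms = struct.unpack_from("<4I", raw, 0)
    floats = struct.unpack_from("<10f", raw, 16)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "session_id": session_id,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "unused_slots": sum(1 for f in floats if f == -1.0),
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def decode_writes(writes):
    """Decode every captured write into (clear-text name, parsed record or None)."""
    out = []
    for name, hexdata in writes:
        rec = parse_userassist_value(hexdata) if hexdata else None
        out.append((decode_name(name), rec))
    return out


if __name__ == "__main__":
    for name, rec in decode_writes(USERASSIST_WRITES):
        print(name, rec)
```

For the record captured above the parser yields a run count of 0, a focus time of 32 ms and a zero last-run FILETIME, i.e. the write as the sandbox saw it at launch, with all ten float slots still at -1.0. On Windows XP/2003 the same key holds a 16-byte record instead, so check the length before unpacking.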
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
392 | explorer.exe | GET | — | 160.153.136.3:80 | http://www.seperationclothing.com/er3b/?RZrTL8lX=dzNblkBqx+qp2eVy3Sb83br3I5gLnqMOJIw9rFx0psuJp5PunASTWNrs3GJ+JYU20sgkKg==&2d9L_=hv1HZl3xgVE4-j4p | US | — | — | malicious |
392 | explorer.exe | GET | — | 162.241.194.27:80 | http://www.somosdelight.com/er3b/?RZrTL8lX=YoMQEKmfTaNHSjMZM1eI/Hx2LK+ZmCkd8iAHqbgAT6c40jkPpYrFB3wUzS1N7Gle70w1eQ==&2d9L_=hv1HZl3xgVE4-j4p | US | — | — | suspicious |
392 | explorer.exe | GET | 302 | 103.224.182.242:80 | http://www.eaplsy.com/er3b/?RZrTL8lX=OBdQFVEAGYAqZRY9YZn3lM80aC/Rs3+BiL/hx5BCycWbsCCsa4qF0rDqPS8g5JEdMDdcwg==&2d9L_=hv1HZl3xgVE4-j4p | AU | — | — | malicious |
392 | explorer.exe | GET | 302 | 216.58.207.83:80 | http://www.popart.church/er3b/?RZrTL8lX=V6kdgMs4AJRqFFlBL1Q7Ahy66df/iUMzMtHFX0HYxjoXIqNb7NPopeWY0hm3S806F8OPVw==&2d9L_=hv1HZl3xgVE4-j4p | US | html | 221 b | malicious |
392 | explorer.exe | GET | 301 | 192.0.78.25:80 | http://www.deanartpg.com/er3b/?RZrTL8lX=RDkSf1A9d1CTwNSiq3Xt5Vj8+gcW5eT09GU06fUPlAkDR4RyRgtKyp7Lj5TeYs0NQHpzeg==&2d9L_=hv1HZl3xgVE4-j4p | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
392 | explorer.exe | 160.153.136.3:80 | www.seperationclothing.com | GoDaddy.com, LLC | US | malicious |
392 | explorer.exe | 192.0.78.25:80 | www.deanartpg.com | Automattic, Inc | US | malicious |
392 | explorer.exe | 216.58.207.83:80 | www.popart.church | Google Inc. | US | whitelisted |
392 | explorer.exe | 162.241.194.27:80 | www.somosdelight.com | CyrusOne LLC | US | suspicious |
392 | explorer.exe | 103.224.182.242:80 | www.eaplsy.com | Trellian Pty. Limited | AU | malicious |
Domain | IP | Reputation |
---|---|---|
www.seperationclothing.com | 160.153.136.3 | malicious |
www.deanartpg.com | 192.0.78.25 | malicious |
www.popart.church | 216.58.207.83 | malicious |
www.eaplsy.com | 103.224.182.242 | malicious |
www.somosdelight.com | 162.241.194.27 | suspicious |
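All five GET requests share the same path (/er3b/), the same two parameter names (RZrTL8lX and 2d9L_) and the same second value (hv1HZl3xgVE4-j4p), while the first value changes on every request and the host rotates through unrelated domains; that repetition across domains is a stronger indicator than any single URL or IP. The following is an added Python example, not code from ANY.RUN or from the report, that clusters proxy-log URLs by that fingerprint. The shape thresholds (a 2-8 character single directory, a base64-like first value of at least 40 characters, an 8-24 character second value) are our own assumptions drawn from these five URLs and are not a vendor signature; the two benign URLs at the end of the list are constructed for contrast.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The five GET requests from the report above, plus two constructed benign URLs.
SAMPLE_URLS = [
    "http://www.seperationclothing.com/er3b/?RZrTL8lX=dzNblkBqx+qp2eVy3Sb83br3I5gLnqMOJIw9rFx0psuJp5PunASTWNrs3GJ+JYU20sgkKg==&2d9L_=hv1HZl3xgVE4-j4p",
    "http://www.somosdelight.com/er3b/?RZrTL8lX=YoMQEKmfTaNHSjMZM1eI/Hx2LK+ZmCkd8iAHqbgAT6c40jkPpYrFB3wUzS1N7Gle70w1eQ==&2d9L_=hv1HZl3xgVE4-j4p",
    "http://www.eaplsy.com/er3b/?RZrTL8lX=OBdQFVEAGYAqZRY9YZn3lM80aC/Rs3+BiL/hx5BCycWbsCCsa4qF0rDqPS8g5JEdMDdcwg==&2d9L_=hv1HZl3xgVE4-j4p",
    "http://www.popart.church/er3b/?RZrTL8lX=V6kdgMs4AJRqFFlBL1Q7Ahy66df/iUMzMtHFX0HYxjoXIqNb7NPopeWY0hm3S806F8OPVw==&2d9L_=hv1HZl3xgVE4-j4p",
    "http://www.deanartpg.com/er3b/?RZrTL8lX=RDkSf1A9d1CTwNSiq3Xt5Vj8+gcW5eT09GU06fUPlAkDR4RyRgtKyp7Lj5TeYs0NQHpzeg==&2d9L_=hv1HZl3xgVE4-j4p",
    "http://example.com/er3b/index.html",            # constructed benign
    "http://example.org/news/?id=formbook&page=2",  # constructed benign
]

# Shape seen in this report: a short single-segment directory, then exactly two
# query parameters, the first a long base64 blob and the second a short token.
# The thresholds are our own assumptions, not a published signature.
DIR_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,24}$")


def split_query(query: str):
    """Split a query string without decoding it. urllib's parse_qsl would turn
    '+' into ' ' and mangle the base64 blob we want to fingerprint."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def extract_beacon(url: str):
    """Return (directory, key1, key2, token) for a beacon-shaped URL, else None."""
    u = urlsplit(url)
    if not DIR_RE.match(u.path):
        return None
    params = split_query(u.query)
    if len(params) != 2:
        return None
    (key1, blob), (key2, token) = params
    if not (BLOB_RE.match(blob) and TOKEN_RE.match(token)):
        return None
    return (u.path.strip("/"), key1, key2, token)


def cluster_beacons(urls):
    """Group hosts by beacon fingerprint. One fingerprint hitting several
    unrelated domains is the tell: the sample walks its domain list (decoys
    and the real C2 alike) reusing the same token on every host."""
    clusters = defaultdict(set)
    for url in urls:
        fp = extract_beacon(url)
        if fp:
            clusters[fp].add(urlsplit(url).hostname)
    return dict(clusters)


if __name__ == "__main__":
    for fp, hosts in cluster_beacons(SAMPLE_URLS).items():
        print(fp, sorted(hosts))
```

Run over the five URLs above the code produces a single fingerprint, `("er3b", "RZrTL8lX", "2d9L_", "hv1HZl3xgVE4-j4p")`, mapped to all five hosts, while both benign URLs are rejected. In production the threshold that matters is the number of distinct hosts per fingerprint, not the URL shape on its own, since a short directory plus two parameters also fits plenty of legitimate sites.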
PID | Process | Class | Message |
---|---|---|---|
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |