File name: | Proforma Invoice.exe |
Full analysis: | https://app.any.run/tasks/7e2fb693-e0ee-48e1-b928-66cf6c62d6a3 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 24, 2019, 11:29:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 6649129098CAA5F9397A1DF582FEC1BB |
SHA1: | EA0232FFA0D8C0B71B4FB35DFBD381D03C6F3063 |
SHA256: | 9D8EEDA2C397ED38C99999881EBC1AE4EAEFF581189956AF092878002622F447 |
SSDEEP: | 12288:y1fHjCHB1yZvRnwcXwxXr7ypm4eSs1k2s5YqK7:GAB1yZvRnwcXw7KeSsQY9 |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
---|---|---|
.exe | | | Win64 Executable (generic) (23.8) |
.dll | | | Win32 Dynamic Link Library (generic) (5.6) |
.exe | | | Win32 Executable (generic) (3.8) |
.exe | | | Generic Win/DOS Executable (1.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:05:24 03:58:32+02:00 |
PEType: | PE32 |
LinkerVersion: | 8 |
CodeSize: | 259072 |
InitializedDataSize: | 350208 |
UninitializedDataSize: | - |
EntryPoint: | 0x413be |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | ListDir |
CompanyName: | - |
FileDescription: | ListDir |
FileVersion: | 1.0.0.0 |
InternalName: | ListDir.exe |
LegalCopyright: | Copyright © 2009 |
LegalTrademarks: | - |
OriginalFileName: | ListDir.exe |
ProductName: | ListDir |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-May-2019 01:58:32 |
Comments: | ListDir |
CompanyName: | - |
FileDescription: | ListDir |
FileVersion: | 1.0.0.0 |
InternalName: | ListDir.exe |
LegalCopyright: | Copyright © 2009 |
LegalTrademarks: | - |
OriginalFilename: | ListDir.exe |
ProductName: | ListDir |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 24-May-2019 01:58:32 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0003F3C4 | 0x0003F400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95011 |
.rsrc | 0x00042000 | 0x0005546C | 0x00055600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.7535 |
.reloc | 0x00098000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
2 | 7.91463 | 27540 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 7.87658 | 11631 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 4.91967 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 5.52031 | 488 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 5.50697 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 5.11998 | 1640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 5.18944 | 2664 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 4.96162 | 3560 | Latin 1 / Western European | UNKNOWN | RT_ICON |
10 | 5.07979 | 5864 | Latin 1 / Western European | UNKNOWN | RT_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3056 | "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.exe" | C:\Users\admin\AppData\Local\Temp\Proforma Invoice.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: ListDir Exit code: 0 Version: 1.0.0.0 | ||||
3148 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\starssound.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2952 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1876 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\stopenergy.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2816 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BooHAxnTjmIN" /XML "C:\Users\admin\AppData\Local\Temp\tmpA988.tmp" | C:\Windows\System32\schtasks.exe | — | Proforma Invoice.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3676 | "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.exe" | C:\Users\admin\AppData\Local\Temp\Proforma Invoice.exe | — | Proforma Invoice.exe |
User: admin Integrity Level: MEDIUM Description: ListDir Exit code: 0 Version: 1.0.0.0 | ||||
2208 | "C:\Windows\System32\wuauclt.exe" | C:\Windows\System32\wuauclt.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Update Version: 7.5.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2980 | /c del "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.exe" | C:\Windows\System32\cmd.exe | — | wuauclt.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2896 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\starssound.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2956 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR97F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{389A53B2-EB07-4237-A049-383BF162EBC9}.tmp | — | |
MD5:— | SHA256:— | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CAEBFC7C-1734-4BE3-8BA6-331383CF36EC}.tmp | — | |
MD5:— | SHA256:— | |||
1876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4B7A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{87282B04-9461-432A-9A89-8630E2791BA4}.tmp | — | |
MD5:— | SHA256:— | |||
1876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5F25ADE2-9064-4ACC-8ECD-2B0D355973D1}.tmp | — | |
MD5:— | SHA256:— | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFD45.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{18DD7313-3764-4144-859A-2E25D38A59D7}.tmp | — | |
MD5:— | SHA256:— | |||
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | |
MD5:6FE3BE5266683F078ACE9FCE594C386D | SHA256:0A373809980C6DE3FF962E60CCBEA931446627F1551DEBB05CC111F7A68B855E | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\starssound.rtf.LNK | lnk | |
MD5:8474A07F2128E9D488D9078F6F2BD3C9 | SHA256:6314D70E0A1BB0C482DF2CF0894891B479801BC9536616E9C4D2CC1F17A2CA2C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
252 | explorer.exe | POST | — | 85.233.160.22:80 | http://www.limordollar.com/ak77/ | GB | — | — | malicious |
252 | explorer.exe | POST | — | 85.233.160.22:80 | http://www.limordollar.com/ak77/ | GB | — | — | malicious |
252 | explorer.exe | GET | 200 | 85.233.160.22:80 | http://www.limordollar.com/ak77/?_Df4AN=pAVhzMkpk0mkamOER64mVrJ1yPnr+64es6MGrbcV3aCKgQHtRP4se699Yd7rHYXOwJlUHQ==&rLw=g818FTbp0f | GB | html | 491 b | malicious |
252 | explorer.exe | GET | 301 | 35.246.6.109:80 | http://www.bookroseroom.com/ak77/?_Df4AN=Y37b2pSw/EOHuHSKq01Os1T+KdYjLbfToGY50al1C95DIkdHLv3lV1JBzY5sdkVCp9Dl3g==&rLw=g818FTbp0f | US | — | — | malicious |
252 | explorer.exe | GET | 200 | 198.187.30.17:80 | http://www.discountclick.info/ak77/?_Df4AN=Buu56UTaTqtSsibq+MpAZXqn1/hVIFk6d9ttzuiG6xkdue37aKxAyLNLnsm0REyA35hEtw==&rLw=g818FTbp0f&sql=1 | US | binary | 323 Kb | malicious |
252 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.bookroseroom.com/ak77/ | US | — | — | malicious |
252 | explorer.exe | POST | — | 192.0.78.25:80 | http://www.steviedandrea.com/ak77/ | US | — | — | malicious |
252 | explorer.exe | GET | 404 | 154.210.164.153:80 | http://www.wafangdian9.com/ak77/?_Df4AN=fiEcaBtG8ujBg071OMkQLWdfqtSOcV687FWpmsv9zMxP2IM6JZcBHcCYHqVJOfD2YF92tQ==&rLw=g818FTbp0f | US | html | 2.53 Kb | malicious |
252 | explorer.exe | POST | — | 85.233.160.22:80 | http://www.limordollar.com/ak77/ | GB | — | — | malicious |
252 | explorer.exe | POST | 404 | 198.187.30.17:80 | http://www.discountclick.info/ak77/ | US | html | 298 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
252 | explorer.exe | 154.210.164.153:80 | www.wafangdian9.com | MULTACOM CORPORATION | US | malicious |
— | — | 192.0.78.25:80 | www.steviedandrea.com | Automattic, Inc | US | malicious |
252 | explorer.exe | 85.233.160.22:80 | www.limordollar.com | Namesco Limited | GB | malicious |
252 | explorer.exe | 192.0.78.25:80 | www.steviedandrea.com | Automattic, Inc | US | malicious |
252 | explorer.exe | 198.187.30.17:80 | www.discountclick.info | Namecheap, Inc. | US | malicious |
252 | explorer.exe | 35.246.6.109:80 | www.bookroseroom.com | — | US | malicious |
— | — | 85.233.160.22:80 | www.limordollar.com | Namesco Limited | GB | malicious |
Domain | IP | Reputation |
---|---|---|
www.wafangdian9.com |
| unknown |
www.discountclick.info |
| malicious |
www.coinweekend.com |
| unknown |
www.limordollar.com |
| malicious |
www.bookroseroom.com |
| malicious |
www.formanspools.com |
| unknown |
www.steviedandrea.com |
| malicious |
www.qlajq.win |
| unknown |
www.1fypc7rmkce.biz |
| unknown |
www.knightsbridge-internet.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |