File name: | Payment Details pdf.exe |
Full analysis: | https://app.any.run/tasks/d830e87a-f6d5-4bf0-a7fb-15d6706ce33a |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | August 12, 2022, 19:27:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 1189EEC958A44BB5834F0A2A51E69F16 |
SHA1: | F5C254FC49374F66898AA91D856A81ED7CCF20D6 |
SHA256: | 9DB7ECE2184B1D22F94206FD18D539E2DA6BB438E02AF04794A3FCB0B483D7DF |
SSDEEP: | 12288:sDt3gmitQLp9ZAhY+7rW2IBXuatoP1MBnHxJj46g:iHFLpAh/7CdrtoP+BHxXg |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2073:03:17 21:08:38+01:00 |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 939520 |
InitializedDataSize: | 169472 |
UninitializedDataSize: | - |
EntryPoint: | 0xe743a |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | Microsoft |
FileDescription: | Post Service |
FileVersion: | 1.0.0.0 |
InternalName: | WellKnownSidT.exe |
LegalCopyright: | Copyright © 2020 |
LegalTrademarks: | - |
OriginalFileName: | WellKnownSidT.exe |
ProductName: | Post Service |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Feb-1937 13:40:22 |
Comments: | - |
CompanyName: | Microsoft |
FileDescription: | Post Service |
FileVersion: | 1.0.0.0 |
InternalName: | WellKnownSidT.exe |
LegalCopyright: | Copyright © 2020 |
LegalTrademarks: | - |
OriginalFilename: | WellKnownSidT.exe |
ProductName: | Post Service |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 09-Feb-1937 13:40:22 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x000E5440 | 0x000E5600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.99849 |
.rsrc | 0x000E8000 | 0x000293E4 | 0x00029400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.50628 |
.reloc | 0x00112000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.31216 | 844 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
2 | 3.61063 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 4.41371 | 38056 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 4.30681 | 21640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 3.80498 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 4.60285 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 4.05262 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 4.87061 | 2440 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 4.60882 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3512 | "C:\Users\admin\AppData\Local\Temp\Payment Details pdf.exe" | C:\Users\admin\AppData\Local\Temp\Payment Details pdf.exe | — | Explorer.EXE |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Post Service Exit code: 0 Version: 1.0.0.0 | ||||
2432 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | Payment Details pdf.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR | ||||
2736 | "C:\Windows\System32\wuauclt.exe" | C:\Windows\System32\wuauclt.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Update Version: 7.6.7601.24542 (win7sp1_ldr_escrow.191209-2211) Formbook(PID) Process(2736) wuauclt.exe C2www.hocseohanoi.com/o85a/ Decoys and strings (143)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start lvmh.store grantrec.online pinkglam.net springreno.com moneynappress.com disclegends.net taizonee9.app 3365826.com asdmohs19.website atlantapolicy.com rioinvestmentrd.com alltriciashomemadegoodies.com duanvidentcenter.com whitelabelcasino.xyz uptick.business kickverseblade.store malmotairi.com nazhan.site nehimiah.world aero-bell.com pertinhodevoce.com haohaiyq.com 99012305.com matsukihira-arte.com reviviobizzo.xyz lexindx.com yongalcxa.digital starair.co foreveryoungforever.com caktreecapital.com 1stecfed-assist.com americascoolest.com febmakl.online exclusivewebmasters.com tamplariedanielnica.net housz.net hailisoft.net sentec-usa.com faithhopelovejoy.com yonjia.net telepathymachine.com hhsm.net cleanubble.co.uk hualong5000.com cs4a.net battlegroundsesportsindia.com roymunene.com thesilverserpent.co.uk expertchatter.com meexnetwork.com watch-episodes.site wilxzter.space palma-mallorca.email advmedialpt.com yhlzj.com restaurantecasa.net envisiongraphx.online atlassian.website fesf.net womenvibrators.com klantings002.sbs slpsmv.xyz bong79.asia goodchoose.space f-end Modules (42)kernel32.dll advapi32.dll ws2_32.dll svchost.exe msiexec.exe wuauclt.exe lsass.exe wlanext.exe msg.exe lsm.exe dwm.exe help.exe chkdsk.exe cmmon32.exe nbtstat.exe spoolsv.exe rdpclip.exe control.exe taskhost.exe rundll32.exe systray.exe audiodg.exe wininit.exe services.exe autochk.exe autoconv.exe autofmt.exe cmstp.exe colorcpl.exe cscript.exe explorer.exe WWAHost.exe ipconfig.exe msdt.exe mstsc.exe NAPSTAT.EXE netsh.exe NETSTAT.EXE raserver.exe wscript.exe wuapp.exe cmd.exe | ||||
3104 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\System32\cmd.exe | — | wuauclt.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
588 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (588) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000006BB2ECFD1CAEB540958CB09A96FF7FDD00000000020000000000106600000001000020000000E15E2B71A484ED0EA08F042A59F6FA73E3F89D20F8380ED57BAFE9A11E6C9D93000000000E8000000002000020000000B598B55010B55B9E7244200F60FD8DEFA16F7DC9E764BC49DEEE3A707C19D62130000000468163E9AEE270A05C46537024F9E1F48DDD27F8ECAF8B69DCE736023A01B1CA18BD8358E055AA27D1F6DFD54B01D9D940000000B4711ED102A70839C61FE8CD0EBEB2BC8289002B29BDDDB5564422EFD6E8749EFC672983EEBA94841A57DC7D4E94FDF2F12C14C2255409CFACA778485F504DA9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
588 | Explorer.EXE | GET | 200 | 104.167.70.83:80 | http://www.cs4a.net/o85a/?jB=ZtRZTwG8KuXQ3bYg6hoJdfpCWzxX72Vi/yafqxc0F/3Zf8h0slwyG9cN5+LzI++dycVPzg==&pNJ=Nv1DCv_ | US | html | 1.82 Kb | malicious |
588 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.atlantapolicy.com/o85a/?jB=8LuqLTHDC0wWOSYP9kau3LdIEE/AN5bNFJwGr4BQhrxS+F8u+hxPMRdZWNjypKZCVvQi2w==&pNJ=Nv1DCv_ | US | html | 291 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
588 | Explorer.EXE | 34.102.136.180:80 | www.atlantapolicy.com | — | US | whitelisted |
588 | Explorer.EXE | 104.167.70.83:80 | www.cs4a.net | eSited Solutions | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.cs4a.net |
| malicious |
www.atlantapolicy.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
588 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
588 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
588 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
588 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
588 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
588 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
588 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
588 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |