analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://terigilbe.cf/cpanel/doc/coco.exe

Full analysis: https://app.any.run/tasks/ffd6cc81-b550-40c2-8cab-0c3d6f188316
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: April 23, 2019, 11:39:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
trojan
formbook
stealer
Indicators:
MD5:

1F981B196F88F43D661790C3DF03188E

SHA1:

7FCFDBD5D025BD69D095C9DD3B914EA8497B5E70

SHA256:

A2BBF42A5B5FB1D3D582CC1941FE06C88BF206E6ABC5CFF8D22549DBBF02D521

SSDEEP:

3:N1KKAcxgLGjE/X7w:CK5gaE/8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • coco.exe (PID: 852)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 2536)
    • FORMBOOK was detected

      • explorer.exe (PID: 2036)
    • Formbook was detected

      • ipconfig.exe (PID: 2756)
      • Firefox.exe (PID: 2772)
    • Connects to CnC server

      • explorer.exe (PID: 2036)
    • Changes the autorun value in the registry

      • ipconfig.exe (PID: 2756)
    • Actions looks like stealing of personal data

      • ipconfig.exe (PID: 2756)
    • Stealing of credential data

      • ipconfig.exe (PID: 2756)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2536)
    • Uses IPCONFIG.EXE to discover IP address

      • explorer.exe (PID: 2036)
    • Starts CMD.EXE for commands execution

      • ipconfig.exe (PID: 2756)
    • Creates files in the user directory

      • ipconfig.exe (PID: 2756)
    • Loads DLL from Mozilla Firefox

      • ipconfig.exe (PID: 2756)
  • INFO

    • Creates files in the user directory

      • chrome.exe (PID: 2536)
      • Firefox.exe (PID: 2772)
    • Application launched itself

      • chrome.exe (PID: 2536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
16
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs coco.exe no specs #FORMBOOK ipconfig.exe cmd.exe no specs explorer.exe no specs chrome.exe no specs chrome.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2536"C:\Program Files\Google\Chrome\Application\chrome.exe" http://terigilbe.cf/cpanel/doc/coco.exeC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
1140"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fa10f18,0x6fa10f28,0x6fa10f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2432"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2800 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
3716"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=904,5059443428091262702,2540024473480929749,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11955287170698732282 --mojo-platform-channel-handle=976 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
2368"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,5059443428091262702,2540024473480929749,131072 --enable-features=PasswordImport --service-pipe-token=6625046335958437559 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6625046335958437559 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
2644"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,5059443428091262702,2540024473480929749,131072 --enable-features=PasswordImport --service-pipe-token=7162453006450246452 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7162453006450246452 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
932"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,5059443428091262702,2540024473480929749,131072 --enable-features=PasswordImport --service-pipe-token=17455526685576979937 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17455526685576979937 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2628"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=904,5059443428091262702,2540024473480929749,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14501372247316129372 --mojo-platform-channel-handle=3956 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
852"C:\Users\admin\Downloads\coco.exe" C:\Users\admin\Downloads\coco.exechrome.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2756"C:\Windows\System32\ipconfig.exe"C:\Windows\System32\ipconfig.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 245
Read events
1 064
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
106
Text files
54
Unknown types
0

Dropped files

PID
Process
Filename
Type
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\867a6416-798d-480f-b1e0-6bfb8ac6ac17.tmp
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2036
explorer.exe
POST
192.64.114.89:80
http://www.zinrop.com/co/
US
malicious
2536
chrome.exe
GET
200
185.189.149.207:80
http://terigilbe.cf/cpanel/doc/coco.exe
CH
executable
268 Kb
suspicious
2036
explorer.exe
POST
404
192.64.114.89:80
http://www.zinrop.com/co/
US
html
290 b
malicious
2036
explorer.exe
GET
301
46.101.73.58:80
http://www.mdsolutionsuk.com/co/?3f9=YlM0DHTPPje&6lop4BMX=EUrf71wC6tycdVCrsoEQMJFnbCi2nv7lIcfzrfGuS2mIGEj9pJhJNRYA2MsreOBSHDcWEQ==
GB
html
343 b
malicious
2036
explorer.exe
GET
404
192.64.114.89:80
http://www.zinrop.com/co/?6lop4BMX=ubcOqtCJ4/n1L6iT7q5Y6MToH9a96M2rdN6Zm8/Ue4ty0icNzrbE899ta8XgbGtOXJaS+g==&3f9=YlM0DHTPPje
US
html
326 b
malicious
2036
explorer.exe
POST
192.64.114.89:80
http://www.zinrop.com/co/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2536
chrome.exe
172.217.22.78:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2536
chrome.exe
172.217.21.237:443
accounts.google.com
Google Inc.
US
whitelisted
2536
chrome.exe
216.58.206.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted
185.189.149.207:80
terigilbe.cf
SOFTplus Entwicklungen GmbH
CH
suspicious
2536
chrome.exe
172.217.18.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2536
chrome.exe
172.217.22.68:443
www.google.com
Google Inc.
US
whitelisted
2536
chrome.exe
216.58.207.67:443
www.gstatic.com
Google Inc.
US
whitelisted
2536
chrome.exe
172.217.16.202:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2036
explorer.exe
46.101.73.58:80
www.mdsolutionsuk.com
Digital Ocean, Inc.
GB
malicious
2536
chrome.exe
216.58.206.14:443
clients1.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
terigilbe.cf
  • 185.189.149.207
unknown
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
accounts.google.com
  • 172.217.21.237
shared
sb-ssl.google.com
  • 172.217.22.78
whitelisted
www.google.com
  • 172.217.22.68
whitelisted
ssl.gstatic.com
  • 216.58.206.3
whitelisted
www.gstatic.com
  • 216.58.207.67
whitelisted
www.mdsolutionsuk.com
  • 46.101.73.58
unknown
clients1.google.com
  • 216.58.206.14
whitelisted
www.zinrop.com
  • 192.64.114.89
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
2536
chrome.exe
Misc activity
ET INFO Packed Executable Download
2536
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2536
chrome.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
4 ETPRO signatures available at the full report
No debug info