File name:

FedEx Express AWB#5305323204643.exe

Full analysis: https://app.any.run/tasks/b33c4b8f-2e18-4e13-9e94-4f96acb45516
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: December 02, 2024, 13:38:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
formbook
xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

3AE40912766339837DA60E6A29E72791

SHA1:

F7A3E4560435770745D04A9ABF5AE4B88B29F2A9

SHA256:

A31BB86950434C10901F781EC299B84323CD6C199B557F39653CDC5557641B6D

SSDEEP:

24576:8RTXK/1EyhW3AoLVEz0MpchhLCVhy+4LkOBYt56VBNVB6eHZI2nqzXUdF:8RTXK/1EyhW3AoLVEz0MpchhLCVhy+4h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • FORMBOOK has been detected (YARA)

      • mstsc.exe (PID: 6924)

  • SUSPICIOUS

    • Application launched itself

      • FedEx Express AWB#5305323204643.exe (PID: 5920)

    • Starts CMD.EXE for commands execution

      • mstsc.exe (PID: 6924)

  • INFO

    • Reads the computer name

      • FedEx Express AWB#5305323204643.exe (PID: 5920)

    • Checks supported languages

      • FedEx Express AWB#5305323204643.exe (PID: 5920)

    • Manual execution by a user

      • autochk.exe (PID: 6912)
      • mstsc.exe (PID: 6924)

    • .NET Reactor protector has been detected

      • FedEx Express AWB#5305323204643.exe (PID: 5920)

    • Reads the machine GUID from the registry

      • FedEx Express AWB#5305323204643.exe (PID: 5920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(6924) mstsc.exe
C2www.igitalsells-corner.xyz/g92s/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)utomation-tools-55205.bond
commerce-99094.bond
ufounoufeng.vip
arkknighttransport.net
et9ja.webcam
75511.vip
afiabmfkrk.online
lluminos.live
egitfxtrade.live
zn-lab.net
implifiedprojects.net
mjsnnn5716.shop
ecurity-service-28490.bond
andy888th.online
dno.xyz
ofl.xyz
enamind.net
ellnessdigitalmedia.store
mcreative.studio
wctoken-v2.icu
ochnonevpn.online
amewith.auction
groupsrl.net
piro.style
hdqyp.shop
76v.lat
dzywkanaporostrzes.pro
nitypath.website
slami.store
erseus-global.net
52pq293kt.skin
duxrib.xyz
utosub.xyz
otorcycle-loans-21363.bond
acho.store
lay44.bet
olka.xyz
eelthevibe.xyz
reezedrybreastmilk.net
ythicsportswear.online
tatspw.online
x-design-courses-91526.bond
inhngoc.photos
kuxepe.info
rjeffbarry.online
unnylogistics.pro
eaponreadiness.net
69nyccoffee.shop
atiao.asia
eekend-warriors.website
umematch.net
arrefour-banque.business
ehuatang.online
hhls370824.sbs
manate.ltd
oodstocks.sbs
essicafilho.online
nline-mba-94006.bond
hreekalyanam.online
nline-advertising-57293.bond
nline-advertising-77795.bond
otorcycle-loans-81246.bond
olar-battery-13607.bond
nfluencer-marketing-27273.bond
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:26 11:30:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 688128
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xa9f8e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation.
FileDescription: Picture Wizard
FileVersion: 1.0.0.0
InternalName: vBeK.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: vBeK.exe
ProductName: Picture Wizard
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start fedex express awb#5305323204643.exe no specs fedex express awb#5305323204643.exe no specs fedex express awb#5305323204643.exe no specs autochk.exe no specs #FORMBOOK mstsc.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5920"C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exe" C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation.
Integrity Level:
MEDIUM
Description:
Picture Wizard
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fedex express awb#5305323204643.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6856"C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exe"C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exeFedEx Express AWB#5305323204643.exe
User:
admin
Company:
Microsoft Corporation.
Integrity Level:
MEDIUM
Description:
Picture Wizard
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fedex express awb#5305323204643.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6864"C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exe"C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exeFedEx Express AWB#5305323204643.exe
User:
admin
Company:
Microsoft Corporation.
Integrity Level:
MEDIUM
Description:
Picture Wizard
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fedex express awb#5305323204643.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6912"C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Auto Check Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\autochk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6924"C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Remote Desktop Connection
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mstsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
Formbook
(PID) Process(6924) mstsc.exe
C2www.igitalsells-corner.xyz/g92s/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)utomation-tools-55205.bond
commerce-99094.bond
ufounoufeng.vip
arkknighttransport.net
et9ja.webcam
75511.vip
afiabmfkrk.online
lluminos.live
egitfxtrade.live
zn-lab.net
implifiedprojects.net
mjsnnn5716.shop
ecurity-service-28490.bond
andy888th.online
dno.xyz
ofl.xyz
enamind.net
ellnessdigitalmedia.store
mcreative.studio
wctoken-v2.icu
ochnonevpn.online
amewith.auction
groupsrl.net
piro.style
hdqyp.shop
76v.lat
dzywkanaporostrzes.pro
nitypath.website
slami.store
erseus-global.net
52pq293kt.skin
duxrib.xyz
utosub.xyz
otorcycle-loans-21363.bond
acho.store
lay44.bet
olka.xyz
eelthevibe.xyz
reezedrybreastmilk.net
ythicsportswear.online
tatspw.online
x-design-courses-91526.bond
inhngoc.photos
kuxepe.info
rjeffbarry.online
unnylogistics.pro
eaponreadiness.net
69nyccoffee.shop
atiao.asia
eekend-warriors.website
umematch.net
arrefour-banque.business
ehuatang.online
hhls370824.sbs
manate.ltd
oodstocks.sbs
essicafilho.online
nline-mba-94006.bond
hreekalyanam.online
nline-advertising-57293.bond
nline-advertising-77795.bond
otorcycle-loans-81246.bond
olar-battery-13607.bond
nfluencer-marketing-27273.bond
7064/c del "C:\Users\admin\AppData\Local\Temp\FedEx Express AWB#5305323204643.exe"C:\Windows\SysWOW64\cmd.exemstsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
136
Read events
136
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
32
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2632
svchost.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2632
svchost.exe
GET
200
2.17.0.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.17.0.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6260
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6932
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6932
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
92.123.104.62:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2632
svchost.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.17.0.227:80
www.microsoft.com
AKAMAI-AS
DK
whitelisted
2632
svchost.exe
2.17.0.227:80
www.microsoft.com
AKAMAI-AS
DK
whitelisted
4
System
192.168.100.255:137
whitelisted
1176
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.62
  • 92.123.104.61
  • 92.123.104.59
  • 92.123.104.57
  • 92.123.104.55
  • 92.123.104.56
  • 92.123.104.63
  • 92.123.104.58
  • 92.123.104.52
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.166
  • 23.48.23.176
whitelisted
google.com
  • 172.217.18.110
whitelisted
www.microsoft.com
  • 2.17.0.227
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FedEx Express AWB#5305323204643.exe