File name: | New Order 2434722 .exe |
Full analysis: | https://app.any.run/tasks/c8381a24-2604-45c3-a00a-10fca956a169 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | April 15, 2019, 10:02:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 0FA336240F32F069745BB562065ADD71 |
SHA1: | F77F17AA181C7D643AAF6A623A6B95AF122EB35D |
SHA256: | A8FC7F726F2515CA03E1BB82474B1FBD21EC54A2E6780E36055B6AB55C223EFF |
SSDEEP: | 24576:uxnNXo47koDO8j3fKQxzikocQeMQa/lIeus:uxNXh/goJnsQY4s |
.exe | | | InstallShield setup (53.2) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (17.5) |
.scr | | | Windows screen saver (16.1) |
.exe | | | Win32 Executable (generic) (5.5) |
.exe | | | Win16/32 Executable Delphi generic (2.5) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x69c14 |
UninitializedDataSize: | - |
InitializedDataSize: | 419840 |
CodeSize: | 429568 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1991:12:30 03:38:15+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-Dec-1991 02:38:15 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 30-Dec-1991 02:38:15 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x00068C5C | 0x00068E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52751 |
DATA | 0x0006A000 | 0x0000CE88 | 0x0000D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.80036 |
BSS | 0x00077000 | 0x00000CB9 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00078000 | 0x00002138 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.97309 |
.tls | 0x0007B000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0007C000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.200582 |
.reloc | 0x0007D000 | 0x00006FEC | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.64753 |
.rsrc | 0x00084000 | 0x00050304 | 0x00050400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.158 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.76302 | 90 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
2 | 7.71494 | 4279 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 2.02763 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 2.14702 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 1.40901 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 1.71034 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 2.91604 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
988 | 5.2325 | 5595 | Latin 1 / Western European | English - United States | RT_CURSOR |
989 | 7.31748 | 5595 | Latin 1 / Western European | English - United States | RT_CURSOR |
990 | 7.36042 | 5595 | Latin 1 / Western European | English - United States | RT_CURSOR |
advapi32.dll |
comctl32.dll |
comdlg32.dll |
gdi32.dll |
kernel32.dll |
oleaut32.dll |
user32.dll |
version.dll |
winmm.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2484 | "C:\Users\admin\AppData\Local\Temp\New Order 2434722 .exe" | C:\Users\admin\AppData\Local\Temp\New Order 2434722 .exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1436 | "C:\Users\admin\AppData\Local\Temp\New Order 2434722 .exe" | C:\Users\admin\AppData\Local\Temp\New Order 2434722 .exe | — | New Order 2434722 .exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4008 | "C:\Windows\System32\NETSTAT.EXE" | C:\Windows\System32\NETSTAT.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3608 | /c del "C:\Users\admin\AppData\Local\Temp\New Order 2434722 .exe" | C:\Windows\System32\cmd.exe | — | NETSTAT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2044 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2524 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | NETSTAT.EXE | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 | ||||
3176 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1848 | "C:\Program Files\Jjtyl\IconCacheehd0sz9.exe" | C:\Program Files\Jjtyl\IconCacheehd0sz9.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
4008 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\LMRO6DTE\LMRlogrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
2044 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Jjtyl\IconCacheehd0sz9.exe | executable | |
MD5:0FA336240F32F069745BB562065ADD71 | SHA256:A8FC7F726F2515CA03E1BB82474B1FBD21EC54A2E6780E36055B6AB55C223EFF | |||
2524 | Firefox.exe | C:\Users\admin\AppData\Roaming\LMRO6DTE\LMRlogrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A | |||
4008 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\LMRO6DTE\LMRlogim.jpeg | image | |
MD5:72E15A8B62BD897635A92B2D90D0A4BE | SHA256:8F9ED95D0116E9236FCD962786BFD0577472E0B1B9AF0664D42E95A449F1F01B | |||
4008 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\LMRO6DTE\LMRlogri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE | |||
3176 | DllHost.exe | C:\Program Files\Jjtyl\IconCacheehd0sz9.exe | executable | |
MD5:0FA336240F32F069745BB562065ADD71 | SHA256:A8FC7F726F2515CA03E1BB82474B1FBD21EC54A2E6780E36055B6AB55C223EFF | |||
4008 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\LMRO6DTE\LMRlogrv.ini | binary | |
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5 | SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2044 | explorer.exe | GET | 200 | 217.76.156.252:80 | http://www.realmarketing4marketers.com/p1/?Y4sDANL=2/d+z0ZlP+JX/IMkKCyYMDptiHSNY3J/9x8bjoSeq+p4/ziXcRLzFYAAtLcS076S0KPxrg==&cj=UTplG6hXL8ot | PT | — | — | malicious |
2044 | explorer.exe | GET | — | 67.23.239.67:80 | http://www.ofertasmiempleo.com/p1/?Y4sDANL=I8q35t9gTzRahzpVrjraMUP3Eqg8eS8mbM3B0N2TbY7bCyADe2hs/i5/nASPTtF2nZFQtQ==&cj=UTplG6hXL8ot&sql=1 | US | — | — | malicious |
2044 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.saigoncomputer.com/p1/?Y4sDANL=7hSEnVUHbtI5ItUJi8rNkcKhnnlyCwi8CWdrARKyO5xh+OFXCl+4x2sWvOcU6EbFsR2nwA==&cj=UTplG6hXL8ot&sql=1 | US | html | 190 b | shared |
2044 | explorer.exe | POST | — | 47.92.77.118:80 | http://www.8zhacar.com/p1/ | CN | — | — | malicious |
2044 | explorer.exe | POST | — | 192.169.226.125:80 | http://www.dominicanrepubliccatamaran.com/p1/ | US | — | — | malicious |
2044 | explorer.exe | GET | 404 | 47.92.77.118:80 | http://www.8zhacar.com/p1/?Y4sDANL=7UXBwg0+mzcitZAmM2e2RS03ORZvY3eNFLzpjl3u/jgCzS+mTyG60VdQnERI8cBW4fjyIw==&cj=UTplG6hXL8ot&sql=1 | CN | html | 210 b | malicious |
2044 | explorer.exe | POST | — | 47.92.77.118:80 | http://www.8zhacar.com/p1/ | CN | — | — | malicious |
2044 | explorer.exe | POST | — | 67.23.239.67:80 | http://www.ofertasmiempleo.com/p1/ | US | — | — | malicious |
2044 | explorer.exe | POST | — | 192.169.226.125:80 | http://www.dominicanrepubliccatamaran.com/p1/ | US | — | — | malicious |
2044 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.saigoncomputer.com/p1/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2044 | explorer.exe | 23.20.239.12:80 | www.saigoncomputer.com | Amazon.com, Inc. | US | shared |
2044 | explorer.exe | 217.76.156.252:80 | www.realmarketing4marketers.com | 1&1 Internet SE | PT | malicious |
2044 | explorer.exe | 192.169.226.125:80 | www.dominicanrepubliccatamaran.com | GoDaddy.com, LLC | US | malicious |
2044 | explorer.exe | 213.186.33.5:80 | www.tech-on-me.com | OVH SAS | FR | malicious |
2044 | explorer.exe | 47.92.77.118:80 | www.8zhacar.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
— | — | 47.92.77.118:80 | www.8zhacar.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
2044 | explorer.exe | 67.23.239.67:80 | www.ofertasmiempleo.com | HostDime.com, Inc. | US | malicious |
— | — | 213.186.33.5:80 | www.tech-on-me.com | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
www.custombbqsmokergrill.com |
| unknown |
www.realmarketing4marketers.com |
| malicious |
www.beachfrontpropertyvallarta.com |
| unknown |
www.anewmole.com |
| unknown |
www.saigoncomputer.com |
| shared |
www.dominicanrepubliccatamaran.com |
| malicious |
www.todaysappliancerepair.biz |
| unknown |
www.yo669.com |
| unknown |
www.8zhacar.com |
| malicious |
www.milumilu1688.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2044 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |