File name: | acb58cf1f819372ca5f461636f47ef790ec5d2748a5eaa3676104e46cdca1b19 |
Full analysis: | https://app.any.run/tasks/8d467123-8735-4f66-898a-7a272c2f895d |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | December 06, 2018, 12:54:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0 |
MD5: | 6D7ADA8915023EB188F47444A77D169D |
SHA1: | F87023A7C0DE6B0FF4B0B2B799E58F41B938C332 |
SHA256: | ACB58CF1F819372CA5F461636F47EF790EC5D2748A5EAA3676104E46CDCA1B19 |
SSDEEP: | 12288:TEqy7sSW7kNUhBiTL1wuG2YVkp455oaomdIbTbq:TE5wzAQUTO/2SkpWon |
.msi | | | Microsoft Installer (100) |
---|
Security: | None |
---|---|
Words: | - |
Pages: | 100 |
ModifyDate: | 2013:05:21 11:56:44 |
RevisionNumber: | {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E} |
LastModifiedBy: | devuser |
Template: | ;0 |
Comments: | - |
Keywords: | - |
Author: | www.exetomsi.com |
Subject: | - |
Title: | Exe to msi converter free |
Software: | Windows Installer |
CreateDate: | 2012:09:21 09:56:09 |
LastPrinted: | 2012:09:21 09:56:09 |
CodePage: | Windows Latin 1 (Western European) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\acb58cf1f819372ca5f461636f47ef790ec5d2748a5eaa3676104e46cdca1b19.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2252 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2156 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2620 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003AC" "00000488" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2348 | "C:\Windows\Installer\MSIDA38.tmp" | C:\Windows\Installer\MSIDA38.tmp | msiexec.exe | |
User: admin Integrity Level: MEDIUM Description: right.Properties Exit code: 0 Version: 1.0.0.0 | ||||
3204 | "C:\Windows\Installer\MSIDA38.tmp" | C:\Windows\Installer\MSIDA38.tmp | MSIDA38.tmp | |
User: SYSTEM Integrity Level: SYSTEM Description: right.Properties Exit code: 0 Version: 1.0.0.0 | ||||
2816 | "C:\Windows\System32\wscript.exe" | C:\Windows\System32\wscript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3316 | /c del "C:\Windows\Installer\MSIDA38.tmp" | C:\Windows\System32\cmd.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
236 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3136 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | wscript.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2252 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2252 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:56A1802A388CE1D933D447A5D3D22BBD | SHA256:8315B939A6947D0DE78F9F9DE380228FF454EF09EDD48F5B52AAA993923C7A39 | |||
2620 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:0B1CEBF94A208D495B4DD2DC69AC89F6 | SHA256:968F25EBD53B15B7897DA2D8009A27426CA64774418CEE352FFF477F7C33D37A | |||
2156 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
2252 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF37D8F6B8F86EF487.TMP | — | |
MD5:— | SHA256:— | |||
2252 | msiexec.exe | C:\Config.Msi\13c7fa.rbs | — | |
MD5:— | SHA256:— | |||
2252 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF5B5DD80EAC7A744B.TMP | — | |
MD5:— | SHA256:— | |||
2620 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:76DCC60F78B3DFF1AE3627619074F465 | SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 | |||
2252 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{7a71f1a3-823d-4445-845c-6483412a3f00}_OnDiskSnapshotProp | binary | |
MD5:56A1802A388CE1D933D447A5D3D22BBD | SHA256:8315B939A6947D0DE78F9F9DE380228FF454EF09EDD48F5B52AAA993923C7A39 | |||
2620 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:D075B9CCC870FACDC63AC194D74A1279 | SHA256:3371347C9D7A8FD2E32AF6B41B3C4C4F4B597B36861C868E92069C17A6E9D8D4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
236 | explorer.exe | GET | 301 | 91.216.107.156:80 | http://www.midiomalinea.com/ai/?oLv=KbWunvhw/zpXP5wW0UeZ7BJvggAhLiR/U+yWF01r9OQaPoLd46pZ4MbN2sk8HpOuCMpePQ==&mLVDc=WZzhBBv0x0QLaRG | FR | html | 429 b | malicious |
236 | explorer.exe | GET | 500 | 160.153.32.192:80 | http://www.brickellwatches.com/ai/?oLv=vANF0Oa22qgZseUw97TB+Swa2IWzfYKx3GaNAFricu5mcpvlFr62mhXvJ/dKFT11hcAXHQ==&mLVDc=WZzhBBv0x0QLaRG&sql=1 | US | html | 686 b | malicious |
236 | explorer.exe | GET | — | 173.236.183.227:80 | http://www.seattlepetadventures.com/ai/?oLv=+NF6fKO4+sNoFSvA9ydZPX2tEAxFaECdmO6MFoZMYbf7UBOz4BWLqkgGlYhSyAJHhQSHSw==&mLVDc=WZzhBBv0x0QLaRG&sql=1 | US | — | — | malicious |
236 | explorer.exe | POST | — | 160.153.32.192:80 | http://www.brickellwatches.com/ai/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 160.153.32.192:80 | http://www.brickellwatches.com/ai/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 160.153.32.192:80 | http://www.brickellwatches.com/ai/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
236 | explorer.exe | 160.153.32.192:80 | www.brickellwatches.com | GoDaddy.com, LLC | US | malicious |
236 | explorer.exe | 173.236.183.227:80 | www.seattlepetadventures.com | New Dream Network, LLC | US | malicious |
236 | explorer.exe | 91.216.107.156:80 | www.midiomalinea.com | ADISTA SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
www.uaevas.com |
| unknown |
www.midiomalinea.com |
| malicious |
www.solutionfull.com |
| malicious |
www.christianmarketinggifts.com |
| unknown |
www.theapschool.com |
| unknown |
www.riseupfloridakeys.com |
| unknown |
www.brickellwatches.com |
| malicious |
www.seattlepetadventures.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
236 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
Process | Message |
---|---|
MSIDA38.tmp |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
MSIDA38.tmp |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
MSIDA38.tmp |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
MSIDA38.tmp |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
MSIDA38.tmp |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
MSIDA38.tmp |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
MSIDA38.tmp |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
MSIDA38.tmp |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
vgacjt.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
vgacjt.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|