File name: | Requisition.exe |
Full analysis: | https://app.any.run/tasks/66f13d1e-23da-4c4c-83b7-a70aa5c7b3fc |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | January 23, 2019, 09:20:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | A8CD3E399BFBDB89D39C9CD8E186EC71 |
SHA1: | 112846B37CCA133F58B8F899C6C8BB354715D9C9 |
SHA256: | ADBCA6E785CEED4623CBF46BE1932DCC845715A65B05C66A1273D9D3EE5C85D0 |
SSDEEP: | 6144:poBoAD7Fuauo6TSyMR0CVZe9hDJTFWKNmzyUPILOTPtU6GHwxic/RfUN:pQb4auhS96TFWamllTPtU6GHw4c2 |
.exe | | | Win32 Executable Microsoft Visual Basic 6 (84.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (6.7) |
.exe | | | Win32 Executable (generic) (4.6) |
.exe | | | Generic Win/DOS Executable (2) |
.exe | | | DOS Executable Generic (2) |
OriginalFileName: | Escalin10.exe |
---|---|
InternalName: | Escalin10 |
ProductVersion: | 7.08.0006 |
FileVersion: | 7.08.0006 |
ProductName: | laeotropic6 |
LegalTrademarks: | marsena |
LegalCopyright: | Pederson5 |
FileDescription: | oneline3 |
CompanyName: | Upsets9 |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 7.8.0.6 |
FileVersionNumber: | 7.8.0.6 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 7.8 |
OSVersion: | 4 |
EntryPoint: | 0x10d8 |
UninitializedDataSize: | - |
InitializedDataSize: | 28672 |
CodeSize: | 544768 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2010:05:24 18:00:56+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-May-2010 16:00:56 |
Detected languages: |
|
CompanyName: | Upsets9 |
FileDescription: | oneline3 |
LegalCopyright: | Pederson5 |
LegalTrademarks: | marsena |
ProductName: | laeotropic6 |
FileVersion: | 7.08.0006 |
ProductVersion: | 7.08.0006 |
InternalName: | Escalin10 |
OriginalFilename: | Escalin10.exe |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000B0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 24-May-2010 16:00:56 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00084CE0 | 0x00085000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.05911 |
.data | 0x00086000 | 0x00000D7C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00087000 | 0x000050E4 | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.11711 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.31501 | 724 | Unicode (UTF 16LE) | English - United States | RT_VERSION |
30001 | 4.63641 | 5672 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30002 | 4.87513 | 3752 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30003 | 5.47673 | 2216 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30004 | 5.46096 | 1736 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30005 | 4.08457 | 3240 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30006 | 4.03091 | 1864 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30007 | 3.6034 | 872 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3076 | "C:\Users\admin\AppData\Local\Temp\Requisition.exe" | C:\Users\admin\AppData\Local\Temp\Requisition.exe | — | explorer.exe |
User: admin Company: Upsets9 Integrity Level: MEDIUM Description: oneline3 Exit code: 0 Version: 7.08.0006 | ||||
3736 | C:\Users\admin\AppData\Local\Temp\Requisition.exe" | C:\Users\admin\AppData\Local\Temp\Requisition.exe | — | Requisition.exe |
User: admin Company: Upsets9 Integrity Level: MEDIUM Description: oneline3 Exit code: 0 Version: 7.08.0006 | ||||
2168 | "C:\Windows\System32\msdt.exe" | C:\Windows\System32\msdt.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3200 | /c del "C:\Users\admin\AppData\Local\Temp\Requisition.exe" | C:\Windows\System32\cmd.exe | — | msdt.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
672 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2760 | "C:\Program Files\Qehd0_r\autochkezl0rt.exe" | C:\Program Files\Qehd0_r\autochkezl0rt.exe | — | explorer.exe |
User: admin Company: Upsets9 Integrity Level: MEDIUM Description: oneline3 Exit code: 0 Version: 7.08.0006 | ||||
3276 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | msdt.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 | ||||
2128 | C:\Program Files\Qehd0_r\autochkezl0rt.exe" | C:\Program Files\Qehd0_r\autochkezl0rt.exe | — | autochkezl0rt.exe |
User: admin Company: Upsets9 Integrity Level: MEDIUM Description: oneline3 Version: 7.08.0006 | ||||
1416 | /c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /V | C:\Windows\System32\cmd.exe | msdt.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2168 | msdt.exe | C:\Users\admin\AppData\Roaming\8L471-RE\8L4logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
3076 | Requisition.exe | C:\Users\admin\AppData\Local\Temp\~DF103E093967B7BA44.TMP | binary | |
MD5:88AB6CF722689693E2F108D845FE8D80 | SHA256:449701DD8948E37ABF2AA57813172684EEAE10DED0FBE4E56F03149C675E98B8 | |||
2028 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Qehd0_r\autochkezl0rt.exe | executable | |
MD5:A8CD3E399BFBDB89D39C9CD8E186EC71 | SHA256:ADBCA6E785CEED4623CBF46BE1932DCC845715A65B05C66A1273D9D3EE5C85D0 | |||
3276 | Firefox.exe | C:\Users\admin\AppData\Roaming\8L471-RE\8L4logrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A | |||
2168 | msdt.exe | C:\Users\admin\AppData\Roaming\8L471-RE\8L4logim.jpeg | image | |
MD5:23F70FE65E7DABA2D497A98C1CC5EC47 | SHA256:A2581E7A5B8EC71D7BD58944EA1A959A8F1C94B7EECF34363548CE7A5A486097 | |||
672 | DllHost.exe | C:\Program Files\Qehd0_r\autochkezl0rt.exe | executable | |
MD5:A8CD3E399BFBDB89D39C9CD8E186EC71 | SHA256:ADBCA6E785CEED4623CBF46BE1932DCC845715A65B05C66A1273D9D3EE5C85D0 | |||
2168 | msdt.exe | C:\Users\admin\AppData\Roaming\8L471-RE\8L4logri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE | |||
2168 | msdt.exe | C:\Users\admin\AppData\Roaming\8L471-RE\8L4logrv.ini | binary | |
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5 | SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 | |||
2168 | msdt.exe | C:\Users\admin\AppData\Local\Temp\d8rdor.zip | compressed | |
MD5:10C809CDC0FF1B7A4A26FEC1D1370EE8 | SHA256:065A83AB4E942FE61837CBF10739C381F76C9BE41448969AE5F4BAF90285C324 | |||
2168 | msdt.exe | C:\Users\admin\AppData\Roaming\8L471-RE\8L4logrg.ini | binary | |
MD5:662CFC0604D7F53153C80EE6AB8931D6 | SHA256:9881E9C578289EABFFEB84A3D87B255C732CD7D8AF087F71E2D970AB5F704840 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2028 | explorer.exe | GET | — | 66.34.171.60:80 | http://www.gorrior.com/ke/?Sh=lzeHIDUQbOddk4M1cpEbFl2YXzy/UtZMFHAyurRc1//8k/x9hOoy2H/nKJGhMztKsd+kbA==&RX=dnfLCv8pAL-tIvY&sql=1 | US | — | — | malicious |
2028 | explorer.exe | POST | — | 66.34.171.60:80 | http://www.gorrior.com/ke/ | US | — | — | malicious |
2028 | explorer.exe | POST | 404 | 162.213.250.187:80 | http://www.symtual.com/ke/ | US | html | 289 b | malicious |
2028 | explorer.exe | POST | — | 66.34.171.60:80 | http://www.gorrior.com/ke/ | US | — | — | malicious |
2028 | explorer.exe | GET | 404 | 104.200.20.162:80 | http://www.executedhealth.com/ke/?Sh=tEtDcxxqC+rjcRgIe1aIz3SBeLXiBdGwVTgbbiJJxDE2f4Q9iGC5U+94HPn6XhqL62jXhQ==&RX=dnfLCv8pAL-tIvY | US | html | 10.0 Kb | malicious |
2028 | explorer.exe | POST | 404 | 162.213.250.187:80 | http://www.symtual.com/ke/ | US | html | 289 b | malicious |
2028 | explorer.exe | POST | — | 66.34.171.60:80 | http://www.gorrior.com/ke/ | US | — | — | malicious |
2028 | explorer.exe | GET | 200 | 108.177.174.142:80 | http://www.ahjcw.com/ke/?Sh=YAqxOYNwGJF8RTIgl/bBBzSelDf0XiHRFbWpoMYOQEg4tqB6w3z3RSQ0b2Y0uWXKC8KW/g==&RX=dnfLCv8pAL-tIvY | US | html | 724 b | malicious |
2028 | explorer.exe | POST | — | 104.200.20.162:80 | http://www.executedhealth.com/ke/ | US | — | — | malicious |
2028 | explorer.exe | POST | — | 104.200.20.162:80 | http://www.executedhealth.com/ke/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2028 | explorer.exe | 108.177.174.142:80 | www.ahjcw.com | Nobis Technology Group, LLC | US | malicious |
2028 | explorer.exe | 162.213.250.187:80 | www.symtual.com | Namecheap, Inc. | US | malicious |
2028 | explorer.exe | 66.34.171.60:80 | www.gorrior.com | CoreSpace, Inc. | US | malicious |
2028 | explorer.exe | 104.200.20.162:80 | www.executedhealth.com | Linode, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.ahjcw.com |
| malicious |
www.gorrior.com |
| malicious |
www.strongmusclenow.com |
| unknown |
www.9games.site |
| unknown |
www.iamtheceoofmy.life |
| unknown |
www.symtual.com |
| malicious |
www.executedhealth.com |
| malicious |
www.theangrybit.online |
| unknown |
www.frip.ltd |
| unknown |
www.tv17833.info |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |