| File name: | yeni sifariş pdf xxxcz.exe |
| Full analysis: | https://app.any.run/tasks/aed383bc-c0fd-42df-9c03-4b2c5b524d99 |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | July 18, 2023, 08:12:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | FF93F5596000A0EC1D8A0467977EF200 |
| SHA1: | 8FB1C9AE59A6B4A5F2580CC9538B37CB56588224 |
| SHA256: | B2C1A9091F518029DBAC23FAB825BE576244E2B8D07A82FEA5B93778072DD6C7 |
| SSDEEP: | 12288:75dPG2fJqow+kz6xL4qHcGQa8aq21RgoJOiqBO778N+E68aD:ZJoz6xL4MEaJmC7Z8 |
MALICIOUS
Uses Task Scheduler to run other applications
- yeni sifariş pdf xxxcz.exe (PID: 3296)
FORMBOOK detected by memory dumps
- rdpclip.exe (PID: 2068)
SUSPICIOUS
Reads the Internet Settings
- yeni sifariş pdf xxxcz.exe (PID: 3296)
Executable content was dropped or overwritten
- yeni sifariş pdf xxxcz.exe (PID: 3296)
Starts CMD.EXE for commands execution
- rdpclip.exe (PID: 2068)
INFO
Creates files or folders in the user directory
- yeni sifariş pdf xxxcz.exe (PID: 3296)
Reads the computer name
- yeni sifariş pdf xxxcz.exe (PID: 3296)
- RegSvcs.exe (PID: 4028)
Checks supported languages
- yeni sifariş pdf xxxcz.exe (PID: 3296)
- RegSvcs.exe (PID: 4028)
The process checks LSA protection
- yeni sifariş pdf xxxcz.exe (PID: 3296)
Create files in a temporary directory
- yeni sifariş pdf xxxcz.exe (PID: 3296)
Reads the machine GUID from the registry
- yeni sifariş pdf xxxcz.exe (PID: 3296)
Manual execution by a user
- rdpclip.exe (PID: 2068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(2068) rdpclip.exe
C2www.6pg.shop/md05/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)18873.biz
blparkinsons.uk
londonsanifloengineer.co.uk
hmstravelsllc.com
copietomb.online
driverrehab.store
ascent-social-labs.com
bulletsync.app
kirm.net
carys.online
c1u8z.com
37973.site
staizitto.com
by4388.com
heavenly-hideaways.co.uk
roobydog.co.uk
abuelitaskitchensupply.com
northmusic.africa
inning.one
solardance.net
koora-hotel.xyz
hyg6888.com
charleegray.online
premierpetuc.com
cobballplusin.com
vrkagroup.africa
iron.icu
antastie.co.uk
almanea.today
artrainer.app
kwarxs.com
europesettle.com
providerblitz.com
cjdao.net
cqxinsili.com
enjoytheshopping.ru
lfgprofts.click
rangertrucksales.com
subbs.net
fortsmithbakerydistrict.com
sicpoa.xyz
capitalonequicksilvercard.com
jollyshopping.shop
cj78hn78xa2f.com
julietsmarketing.com
b5913.com
akexpressremovalslondon.co.uk
creekwoodparkinfo.com
autogenie.biz
adicozy.com
kindaunknown.com
investindoeminvestir.com
fatlossweekly.com
incog.top
micdavevtuportal.africa
elingsoncpas.com
thevicattravisso.com
10081967.xyz
notarysuccessacademy.net
koyercloud.com
nightsonline.co.uk
astitchwhimsy.com
605306.com
allcircutis.com
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| AssemblyVersion: | 1.0.0.0 |
|---|---|
| ProductVersion: | 1.0.0.0 |
| ProductName: | QuanLiDoanVien |
| OriginalFileName: | aBzU.exe |
| LegalTrademarks: | - |
| LegalCopyright: | Copyright © 2020 |
| InternalName: | aBzU.exe |
| FileVersion: | 1.0.0.0 |
| FileDescription: | QuanLiDoanVien |
| CompanyName: | - |
| Comments: | - |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0xa61a2 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 2048 |
| CodeSize: | 672256 |
| LinkerVersion: | 48 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2103:04:26 12:06:06+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 26-Apr-2103 12:06:06 |
| Debug artifacts: |
|
| Comments: | - |
| CompanyName: | - |
| FileDescription: | QuanLiDoanVien |
| FileVersion: | 1.0.0.0 |
| InternalName: | aBzU.exe |
| LegalCopyright: | Copyright © 2020 |
| LegalTrademarks: | - |
| OriginalFilename: | aBzU.exe |
| ProductName: | QuanLiDoanVien |
| ProductVersion: | 1.0.0.0 |
| Assembly Version: | 1.0.0.0 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 26-Apr-2103 12:06:06 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00002000 | 0x000A41A8 | 0x000A4200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.49361 |
.rsrc | 0x000A8000 | 0x000005B4 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.09688 |
.reloc | 0x000AA000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports
mscoree.dll |
Total processes
42
Monitored processes
5
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1424 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\System32\cmd.exe | — | rdpclip.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2068 | "C:\Windows\System32\rdpclip.exe" | C:\Windows\System32\rdpclip.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: RDP Clip Monitor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
Formbook(PID) Process(2068) rdpclip.exe C2www.6pg.shop/md05/ Strings (79)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)18873.biz blparkinsons.uk londonsanifloengineer.co.uk hmstravelsllc.com copietomb.online driverrehab.store ascent-social-labs.com bulletsync.app kirm.net carys.online c1u8z.com 37973.site staizitto.com by4388.com heavenly-hideaways.co.uk roobydog.co.uk abuelitaskitchensupply.com northmusic.africa inning.one solardance.net koora-hotel.xyz hyg6888.com charleegray.online premierpetuc.com cobballplusin.com vrkagroup.africa iron.icu antastie.co.uk almanea.today artrainer.app kwarxs.com europesettle.com providerblitz.com cjdao.net cqxinsili.com enjoytheshopping.ru lfgprofts.click rangertrucksales.com subbs.net fortsmithbakerydistrict.com sicpoa.xyz capitalonequicksilvercard.com jollyshopping.shop cj78hn78xa2f.com julietsmarketing.com b5913.com akexpressremovalslondon.co.uk creekwoodparkinfo.com autogenie.biz adicozy.com kindaunknown.com investindoeminvestir.com fatlossweekly.com incog.top micdavevtuportal.africa elingsoncpas.com thevicattravisso.com 10081967.xyz notarysuccessacademy.net koyercloud.com nightsonline.co.uk astitchwhimsy.com 605306.com allcircutis.com | |||||||||||||||
| 3296 | "C:\Users\admin\AppData\Local\Temp\yeni sifariş pdf xxxcz.exe" | C:\Users\admin\AppData\Local\Temp\yeni sifariş pdf xxxcz.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: QuanLiDoanVien Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3480 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sDVzEcVQ" /XML "C:\Users\admin\AppData\Local\Temp\tmp821B.tmp" | C:\Windows\System32\schtasks.exe | — | yeni sifariş pdf xxxcz.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4028 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | yeni sifariş pdf xxxcz.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
Total events
214
Read events
206
Write events
8
Delete events
0
Modification events
| (PID) Process: | (3296) yeni sifariş pdf xxxcz.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3296) yeni sifariş pdf xxxcz.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3296) yeni sifariş pdf xxxcz.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3296) yeni sifariş pdf xxxcz.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3296 | yeni sifariş pdf xxxcz.exe | C:\Users\admin\AppData\Local\Temp\tmp821B.tmp | xml | |
MD5:8A016231084FA751D3F3039CCE2D11B0 | SHA256:7527D8D59CD281F5ABB973902CEA7AC1B0E914FD431E38421B69023F5BE288C6 | |||
| 3296 | yeni sifariş pdf xxxcz.exe | C:\Users\admin\AppData\Roaming\sDVzEcVQ.exe | executable | |
MD5:FF93F5596000A0EC1D8A0467977EF200 | SHA256:B2C1A9091F518029DBAC23FAB825BE576244E2B8D07A82FEA5B93778072DD6C7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2640 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |