File name:

file.exe

Full analysis: https://app.any.run/tasks/e44fe7a4-b7b3-4cb2-bc6c-59f78f0467f2
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: December 20, 2024, 15:02:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
formbook
xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

25369CACD15FD28391F08B48AD5FDF4D

SHA1:

F091FD2F772D7C566BCCE4C046323EF02808F2DA

SHA256:

B54B6EF71478646451CA1905B93C380141B4DF637D73CB796AF0A391BA47F43E

SSDEEP:

24576:HhiykchiQy+L/TQa6iEaLaAmZ6QhykJSQxaR+Kyyh+wmag3FjPwusijyidDOmIXY:HhiykchiQy+L/TQa6iEaLaAmZ6QhykJF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • FORMBOOK has been detected

      • cscript.exe (PID: 4716)

    • FORMBOOK has been detected (YARA)

      • cscript.exe (PID: 4716)

  • SUSPICIOUS

    • Application launched itself

      • file.exe (PID: 1476)

    • Starts CMD.EXE for commands execution

      • cscript.exe (PID: 4716)

  • INFO

    • Checks supported languages

      • file.exe (PID: 1476)
      • file.exe (PID: 3364)

    • Reads the machine GUID from the registry

      • file.exe (PID: 1476)

    • Reads the computer name

      • file.exe (PID: 3364)
      • file.exe (PID: 1476)

    • Manual execution by a user

      • autoconv.exe (PID: 2728)
      • autoconv.exe (PID: 5640)
      • cscript.exe (PID: 4716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(4716) cscript.exe
C2www.rendylittlediva.store/gd04/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)f5u8utd50.icu
ob-offer-33304.bond
aaf.zone
hoppersrack.store
nline-gaming-33476.bond
isionaryvault.online
ilitary-jobs-88516.bond
iyxym.info
eyes.xyz
refle.xyz
kinsmonlkey.shop
oruu.shop
est2x2.online
nline-advertising-77889.bond
hepresspoolai.xyz
anilaberg.online
reimutigleben.store
anguage-courses-22450.bond
zzt.xyz
kfn.lat
jrxy.bid
ulfcoastnow.net
utomatedcrypto.world
sr961263m.vip
ondonessex.net
sychology-degree-20222.bond
3312.buzz
rumpaicto.vip
8791.pink
lashlightled.life
omalkhali.info
ompaz.xyz
arehouse-inventory-88625.bond
uktasalon.info
ruck-driver-jobs-90329.bond
pd40.online
ilmguru.net
ealthcare-trends-56730.bond
ngersolllockwood.life
zwtpe.info
ifeeasystore.shop
bthlcatgini.forum
anausimoveis.net
ashion-degree-38474.bond
ooth-pain-14.sbs
otagyrency.shop
oyfriendtv.fyi
atchy14.online
aahoma4.info
eddybalm.store
rinc.xyz
romthefarm.xyz
est-control-jobs-69594.bond
90880a27.buzz
msqdhbbb2.shop
ncantosgraitzline.lat
emi.wtf
fficecleaning717.xyz
b25.lat
usicone.xyz
nfluencer-marketing-19257.bond
utties.xyz
pioxc.xyz
dlxlxw848.vip
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:12 23:09:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 750592
InitializedDataSize: 9216
UninitializedDataSize: -
EntryPoint: 0xb92fa
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.8.0.0
ProductVersionNumber: 2.8.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: SocketMulticast
CompanyName: SocketMulticast
FileDescription: SocketMulticast
FileVersion: 2.8
InternalName: PeZb.exe
LegalCopyright:
OriginalFileName: PeZb.exe
ProductVersion: 2.8
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start file.exe no specs file.exe no specs autoconv.exe no specs autoconv.exe no specs #FORMBOOK cscript.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1476"C:\Users\admin\Desktop\file.exe" C:\Users\admin\Desktop\file.exeexplorer.exe
User:
admin
Company:
SocketMulticast
Integrity Level:
MEDIUM
Description:
SocketMulticast
Exit code:
0
Version:
2.8
Modules
Images
c:\users\admin\desktop\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2728"C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Auto File System Conversion Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\autoconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
3364"C:\Users\admin\Desktop\file.exe"C:\Users\admin\Desktop\file.exefile.exe
User:
admin
Company:
SocketMulticast
Integrity Level:
MEDIUM
Description:
SocketMulticast
Exit code:
0
Version:
2.8
Modules
Images
c:\users\admin\desktop\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3680/c del "C:\Users\admin\Desktop\file.exe"C:\Windows\SysWOW64\cmd.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4716"C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Formbook
(PID) Process(4716) cscript.exe
C2www.rendylittlediva.store/gd04/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)f5u8utd50.icu
ob-offer-33304.bond
aaf.zone
hoppersrack.store
nline-gaming-33476.bond
isionaryvault.online
ilitary-jobs-88516.bond
iyxym.info
eyes.xyz
refle.xyz
kinsmonlkey.shop
oruu.shop
est2x2.online
nline-advertising-77889.bond
hepresspoolai.xyz
anilaberg.online
reimutigleben.store
anguage-courses-22450.bond
zzt.xyz
kfn.lat
jrxy.bid
ulfcoastnow.net
utomatedcrypto.world
sr961263m.vip
ondonessex.net
sychology-degree-20222.bond
3312.buzz
rumpaicto.vip
8791.pink
lashlightled.life
omalkhali.info
ompaz.xyz
arehouse-inventory-88625.bond
uktasalon.info
ruck-driver-jobs-90329.bond
pd40.online
ilmguru.net
ealthcare-trends-56730.bond
ngersolllockwood.life
zwtpe.info
ifeeasystore.shop
bthlcatgini.forum
anausimoveis.net
ashion-degree-38474.bond
ooth-pain-14.sbs
otagyrency.shop
oyfriendtv.fyi
atchy14.online
aahoma4.info
eddybalm.store
rinc.xyz
romthefarm.xyz
est-control-jobs-69594.bond
90880a27.buzz
msqdhbbb2.shop
ncantosgraitzline.lat
emi.wtf
fficecleaning717.xyz
b25.lat
usicone.xyz
nfluencer-marketing-19257.bond
utties.xyz
pioxc.xyz
dlxlxw848.vip
5640"C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Auto File System Conversion Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\autoconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5888\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
188
Read events
188
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6092
svchost.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6092
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6092
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6092
svchost.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6092
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.16.164.34
  • 2.16.164.40
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.pd40.online
unknown
www.8791.pink
unknown
www.ondonessex.net
unknown
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted
www.isionaryvault.online
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
file.exe