| File name: | REVISED PO009988.exe |
| Full analysis: | https://app.any.run/tasks/8e38a2a7-7ee3-4008-bff0-64034052e692 |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | April 16, 2025, 13:47:56 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | BA5B2FBBDA46BC857101B8737700F671 |
| SHA1: | D07D211AEB27C0FB7FDEF5956791FCCFED6494F1 |
| SHA256: | BE838FC4E67ED12838F4D0EC554524D54E80A03A3949CED4EDFB958EDBCB24B8 |
| SSDEEP: | 24576:f6y4apoDrZeiTwFAMDwR1nKI/DoRpFBjt+iXHmltru14qu0h:Sy4apoHZZTwFAMDwR1nKI/DoRpFBjthD |
MALICIOUS
Executing a file with an untrusted certificate
- REVISED PO009988.exe (PID: 668)
Uses Task Scheduler to run other applications
- REVISED PO009988.exe (PID: 668)
FORMBOOK has been detected (YARA)
- msdt.exe (PID: 5344)
Connects to the CnC server
- explorer.exe (PID: 5492)
FORMBOOK has been detected (SURICATA)
- explorer.exe (PID: 5492)
SUSPICIOUS
Executable content was dropped or overwritten
- REVISED PO009988.exe (PID: 668)
Reads security settings of Internet Explorer
- REVISED PO009988.exe (PID: 668)
- ShellExperienceHost.exe (PID: 6228)
The process executes VB scripts
- REVISED PO009988.exe (PID: 668)
Starts CMD.EXE for commands execution
- msdt.exe (PID: 5344)
Deletes system .NET executable
- cmd.exe (PID: 3888)
Contacting a server suspected of hosting an CnC
- explorer.exe (PID: 5492)
INFO
Checks supported languages
- REVISED PO009988.exe (PID: 668)
- vbc.exe (PID: 6040)
- ShellExperienceHost.exe (PID: 6228)
Reads the computer name
- REVISED PO009988.exe (PID: 668)
- vbc.exe (PID: 6040)
- ShellExperienceHost.exe (PID: 6228)
Creates files or folders in the user directory
- REVISED PO009988.exe (PID: 668)
.NET Reactor protector has been detected
- REVISED PO009988.exe (PID: 668)
Create files in a temporary directory
- REVISED PO009988.exe (PID: 668)
Process checks computer location settings
- REVISED PO009988.exe (PID: 668)
- ShellExperienceHost.exe (PID: 6228)
Manual execution by a user
- msdt.exe (PID: 5344)
Reads the machine GUID from the registry
- REVISED PO009988.exe (PID: 668)
- ShellExperienceHost.exe (PID: 6228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(5344) msdt.exe
C2www.cav154.vip/bi14/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)ilansocials.online
rishticodiegfortyseven.online
ostase-ba.cfd
cinema.tech
omprasyacol.store
esir.shop
umhyal3gvbpl.xyz
lurv.wtf
aospin-sms.xyz
itness-apps-workout1.sbs
reshcarluxury.shop
3xq3.cyou
erraceheatpassion.lifestyle
octurasys.net
ilyrug.net
yj889.xyz
railertof.net
4270766.xyz
sduoduo11.sbs
oeboom.net
27.social
onceiveremarknumber.lifestyle
lectric-cars-topics.sbs
helondonsculptureprize.net
odkinpodcast.online
uori-usa-store.shop
e-s.net
yk8.xyz
4khm.top
inrars.net
angshopbb25l.top
efrigerators-71721.bond
rdiamond.shop
etpass.info
tuber.vip
xtoolbox-report.net
enkyo.fun
qih.tech
8hng.top
luearcmanufacturing.net
xiyfc.info
ertad.xyz
89wins.world
takefish.run
rendzystore.net
3212.art
owerzone188.shop
etforge.tech
onbaliilezzetustalari.xyz
reativ-server.net
o-smartphones-cc82f689.bond
igocorporation.online
xjxp.town
loot.tel
2hmyznrex.xyz
nivy.shop
202.loan
tv5pp.top
elehot.info
zieply.xyz
60vf6.cfd
rg-hctgic.vip
andweg.shop
8295.locker
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2053:12:01 03:59:24+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 645632 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9f9c2 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | GarageManager |
| FileVersion: | 1.0.0.0 |
| InternalName: | qVBv.exe |
| LegalCopyright: | Copyright © 2025 |
| LegalTrademarks: | - |
| OriginalFileName: | qVBv.exe |
| ProductName: | GarageManager |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
141
Monitored processes
13
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 668 | "C:\Users\admin\AppData\Local\Temp\REVISED PO009988.exe" | C:\Users\admin\AppData\Local\Temp\REVISED PO009988.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: GarageManager Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 728 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2244 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3888 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" | C:\Windows\SysWOW64\cmd.exe | — | msdt.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4696 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aorjhXHEYJs" /XML "C:\Users\admin\AppData\Local\Temp\tmp1867.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | REVISED PO009988.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5344 | "C:\Windows\SysWOW64\msdt.exe" | C:\Windows\SysWOW64\msdt.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
Formbook(PID) Process(5344) msdt.exe C2www.cav154.vip/bi14/ Strings (79)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)ilansocials.online rishticodiegfortyseven.online ostase-ba.cfd cinema.tech omprasyacol.store esir.shop umhyal3gvbpl.xyz lurv.wtf aospin-sms.xyz itness-apps-workout1.sbs reshcarluxury.shop 3xq3.cyou erraceheatpassion.lifestyle octurasys.net ilyrug.net yj889.xyz railertof.net 4270766.xyz sduoduo11.sbs oeboom.net 27.social onceiveremarknumber.lifestyle lectric-cars-topics.sbs helondonsculptureprize.net odkinpodcast.online uori-usa-store.shop e-s.net yk8.xyz 4khm.top inrars.net angshopbb25l.top efrigerators-71721.bond rdiamond.shop etpass.info tuber.vip xtoolbox-report.net enkyo.fun qih.tech 8hng.top luearcmanufacturing.net xiyfc.info ertad.xyz 89wins.world takefish.run rendzystore.net 3212.art owerzone188.shop etforge.tech onbaliilezzetustalari.xyz reativ-server.net o-smartphones-cc82f689.bond igocorporation.online xjxp.town loot.tel 2hmyznrex.xyz nivy.shop 202.loan tv5pp.top elehot.info zieply.xyz 60vf6.cfd rg-hctgic.vip andweg.shop 8295.locker | |||||||||||||||
| 5492 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5720 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
10 126
Read events
10 036
Write events
47
Delete events
43
Modification events
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005027C |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005027C |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search |
| Operation: | write | Name: | TraySearchBoxVisible |
Value: 1 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search |
| Operation: | write | Name: | TraySearchBoxVisibleOnAnyMonitor |
Value: 1 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\TrayButtonClicked |
| Operation: | write | Name: | ClockButton |
Value: 14 | |||
| (PID) Process: | (6228) ShellExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\yYpHriFUdyS-r81lKl88jPGlZr-M05PzoCQ_A6O0gXA\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Voices |
| Operation: | write | Name: | DefaultTokenId |
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM | |||
| (PID) Process: | (6228) ShellExperienceHost.exe | Key: | \REGISTRY\A\{cbe592b4-7fe2-204e-6278-32a0f2edb312}\LocalState\ClockFlyoutCache |
| Operation: | delete value | Name: | 20240727 |
Value: | |||
| (PID) Process: | (6228) ShellExperienceHost.exe | Key: | \REGISTRY\A\{cbe592b4-7fe2-204e-6278-32a0f2edb312}\LocalState\ClockFlyoutCache |
| Operation: | delete value | Name: | 20240719 |
Value: | |||
| (PID) Process: | (6228) ShellExperienceHost.exe | Key: | \REGISTRY\A\{cbe592b4-7fe2-204e-6278-32a0f2edb312}\LocalState\ClockFlyoutCache |
| Operation: | delete value | Name: | 20240712 |
Value: | |||
| (PID) Process: | (6228) ShellExperienceHost.exe | Key: | \REGISTRY\A\{cbe592b4-7fe2-204e-6278-32a0f2edb312}\LocalState\ClockFlyoutCache |
| Operation: | delete value | Name: | 20240630 |
Value: | |||
Executable files
1
Suspicious files
1
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary | |
MD5:E49C56350AEDF784BFE00E444B879672 | SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E | |||
| 668 | REVISED PO009988.exe | C:\Users\admin\AppData\Local\Temp\tmp1867.tmp | xml | |
MD5:B9568E6C10C3AA687BE2FFA277BF517D | SHA256:10D8D626D6AC184D13D2DE71FCE88F7A494D0611C83E9893B3E59CD6130110A1 | |||
| 668 | REVISED PO009988.exe | C:\Users\admin\AppData\Roaming\aorjhXHEYJs.exe | executable | |
MD5:BA5B2FBBDA46BC857101B8737700F671 | SHA256:BE838FC4E67ED12838F4D0EC554524D54E80A03A3949CED4EDFB958EDBCB24B8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
17
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2392 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2392 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5492 | explorer.exe | GET | 404 | 23.248.248.75:80 | http://www.4khm.top/bi14/?VtxHLZm=IffLXlc/dW+jSPaC3kOc0P6nUKBz2hxue8LfMNg1NntMjcjVHGHxwHrKV+H5B74PQ9qK&Hzr=TdytdZfP | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6544 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2392 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2392 | SIHClient.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
5492 | explorer.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
5492 | explorer.exe | Potentially Bad Traffic | ET HUNTING Request to .TOP Domain with Minimal Headers |
5492 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |