File name: | svhost.exe |
Full analysis: | https://app.any.run/tasks/684f9809-f012-43b2-92c6-00158b4fe9b7 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | August 13, 2019, 14:11:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 827156E633E18F8EABC3D7ADB7B94FEF |
SHA1: | 6CA24AC0DAD6B7BE4128F9C2DE624EA513438C23 |
SHA256: | C8267562616B9257CAD37631F513DC20C5549E2A69B427786F7976518E73F559 |
SSDEEP: | 12288:DihWL2ZoOunrvuJ0yokjU76AKtCw8+tfwFZse:DikLQoVr2J87XKv88MZT |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x338f |
UninitializedDataSize: | 2048 |
InitializedDataSize: | 186368 |
CodeSize: | 26624 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2018:12:15 23:24:46+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 15-Dec-2018 22:24:46 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 15-Dec-2018 22:24:46 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006627 | 0x00006800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45178 |
.rdata | 0x00008000 | 0x000014A2 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.02518 |
.data | 0x0000A000 | 0x0002AFF8 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.03532 |
.ndata | 0x00035000 | 0x00010000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00045000 | 0x000028D8 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.49628 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.2992 | 830 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 6.22067 | 2440 | UNKNOWN | English - United States | RT_ICON |
3 | 5.95079 | 1128 | UNKNOWN | English - United States | RT_ICON |
102 | 2.74309 | 184 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.50016 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1388 | "C:\Users\admin\AppData\Local\Temp\svhost.exe" | C:\Users\admin\AppData\Local\Temp\svhost.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1644 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | svhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1088 | "C:\Windows\System32\wlanext.exe" | C:\Windows\System32\wlanext.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Wireless LAN 802.11 Extensibility Framework Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3464 | /c del "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | wlanext.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
128 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2460 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | wlanext.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
4092 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3344 | "C:\Program Files\Ymhlhw0\audiodgez5tat.exe" | C:\Program Files\Ymhlhw0\audiodgez5tat.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (1088) wlanext.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | YV10OR5XEL6 |
Value: C:\Program Files\Ymhlhw0\audiodgez5tat.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
1388 | svhost.exe | C:\Users\admin\AppData\Local\Temp\publisher\mtime\sserver\test10finally.il | text | |
MD5:DDA19CBE24048C95D0ADB07F6128A9AB | SHA256:7677173CE560ECDB675709B864083BF5923FFE576D390942FABCE4A3E705CB96 | |||
1388 | svhost.exe | C:\Users\admin\AppData\Local\Temp\comments\re\doc-ditroff | text | |
MD5:4632F84DFB3602231A066B7667F1051A | SHA256:0D86EE343B4009F54D0C5EC32742960C44E1982DBE17D019698059A03F569902 | |||
1388 | svhost.exe | C:\Users\admin\AppData\Roaming\bulk\prune\vnd.ms-cab-compressed.xml | xml | |
MD5:2E930219047AE4022A1768541DBE9051 | SHA256:B53ABCC635097BB290924F237D3D4584C9545CF7A40320E4A38CD39A3EC115B9 | |||
1388 | svhost.exe | C:\Users\admin\AppData\Local\Temp\comments\re\73.opends60.dll | binary | |
MD5:760AC20DAC6ED03099452C941215AAB6 | SHA256:577D2E6B2DCC7BA30B324907996877313700DA05A29CEA3D531CC2DA124C1903 | |||
1388 | svhost.exe | C:\Users\admin\AppData\Roaming\keyword\date1\detail\goback\imx1-clock.h | text | |
MD5:F2D039EFA9256F13EAACF693277784F0 | SHA256:A2DF5AA16BD855A2109B643424FF6581D7CA065AA4F1FC2A0305FD0AC6E5EFAE | |||
1388 | svhost.exe | C:\Users\admin\AppData\Local\Temp\publisher\mtime\sserver\winforms03162004fig10.gif | image | |
MD5:4F7780754758FBD0DBBA456956E768EE | SHA256:8547B95E538F4318186CC39F7251D78152DCBF930B017E607605D762A610B98E | |||
1388 | svhost.exe | C:\Users\admin\AppData\Local\Temp\harvestman.dll | executable | |
MD5:3541B8DC4CCF2E89FAB4DD71A3E1EE77 | SHA256:F8DB930F82294DCBBE0271F1E91BEAECE9FABBA262036428D13869597FBEF30C | |||
1088 | wlanext.exe | C:\Users\admin\AppData\Roaming\2-P4Q7E7\2-Plogrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
1388 | svhost.exe | C:\Users\admin\AppData\Local\Temp\comments\re\RedCircle42,8,8.gif | image | |
MD5:3F227564002E08816324571F94B6F416 | SHA256:1A90938B319AECF48BDFD44BD41541351926CBC4579739FF0CF3C01C0241F4B5 | |||
1388 | svhost.exe | C:\Users\admin\AppData\Roaming\bulk\prune\co3449isnegativeinfinity.cs | text | |
MD5:5BBFB1E828E2C8382932FB9C44AB4EA6 | SHA256:5367E0DA5DE5A4159CBB209A5586FD8A0D1C421BF7C87AD65C5213FD2D4913D2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
128 | explorer.exe | GET | — | 61.188.37.244:80 | http://www.njlgmq.com/c191/?Q0A=ODEz2JwIj1JOy8wWo+EZCT03kPlsrzKDnX69xbHDWztE7xxVsyyq2RA5U0yMJ7MIT3EX7w==&0pq=FtI0wNn | CN | — | — | malicious |
128 | explorer.exe | GET | — | 34.231.113.65:80 | http://www.noelleandjonjon.com/c191/?Q0A=Ch9GMNhNZ1UZSNZEziAWGse7bp5AUha+h+jt/xJ2v1Vbg/gQqJ9nGSv5ooTW70PjtPhkDQ==&0pq=FtI0wNn | US | — | — | malicious |
128 | explorer.exe | GET | — | 47.107.46.6:80 | http://www.ysxxedu.com/c191/?Q0A=C4s2N2hZxEcDe2HW0jPs3UT9k69NPHXA7iUPxlNTrIRRfYZK8H8vTAKRqfl1cGhfo5XNrA==&0pq=FtI0wNn | CN | — | — | malicious |
128 | explorer.exe | POST | — | 199.192.26.170:80 | http://www.yodaug.com/c191/ | US | — | — | malicious |
128 | explorer.exe | POST | 404 | 199.192.26.170:80 | http://www.yodaug.com/c191/ | US | html | 292 b | malicious |
128 | explorer.exe | POST | — | 61.188.37.244:80 | http://www.njlgmq.com/c191/ | CN | — | — | malicious |
128 | explorer.exe | POST | — | 34.231.113.65:80 | http://www.noelleandjonjon.com/c191/ | US | — | — | malicious |
128 | explorer.exe | POST | — | 61.188.37.244:80 | http://www.njlgmq.com/c191/ | CN | — | — | malicious |
128 | explorer.exe | POST | 404 | 199.192.26.170:80 | http://www.yodaug.com/c191/ | US | html | 292 b | malicious |
128 | explorer.exe | GET | 404 | 199.192.26.170:80 | http://www.yodaug.com/c191/?Q0A=3cXexhlbdNhaWF8p7omae5CoNvhaQUS39hz/wOcDHm+1hbka6MsrUyilzYcnier7zMiN1w==&0pq=FtI0wNn | US | html | 328 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
128 | explorer.exe | 47.107.46.6:80 | www.ysxxedu.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
128 | explorer.exe | 61.188.37.244:80 | www.njlgmq.com | CHINANET SiChuan Telecom Internet Data Center | CN | malicious |
128 | explorer.exe | 199.192.26.170:80 | www.yodaug.com | — | US | malicious |
128 | explorer.exe | 34.231.113.65:80 | www.noelleandjonjon.com | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.njlgmq.com |
| malicious |
www.yodaug.com |
| malicious |
www.noelleandjonjon.com |
| malicious |
www.ysxxedu.com |
| malicious |
www.lofscc.online |
| unknown |
www.karmabypallavi.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
128 | explorer.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
128 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |