| Field | Value |
|---|---|
| File name: | Quote Request.exe |
| Full analysis: | https://app.any.run/tasks/fb37f3c3-25db-4093-9162-494d560d41c2 |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it. |
| Analysis date: | October 22, 2023, 08:40:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 010C9D1A915B7550181014F34ED12A80 |
| SHA1: | 687BB9AA1047C3D19E76570E130D5EFE76A9A336 |
| SHA256: | CCD3D1EC6D5B5723225B7D0C6488DE099B2B22C5B70BC1C521C148160F5997CC |
| SSDEEP: | 12288:2OW1vjJGGna1q5IscdEjcdja5VySGJE6awd6jQH171BFM2AYOMgKqhxgyVMwl1:2OW1LJ1na1Or0E4dj4+Ei/BFMlRMgt4M |
| Extension | File type (score) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
| .exe | Win64 Executable (generic) (21.3) |
| .scr | Windows screen saver (10.1) |
| .dll | Win32 Dynamic Link Library (generic) (5) |
| .exe | Win32 Executable (generic) (3.4) |
| Field | Value |
|---|---|
| AssemblyVersion: | 0.7.0.0 |
| ProductVersion: | 0.54.0.0 |
| ProductName: | 新增 |
| OriginalFileName: | fLX.exe |
| LegalTrademarks: | Terra |
| LegalCopyright: | - |
| InternalName: | fLX.exe |
| FileVersion: | 0.54.0.0 |
| FileDescription: | FormDesigner |
| CompanyName: | - |
| Comments: | Repairer BC |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 0.54.0.0 |
| FileVersionNumber: | 0.54.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x92f4a |
| UninitializedDataSize: | - |
| InitializedDataSize: | 13312 |
| CodeSize: | 593920 |
| LinkerVersion: | 48 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2023:10:09 01:25:36+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1612 | "C:\Users\admin\AppData\Local\Temp\Quote Request.exe" | C:\Users\admin\AppData\Local\Temp\Quote Request.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: FormDesigner; Exit code: 0; Version: 0.54.0.0 |
| 1944 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2300 | "C:\Windows\SysWOW64\cmd.exe" | C:\Windows\SysWOW64\cmd.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2592 | "C:\Users\admin\AppData\Local\Temp\Quote Request.exe" | C:\Users\admin\AppData\Local\Temp\Quote Request.exe | — | Quote Request.exe | User: admin; Integrity Level: MEDIUM; Description: FormDesigner; Exit code: 0; Version: 0.54.0.0 |
| 2720 | /c del "C:\Users\admin\AppData\Local\Temp\Quote Request.exe" | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |

Formbook configuration extracted from PID 2300 (cmd.exe):

C2: www.withpdf.net/5nd2/

Strings (79): USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate dat= f-start f-end

Decoy C2 (64)
| Field | Value |
|---|---|
| (PID) Process: | (1944) explorer.exe |
| Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write |
| Name: | CheckSetting |
| Value: | |

| Field | Value |
|---|---|
| (PID) Process: | (1944) explorer.exe |
| Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E |
| Operation: | write |
| Name: | LanguageList |
| Value: | en-US |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1944 | explorer.exe | GET | 404 | 43.224.152.167:80 | http://www.dyjtcf8.com/5nd2/?Sj=3INbFeGp0DDjuSM+WMcSsuSI9cVSqXX5il4jdpKrSX69nnenIgRLc+/o8GmsPQteZwm1aA==&RX=dnC4Xxj0WnSXYzF | unknown | html | 146 b | unknown |
| 1944 | explorer.exe | GET | 302 | 213.186.33.5:80 | http://www.outilla.site/5nd2/?Sj=5qP8NfS0ToCdq/4r2DbOhoLbCtVSJrPLvIrt2qcaDhNhMeoM62bcAZHoKadYe5GO/vC1rg==&RX=dnC4Xxj0WnSXYzF | unknown | html | 138 b | unknown |
| 1944 | explorer.exe | GET | 403 | 15.197.148.33:80 | http://www.chefdirectfoods.com/5nd2/?Sj=l/HsBIzQBRoWA7Rrzf39eYTBFrKWDfQyHFwDbrjx35wStbnzwiCFykVHBnPNaYc2zqtPcA==&RX=dnC4Xxj0WnSXYzF | unknown | html | 150 b | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1956 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 324 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 1944 | explorer.exe | 213.186.33.5:80 | www.outilla.site | OVH SAS | FR | unknown |
| 1944 | explorer.exe | 15.197.148.33:80 | www.chefdirectfoods.com | AMAZON-02 | US | unknown |
| 1944 | explorer.exe | 43.224.152.167:80 | www.dyjtcf8.com | West263 International Limited | SG | unknown |
| Domain | IP | Reputation |
|---|---|---|
| www.outilla.site | | unknown |
| www.chefdirectfoods.com | | unknown |
| www.dyjtcf8.com | | unknown |