File name: d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6

Full analysis: https://app.any.run/tasks/60233bf1-bd38-42bd-8349-68d203d94ad3
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: January 10, 2025, 22:17:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: formbook, xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 7B4D6F3B6A3B509738048774B20FAD27
SHA1: 4E96C226734AA7A5DF5910EFB87542BFB671674F
SHA256: D26C248791D7C1347E8E21257AD5522C1E47E26E054A59BC61A50133E5D180D6
SSDEEP: 49152:+hiykchiQy+L/TQa6iEaLaAmZ6QhykJSQxaR+Kyyh+wmag3Fjag5VKCSQCX4sNsT:uFxl78pmhYH5op7X1KtegsbB4cR3SPW7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • FORMBOOK has been detected (YARA)

      • d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (PID: 2828)
  • SUSPICIOUS

    • Application launched itself

      • d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (PID: 6544)
    • Executes application which crashes

      • d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (PID: 2828)
  • INFO

    • Checks proxy server information

      • WerFault.exe (PID: 6536)
    • Reads the machine GUID from the registry

      • d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (PID: 6544)
    • Checks supported languages

      • d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (PID: 6544)
    • Reads the computer name

      • d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (PID: 6544)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6536)
    • Reads the software policy settings

      • WerFault.exe (PID: 6536)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 2.8
OriginalFileName: CuUp.exe
LegalCopyright:
InternalName: CuUp.exe
FileVersion: 2.8
FileDescription: SocketMulticast
CompanyName: SocketMulticast
Comments: SocketMulticast
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.8.0.0
FileVersionNumber: 2.8.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xd2cba
UninitializedDataSize: -
InitializedDataSize: 9216
CodeSize: 855552
LinkerVersion: 48
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:12 08:23:04+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 131
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain (recovered from the graph labels): start → d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (no specs) → d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe (#FORMBOOK) → werfault.exe

Process information

PID: 6544
CMD: "C:\Users\admin\AppData\Local\Temp\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe"
Path: C:\Users\admin\AppData\Local\Temp\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe
Parent process: explorer.exe
User: admin
Company: SocketMulticast
Integrity Level: MEDIUM
Description: SocketMulticast
Exit code: 0
Version: 2.8
Modules (images):
  • c:\users\admin\appdata\local\temp\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll

PID: 2828
CMD: "C:\Users\admin\AppData\Local\Temp\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe"
Path: C:\Users\admin\AppData\Local\Temp\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe
Parent process: d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe
User: admin
Company: SocketMulticast
Integrity Level: MEDIUM
Description: SocketMulticast
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; this is the crash that WerFault.exe below reports on)
Version: 2.8
Modules (images):
  • c:\users\admin\appdata\local\temp\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll

PID: 6536
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2828 -s 228
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
Total events: 3 180
Read events: 3 180
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 5
Text files: 2
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6536 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_d26c248791d7c134_14843fdff5dc9e706e4050173a3823b391da631_e6b31635_dac40bd5-4585-401f-85e0-34b2db012911\Report.wer | - | - | -
6536 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4C8.tmp.dmp | binary | D6AE4B23563E48D403CD83BF5752B77E | 41DCCC67D82C00B0557FD9FE97C73604880B2D4B374254D0779A9E10EBBC7FEB
6536 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERD547.tmp.xml | xml | 1091D239603AB0C243C0989AD85A8404 | 17F6D351B083DD3BBCC7347C6FBC999DC9CCC0FD38B9A6A0F1FB94BF96E6F077
6536 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERD517.tmp.WERInternalMetadata.xml | xml | D4ED7C4E15C5044557D3986938711DA1 | 58255624F53BE76A7205D9A9C59895C8F800C01EA2176CFAD98A5A9DF35156F0
6536 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6.exe.2828.dmp | binary | 4D61EDB5A88806D979266272DEE59539 | 66F023A20BF5FEA4B76F03B2728E80EF11956AB849D0C817CFF6C59B6EA0CDFF
6536 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary | 4FBAE6EE788258C7E5F0DA67FD75312D | 479C082213A41F1D938B3F69242E055BFA54AD656700D9AA73070B4F075A008C
6536 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | binary | F6F53CD09A41E968C363419B279D3112 | 6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
6536 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | der | FA84E4BCC92AA5DB735AB50711040CDE | 6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
6536 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785 | binary | CDDAA64EE8DD420FE4EBB1DD3B8D618F | 33A006704E8F062D868115B40759DF8BE2E02B43852DE656E764DC2B1707E86B
HTTP(S) requests: 10
TCP/UDP connections: 33
DNS requests: 16
Threats: 0

HTTP requests

(The report's Type and Size columns are empty for every row and are omitted here.)

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5156 | svchost.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6236 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6536 | WerFault.exe | GET | 200 | 23.32.238.155:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6236 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5156 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6536 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5156 | svchost.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5156 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.176:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.143
  • 23.32.238.155
  • 23.32.238.106
  • 2.19.198.43
  • 23.32.238.90
  • 23.32.238.123
  • 23.32.238.112
  • 23.32.238.153
  • 23.32.238.145
  • 23.32.238.115
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 184.30.21.171
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.170
  • 104.126.37.129
  • 104.126.37.179
  • 104.126.37.123
  • 104.126.37.137
  • 104.126.37.171
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info