File name: | 61be5168cca3b1d728229f863b9f1162 |
Full analysis: | https://app.any.run/tasks/c2aff4fd-c576-47f2-97f5-eeac9dc59d25 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2022, 19:36:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 61BE5168CCA3B1D728229F863B9F1162 |
SHA1: | 406403455110B5E12C4B77A45DF38672A5A9113E |
SHA256: | D8E0FD32EB51496E7F66B76FF106753742988DEE2974CF885825A6D9AA8EE5F3 |
SSDEEP: | 24576:TQGYT2NYwIeM8Q4eBAE5OdsoPUK3jhTi+sOo+spOYRo7tTK:TIuYheMp4zddskUkjhTi+kppOYRF |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
ProductVersion: | 63.77.84.95 |
---|---|
LegalCopyright: | Copyright (c) 2011-2022 by Ratojayo Inc All Rights Reserved. |
FileVersion: | 50.9.31.81 |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Static library |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 63.77.84.95 |
FileVersionNumber: | 50.9.31.81 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x141ea |
UninitializedDataSize: | - |
InitializedDataSize: | 155648 |
CodeSize: | 1235456 |
LinkerVersion: | 10 |
PEType: | PE32 |
TimeStamp: | 2022:05:20 13:58:07+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 20-May-2022 11:58:07 |
Detected languages: |
|
Debug artifacts: |
|
FileVersion: | 50.9.31.81 |
LegalCopyright: | Copyright (c) 2011-2022 by Ratojayo Inc All Rights Reserved. |
ProductVersion: | 63.77.84.95 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 20-May-2022 11:58:07 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0012D8B8 | 0x0012DA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.57236 |
.data | 0x0012F000 | 0x00003344 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51235 |
.rsrc | 0x00133000 | 0x00020710 | 0x00020800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.29848 |
.reloc | 0x00154000 | 0x00002400 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.20061 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.79597 | 346 | UNKNOWN | Spanish - Spain (International sort) | RT_MANIFEST |
2 | 4.38018 | 16936 | UNKNOWN | Spanish - Spain (International sort) | RT_ICON |
3 | 4.53421 | 9640 | UNKNOWN | Spanish - Spain (International sort) | RT_ICON |
4 | 4.32183 | 4264 | UNKNOWN | Spanish - Spain (International sort) | RT_ICON |
5 | 4.46112 | 2440 | UNKNOWN | Spanish - Spain (International sort) | RT_ICON |
6 | 4.03535 | 1128 | UNKNOWN | Spanish - Spain (International sort) | RT_ICON |
11 | 3.27673 | 1080 | UNKNOWN | Spanish - Spain (International sort) | RT_STRING |
12 | 3.32711 | 1216 | UNKNOWN | Spanish - Spain (International sort) | RT_STRING |
13 | 3.3122 | 1300 | UNKNOWN | Spanish - Spain (International sort) | RT_STRING |
136 | 3.05439 | 248 | UNKNOWN | Spanish - Spain (International sort) | RT_DIALOG |
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3912 | "C:\Users\admin\AppData\Local\Temp\61be5168cca3b1d728229f863b9f1162.exe" | C:\Users\admin\AppData\Local\Temp\61be5168cca3b1d728229f863b9f1162.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1964196 Modules
| |||||||||||||||
3024 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | — | 61be5168cca3b1d728229f863b9f1162.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Framework installation utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
1556 | "C:\Windows\System32\msg.exe" | C:\Windows\System32\msg.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Message Utility Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3468 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\System32\cmd.exe | — | msg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1172 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1172 | Explorer.EXE | GET | 302 | 3.140.13.188:80 | http://www.novusr.com/uu0p/?v6=e4XY/j8oNfDX/vZPiWytQAMAvJIq83Y1oMxBu+CmSf1+v3GlpkJVyJdXoLuvOsx0jiUB1A==&TX=V6o0QBMX | US | — | — | malicious |
1172 | Explorer.EXE | GET | 200 | 23.231.95.172:80 | http://www.watnefarms.com/uu0p/?v6=ot1/kmT2Omw0GVbYE5qa8wl/uWMf5XpS7bAC9++BFjK3AV5FF4nPR1fHUX+KI/RJXAwR7g==&TX=V6o0QBMX | US | html | 845 b | malicious |
1172 | Explorer.EXE | GET | 302 | 34.250.168.42:80 | http://www.supertiresandwheels.com/uu0p/?v6=qOfJtTh7h6EzBOuepfBHDKGSRl59kEfm4QFgVVCRa2CZjcaCn+Q0r0W3rKyHWAyI7WMweQ==&TX=V6o0QBMX | IE | html | 142 b | malicious |
1172 | Explorer.EXE | GET | 200 | 185.68.16.31:80 | http://www.wona-nyc.com/uu0p/?v6=6EEcCW2hQlWMxHlsiJ/GZrjouJMXic+r2ls54VYWqIK+WcgvNzWiKeTB7hOFPcAqzPP6+g==&TX=V6o0QBMX | UA | html | 1.50 Kb | malicious |
1172 | Explorer.EXE | GET | 403 | 15.197.142.173:80 | http://www.flipwatch.xyz/uu0p/?v6=snSF/BRZrGGH4qiAyiINSdYzeAunTsUuEOjGimgAYDiOT3cOHZjj6j1n5uw5x/I7/D7MLQ==&TX=V6o0QBMX | US | html | 118 b | malicious |
1172 | Explorer.EXE | GET | 404 | 50.31.177.150:80 | http://www.serprobumar.com/uu0p/?v6=U1JIds9TAcWkeuwFg6tq3uaJAw4d2UavUwZugaT2MIFFHTAbwkm2VLHnR9IWf58ZYrNx6g==&TX=V6o0QBMX | US | html | 708 b | suspicious |
1172 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.commercialsymposium.com/uu0p/?v6=CUMuWeqGSaOfyIUe8wAz0chyP+dgNRTm/4FMZsXJi2ufoHuAPUi4y4/rqCwx/Xs5XCqTWA==&TX=V6o0QBMX | US | html | 291 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1172 | Explorer.EXE | 185.68.16.31:80 | www.wona-nyc.com | Hosting Ukraine LTD | UA | malicious |
1172 | Explorer.EXE | 15.197.142.173:80 | www.flipwatch.xyz | Hewlett-Packard Company | US | malicious |
1172 | Explorer.EXE | 50.31.177.150:80 | www.serprobumar.com | Server Central Network | US | malicious |
1172 | Explorer.EXE | 23.231.95.172:80 | www.watnefarms.com | Eonix Corporation | US | malicious |
1172 | Explorer.EXE | 3.140.13.188:80 | www.novusr.com | — | US | malicious |
1172 | Explorer.EXE | 34.102.136.180:80 | www.commercialsymposium.com | — | US | whitelisted |
1172 | Explorer.EXE | 34.250.168.42:80 | www.supertiresandwheels.com | Amazon.com, Inc. | IE | malicious |
Domain | IP | Reputation |
---|---|---|
www.easeupp.com |
| unknown |
www.serprobumar.com |
| suspicious |
www.flipwatch.xyz |
| malicious |
www.wona-nyc.com |
| malicious |
www.supertiresandwheels.com |
| malicious |
www.novusr.com |
| malicious |
www.printfusion.net |
| unknown |
www.watnefarms.com |
| malicious |
www.bahamascargologistics.com |
| unknown |
www.commercialsymposium.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1172 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1172 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1172 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1172 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1172 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1172 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1172 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1172 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1172 | Explorer.EXE | Potentially Bad Traffic | ET INFO Request to .XYZ Domain with Minimal Headers |
1172 | Explorer.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |