File name: | dbe |
Full analysis: | https://app.any.run/tasks/5d488f62-30ed-4370-a55f-90f005e4aa38 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | September 19, 2019, 08:49:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | BF30B4A3B54E398BAA94CAA778A6FB3A |
SHA1: | 5643733AC2924076D4605CC4800FAB41E7B68A4C |
SHA256: | DBE2797E8776D6F96E0A589549289399627EA027D018B398CB1341586792494B |
SSDEEP: | 6144:GR+xXuYPhT6+Z2ZUxtG5Lb0AcjcuPdvo0yu0RX0+Nz2wMo5asOebojdy:K5Y96+sZUxtqb0AcPPBo0y+0iDoIs |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:12:15 23:24:36+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 26112 |
InitializedDataSize: | 141824 |
UninitializedDataSize: | 2048 |
EntryPoint: | 0x34a5 |
OSVersion: | 4 |
ImageVersion: | 6 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 15-Dec-2018 22:24:36 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 15-Dec-2018 22:24:36 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006409 | 0x00006600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41619 |
.rdata | 0x00008000 | 0x00001396 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.15491 |
.data | 0x0000A000 | 0x00020358 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.0044 |
.ndata | 0x0002B000 | 0x00010000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0003B000 | 0x00001F60 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.27381 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.2992 | 830 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.36858 | 1384 | UNKNOWN | English - United States | RT_ICON |
3 | 3.21047 | 744 | UNKNOWN | English - United States | RT_ICON |
4 | 2.92032 | 296 | UNKNOWN | English - United States | RT_ICON |
103 | 2.21733 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
104 | 2.6935 | 316 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
110 | 3.22336 | 872 | UNKNOWN | English - United States | RT_BITMAP |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3680 | "C:\Users\admin\AppData\Local\Temp\dbe.exe" | C:\Users\admin\AppData\Local\Temp\dbe.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3680 | dbe.exe | C:\Users\admin\AppData\Local\Temp\nso99C5.tmp | — | |
MD5:— | SHA256:— | |||
3680 | dbe.exe | C:\Users\admin\AppData\Roaming\channelName\missingtrackvolume\struct\insertcellsbar.xml | xml | |
MD5:D593FD2B7DF6991C460960494BF118B6 | SHA256:18762FA4013146695DD715C3E729D613F2C5818DBB9E5BF1E4D42C9ECD8AB54A | |||
3680 | dbe.exe | C:\Users\admin\AppData\Roaming\channelName\missingtrackvolume\struct\MFC80KOR.dll | executable | |
MD5:BF8C7FB08E1C470A573AAC9B1B711E1C | SHA256:11107A404EB329F14193CC33DF3E29FD19680E223019BC66601B3CD910F1315D | |||
3680 | dbe.exe | C:\Users\admin\AppData\Roaming\position\advanced\children\savemode\event-utils.js | text | |
MD5:1E4AC3F9EA0C61B9815675A38F75E71D | SHA256:3D83DD596CCE4BE1EE877D5AFEAC15BAC9016A7A9DCE0355854EA0AF082491C2 | |||
3680 | dbe.exe | C:\Users\admin\AppData\Local\Temp\pl\rule\inline\NotificationBox.css | text | |
MD5:D2D5AD4D7E300D1CDD14731E1667B6A6 | SHA256:DA7E82B79E6814D941C7BBC6E1DA713A05E4CAEB8C20E67AFA0A398E925D75D1 | |||
3680 | dbe.exe | C:\Users\admin\AppData\Local\Temp\canons.dll | executable | |
MD5:2AE5D410948624B091BFFEE8FE572969 | SHA256:49D58D394CFD697EA5D855B88CEDE6D70EB08EFFAFDE514D255493B3EC5EB645 | |||
3680 | dbe.exe | C:\Users\admin\AppData\Roaming\channelName\missingtrackvolume\struct\lcdefinename.png | image | |
MD5:628C9B04F5D582F429409915D36663CD | SHA256:2B9A26AE4D36E485BA087B6667E690250D53F96528DFCC1B91E7356200679482 | |||
3680 | dbe.exe | C:\Users\admin\AppData\Local\Temp\pl\rule\inline\dvVSETCD01N.HxK | xml | |
MD5:1EC66FF4382F851C730CC045A71A3ED0 | SHA256:32C2319F65706C6F46F740C8BB7E4ED3AA77EA6DC0BD216B13092A8EC50ECB89 | |||
3680 | dbe.exe | C:\Users\admin\AppData\Local\Temp\Ordeal | binary | |
MD5:4B5870CC15BB53B4D6A87DB0E3616EC9 | SHA256:5EC881C269F15460FC6CB2D9CC963A177885F4748288B86BFFFDE91009D2BE2A | |||
3680 | dbe.exe | C:\Users\admin\AppData\Local\Temp\pl\rule\inline\vjscsvrps.dll | executable | |
MD5:7217CD683C6CFD0CFBD35DC0D6ECBC7C | SHA256:E005228D21DD9494EBDC890A1617AED9633C653EE4D858DF5C99967EDAAD3AD2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 69.163.215.153:80 | http://www.runmywp.com/c203/?OPyLujS=0sg95cMwuQlYGd4YXDbUPdUjuEPUy2UVBeCddfwqseVou+OoLWQnZfGro6klxK0rzZcEow==&p0q=QfA04Nq8Bv9hjBY | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 69.163.215.153:80 | www.runmywp.com | New Dream Network, LLC | US | malicious |
— | — | 91.195.240.94:80 | www.billybits.com | SEDO GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.billybits.com |
| malicious |
dns.msftncsi.com |
| shared |
www.runmywp.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |