File name: | Drawing.exe |
Full analysis: | https://app.any.run/tasks/12f28fe0-2341-4ac9-b63c-c2638ecef19d |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2022, 21:21:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | BC6C6181D07FF0968925BA7EC6C51434 |
SHA1: | 6332AADDE5592A1C85D09371327EF0F5AA9F15BE |
SHA256: | DC0ED0D428679DD6269A17CA9C6FD5D0AF9AC0CF62FD66C3ABF30736A0DF9AD2 |
SSDEEP: | 12288:xF5KQoJECexMqLyQEDaAc047JQAyeAud9LWN72ZawvEVzi:3IVoyQEDaASJQu5WN72ZTEU |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (49) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (20.9) |
.exe | | | Win64 Executable (generic) (18.5) |
.dll | | | Win32 Dynamic Link Library (generic) (4.4) |
.exe | | | Win32 Executable (generic) (3) |
AssemblyVersion: | 2.3.0.0 |
---|---|
ProductVersion: | 2.3.0.0 |
ProductName: | TFlow |
OriginalFileName: | Associa.exe |
LegalTrademarks: | - |
LegalCopyright: | - |
InternalName: | Associa.exe |
FileVersion: | 2.3.0.0 |
FileDescription: | TFlow |
CompanyName: | - |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2.3.0.0 |
FileVersionNumber: | 2.3.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0xa3b1a |
UninitializedDataSize: | - |
InitializedDataSize: | 40960 |
CodeSize: | 663552 |
LinkerVersion: | 48 |
PEType: | PE32 |
TimeStamp: | 2022:05:20 13:07:15+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 20-May-2022 11:07:15 |
Comments: | - |
CompanyName: | - |
FileDescription: | TFlow |
FileVersion: | 2.3.0.0 |
InternalName: | Associa.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | Associa.exe |
ProductName: | TFlow |
ProductVersion: | 2.3.0.0 |
Assembly Version: | 2.3.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 20-May-2022 11:07:15 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x000A1BE8 | 0x000A2000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.88991 |
.rsrc | 0x000A4000 | 0x00006158 | 0x00008000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.70955 |
.reloc | 0x000AC000 | 0x0000000C | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.00881485 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.25375 | 740 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
2 | 3.50389 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 6.07411 | 3752 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 5.9453 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 4.39914 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 5.23863 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 5.45651 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 5.43434 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
32512 | 1.51664 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1988 | "C:\Users\admin\AppData\Local\Temp\Drawing.exe" | C:\Users\admin\AppData\Local\Temp\Drawing.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Description: TFlow Exit code: 0 Version: 2.3.0.0 | ||||
2132 | "C:\Users\admin\AppData\Local\Temp\Drawing.exe" | C:\Users\admin\AppData\Local\Temp\Drawing.exe | — | Drawing.exe |
User: admin Integrity Level: MEDIUM Description: TFlow Exit code: 0 Version: 2.3.0.0 | ||||
2544 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Formbook(PID) Process(2544) cmd.exe Modules (42)kernel32.dll advapi32.dll ws2_32.dll svchost.exe msiexec.exe wuauclt.exe lsass.exe wlanext.exe msg.exe lsm.exe dwm.exe help.exe chkdsk.exe cmmon32.exe nbtstat.exe spoolsv.exe rdpclip.exe control.exe taskhost.exe rundll32.exe systray.exe audiodg.exe wininit.exe services.exe autochk.exe autoconv.exe autofmt.exe cmstp.exe colorcpl.exe cscript.exe explorer.exe WWAHost.exe ipconfig.exe msdt.exe mstsc.exe NAPSTAT.EXE netsh.exe NETSTAT.EXE raserver.exe wscript.exe wuapp.exe cmd.exe Decoys and strings (143)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start launch-university.com stf-express.net chatuy.online moldeddoorsupplier.com advertising3.mobi fizn.xyz healingcenter.biz qweasdzxc06.xyz cateyeslook.top chicagobteakingmews.com 767522.com gdsthf.com francepro.tech nycapro.com hyrumdolan.com bedogrow.biz waterloorealestatelawyer.com mira-veranda.net kayrene.com jeffzima.com weeklyass.xyz marcomcareersite.com xnxx16.net conditionncet.com luckyday.club skyvisioncollege.net cyhweb.com 59lawrenceavenue.com financebusinessjobs.com go-fora.com applisy.com inspired-dreams.com timmyliu.xyz queeniris.net maestrocapitalpartners.com ioaconagra.com nicoleandsunny.com sanluda.com lindsayhclarke.com agapebusinessconsultingllc.com coastalvendinggroup.com on-tama-blog.com ysanciuu.com csjtc.com lifefitnessbybai.com certifiednursingconsultants.com apebeat.xyz verkopers-check.com esmeraldainn.com spadger.site 47tamarackdrive.com amazonshoot.com dseorlduva.com hollywoodhosieryfoundations.com subgroup185-mail.com toursumbar.com laboratorio-naturale.com earthly.contact 2321valleyst.com links1hallow.com liztrk.info le-mall.net llw21-wups.com silvermooninteriors.site f-end C2www.poacreativegallery.art/g1s5/ | ||||
4020 | /c del "C:\Users\admin\AppData\Local\Temp\Drawing.exe" | C:\Windows\System32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1176 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (1988) Drawing.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1988) Drawing.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1988) Drawing.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1988) Drawing.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1176 | Explorer.EXE | GET | 301 | 34.117.168.233:80 | http://www.hollywoodhosieryfoundations.com/g1s5/?9rfPdxKx=/89FfQ7NibDo0WHwlxnTIU0p1hWM4zCtYP7V2sqSoGN9AKVnm4suSesmDT7x8spUljwZzQ==&2d6H=YnJ4ANEp | US | — | — | malicious |
1176 | Explorer.EXE | GET | — | 154.37.3.192:80 | http://www.inspired-dreams.com/g1s5/?9rfPdxKx=R9XsoMjKHQk/Kw2EZ+Q7a/gqdq83nm/dk15tYhAvNo/tCXO6W6BE3dn6XBZau7JPT7L4uQ==&2d6H=YnJ4ANEp | US | — | — | malicious |
1176 | Explorer.EXE | GET | 404 | 210.157.78.52:80 | http://www.queeniris.net/g1s5/?9rfPdxKx=pIEGSCWUV0p8Dmee6QXkWNdiXNxHKCEejEa+hGPCpgybEaN4oq3t2nnH9W2MZkHeBBYnhg==&2d6H=YnJ4ANEp | JP | html | 2.75 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1176 | Explorer.EXE | 154.37.3.192:80 | www.inspired-dreams.com | TULIP SYSTEMS, INC. | US | malicious |
1176 | Explorer.EXE | 34.117.168.233:80 | www.hollywoodhosieryfoundations.com | — | US | malicious |
1176 | Explorer.EXE | 210.157.78.52:80 | www.queeniris.net | FUJITSU LIMITED | JP | malicious |
Domain | IP | Reputation |
---|---|---|
www.queeniris.net |
| malicious |
www.inspired-dreams.com |
| unknown |
www.hollywoodhosieryfoundations.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1176 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |