File name: | 479BS21.exe |
Full analysis: | https://app.any.run/tasks/5c05cf38-3b7b-422e-af05-1b9124fc2fe7 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | April 24, 2019, 03:17:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 437AAE2924ED3AEC9525045760CBE550 |
SHA1: | 288942A1FDF0BAF92DD272740298D55FE142486A |
SHA256: | E2CE1872E8BE9A52760EE4E6CEF87C54B1C131AE2DF677FB33806E3B7460E98D |
SSDEEP: | 12288:+NnhrSNopWo0fefOo30ZexswGVihpTneBO7SrIBQCXoaqtWjdJZ2rC51/l:+rrrCGfOo3dZGgEysIBQKdJZ |
.exe | | | Win32 Executable Delphi generic (37.4) |
---|---|---|
.scr | | | Windows screen saver (34.5) |
.exe | | | Win32 Executable (generic) (11.9) |
.exe | | | Win16/32 Executable Delphi generic (5.4) |
.exe | | | Generic Win/DOS Executable (5.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 1992:02:16 12:00:59+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 459264 |
InitializedDataSize: | 283136 |
UninitializedDataSize: | - |
EntryPoint: | 0x71138 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.1.1.0 |
ProductVersionNumber: | 1.1.1.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | Update |
CompanyName: | GitHub |
FileDescription: | Update |
FileVersion: | 1.1.1.0 |
InternalName: | Update.exe |
LegalCopyright: | Copyright © GitHub 2013-2015 |
LegalTrademarks: | - |
OriginalFileName: | Update.exe |
ProductName: | Update |
ProductVersion: | 1.1.1.0 |
AssemblyVersion: | 1.1.1.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 16-Feb-1992 11:00:59 |
Detected languages: |
|
Comments: | Update |
CompanyName: | GitHub |
FileDescription: | Update |
FileVersion: | 1.1.1.0 |
InternalName: | Update.exe |
LegalCopyright: | Copyright © GitHub 2013-2015 |
LegalTrademarks: | - |
OriginalFilename: | Update.exe |
ProductName: | Update |
ProductVersion: | 1.1.1.0 |
Assembly Version: | 1.1.1.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 16-Feb-1992 11:00:59 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x00070180 | 0x00070200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.53701 |
DATA | 0x00072000 | 0x00007330 | 0x00007400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.79292 |
BSS | 0x0007A000 | 0x00000DD5 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0007B000 | 0x00002570 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.01493 |
.tls | 0x0007E000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0007F000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.195201 |
.reloc | 0x00080000 | 0x00007CB8 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.64617 |
.rsrc | 0x00088000 | 0x000336B4 | 0x00033800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.52944 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.32305 | 828 | Latin 1 / Western European | English - United States | RT_VERSION |
2 | 2.80231 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
3 | 3.00046 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
4 | 2.56318 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
5 | 2.6949 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
6 | 2.62527 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
746 | 6.0153 | 7553 | Latin 1 / Western European | English - United States | RT_CURSOR |
747 | 7.41628 | 7553 | Latin 1 / Western European | English - United States | RT_CURSOR |
748 | 7.53846 | 7553 | Latin 1 / Western European | English - United States | RT_CURSOR |
advapi32.dll |
comctl32.dll |
comdlg32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1516 | "C:\Users\admin\AppData\Local\Temp\479BS21.exe" | C:\Users\admin\AppData\Local\Temp\479BS21.exe | — | explorer.exe |
User: admin Company: GitHub Integrity Level: MEDIUM Description: Update Exit code: 3221226540 Version: 1.1.1.0 | ||||
2076 | "C:\Users\admin\AppData\Local\Temp\479BS21.exe" | C:\Users\admin\AppData\Local\Temp\479BS21.exe | explorer.exe | |
User: admin Company: GitHub Integrity Level: HIGH Description: Update Exit code: 0 Version: 1.1.1.0 | ||||
3696 | "C:\Users\admin\AppData\Local\Temp\479BS21.exe" | C:\Users\admin\AppData\Local\Temp\479BS21.exe | — | 479BS21.exe |
User: admin Company: GitHub Integrity Level: HIGH Description: Update Exit code: 0 Version: 1.1.1.0 | ||||
3464 | "C:\Windows\System32\cscript.exe" | C:\Windows\System32\cscript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Version: 5.8.7600.16385 | ||||
3772 | /c del "C:\Users\admin\AppData\Local\Temp\479BS21.exe" | C:\Windows\System32\cmd.exe | — | cscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2744 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3700 | "C:\Program Files\Bmzfxv\hbcxftbpd8i8.exe" | C:\Program Files\Bmzfxv\hbcxftbpd8i8.exe | — | explorer.exe |
User: admin Company: GitHub Integrity Level: MEDIUM Description: Update Exit code: 3221226540 Version: 1.1.1.0 | ||||
3136 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | cscript.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 |
(PID) Process: | (3464) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | YJMLDBRX8PX |
Value: C:\Program Files\Bmzfxv\hbcxftbpd8i8.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
3464 | cscript.exe | C:\Users\admin\AppData\Roaming\5KOR5UTE\5KOlogrc.ini | binary | |
MD5:5006D04B1F6E422ECA8F645E21CDBA19 | SHA256:5C5015428123CD8F48B5AB6BB0C7361F2CAE274A76E3C1EE73EBEF3441321D3F | |||
116 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Bmzfxv\hbcxftbpd8i8.exe | executable | |
MD5:437AAE2924ED3AEC9525045760CBE550 | SHA256:E2CE1872E8BE9A52760EE4E6CEF87C54B1C131AE2DF677FB33806E3B7460E98D | |||
2744 | DllHost.exe | C:\Program Files\Bmzfxv\hbcxftbpd8i8.exe | executable | |
MD5:437AAE2924ED3AEC9525045760CBE550 | SHA256:E2CE1872E8BE9A52760EE4E6CEF87C54B1C131AE2DF677FB33806E3B7460E98D | |||
3464 | cscript.exe | C:\Users\admin\AppData\Roaming\5KOR5UTE\5KOlogim.jpeg | image | |
MD5:E25F5B28EC19BED2C919A0663DEA119E | SHA256:C3D2C670C94E11E3D035FEA8C6F2A7A4A9F02280554F51B1D8B21B1B7C6888A7 | |||
3136 | Firefox.exe | C:\Users\admin\AppData\Roaming\5KOR5UTE\5KOlogrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A | |||
3464 | cscript.exe | C:\Users\admin\AppData\Roaming\5KOR5UTE\5KOlogri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE | |||
3464 | cscript.exe | C:\Users\admin\AppData\Roaming\5KOR5UTE\5KOlogrv.ini | binary | |
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5 | SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | — | 116.255.235.9:80 | http://www.scknstc.com/mo/?NVYduv=YrrN/gYJDKGwieKTCGD/sQdlW7fH7pRPE+qQxAJcBtLS3+cGL3bFiyWx8etlm4FwaElh8A==&wh=jLj85VmXCpXdi | CN | — | — | malicious |
116 | explorer.exe | GET | 301 | 185.230.62.177:80 | http://www.educateme101.com/mo/?NVYduv=Kf6bX4lc2+uAKA5PY5y5iZuJJXyrBF36B4ZJuEmW2lIaTvK0FVihl5wwuZf1GxaTZxaotA==&wh=jLj85VmXCpXdi | unknown | — | — | malicious |
116 | explorer.exe | POST | — | 74.208.236.197:80 | http://www.hemingwaydevere.com/mo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 68.65.121.96:80 | http://www.xinboz.com/mo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 68.65.121.96:80 | http://www.xinboz.com/mo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 180.166.211.84:80 | http://www.imayflower.com/mo/ | CN | — | — | malicious |
116 | explorer.exe | GET | 404 | 180.166.211.84:80 | http://www.imayflower.com/mo/?NVYduv=NptxKE1v7gP6OrE3IekszIu1xmRk/iegSERSt8qS+b6ooTCu1LGGCCOMybz4ARQ3Er3aZg==&wh=jLj85VmXCpXdi&sql=1 | CN | html | 1.14 Kb | malicious |
116 | explorer.exe | POST | — | 185.230.62.177:80 | http://www.educateme101.com/mo/ | unknown | — | — | malicious |
116 | explorer.exe | POST | — | 91.216.107.48:80 | http://www.lan-esport.com/mo/ | FR | — | — | malicious |
116 | explorer.exe | POST | — | 91.216.107.48:80 | http://www.lan-esport.com/mo/ | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 180.166.211.84:80 | www.imayflower.com | China Telecom (Group) | CN | malicious |
116 | explorer.exe | 116.255.235.9:80 | www.scknstc.com | CHINA UNICOM China169 Backbone | CN | malicious |
116 | explorer.exe | 185.230.62.177:80 | www.educateme101.com | — | — | malicious |
116 | explorer.exe | 74.208.236.197:80 | www.hemingwaydevere.com | 1&1 Internet SE | US | malicious |
116 | explorer.exe | 91.216.107.48:80 | www.lan-esport.com | ADISTA SAS | FR | malicious |
116 | explorer.exe | 68.65.121.96:80 | www.xinboz.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.scknstc.com |
| malicious |
www.hemingwaydevere.com |
| malicious |
www.imayflower.com |
| malicious |
www.rivaaciergroupe.com |
| unknown |
www.xinboz.com |
| malicious |
www.educateme101.com |
| malicious |
www.scouticorn.com |
| unknown |
www.lan-esport.com |
| malicious |
www.greenfieldlibrary.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |