| File name: | quotation sheet.exe |
| Full analysis: | https://app.any.run/tasks/6e15c5cc-5605-4acc-be1c-346ce439be95 |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | March 05, 2024, 14:00:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 3EBE6033AB56EC44820916D7AECAB658 |
| SHA1: | A4E5E0D9311403E08D037EFE1B91D8E29549E65E |
| SHA256: | E30684F6C5692278A639A64202C45A4B11392EB58FBA23CBC9E9A19BAD0BC4FC |
| SSDEEP: | 24576:k2xeahXbwEfUiGBhQRTbdLxjSgQSHIqndR9pZyJ+H60s1HbJ/BW2iBW2zBW2bBW0:k2xeGbwEfUiGBhQRTbdLxjSgQSHIqndx |
MALICIOUS
Drops the executable file immediately after the start
- quotation sheet.exe (PID: 3672)
FORMBOOK has been detected (YARA)
- mstsc.exe (PID: 3952)
SUSPICIOUS
Application launched itself
- quotation sheet.exe (PID: 3672)
Starts CMD.EXE for commands execution
- mstsc.exe (PID: 3952)
INFO
Checks supported languages
- quotation sheet.exe (PID: 3672)
- quotation sheet.exe (PID: 3536)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1164)
Reads the computer name
- quotation sheet.exe (PID: 3536)
Manual execution by a user
- mstsc.exe (PID: 3952)
Reads the Internet Settings
- explorer.exe (PID: 1164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(3952) mstsc.exe
C2www.miscov.com/k2k/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)delta9.systems
postmanga.com
dtprovv.com
cheforex.com
xn----7sbbaiqv2bfwdegk8a.com
wedgetailaustralia.com
worshipbanddevotions.com
29dk.men
alexrosedecker.com
tryingfun.com
wecardpal.com
matelephonie.com
linjakaivo.com
gngnepal.com
globalsheet.com
pitchmebro.com
testautomation216.com
sterlinglandmanagement.com
columbusphoenixcyclery.com
rvhtye.men
wwwzzvip6.com
balatonproperties.com
happyhourcakes.com
alyssamariebody.com
meulikeus.com
universobancos.com
floffff.com
lekkedifferent.com
naked-indians.com
zxyhun.info
standardcbuk.com
mobitechguru.com
icamp19.com
micromaxelectric.net
534544.com
aeneas-formation-securite.com
mantechsecurityservices.com
alosoolmaids.com
reviveus.co.uk
inspiredsnobtravel.com
dariyonjoseph.com
hackinat.com
ozyurtlargrup.com
28daiyun.com
geared2gotours.com
zybermart.live
meraki-doula.com
jerseytrend.com
clubmasterreduziert.com
cx20333.com
xuwuge.net
zhengdatianqing.com
takyphone.com
tuyidu.com
kingsheathcc.com
fullbraz-br.com
theylovemysmile.com
crenativemedia.com
oil4healing.com
mts-industrieservice.com
parfum-par-nature.com
xhtd227.com
beyereyedjoellplankchids.win
30nama2.net
TRiD
| .exe | | | Win32 Executable Microsoft Visual Basic 6 (90.6) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (4.9) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2008:07:26 11:40:25+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 667648 |
| InitializedDataSize: | 12288 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1210 |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | LIBERA |
| ProductName: | CACIOTtonaLibera5 |
| FileVersion: | 1 |
| ProductVersion: | 1 |
| InternalName: | cONTRORAX |
| OriginalFileName: | cONTRORAX.exe |
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1164 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3536 | "C:\Users\admin\AppData\Local\Temp\quotation sheet.exe" | C:\Users\admin\AppData\Local\Temp\quotation sheet.exe | — | quotation sheet.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 3672 | "C:\Users\admin\AppData\Local\Temp\quotation sheet.exe" | C:\Users\admin\AppData\Local\Temp\quotation sheet.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 3720 | /c del "C:\Users\admin\AppData\Local\Temp\quotation sheet.exe" | C:\Windows\System32\cmd.exe | — | mstsc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3952 | "C:\Windows\System32\mstsc.exe" | C:\Windows\System32\mstsc.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Connection Exit code: 0 Version: 6.3.9600.16415 (winblue_gdr_oob.131001-0952) Modules
Formbook(PID) Process(3952) mstsc.exe C2www.miscov.com/k2k/ Strings (79)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)delta9.systems postmanga.com dtprovv.com cheforex.com xn----7sbbaiqv2bfwdegk8a.com wedgetailaustralia.com worshipbanddevotions.com 29dk.men alexrosedecker.com tryingfun.com wecardpal.com matelephonie.com linjakaivo.com gngnepal.com globalsheet.com pitchmebro.com testautomation216.com sterlinglandmanagement.com columbusphoenixcyclery.com rvhtye.men wwwzzvip6.com balatonproperties.com happyhourcakes.com alyssamariebody.com meulikeus.com universobancos.com floffff.com lekkedifferent.com naked-indians.com zxyhun.info standardcbuk.com mobitechguru.com icamp19.com micromaxelectric.net 534544.com aeneas-formation-securite.com mantechsecurityservices.com alosoolmaids.com reviveus.co.uk inspiredsnobtravel.com dariyonjoseph.com hackinat.com ozyurtlargrup.com 28daiyun.com geared2gotours.com zybermart.live meraki-doula.com jerseytrend.com clubmasterreduziert.com cx20333.com xuwuge.net zhengdatianqing.com takyphone.com tuyidu.com kingsheathcc.com fullbraz-br.com theylovemysmile.com crenativemedia.com oil4healing.com mts-industrieservice.com parfum-par-nature.com xhtd227.com beyereyedjoellplankchids.win 30nama2.net | |||||||||||||||
Total events
319
Read events
318
Write events
1
Delete events
0
Modification events
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DBDD10622BD67741A42163F361389C47000000000200000000001066000000010000200000001B01FAC560709E064321873EBB6B092BACBE1184C8D0266B3BA6B8E0918C10C1000000000E80000000020000200000009CA79E1C241A2DE5FC3C0D8F7DBCB8CD9ECD514C00A7BB8EF859AE260212E997300000007E95D343960645D6F75CD51FF24784F27EE8E9E14142BFB72B4CB18A0EFD9B8703D5A7CDC4FCE4618F0076E5467B09C640000000D06E18142D9FE937CB2856C3DC9193664F652E047980BF9C26370951FDD76F167CF0AF0F1935C2CCC471535A20C00D002C347633FDBE65F6C9F88C39B6060D00 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
4
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1164 | explorer.exe | 49.13.77.253:80 | www.naked-indians.com | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.naked-indians.com |
| unknown |
dns.msftncsi.com |
| shared |
www.zxyhun.info |
| unknown |
www.fullbraz-br.com |
| unknown |