| Field | Value |
|---|---|
| File name: | MVSANTAIRIS.exe |
| Full analysis: | https://app.any.run/tasks/13371232-0ca7-4d70-b8d1-42fdd66cea9c |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). It differs from much of the competing malware by its extreme ease of use, which lets even inexperienced threat actors operate it. |
| Analysis date: | March 07, 2025, 04:57:53 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 3BEDB40FA879B7CE8190CB04AF1223FE |
| SHA1: | AFB9D84F50D7D30E4878ACB096DE6C0CD48FB6FD |
| SHA256: | E45B701A7306AA4A47751B8166E369A719AC19648F37EFB1A6D949DE36A3D1AF |
| SSDEEP: | 24576:L14PoU4/DtjrPgYCuLOKjbMNwuyLKLOwn2MrP64QZ8BLpv26:L14PoUqDZrPgYCuLOKjbMNwuyLKLOwnB |
| Extension | Type (match %) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
| .exe | Win64 Executable (generic) (21.3) |
| .scr | Windows screen saver (10.1) |
| .dll | Win32 Dynamic Link Library (generic) (5) |
| .exe | Win32 Executable (generic) (3.4) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2025:03:07 03:35:36+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 598016 |
| InitializedDataSize: | 5120 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x93f36 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.2.2 |
| ProductVersionNumber: | 1.1.2.2 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | ExternalDSL |
| CompanyName: | WF_SINCOS |
| FileDescription: | WF LOGIN |
| FileVersion: | 1.1.2.2 |
| InternalName: | VKbR.exe |
| LegalCopyright: | WF_SINCOS 2024 (C) |
| LegalTrademarks: | ExternalDSL |
| OriginalFileName: | VKbR.exe |
| ProductName: | WF-LOGIN |
| ProductVersion: | 1.1.2.2 |
| AssemblyVersion: | 1.1.0.0 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 864 | "C:\Users\admin\Desktop\MVSANTAIRIS.exe" | C:\Users\admin\Desktop\MVSANTAIRIS.exe | — | explorer.exe | User: admin; Company: WF_SINCOS; Integrity Level: MEDIUM; Description: WF LOGIN; Exit code: 0; Version: 1.1.2.2 |
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 4408 | /c del "C:\Users\admin\Desktop\MVSANTAIRIS.exe" | C:\Windows\SysWOW64\cmd.exe | — | control.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 5024 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 5124 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 5280 | "C:\Users\admin\Desktop\MVSANTAIRIS.exe" | C:\Users\admin\Desktop\MVSANTAIRIS.exe | — | MVSANTAIRIS.exe | User: admin; Company: WF_SINCOS; Integrity Level: MEDIUM; Description: WF LOGIN; Exit code: 0; Version: 1.1.2.2 |
| 5512 | "C:\Windows\SysWOW64\control.exe" | C:\Windows\SysWOW64\control.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Control Panel; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 5892 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UEkEisvOSoI" /XML "C:\Users\admin\AppData\Local\Temp\tmp8A8.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | MVSANTAIRIS.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 6828 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |

Formbook configuration extracted from PID 5512 (control.exe):

| Field | Value |
|---|---|
| C2 | www.sjdasfjnivrew.click/mg63/ |
| Strings (79) | USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate dat= f-start f-end |
| Decoy C2 (64) | ukv3.online oemarket.store oyez.xyz mbraboutique.store qu7c.info omark.xyz fajeed.bet yrix.store tpmampir123.autos odescnxseyuge395.top anadrip.coffee ission-medienkompetenz.net lotherbuyqh.info ollyjstudioeur.shop isemanagersystem.xyz racarizasi.net iretelecom.click acke.online uwei.channel inopaola.shop exorilupavano.click onstruction-services-44244.bond rewgame.info dvxuhw272.vip earesimpsonjudge.net iscpicks.net sed-cars-after.sbs irstfyxerstation.info azablanka.info lot99betix.shop im-peinture.info en-pioneer.cloud ybnco.xyz ehn.asia 0687.best aundry-detergent-lightning.sbs bcsecuredebit.info bzhbc.xyz lasterz.xyz ylle.shop arehouse-jobs-ww-j2.today griculture-jobs-53223.bond bpay.info unslewinway.qpon ilco.store qslot89.vip xzt.store eesautosalesnc.net ebra.services hrnvegoldbiz.qpon yty152.vip ptimateitsolutions-uae.store onstitutionshq.net extgentechlearn.info ape.codes ygo.fun s-gamerclub.shop nso.work unriserendering.net ividhaven.store eam-uxcnxcxd.life utorate.app dtgr.xyz asd.xyz |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 864 | MVSANTAIRIS.exe | C:\Users\admin\AppData\Roaming\UEkEisvOSoI.exe | executable | 3BEDB40FA879B7CE8190CB04AF1223FE | E45B701A7306AA4A47751B8166E369A719AC19648F37EFB1A6D949DE36A3D1AF |
| 864 | MVSANTAIRIS.exe | C:\Users\admin\AppData\Local\Temp\tmp8A8.tmp | xml | 97C6ACDD4B49583FD64D3514532F4317 | 2150C557E03C61D9D7336BAB95769DBC94CBE993D302DA9AEA5C8BAAAF5ECD25 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 192.168.100.255:138 | — | — | — | whitelisted |
| 5508 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 5124 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| activation-v2.sls.microsoft.com | | whitelisted |
| www.isemanagersystem.xyz | | unknown |
| www.ebra.services | | malicious |
| www.azablanka.info | | unknown |
| www.ygo.fun | | unknown |
| www.uwei.channel | | unknown |