File name: | RFQ#22.PDF.rar |
Full analysis: | https://app.any.run/tasks/c28be4c6-3e86-4752-86d9-7d8c7ee71d82 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | October 05, 2022, 04:47:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 19B88B5FA6EF7CE40892489422211127 |
SHA1: | 453FEC7CA5ED8ADAAAB9FDA9BCE94FD7546BBAE2 |
SHA256: | 1A7B9A97238B3F801668AF669C87E3C194C1C3E248B090ED6056D58DCFC3F71B |
SSDEEP: | 12288:f8UQaR6vWZobbiSuaAxCZj2N6v/QMwaLwl9VW:R1/ZKP5AxIj2OQqLwlC |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3160 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ#22.PDF.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
2288 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Description: MatchingPairsGame Exit code: 0 Version: 1.0.0.0 | ||||
3028 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe | — | O7nbRCywJy9MTTb.exe |
User: admin Integrity Level: MEDIUM Description: MatchingPairsGame Exit code: 0 Version: 1.0.0.0 | ||||
1772 | "C:\Windows\System32\autoconv.exe" | C:\Windows\System32\autoconv.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Auto File System Conversion Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3164 | "C:\Windows\System32\control.exe" | C:\Windows\System32\control.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\RFQ#22.PDF.rar | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe | executable | |
MD5:472E200EB4AC78B5E25A92DF5FAA2C91 | SHA256:97712A0ACE47C1E90B8CE05DDAC5C78CC240ED613937C7E72FF17BA62261E21E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
656 | WerFault.exe | 104.208.16.94:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
Domain | IP | Reputation |
---|---|---|
watson.microsoft.com |
| whitelisted |