File name: RFQ#22.PDF.rar

Full analysis: https://app.any.run/tasks/c28be4c6-3e86-4752-86d9-7d8c7ee71d82
Verdict: Malicious activity
Threats:

FormBook: FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: October 05, 2022, 04:47:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: formbook
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 19B88B5FA6EF7CE40892489422211127
SHA1: 453FEC7CA5ED8ADAAAB9FDA9BCE94FD7546BBAE2
SHA256: 1A7B9A97238B3F801668AF669C87E3C194C1C3E248B090ED6056D58DCFC3F71B
SSDEEP: 12288:f8UQaR6vWZobbiSuaAxCZj2N6v/QMwaLwl9VW:R1/ZKP5AxIj2OQqLwlC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • O7nbRCywJy9MTTb.exe (PID: 3028)
      • O7nbRCywJy9MTTb.exe (PID: 2288)
    • FORMBOOK detected by memory dumps

      • control.exe (PID: 3164)
  • SUSPICIOUS

    • Application launched itself

      • O7nbRCywJy9MTTb.exe (PID: 2288)
  • INFO

    No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Processes shown in the graph (details in the full report): winrar.exe, o7nbrcywjy9mttb.exe, o7nbrcywjy9mttb.exe, autoconv.exe, control.exe (#FORMBOOK)

Process information

PID: 3160
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ#22.PDF.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2288
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: MatchingPairsGame
Exit code: 0
Version: 1.0.0.0

PID: 3028
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe
Parent process: O7nbRCywJy9MTTb.exe
User: admin
Integrity Level: MEDIUM
Description: MatchingPairsGame
Exit code: 0
Version: 1.0.0.0

PID: 1772
CMD: "C:\Windows\System32\autoconv.exe"
Path: C:\Windows\System32\autoconv.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Auto File System Conversion Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3164
CMD: "C:\Windows\System32\control.exe"
Path: C:\Windows\System32\control.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Control Panel
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 121
Read events: 1 103
Write events: 18
Delete events: 0

Modification events

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\RFQ#22.PDF.rar

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3160
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3160.39174\O7nbRCywJy9MTTb.exe
Type: executable
MD5: 472E200EB4AC78B5E25A92DF5FAA2C91
SHA256: 97712A0ACE47C1E90B8CE05DDAC5C78CC240ED613937C7E72FF17BA62261E21E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 656
Process: WerFault.exe
IP: 104.208.16.94:443
Domain: watson.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: suspicious

DNS requests

Domain: watson.microsoft.com
IP: 104.208.16.94
Reputation: whitelisted

Threats

No threats detected
No debug info