File name: mal
Full analysis: https://app.any.run/tasks/aeb7d338-7c8b-458d-a5ba-d93830178094
Verdict: Malicious activity
Threats: FormBook

FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: March 31, 2020, 03:23:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, formbook, stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B78C45D89A5512E57CFCEE073F746BDC
SHA1: 01246D4459FBEB136052F26DD04E25B7688BC277
SHA256: 1ADD04C4F6F527059AF44EB3905994A269931EE0BEB10779BEBE764641FB7282
SSDEEP: 768:Wa3F/hkj2X1R3rB4tJReuZCnTe0gCJh8+lxJeDQ:Wa3F/h6o1JrB4vUuEnTeNCtlxiQ

ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore have been affected by user actions and is provided as-is for the reader's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 견적 품목 리스트.exe (PID: 1916)
      • 견적 품목 리스트.exe (PID: 2836)
      • filename1.exe (PID: 3376)
      • filename1.exe (PID: 2128)
      • _jd4stohlpwt.exe (PID: 3864)
      • filename1.exe (PID: 2856)
      • _jd4stohlpwt.exe (PID: 1712)
      • filename1.exe (PID: 1840)
    • Changes the autorun value in the registry

      • 견적 품목 리스트.exe (PID: 1916)
      • filename1.exe (PID: 3376)
      • NETSTAT.EXE (PID: 3764)
      • _jd4stohlpwt.exe (PID: 3864)
      • filename1.exe (PID: 2856)
    • Connects to CnC server

      • explorer.exe (PID: 372)
    • FORMBOOK was detected

      • explorer.exe (PID: 372)
      • Firefox.exe (PID: 3664)
      • NETSTAT.EXE (PID: 3764)
    • Actions look like stealing of personal data

      • NETSTAT.EXE (PID: 3764)
    • Stealing of credential data

      • NETSTAT.EXE (PID: 3764)
    • Changes settings of System certificates

      • filename1.exe (PID: 1840)
      • filename1.exe (PID: 2128)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4092)
      • 견적 품목 리스트.exe (PID: 2836)
      • explorer.exe (PID: 372)
      • DllHost.exe (PID: 2744)
      • _jd4stohlpwt.exe (PID: 1712)
    • Application launched itself

      • 견적 품목 리스트.exe (PID: 1916)
      • filename1.exe (PID: 3376)
      • _jd4stohlpwt.exe (PID: 3864)
      • filename1.exe (PID: 2856)
    • Starts itself from another location

      • 견적 품목 리스트.exe (PID: 2836)
    • Reads Internet Cache Settings

      • filename1.exe (PID: 2128)
      • filename1.exe (PID: 1840)
    • Creates files in the user directory

      • filename1.exe (PID: 2128)
      • NETSTAT.EXE (PID: 3764)
      • filename1.exe (PID: 1840)
    • Uses NETSTAT.EXE to discover network connections

      • explorer.exe (PID: 372)
    • Starts CMD.EXE for commands execution

      • NETSTAT.EXE (PID: 3764)
    • Loads DLL from Mozilla Firefox

      • NETSTAT.EXE (PID: 3764)
    • Executed via COM

      • DllHost.exe (PID: 2744)
    • Creates files in the program directory

      • DllHost.exe (PID: 2744)
    • Adds / modifies Windows certificates

      • filename1.exe (PID: 2128)
      • filename1.exe (PID: 1840)
  • INFO

    • Manual execution by user

      • 견적 품목 리스트.exe (PID: 1916)
      • NETSTAT.EXE (PID: 3764)
    • Reads settings of System Certificates

      • filename1.exe (PID: 2128)
      • filename1.exe (PID: 1840)
    • Reads the hosts file

      • NETSTAT.EXE (PID: 3764)
    • Creates files in the user directory

      • Firefox.exe (PID: 3664)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

MPEG

MPEGAudioVersion: 1
AudioLayer: 3
AudioBitrate: 96 kbps
SampleRate: 32000
ChannelMode: Single Channel
MSStereo: On
IntensityStereo: On
CopyrightFlag:
OriginalMedia:
Emphasis: None

Composite

Duration: 2.10 s (approx)
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 15
Malicious processes: 11
Suspicious processes: 0

Behavior graph

(Interactive graph; per-process details are in the full report.) Process nodes shown, with edges labelled "start" or "drop and start": winrar.exe, 견적 품목 리스트.exe (two instances), filename1.exe (two instances), netstat.exe (#FORMBOOK), cmd.exe (no specs), explorer.exe (#FORMBOOK), firefox.exe (#FORMBOOK, no specs), Copy/Move/Rename/Delete/Link Object, _jd4stohlpwt.exe (two instances), filename1.exe (two further instances), spoolsv.exe (no specs).

Process information

PID 4092 (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\mal.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 1916 (parent process: explorer.exe)
  CMD: "C:\Users\admin\Desktop\견적 품목 리스트.exe"
  Path: C:\Users\admin\Desktop\견적 품목 리스트.exe
  User: admin | Company: WONDerware | Integrity level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 2836 (parent process: 견적 품목 리스트.exe)
  CMD: "C:\Users\admin\Desktop\견적 품목 리스트.exe"
  Path: C:\Users\admin\Desktop\견적 품목 리스트.exe
  User: admin | Company: WONDerware | Integrity level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 3376 (parent process: 견적 품목 리스트.exe)
  CMD: "C:\Users\admin\subfolder1\filename1.exe"
  Path: C:\Users\admin\subfolder1\filename1.exe
  User: admin | Company: WONDerware | Integrity level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 2128 (parent process: filename1.exe)
  CMD: "C:\Users\admin\subfolder1\filename1.exe"
  Path: C:\Users\admin\subfolder1\filename1.exe
  User: admin | Company: WONDerware | Integrity level: MEDIUM | Description: tint | Exit code: 0 | Version: 1.00

PID 3764 (parent process: explorer.exe)
  CMD: "C:\Windows\System32\NETSTAT.EXE"
  Path: C:\Windows\System32\NETSTAT.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: TCP/IP Netstat Command | Exit code: not listed | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2740 (parent process: NETSTAT.EXE)
  CMD: /c del "C:\Users\admin\subfolder1\filename1.exe"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 372 (parent process: not listed)
  CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Explorer | Exit code: not listed | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3664 (parent process: NETSTAT.EXE)
  CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  Path: C:\Program Files\Mozilla Firefox\Firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: MEDIUM | Description: Firefox | Exit code: 0 | Version: 68.0.1

PID 2744 (parent process: svchost.exe)
  CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  Path: C:\Windows\system32\DllHost.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: COM Surrogate | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 9 249
Read events: 2 084
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 5
Suspicious files: 77
Text files: 5
Unknown types: 2

Dropped files

PID 2128, filename1.exe: C:\Users\admin\AppData\Local\Temp\Cab2231.tmp (type and hashes not listed)
PID 2128, filename1.exe: C:\Users\admin\AppData\Local\Temp\Tar2232.tmp (type and hashes not listed)
PID 2128, filename1.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F (der)
  MD5: 7EDFA95BE4ED2446834630176880B200 | SHA256: 72BC58B52F64AB4CEE37C8E60435B66B3944567AF08DBF69DCC93DC0C43EF523
PID 3764, NETSTAT.EXE: C:\Users\admin\AppData\Roaming\LKA23647\LKAlogrc.ini (binary)
  MD5: 2855A82ECDD565B4D957EC2EE05AED26 | SHA256: 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
PID 2128, filename1.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 (der)
  MD5: B211134DC2B559A0A8FDD5600FCA0662 | SHA256: 471E7C400B878CF174F3D1E67CFBFF5B099378A6EAA8E4E5E346E7D6B681981E
PID 2836, 견적 품목 리스트.exe: C:\Users\admin\subfolder1\filename1.vbs (text)
  MD5: FD0F0DF4863066534A70D7A57BA5FE07 | SHA256: 4AA3732E035B8C54983E0F82290C680856212E620A6A36A22B550004EA60CD63
PID 4092, WinRAR.exe: C:\Users\admin\Desktop\견적 품목 리스트.exe (executable)
  MD5: B38DF2E04686B781BA0ABCECEE9506DB | SHA256: 5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6
PID 2128, filename1.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 (binary)
  MD5: B57C025022970CD5DD642150C4395E4D | SHA256: D8A509873A009D5C2CE7FDAAB9EC3F83ED2EDF82DA3FC752113FDA7EBB1F26BA
PID 2128, filename1.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F (binary)
  MD5: 0C284C329859796AFDC6CCC5175428D0 | SHA256: FE860E031C6DDBEE2BC435CA9D2C9BCAFD778D1EA3FF284D3D2C43E91A97CBBB
PID 2836, 견적 품목 리스트.exe: C:\Users\admin\subfolder1\filename1.exe (executable)
  MD5: B38DF2E04686B781BA0ABCECEE9506DB | SHA256: 5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6
Download the PCAP and analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 27
TCP/UDP connections: 31
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
372 | explorer.exe | GET | - | 184.168.221.91:80 | http://www.goforfootball.com/sa22/?9rfx9hDX=kzPpBLvn8rMiCf0lAslMPtRg/j5Py6K0V3qNlkw/YpyzLfzAYva/70so1x8LHgmZ9cru9w==&rZE=X4_4ANE82 | US | - | - | malicious
372 | explorer.exe | POST | - | 162.213.250.169:80 | http://www.allixanes.com/sa22/ | US | - | - | malicious
372 | explorer.exe | POST | - | 184.168.221.91:80 | http://www.goforfootball.com/sa22/ | US | - | - | malicious
372 | explorer.exe | GET | 301 | 35.242.251.130:80 | http://www.baribh.com/sa22/?9rfx9hDX=IDe74EdX1tMu3Io0WHkb2YSV0r0oUakV0rZ2YSNHGafdYlxyPzlEEy0P+41r6Agx+Gdyrg==&rZE=X4_4ANE82 | US | - | - | malicious
372 | explorer.exe | GET | 404 | 162.213.250.169:80 | http://www.allixanes.com/sa22/?9rfx9hDX=JMM0tJzek7OfGpItd7GZSDXDp6JdgYgBE5yHy+eQKsts3D1xYsicJlQH435XxcrMhotTVA==&rZE=X4_4ANE82 | US | html | 328 b | malicious
372 | explorer.exe | POST | - | 184.168.221.91:80 | http://www.goforfootball.com/sa22/ | US | - | - | malicious
372 | explorer.exe | POST | 404 | 162.213.250.169:80 | http://www.allixanes.com/sa22/ | US | html | 295 b | malicious
2128 | filename1.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
372 | explorer.exe | POST | 404 | 162.213.250.169:80 | http://www.allixanes.com/sa22/ | US | html | 295 b | malicious
372 | explorer.exe | POST | - | 156.226.241.57:80 | http://www.xingli60.com/sa22/ | ZA | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2128 | filename1.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2128 | filename1.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
2128 | filename1.exe | 13.107.42.12:443 | hmhxvw.dm.files.1drv.com | Microsoft Corporation | US | suspicious
1840 | filename1.exe | 13.107.42.12:443 | hmhxvw.dm.files.1drv.com | Microsoft Corporation | US | suspicious
372 | explorer.exe | 162.213.250.169:80 | www.allixanes.com | Namecheap, Inc. | US | malicious
372 | explorer.exe | 185.47.245.223:80 | www.xn--diseowebbadajoz-1qb.com | Grupo Loading Systems, S.L. | ES | malicious
1840 | filename1.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
372 | explorer.exe | 35.242.251.130:80 | www.baribh.com | - | US | malicious
372 | explorer.exe | 156.226.241.57:80 | www.xingli60.com | MacroLAN | ZA | malicious
372 | explorer.exe | 184.168.221.91:80 | www.goforfootball.com | GoDaddy.com, LLC | US | malicious

DNS requests

Domain | IP | Reputation
onedrive.live.com | 13.107.42.13 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
hmhxvw.dm.files.1drv.com | 13.107.42.12 | whitelisted
www.xn--diseowebbadajoz-1qb.com | 185.47.245.223 | malicious
www.allixanes.com | 162.213.250.169 | malicious
www.readytraffic4upgrade.download | - | unknown
www.goforfootball.com | 184.168.221.91 | malicious
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
www.xingli60.com | 156.226.241.57 | malicious
www.baribh.com | 35.242.251.130 | malicious

Threats

The same alert was raised 10 times:

PID | Process | Class | Message
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook

19 ETPRO signatures are available in the full report
No debug info