File name: | mal |
Full analysis: | https://app.any.run/tasks/aeb7d338-7c8b-458d-a5ba-d93830178094 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | March 31, 2020, 03:23:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | B78C45D89A5512E57CFCEE073F746BDC |
SHA1: | 01246D4459FBEB136052F26DD04E25B7688BC277 |
SHA256: | 1ADD04C4F6F527059AF44EB3905994A269931EE0BEB10779BEBE764641FB7282 |
SSDEEP: | 768:Wa3F/hkj2X1R3rB4tJReuZCnTe0gCJh8+lxJeDQ:Wa3F/h6o1JrB4vUuEnTeNCtlxiQ |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
MPEGAudioVersion: | 1 |
---|---|
AudioLayer: | 3 |
AudioBitrate: | 96 kbps |
SampleRate: | 32000 |
ChannelMode: | Single Channel |
MSStereo: | On |
IntensityStereo: | On |
CopyrightFlag: | |
OriginalMedia: | |
Emphasis: | None |
Duration: | 2.10 s (approx) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4092 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\mal.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1916 | "C:\Users\admin\Desktop\견적 품목 리스트.exe" | C:\Users\admin\Desktop\견적 품목 리스트.exe | explorer.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
2836 | "C:\Users\admin\Desktop\견적 품목 리스트.exe" | C:\Users\admin\Desktop\견적 품목 리스트.exe | 견적 품목 리스트.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
3376 | "C:\Users\admin\subfolder1\filename1.exe" | C:\Users\admin\subfolder1\filename1.exe | 견적 품목 리스트.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
2128 | "C:\Users\admin\subfolder1\filename1.exe" | C:\Users\admin\subfolder1\filename1.exe | filename1.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: tint Exit code: 0 Version: 1.00 | ||||
3764 | "C:\Windows\System32\NETSTAT.EXE" | C:\Windows\System32\NETSTAT.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2740 | /c del "C:\Users\admin\subfolder1\filename1.exe" | C:\Windows\System32\cmd.exe | — | NETSTAT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
372 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3664 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | NETSTAT.EXE | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
2744 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2128 | filename1.exe | C:\Users\admin\AppData\Local\Temp\Cab2231.tmp | — | |
MD5:— | SHA256:— | |||
2128 | filename1.exe | C:\Users\admin\AppData\Local\Temp\Tar2232.tmp | — | |
MD5:— | SHA256:— | |||
2128 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der | |
MD5:7EDFA95BE4ED2446834630176880B200 | SHA256:72BC58B52F64AB4CEE37C8E60435B66B3944567AF08DBF69DCC93DC0C43EF523 | |||
3764 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\LKA23647\LKAlogrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
2128 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der | |
MD5:B211134DC2B559A0A8FDD5600FCA0662 | SHA256:471E7C400B878CF174F3D1E67CFBFF5B099378A6EAA8E4E5E346E7D6B681981E | |||
2836 | 견적 품목 리스트.exe | C:\Users\admin\subfolder1\filename1.vbs | text | |
MD5:FD0F0DF4863066534A70D7A57BA5FE07 | SHA256:4AA3732E035B8C54983E0F82290C680856212E620A6A36A22B550004EA60CD63 | |||
4092 | WinRAR.exe | C:\Users\admin\Desktop\견적 품목 리스트.exe | executable | |
MD5:B38DF2E04686B781BA0ABCECEE9506DB | SHA256:5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6 | |||
2128 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | binary | |
MD5:B57C025022970CD5DD642150C4395E4D | SHA256:D8A509873A009D5C2CE7FDAAB9EC3F83ED2EDF82DA3FC752113FDA7EBB1F26BA | |||
2128 | filename1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:0C284C329859796AFDC6CCC5175428D0 | SHA256:FE860E031C6DDBEE2BC435CA9D2C9BCAFD778D1EA3FF284D3D2C43E91A97CBBB | |||
2836 | 견적 품목 리스트.exe | C:\Users\admin\subfolder1\filename1.exe | executable | |
MD5:B38DF2E04686B781BA0ABCECEE9506DB | SHA256:5E9A72BA9DB211ADDC4A0408A838310BC264D620658B8C640F2E845E740F1CD6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
372 | explorer.exe | GET | — | 184.168.221.91:80 | http://www.goforfootball.com/sa22/?9rfx9hDX=kzPpBLvn8rMiCf0lAslMPtRg/j5Py6K0V3qNlkw/YpyzLfzAYva/70so1x8LHgmZ9cru9w==&rZE=X4_4ANE82 | US | — | — | malicious |
372 | explorer.exe | POST | — | 162.213.250.169:80 | http://www.allixanes.com/sa22/ | US | — | — | malicious |
372 | explorer.exe | POST | — | 184.168.221.91:80 | http://www.goforfootball.com/sa22/ | US | — | — | malicious |
372 | explorer.exe | GET | 301 | 35.242.251.130:80 | http://www.baribh.com/sa22/?9rfx9hDX=IDe74EdX1tMu3Io0WHkb2YSV0r0oUakV0rZ2YSNHGafdYlxyPzlEEy0P+41r6Agx+Gdyrg==&rZE=X4_4ANE82 | US | — | — | malicious |
372 | explorer.exe | GET | 404 | 162.213.250.169:80 | http://www.allixanes.com/sa22/?9rfx9hDX=JMM0tJzek7OfGpItd7GZSDXDp6JdgYgBE5yHy+eQKsts3D1xYsicJlQH435XxcrMhotTVA==&rZE=X4_4ANE82 | US | html | 328 b | malicious |
372 | explorer.exe | POST | — | 184.168.221.91:80 | http://www.goforfootball.com/sa22/ | US | — | — | malicious |
372 | explorer.exe | POST | 404 | 162.213.250.169:80 | http://www.allixanes.com/sa22/ | US | html | 295 b | malicious |
2128 | filename1.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
372 | explorer.exe | POST | 404 | 162.213.250.169:80 | http://www.allixanes.com/sa22/ | US | html | 295 b | malicious |
372 | explorer.exe | POST | — | 156.226.241.57:80 | http://www.xingli60.com/sa22/ | ZA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2128 | filename1.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2128 | filename1.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
2128 | filename1.exe | 13.107.42.12:443 | hmhxvw.dm.files.1drv.com | Microsoft Corporation | US | suspicious |
1840 | filename1.exe | 13.107.42.12:443 | hmhxvw.dm.files.1drv.com | Microsoft Corporation | US | suspicious |
372 | explorer.exe | 162.213.250.169:80 | www.allixanes.com | Namecheap, Inc. | US | malicious |
372 | explorer.exe | 185.47.245.223:80 | www.xn--diseowebbadajoz-1qb.com | Grupo Loading Systems, S.L. | ES | malicious |
1840 | filename1.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
372 | explorer.exe | 35.242.251.130:80 | www.baribh.com | — | US | malicious |
372 | explorer.exe | 156.226.241.57:80 | www.xingli60.com | MacroLAN | ZA | malicious |
372 | explorer.exe | 184.168.221.91:80 | www.goforfootball.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
ocsp.digicert.com |
| whitelisted |
hmhxvw.dm.files.1drv.com |
| whitelisted |
www.xn--diseowebbadajoz-1qb.com |
| malicious |
www.allixanes.com |
| malicious |
www.readytraffic4upgrade.download |
| unknown |
www.goforfootball.com |
| malicious |
www.download.windowsupdate.com |
| whitelisted |
www.xingli60.com |
| malicious |
www.baribh.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |