analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SWIFT_COPY_856.ace

Full analysis: https://app.any.run/tasks/e921c162-dc2d-4e41-ba29-7ad3b469b77b
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 09:04:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/octet-stream
File info: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5:

D42251C5A118B397951F53BA1B09E460

SHA1:

F017D032784C73B6B94F5E646D1CB40CCB45EE58

SHA256:

2D1C8F574F21589BD55F6E822D78335F4FB96A7509148712E7067594E5215D1E

SSDEEP:

6144:adnB4c0/qibum3dpg7cw8X04DqkjdD3ztNCZwb:XOi5W7Ok4DdjRzrCW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SWIFT_COPY_856.scr (PID: 2848)
      • SWIFT_COPY_856.scr (PID: 3356)
      • SWIFT_COPY_856.scr (PID: 4044)

    • FORMBOOK was detected

      • explorer.exe (PID: 284)

    • Changes the autorun value in the registry

      • rdpclip.exe (PID: 2624)

    • Formbook was detected

      • rdpclip.exe (PID: 2624)
      • Firefox.exe (PID: 2796)

    • Connects to CnC server

      • explorer.exe (PID: 284)

    • Actions looks like stealing of personal data

      • rdpclip.exe (PID: 2624)

    • Stealing of credential data

      • rdpclip.exe (PID: 2624)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2980)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2980)
      • SWIFT_COPY_856.scr (PID: 2848)
      • SWIFT_COPY_856.scr (PID: 3356)

    • Application launched itself

      • SWIFT_COPY_856.scr (PID: 2848)
      • SWIFT_COPY_856.scr (PID: 3356)

    • Loads DLL from Mozilla Firefox

      • rdpclip.exe (PID: 2624)

    • Starts CMD.EXE for commands execution

      • rdpclip.exe (PID: 2624)

    • Creates files in the user directory

      • rdpclip.exe (PID: 2624)

  • INFO

    • Creates files in the user directory

      • Firefox.exe (PID: 2796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ace | ACE compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
8
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start start winrar.exe swift_copy_856.scr no specs swift_copy_856.scr no specs swift_copy_856.scr no specs #FORMBOOK rdpclip.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2980"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SWIFT_COPY_856.ace"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2848"C:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scrWinRAR.exe
User:
admin
Company:
NARA
Integrity Level:
MEDIUM
Description:
MOB
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\rar$dia2980.26241\swift_copy_856.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3356"C:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scrSWIFT_COPY_856.scr
User:
admin
Company:
NARA
Integrity Level:
MEDIUM
Description:
MOB
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\rar$dia2980.26241\swift_copy_856.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
4044"C:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scrSWIFT_COPY_856.scr
User:
admin
Company:
NARA
Integrity Level:
MEDIUM
Description:
MOB
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\rar$dia2980.26241\swift_copy_856.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2624"C:\Windows\System32\rdpclip.exe"C:\Windows\System32\rdpclip.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
RDP Clip Monitor
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rdpclip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3388/c del "C:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.scr"C:\Windows\System32\cmd.exerdpclip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2796"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
rdpclip.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
482
Read events
446
Write events
36
Delete events
0

Modification events

(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2980) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\SWIFT_COPY_856.ace
(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(284) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ace\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(284) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ace\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
1
Suspicious files
73
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2980WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2980.26241\SWIFT_COPY_856.screxecutable
MD5:DC9E62C6454451886B67B2628E0AB8DB
SHA256:A81BBF7CB76D53460F2270F3CCF7A540CF390C02E593588E649C4D8770D4979E
2624rdpclip.exeC:\Users\admin\AppData\Roaming\4NL07UBE\4NLlogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
2848SWIFT_COPY_856.scrC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
3356SWIFT_COPY_856.scrC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
2624rdpclip.exeC:\Users\admin\AppData\Roaming\4NL07UBE\4NLlogim.jpegimage
MD5:45C51B84B25183876811A379542D5FE0
SHA256:F74ECC3B9500E82B04AA02BB27BC55BC2CED7C65A5637D12C94861269E8233DB
2796Firefox.exeC:\Users\admin\AppData\Roaming\4NL07UBE\4NLlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
2624rdpclip.exeC:\Users\admin\AppData\Roaming\4NL07UBE\4NLlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
2624rdpclip.exeC:\Users\admin\AppData\Roaming\4NL07UBE\4NLlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
26
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
284
explorer.exe
GET
88.214.207.96:80
http://www.maccheronicini.com/pe/?PB=s1tnAVSUiInLtxGBFy8WOBpIfbg81+XIthL6ti59XpWaTbVwUAT653hwZKjmaJCHHyggRQ==&00=Jz9L_rMX&sql=1
GB
malicious
284
explorer.exe
GET
301
104.154.23.229:80
http://www.napalandman.net/pe/?PB=W9sGz4OoQAk2r1FrqsHeEjLoHC1tn2Jzv/4esmYgXyCsn5Vz0UO8gXGscJvcOIex5f8NfA==&00=Jz9L_rMX&sql=1
US
malicious
284
explorer.exe
GET
209.99.64.43:80
http://www.tattoodedication.com/pe/?PB=N1ch3/b1sYv/hU9TQ/GnVRpLgi+LXR8/wLTAkNvEhxjgg7Ce3PifzJ3Q1qsWxN/ChGyUmg==&00=Jz9L_rMX&sql=1
US
malicious
284
explorer.exe
POST
104.154.23.229:80
http://www.napalandman.net/pe/
US
malicious
284
explorer.exe
POST
209.99.64.43:80
http://www.tattoodedication.com/pe/
US
malicious
284
explorer.exe
POST
104.154.23.229:80
http://www.napalandman.net/pe/
US
malicious
284
explorer.exe
POST
88.214.207.96:80
http://www.maccheronicini.com/pe/
GB
malicious
284
explorer.exe
POST
104.154.23.229:80
http://www.napalandman.net/pe/
US
malicious
284
explorer.exe
POST
217.160.0.173:80
http://www.lifemasterclass.info/pe/
DE
malicious
284
explorer.exe
GET
301
192.237.132.248:80
http://www.thenorthernlightsmusic.com/pe/?PB=TOfyfpYrAhc21K2hDYkifELHovYA4dP8aqEcz4CyRmzPSy/hDocWRtM9N9fSKe8LU0s6UA==&00=Jz9L_rMX&sql=1
US
html
209 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
284
explorer.exe
213.186.33.5:80
www.alexandre-allard.com
OVH SAS
FR
malicious
284
explorer.exe
104.154.23.229:80
www.napalandman.net
Google Inc.
US
malicious
284
explorer.exe
209.99.64.43:80
www.tattoodedication.com
Confluence Networks Inc
US
malicious
284
explorer.exe
88.214.207.96:80
www.maccheronicini.com
NatCoWeb Corp.
GB
malicious
284
explorer.exe
45.192.106.247:80
www.godspee.com
MacroLAN
ZA
malicious
284
explorer.exe
192.237.132.248:80
www.thenorthernlightsmusic.com
Rackspace Ltd.
US
malicious
284
explorer.exe
217.160.0.173:80
www.lifemasterclass.info
1&1 Internet SE
DE
malicious
284
explorer.exe
23.20.239.12:80
www.coffindepot.com
Amazon.com, Inc.
US
shared

DNS requests

Domain
IP
Reputation
www.hailougou.com
unknown
www.alexandre-allard.com
  • 213.186.33.5
malicious
www.napalandman.net
  • 104.154.23.229
malicious
www.tattoodedication.com
  • 209.99.64.43
malicious
www.maccheronicini.com
  • 88.214.207.96
malicious
www.abetterupdates.win
unknown
www.thenorthernlightsmusic.com
  • 192.237.132.248
malicious
www.lifemasterclass.info
  • 217.160.0.173
malicious
www.medi-strains.net
unknown
www.godspee.com
  • 45.192.106.247
malicious

Threats

PID
Process
Class
Message
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
21 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SWIFT_COPY_856.ace