Field | Value
---|---
File name | Invoice.zip
Full analysis | https://app.any.run/tasks/05bbbbc9-6c7e-422b-b55d-e07e825ebdee
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it.
Analysis date | January 11, 2019, 13:54:41
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | C67581E15AF240D9193C4392C5A6C0AB
SHA1 | 12106A629A9077C469A2DD1BC860DE56506D270B
SHA256 | 31ABC8107DA5808B4E7CB1B7C5B23B08BBF24C333BE518C2CC49126ECBEAA0CB
SSDEEP | 6144:DPKPTtom0xhznbkhenBCmLlgIMnEzFlsnJOPiPh2upjba:DeUboeBCWgdEBlsnJOKPh2q2
.zip | ZIP compressed archive (100)
---|---
ZipFileName | bin_outputDE0069F.exe
ZipUncompressedSize | 434176
ZipCompressedSize | 277367
ZipCRC | 0x725f088c
ZipModifyDate | 2019:01:10 17:47:01
ZipCompression | Deflated
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2816 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2460 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exe | — | WinRAR.exe | User: admin; Company: SiEmens; Integrity Level: MEDIUM; Exit code: 0; Version: 4.01.0009
3132 | "C:\Windows\System32\systray.exe" | C:\Windows\System32\systray.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Systray .exe stub; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3824 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exe" | C:\Windows\System32\cmd.exe | — | systray.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3196 | "C:\Program Files\WinRAR\WinRAR.exe" -elevate2816 | C:\Program Files\WinRAR\WinRAR.exe | | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: HIGH; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2324 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | | systray.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 61.0.2
3852 | /c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /V | C:\Windows\System32\cmd.exe | | systray.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3056 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3768 | "C:\Program Files\Scvh\rrhxmtbdx.exe" | C:\Program Files\Scvh\rrhxmtbdx.exe | — | explorer.exe | User: admin; Company: SiEmens; Integrity Level: MEDIUM; Exit code: 0; Version: 4.01.0009
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | 
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | 
2816 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | write | en-US
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\Invoice.zip
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120
2816 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100
116 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList | a | write | WinRAR.exe
116 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList | MRUList | write | a
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2460 | bin_outputDE0069F.exe | C:\Users\admin\AppData\Local\Temp\~DF648B227F4E59F7BE.TMP | — | — | —
3196 | WinRAR.exe | C:\bin_outputDE0069F.exe | executable | C83B3A601B8E5206949276B60044FF92 | 5E10AD8089D61C2FA3D81000D40BD544AD7EA8EB01DDCB4005D5305593635A2F
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exe | executable | C83B3A601B8E5206949276B60044FF92 | 5E10AD8089D61C2FA3D81000D40BD544AD7EA8EB01DDCB4005D5305593635A2F
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Invoice\bin_outputDE0069F.exe | executable | C83B3A601B8E5206949276B60044FF92 | 5E10AD8089D61C2FA3D81000D40BD544AD7EA8EB01DDCB4005D5305593635A2F
3132 | systray.exe | C:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3768 | rrhxmtbdx.exe | C:\Users\admin\AppData\Local\Temp\~DF9D2BAB31E1D3C3B4.TMP | — | — | —
3132 | systray.exe | C:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogrg.ini | binary | 662CFC0604D7F53153C80EE6AB8931D6 | 9881E9C578289EABFFEB84A3D87B255C732CD7D8AF087F71E2D970AB5F704840
3132 | systray.exe | C:\Users\admin\AppData\Local\Temp\bx4l_r.zip | compressed | 10C809CDC0FF1B7A4A26FEC1D1370EE8 | 065A83AB4E942FE61837CBF10739C381F76C9BE41448969AE5F4BAF90285C324
3132 | systray.exe | C:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogim.jpeg | image | 61ADA35FBCFB8CAC5A5FF84F56548A55 | EAF6876C3077B52858D8DA580B38E76BCFD7544D6B322AF6AA8CD9AA5E7F96CA
2324 | Firefox.exe | C:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 301 | 52.95.163.53:80 | http://www.estudioleip.com/pu/?jFiDr=CuK9hiXhgKh9hCRCeTYI1tijR4ukXM/THf1IwdVH6K6kfCiAxEWKPttNBMSz+RdDUTmpig==&PpQ=_6pd7BMXcny8W | US | — | — | malicious |
116 | explorer.exe | POST | — | 199.192.23.212:80 | http://www.smaleg.com/pu/ | US | — | — | malicious |
116 | explorer.exe | GET | 200 | 199.192.23.212:80 | http://www.smaleg.com/pu/?jFiDr=vXuibUm4TQE+I6m+UECb88u3ORXCsRxi2fdyQje/2DEOfiQ7PCUpBbEZF90f4o2zbRBmdQ==&PpQ=_6pd7BMXcny8W&sql=1 | US | binary | 323 Kb | malicious |
3896 | chrome.exe | POST | — | 49.50.76.88:80 | http://www.uttampradesh.net/pu/ | IN | — | — | malicious |
116 | explorer.exe | POST | 404 | 199.192.23.212:80 | http://www.smaleg.com/pu/ | US | html | 288 b | malicious |
116 | explorer.exe | POST | 404 | 199.192.23.212:80 | http://www.smaleg.com/pu/ | US | html | 288 b | malicious |
3896 | chrome.exe | GET | 200 | 52.40.132.39:80 | http://www.6620elginlane.com/pu/?UL=jZUXFTbpTpHdyl&yhp8=44GhTh/FfifmkqVTNmVV9lqBExRXVmfr+dAzt83KlxurG2dxvSJotyA7G0NlVwcBWo/ZVA== | US | html | 13.7 Kb | malicious |
116 | explorer.exe | POST | — | 52.95.163.53:80 | http://www.estudioleip.com/pu/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 52.95.163.53:80 | http://www.estudioleip.com/pu/ | US | — | — | malicious |
3896 | chrome.exe | POST | 404 | 199.192.23.212:80 | http://www.smaleg.com/pu/ | US | html | 288 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3896 | chrome.exe | 172.217.23.163:443 | www.gstatic.com | Google Inc. | US | whitelisted |
116 | explorer.exe | 23.20.239.12:80 | www.walkiestalkie.com | Amazon.com, Inc. | US | shared |
116 | explorer.exe | 199.192.23.212:80 | www.smaleg.com | — | US | malicious |
3896 | chrome.exe | 172.217.18.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3896 | chrome.exe | 172.217.18.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
3896 | chrome.exe | 216.58.207.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3896 | chrome.exe | 172.217.22.3:443 | www.google.de | Google Inc. | US | whitelisted |
3896 | chrome.exe | 172.217.22.110:443 | apis.google.com | Google Inc. | US | whitelisted |
3896 | chrome.exe | 172.217.18.14:443 | play.google.com | Google Inc. | US | whitelisted |
3896 | chrome.exe | 216.58.206.3:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
www.impartruck.com | | unknown
www.walkiestalkie.com | | shared
www.smaleg.com | | malicious
www.viewyourwebsitedraft.com | | unknown
www.miraclesoda.win | | unknown
www.geniosvirtual.com | | unknown
clientservices.googleapis.com | | whitelisted
www.gstatic.com | | whitelisted
safebrowsing.googleapis.com | | whitelisted
www.google.de | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |