analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice.zip

Full analysis: https://app.any.run/tasks/05bbbbc9-6c7e-422b-b55d-e07e825ebdee
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: January 11, 2019, 13:54:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C67581E15AF240D9193C4392C5A6C0AB

SHA1:

12106A629A9077C469A2DD1BC860DE56506D270B

SHA256:

31ABC8107DA5808B4E7CB1B7C5B23B08BBF24C333BE518C2CC49126ECBEAA0CB

SSDEEP:

6144:DPKPTtom0xhznbkhenBCmLlgIMnEzFlsnJOPiPh2upjba:DeUboeBCWgdEBlsnJOKPh2q2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • bin_outputDE0069F.exe (PID: 2460)
      • rrhxmtbdx.exe (PID: 3768)
    • Formbook was detected

      • systray.exe (PID: 3132)
      • Firefox.exe (PID: 2324)
    • Connects to CnC server

      • explorer.exe (PID: 116)
      • chrome.exe (PID: 3896)
    • FORMBOOK was detected

      • explorer.exe (PID: 116)
      • chrome.exe (PID: 3896)
    • Changes the autorun value in the registry

      • systray.exe (PID: 3132)
    • Actions looks like stealing of personal data

      • systray.exe (PID: 3132)
    • Loads dropped or rewritten executable

      • systray.exe (PID: 3132)
    • Stealing of credential data

      • cmd.exe (PID: 3852)
      • systray.exe (PID: 3132)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2816)
      • WinRAR.exe (PID: 3196)
      • systray.exe (PID: 3132)
      • explorer.exe (PID: 116)
      • DllHost.exe (PID: 3056)
    • Starts CMD.EXE for commands execution

      • systray.exe (PID: 3132)
    • Application launched itself

      • WinRAR.exe (PID: 2816)
    • Creates files in the user directory

      • systray.exe (PID: 3132)
    • Loads DLL from Mozilla Firefox

      • systray.exe (PID: 3132)
    • Creates files in the program directory

      • DllHost.exe (PID: 3056)
  • INFO

    • Creates files in the user directory

      • Firefox.exe (PID: 2324)
    • Application launched itself

      • chrome.exe (PID: 3896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: bin_outputDE0069F.exe
ZipUncompressedSize: 434176
ZipCompressedSize: 277367
ZipCRC: 0x725f088c
ZipModifyDate: 2019:01:10 17:47:01
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
65
Monitored processes
29
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start winrar.exe bin_outputde0069f.exe no specs #FORMBOOK systray.exe cmd.exe no specs winrar.exe #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs cmd.exe Copy/Move/Rename/Delete/Link Object rrhxmtbdx.exe no specs spoolsv.exe no specs #FORMBOOK chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2816"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2460"C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exeWinRAR.exe
User:
admin
Company:
SiEmens
Integrity Level:
MEDIUM
Exit code:
0
Version:
4.01.0009
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2816.47360\bin_outputde0069f.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3132"C:\Windows\System32\systray.exe"C:\Windows\System32\systray.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\systray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3824/c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exe"C:\Windows\System32\cmd.exesystray.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3196"C:\Program Files\WinRAR\WinRAR.exe" -elevate2816C:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2324"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
systray.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
3852/c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /VC:\Windows\System32\cmd.exe
systray.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3056C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3768"C:\Program Files\Scvh\rrhxmtbdx.exe"C:\Program Files\Scvh\rrhxmtbdx.exeexplorer.exe
User:
admin
Company:
SiEmens
Integrity Level:
MEDIUM
Exit code:
0
Version:
4.01.0009
Modules
Images
c:\program files\scvh\rrhxmtbdx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
1 806
Read events
1 570
Write events
232
Delete events
4

Modification events

(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2816) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Invoice.zip
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(116) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(116) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
6
Suspicious files
151
Text files
117
Unknown types
17

Dropped files

PID
Process
Filename
Type
2460bin_outputDE0069F.exeC:\Users\admin\AppData\Local\Temp\~DF648B227F4E59F7BE.TMP
MD5:
SHA256:
3196WinRAR.exeC:\bin_outputDE0069F.exeexecutable
MD5:C83B3A601B8E5206949276B60044FF92
SHA256:5E10AD8089D61C2FA3D81000D40BD544AD7EA8EB01DDCB4005D5305593635A2F
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.47360\bin_outputDE0069F.exeexecutable
MD5:C83B3A601B8E5206949276B60044FF92
SHA256:5E10AD8089D61C2FA3D81000D40BD544AD7EA8EB01DDCB4005D5305593635A2F
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Invoice\bin_outputDE0069F.exeexecutable
MD5:C83B3A601B8E5206949276B60044FF92
SHA256:5E10AD8089D61C2FA3D81000D40BD544AD7EA8EB01DDCB4005D5305593635A2F
3132systray.exeC:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3768rrhxmtbdx.exeC:\Users\admin\AppData\Local\Temp\~DF9D2BAB31E1D3C3B4.TMP
MD5:
SHA256:
3132systray.exeC:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogrg.inibinary
MD5:662CFC0604D7F53153C80EE6AB8931D6
SHA256:9881E9C578289EABFFEB84A3D87B255C732CD7D8AF087F71E2D970AB5F704840
3132systray.exeC:\Users\admin\AppData\Local\Temp\bx4l_r.zipcompressed
MD5:10C809CDC0FF1B7A4A26FEC1D1370EE8
SHA256:065A83AB4E942FE61837CBF10739C381F76C9BE41448969AE5F4BAF90285C324
3132systray.exeC:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogim.jpegimage
MD5:61ADA35FBCFB8CAC5A5FF84F56548A55
SHA256:EAF6876C3077B52858D8DA580B38E76BCFD7544D6B322AF6AA8CD9AA5E7F96CA
2324Firefox.exeC:\Users\admin\AppData\Roaming\06AQ2U3E\06Alogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
41
DNS requests
33
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
116
explorer.exe
GET
301
52.95.163.53:80
http://www.estudioleip.com/pu/?jFiDr=CuK9hiXhgKh9hCRCeTYI1tijR4ukXM/THf1IwdVH6K6kfCiAxEWKPttNBMSz+RdDUTmpig==&PpQ=_6pd7BMXcny8W
US
malicious
116
explorer.exe
POST
199.192.23.212:80
http://www.smaleg.com/pu/
US
malicious
116
explorer.exe
GET
200
199.192.23.212:80
http://www.smaleg.com/pu/?jFiDr=vXuibUm4TQE+I6m+UECb88u3ORXCsRxi2fdyQje/2DEOfiQ7PCUpBbEZF90f4o2zbRBmdQ==&PpQ=_6pd7BMXcny8W&sql=1
US
binary
323 Kb
malicious
3896
chrome.exe
POST
49.50.76.88:80
http://www.uttampradesh.net/pu/
IN
malicious
116
explorer.exe
POST
404
199.192.23.212:80
http://www.smaleg.com/pu/
US
html
288 b
malicious
116
explorer.exe
POST
404
199.192.23.212:80
http://www.smaleg.com/pu/
US
html
288 b
malicious
3896
chrome.exe
GET
200
52.40.132.39:80
http://www.6620elginlane.com/pu/?UL=jZUXFTbpTpHdyl&yhp8=44GhTh/FfifmkqVTNmVV9lqBExRXVmfr+dAzt83KlxurG2dxvSJotyA7G0NlVwcBWo/ZVA==
US
html
13.7 Kb
malicious
116
explorer.exe
POST
52.95.163.53:80
http://www.estudioleip.com/pu/
US
malicious
116
explorer.exe
POST
52.95.163.53:80
http://www.estudioleip.com/pu/
US
malicious
3896
chrome.exe
POST
404
199.192.23.212:80
http://www.smaleg.com/pu/
US
html
288 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3896
chrome.exe
172.217.23.163:443
www.gstatic.com
Google Inc.
US
whitelisted
116
explorer.exe
23.20.239.12:80
www.walkiestalkie.com
Amazon.com, Inc.
US
shared
116
explorer.exe
199.192.23.212:80
www.smaleg.com
US
malicious
3896
chrome.exe
172.217.18.106:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3896
chrome.exe
172.217.18.13:443
accounts.google.com
Google Inc.
US
whitelisted
3896
chrome.exe
216.58.207.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3896
chrome.exe
172.217.22.3:443
www.google.de
Google Inc.
US
whitelisted
3896
chrome.exe
172.217.22.110:443
apis.google.com
Google Inc.
US
whitelisted
3896
chrome.exe
172.217.18.14:443
play.google.com
Google Inc.
US
whitelisted
3896
chrome.exe
216.58.206.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.impartruck.com
unknown
www.walkiestalkie.com
  • 23.20.239.12
shared
www.smaleg.com
  • 199.192.23.212
malicious
www.viewyourwebsitedraft.com
unknown
www.miraclesoda.win
unknown
www.geniosvirtual.com
unknown
clientservices.googleapis.com
  • 216.58.207.35
whitelisted
www.gstatic.com
  • 172.217.23.163
whitelisted
safebrowsing.googleapis.com
  • 172.217.18.106
whitelisted
www.google.de
  • 172.217.22.3
whitelisted

Threats

PID
Process
Class
Message
116
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
8 ETPRO signatures available at the full report
No debug info