analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

BL-Shipping Document.z

Full analysis: https://app.any.run/tasks/0538be3f-7b19-4fa6-899f-bad8fa995932
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: April 15, 2019, 14:08:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
opendir
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

7F661B3BCB97F60BF0A2E14A1E0250BD

SHA1:

534D39327BF46B9610A2C37BCA8358521E2BD329

SHA256:

379D004FDAEC6621395A116D8204EDEDC39DE34EE304788BE6A722F0C0C3740A

SSDEEP:

6144:bay3UP6ry+qzjd8pRv+2YtSA7bTpKhA1qyRGIrk7frlRoQjUPoJfGsRG9QL:bay3k62+cGpN+Tssbt9TrkDsI2oJfG0L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • BL-Shipping Document.exe (PID: 1708)
      • app.exe (PID: 2892)
      • BL-Shipping Document.exe (PID: 3656)
      • app.exe (PID: 2204)
    • Changes the autorun value in the registry

      • app.exe (PID: 2204)
      • rundll32.exe (PID: 3620)
    • FORMBOOK was detected

      • explorer.exe (PID: 2044)
    • Connects to CnC server

      • explorer.exe (PID: 2044)
    • Formbook was detected

      • rundll32.exe (PID: 3620)
      • Firefox.exe (PID: 3456)
    • Actions looks like stealing of personal data

      • rundll32.exe (PID: 3620)
    • Stealing of credential data

      • rundll32.exe (PID: 3620)
  • SUSPICIOUS

    • Application launched itself

      • app.exe (PID: 2204)
    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 3620)
      • BL-Shipping Document.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3864)
      • cmd.exe (PID: 3696)
    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 2044)
    • Creates files in the user directory

      • rundll32.exe (PID: 3620)
      • cmd.exe (PID: 3696)
    • Loads DLL from Mozilla Firefox

      • rundll32.exe (PID: 3620)
  • INFO

    • Creates files in the user directory

      • Firefox.exe (PID: 3456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
11
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe bl-shipping document.exe cmd.exe bl-shipping document.exe cmd.exe no specs app.exe app.exe no specs #FORMBOOK rundll32.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3864"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BL-Shipping Document.z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3656"C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.32650\BL-Shipping Document.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.32650\BL-Shipping Document.exe
WinRAR.exe
User:
admin
Company:
ukojovacosocahoqozomusew
Integrity Level:
MEDIUM
Description:
imolowuv
Exit code:
0
Version:
7.10.14.17
3696"C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.32650\BL-Shipping Document.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exe"C:\Windows\System32\cmd.exe
BL-Shipping Document.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1708"C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.34761\BL-Shipping Document.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.34761\BL-Shipping Document.exe
WinRAR.exe
User:
admin
Company:
ukojovacosocahoqozomusew
Integrity Level:
MEDIUM
Description:
imolowuv
Exit code:
0
Version:
7.10.14.17
3076"C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exe"C:\Windows\System32\cmd.exeBL-Shipping Document.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2204"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exe
cmd.exe
User:
admin
Company:
ukojovacosocahoqozomusew
Integrity Level:
MEDIUM
Description:
imolowuv
Exit code:
0
Version:
7.10.14.17
2892"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exeapp.exe
User:
admin
Company:
ukojovacosocahoqozomusew
Integrity Level:
MEDIUM
Description:
imolowuv
Exit code:
0
Version:
7.10.14.17
3620"C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
368/c del "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exe"C:\Windows\System32\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2044C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
543
Read events
521
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
73
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3864WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3864.34761\BL-Shipping Document.exeexecutable
MD5:BC8787CE0212B9306C503301C72407E1
SHA256:53C88F93E26CFA364E823EDBB6C1E3F4A9AEF63B12591A16939C10FA9314562B
3696cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\app.exeexecutable
MD5:BC8787CE0212B9306C503301C72407E1
SHA256:53C88F93E26CFA364E823EDBB6C1E3F4A9AEF63B12591A16939C10FA9314562B
3620rundll32.exeC:\Users\admin\AppData\Roaming\03RA4AUE\03Rlogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3864WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3864.32650\BL-Shipping Document.exeexecutable
MD5:BC8787CE0212B9306C503301C72407E1
SHA256:53C88F93E26CFA364E823EDBB6C1E3F4A9AEF63B12591A16939C10FA9314562B
3620rundll32.exeC:\Users\admin\AppData\Roaming\03RA4AUE\03Rlogim.jpegimage
MD5:7667DCE86401AFD8AF4CB85B4CB90347
SHA256:438B7E636C35717804737C998B4357EA2D4AAC702C704B9D0B95398EFEBB7E79
3456Firefox.exeC:\Users\admin\AppData\Roaming\03RA4AUE\03Rlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
3620rundll32.exeC:\Users\admin\AppData\Roaming\03RA4AUE\03Rlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
3620rundll32.exeC:\Users\admin\AppData\Roaming\03RA4AUE\03Rlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
29
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2044
explorer.exe
GET
121.199.250.36:80
http://www.huachen119.com/ro/?Rz7tLz=WKuDpcI9W5zFJbnZ6d553j0+8nfgLZ3KQkMDWGm+MuuTJLxVNMLPGNeaenq9axCmt3qDkA==&QLr=uTH8ThkX1pklN&sql=1
CN
malicious
2044
explorer.exe
GET
208.91.197.27:80
http://www.tm1-code.com/ro/?Rz7tLz=GISzHsH0UyWg1Ye5UuUBAdH9/OKhc3QR+dh+ZeCqgr/v9iLCRqBfOxnytd3NRXmmbPkinQ==&QLr=uTH8ThkX1pklN&sql=1
US
malicious
2044
explorer.exe
GET
301
104.31.69.194:80
http://www.mostgeneral.com/ro/?Rz7tLz=0AjbJv8+mPstSALz+oIMGvpfs9JG2/wGprW+xCVKvI0MZbXK294EsSlsfNmvmuXGF0jZ/Q==&QLr=uTH8ThkX1pklN&sql=1
US
malicious
2044
explorer.exe
POST
162.244.253.67:80
http://www.kerrytittle.com/ro/
US
malicious
2044
explorer.exe
POST
121.199.250.36:80
http://www.huachen119.com/ro/
CN
malicious
2044
explorer.exe
POST
104.31.69.194:80
http://www.mostgeneral.com/ro/
US
malicious
2044
explorer.exe
GET
162.244.253.67:80
http://www.kerrytittle.com/ro/?Rz7tLz=03cRoNTnW4UXXHIo30b6FUHQqzIRRjArkTJ7sGzHd9kjwpJog2oN3LrzmrRTmHzhaUJUGg==&QLr=uTH8ThkX1pklN&sql=1
US
malicious
2044
explorer.exe
POST
104.31.69.194:80
http://www.mostgeneral.com/ro/
US
malicious
2044
explorer.exe
GET
404
67.23.236.205:80
http://www.tecno-escuela.com/ro/?Rz7tLz=SmuCI7LN0x1XSUkLnCey/CoJkNXkHJxcA3+laKMfx104o/efRKnluWovVv4w5ijtTF7KgQ==&QLr=uTH8ThkX1pklN&sql=1
US
html
320 b
malicious
2044
explorer.exe
POST
208.91.197.27:80
http://www.tm1-code.com/ro/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2044
explorer.exe
208.91.197.27:80
www.tm1-code.com
Confluence Networks Inc
US
malicious
2044
explorer.exe
67.23.236.205:80
www.tecno-escuela.com
HostDime.com, Inc.
US
malicious
2044
explorer.exe
68.65.121.44:80
www.tiboxe.com
Namecheap, Inc.
US
malicious
2044
explorer.exe
162.244.253.67:80
www.kerrytittle.com
Handy Networks, LLC
US
malicious
2044
explorer.exe
104.31.69.194:80
www.mostgeneral.com
Cloudflare Inc
US
shared
2044
explorer.exe
121.199.250.36:80
www.huachen119.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious
2044
explorer.exe
34.200.200.95:80
www.bioscience-jobs.net
Amazon.com, Inc.
US
malicious
34.200.200.95:80
www.bioscience-jobs.net
Amazon.com, Inc.
US
malicious
2044
explorer.exe
192.0.78.203:80
www.globalartistdigitall.com
Automattic, Inc
US
malicious

DNS requests

Domain
IP
Reputation
www.tiboxe.com
  • 68.65.121.44
malicious
www.huachen119.com
  • 121.199.250.36
malicious
www.launchdeals.services
unknown
www.mostgeneral.com
  • 104.31.69.194
  • 104.31.68.194
malicious
www.tm1-code.com
  • 208.91.197.27
malicious
www.kerrytittle.com
  • 162.244.253.67
malicious
www.tecno-escuela.com
  • 67.23.236.205
malicious
www.bioscience-jobs.net
  • 34.200.200.95
  • 3.94.104.205
malicious
www.laptopmasterysecrets.com
unknown
www.globalartistdigitall.com
  • 192.0.78.203
  • 192.0.78.188
malicious

Threats

PID
Process
Class
Message
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
21 ETPRO signatures available at the full report
Process
Message
BL-Shipping Document.exe
*** Status originated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\id_parser.cpp, line 590
BL-Shipping Document.exe
*** Status propagated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
BL-Shipping Document.exe
*** Status originated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\id_parser.cpp, line 590
BL-Shipping Document.exe
*** Status propagated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
app.exe
*** Status originated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\id_parser.cpp, line 590
app.exe
*** Status propagated: -1072365543 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147