File name: | FinCERT_BAPB_MLW2019052001.zip |
Full analysis: | https://app.any.run/tasks/0963340e-1078-4487-8253-8f950fc3e709 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2019, 10:41:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B7FF2DD4399EC4F52716165B2A8016FE |
SHA1: | D7218E938E1AEB2E017348720AEE6133E0778566 |
SHA256: | 3C4570155FD02A458055D4B9596C0CE4B8A6D7754D474847961A26CB91E23B9C |
SSDEEP: | 12288:Gbw/Ly9ZId9biyqeoxEW/dAN+pcWs3ZnDYqIuIu:Gc/+Zu5oxEEdAN+pcWs31YMT |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:05:20 11:40:15 |
ZipCRC: | 0xe50f1749 |
ZipCompressedSize: | 249628 |
ZipUncompressedSize: | 359747 |
ZipFileName: | [Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3376 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019052001.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3236 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content_Attachment] Order - Order List.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2404 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Scan 000PO11026444.gz" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1760 | "C:\Users\admin\Desktop\Scan 000PO11026444.bat" | C:\Users\admin\Desktop\Scan 000PO11026444.bat | — | explorer.exe |
User: admin Company: UNTOILING Integrity Level: MEDIUM Exit code: 0 Version: 1.09.0005 | ||||
2212 | C:\Users\admin\Desktop\Scan 000PO11026444.bat" | C:\Users\admin\Desktop\Scan 000PO11026444.bat | — | Scan 000PO11026444.bat |
User: admin Company: UNTOILING Integrity Level: MEDIUM Exit code: 0 Version: 1.09.0005 | ||||
936 | "C:\Windows\System32\autochk.exe" | C:\Windows\System32\autochk.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Auto Check Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2052 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3216 | /c del "C:\Users\admin\Desktop\Scan 000PO11026444.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3816 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | cmd.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3376.40357\[Content_Attachment] Order - Order List.eml | — | |
MD5:— | SHA256:— | |||
3236 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR2C86.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3236 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp2F75.tmp | — | |
MD5:— | SHA256:— | |||
3236 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SI3M3KJ7\Scan 000PO11026444 (2).gz\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
116 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019052020190521\index.dat | dat | |
MD5:0008EB7286EA22358B670B0E83DF14F0 | SHA256:08654EBE9213BDA1543C417F4692C2CE968AFFEB7F54E535F7E1EE146F45B15C | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:3C9B8F6E87E7192B0934A989C7C72508 | SHA256:3EB822EA65E7D12E55C8C9A9B180526786AA5D3AC8B48C275ACB7D605260476E | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\[Content_Attachment] Order - Order List.eml.lnk | lnk | |
MD5:CB5E228CBB5A0592F62F3E2E01E915BE | SHA256:352460A1F95CB131CA8C31A1EE8BDE8894A31BBE1795ADDEDDD433243149C29C | |||
116 | explorer.exe | C:\Users\admin\Desktop\[Content_Attachment] Order - Order List.eml | eml | |
MD5:7F1028EC063B15A33F2CA6F50B78DE4E | SHA256:0E26FA5E621452C983D7718FC0DA7D86F35EA90FC9500BDBAAF51BABE9DCE522 | |||
2404 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2404.43838\Scan 000PO11026444.bat | — | |
MD5:— | SHA256:— | |||
3236 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:FEB3F184E0FCC962798421BB4E46060D | SHA256:76C9BFD32441229A85CA4B68763345C409ED67C6F21322BEEFB2DEAB25B196C0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | — | 23.20.239.12:80 | http://www.nd27.com/an/?Br5=AjFTIqvcgEaob4ZAIeIt5zUY5xaH3WiofDWif5tPhRXp5rJwwyFSSeYLlYw2JVG5yy4mIA==&I6F=4hitRzQ8q0 | US | — | — | shared |
116 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.matrimonyyou.com/an/?Br5=FzgDlnNc3hYGVwSVZbANYo43DFZ+Sm1Wf6K7n/rax76A+GAStB0Uq/5wI/oFw0pnZ+F07w==&I6F=4hitRzQ8q0&sql=1 | US | html | 188 b | shared |
116 | explorer.exe | POST | — | 172.120.128.42:80 | http://www.hbkcdz.com/an/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.matrimonyyou.com/an/ | US | — | — | shared |
3236 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
116 | explorer.exe | POST | — | 199.34.228.75:80 | http://www.mbchic.com/an/ | US | — | — | malicious |
116 | explorer.exe | GET | — | 199.34.228.75:80 | http://www.mbchic.com/an/?Br5=/JfnjqAmwgt7evulAvZgxUOb06ynN0d0LMkZpJRAFL0bNVv36DXTMSdw3EEJo18+g19aDQ==&I6F=4hitRzQ8q0&sql=1 | US | — | — | malicious |
116 | explorer.exe | POST | — | 199.34.228.75:80 | http://www.mbchic.com/an/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 199.34.228.75:80 | http://www.mbchic.com/an/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.matrimonyyou.com/an/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3236 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
— | — | 23.20.239.12:80 | www.nd27.com | Amazon.com, Inc. | US | shared |
116 | explorer.exe | 23.20.239.12:80 | www.nd27.com | Amazon.com, Inc. | US | shared |
— | — | 199.34.228.75:80 | www.mbchic.com | Weebly, Inc. | US | malicious |
116 | explorer.exe | 199.34.228.75:80 | www.mbchic.com | Weebly, Inc. | US | malicious |
116 | explorer.exe | 172.120.128.42:80 | www.hbkcdz.com | EGIHosting | US | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
www.nd27.com |
| shared |
www.lecorps.info |
| unknown |
www.mbchic.com |
| malicious |
www.coyotitawilhoit.info |
| unknown |
www.apptraffic4updates.date |
| unknown |
www.matrimonyyou.com |
| shared |
www.hbkcdz.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |