analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FinCERT_BAPB_MLW2019052001.zip

Full analysis: https://app.any.run/tasks/2a030b60-86f6-495d-b641-09798b671638
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: May 20, 2019, 10:30:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B7FF2DD4399EC4F52716165B2A8016FE

SHA1:

D7218E938E1AEB2E017348720AEE6133E0778566

SHA256:

3C4570155FD02A458055D4B9596C0CE4B8A6D7754D474847961A26CB91E23B9C

SSDEEP:

12288:Gbw/Ly9ZId9biyqeoxEW/dAN+pcWs3ZnDYqIuIu:Gc/+Zu5oxEEdAN+pcWs31YMT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Specifications PO#7376153353.scr (PID: 3332)
      • Specifications PO#7376153353.scr (PID: 3812)
    • FORMBOOK was detected

      • explorer.exe (PID: 2044)
    • Connects to CnC server

      • explorer.exe (PID: 2044)
    • Changes the autorun value in the registry

      • colorcpl.exe (PID: 3484)
    • Formbook was detected

      • colorcpl.exe (PID: 3484)
      • Firefox.exe (PID: 2360)
    • Actions looks like stealing of personal data

      • colorcpl.exe (PID: 3484)
    • Stealing of credential data

      • colorcpl.exe (PID: 3484)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • explorer.exe (PID: 2044)
      • OUTLOOK.EXE (PID: 1816)
    • Creates files in the user directory

      • explorer.exe (PID: 2044)
      • OUTLOOK.EXE (PID: 1816)
      • colorcpl.exe (PID: 3484)
    • Starts application with an unusual extension

      • explorer.exe (PID: 2044)
      • Specifications PO#7376153353.scr (PID: 3332)
    • Application launched itself

      • Specifications PO#7376153353.scr (PID: 3332)
    • Starts CMD.EXE for commands execution

      • colorcpl.exe (PID: 3484)
    • Loads DLL from Mozilla Firefox

      • colorcpl.exe (PID: 3484)
  • INFO

    • Manual execution by user

      • OUTLOOK.EXE (PID: 1816)
      • WinRAR.exe (PID: 3708)
      • Specifications PO#7376153353.scr (PID: 3332)
      • colorcpl.exe (PID: 3484)
    • Dropped object may contain Bitcoin addresses

      • explorer.exe (PID: 2044)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1816)
    • Creates files in the user directory

      • Firefox.exe (PID: 2360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:05:20 11:40:15
ZipCRC: 0xe50f1749
ZipCompressedSize: 249628
ZipUncompressedSize: 359747
ZipFileName: [Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs outlook.exe winrar.exe no specs specifications po#7376153353.scr no specs specifications po#7376153353.scr no specs #FORMBOOK colorcpl.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2716"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019052001.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1816"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3708"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Specifications PO#7376153353.z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3332"C:\Users\admin\Desktop\Specifications PO#7376153353.scr" /SC:\Users\admin\Desktop\Specifications PO#7376153353.screxplorer.exe
User:
admin
Company:
boilover4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.04.0001
3812C:\Users\admin\Desktop\Specifications PO#7376153353.scr" /SC:\Users\admin\Desktop\Specifications PO#7376153353.scrSpecifications PO#7376153353.scr
User:
admin
Company:
boilover4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.04.0001
3484"C:\Windows\System32\colorcpl.exe"C:\Windows\System32\colorcpl.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Color Control Panel
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3836/c del "C:\Users\admin\Desktop\Specifications PO#7376153353.scr"C:\Windows\System32\cmd.execolorcpl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2044C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2360"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
colorcpl.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Total events
5 897
Read events
5 083
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
84
Text files
25
Unknown types
7

Dropped files

PID
Process
Filename
Type
2716WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2716.27753\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml
MD5:
SHA256:
1816OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR6E3E.tmp.cvr
MD5:
SHA256:
1816OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp7014.tmp
MD5:
SHA256:
2044explorer.exeC:\Users\admin\Desktop\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.emleml
MD5:E10B101E4EE904576BCC5886D0231E91
SHA256:BEA309477A4DC57CB4E579229FDCFC78A8D88B1EF42AAAC87BACA2D9CCE2FD7D
3708WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3708.30235\Specifications PO#7376153353.scr
MD5:
SHA256:
1816OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E792BD7ED245F6A450D78CD2DDA46850
SHA256:BE1069B5251F55A83A8A87E19AADC651572FB8CA5E854BC088AD0322E7F41BC6
2044explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml.lnklnk
MD5:3BB46D733C79953C33EFB51A3A5A55C7
SHA256:BF2EF0533A43524CB92263096416BDD0C88B401A1E7291994F340E8DA395F5E6
2044explorer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019052020190521\index.datdat
MD5:E0CF89355848B65AAF11B805423A4FDC
SHA256:B8F41A616CD83114A9F06E012350718BA57DB5D216524A01CBEBD82559CA81C1
2044explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:B11A03AED34B638CDE3E580008996BF5
SHA256:A4FC0929B8858E30044541A6F0095E75328D1C6A88FF710B7778C0B4A0C94D47
1816OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DNTFTN9G\Specifications PO#7376153353.zcompressed
MD5:7B10AF6ADBB108AE3D95D5187A317B96
SHA256:70FCF4DA8CDBD078C6C592CD3E4642B44CC1545DE8889EAC0EB01C5D12BA2130
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
10
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1816
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2044
explorer.exe
GET
404
199.192.26.4:80
http://www.craxiny.com/as/?_RpDvB=i6iWcllMeOMlE1B/hCwSmm3rpLRGMSmTycj75IQYfNO7j760xX9G4g5dz3VkfQRR2rqMSA==&5j=NVYduv
US
html
326 b
malicious
2044
explorer.exe
GET
404
217.160.0.195:80
http://www.amphibricks.store/as/?_RpDvB=pdLLd/Uld83zppTBugfvzV3qU/DT8DH6cCvgfxBrhLUtUwT//jVKVHZ9RU7djtXETdxmzw==&5j=NVYduv
DE
html
823 b
malicious
2044
explorer.exe
GET
301
59.106.152.68:80
http://www.keian-smile.com/as/?_RpDvB=fGhF7T8oXAktrvdEPyK8pkF2zkAo4u5BM0QZJhhJltbkiM271g99qPz8/7Tmyk2TUH6pPA==&5j=NVYduv
JP
malicious
2044
explorer.exe
POST
404
199.192.26.4:80
http://www.craxiny.com/as/
US
html
291 b
malicious
2044
explorer.exe
POST
199.192.26.4:80
http://www.craxiny.com/as/
US
malicious
2044
explorer.exe
POST
404
199.192.26.4:80
http://www.craxiny.com/as/
US
html
291 b
malicious
2044
explorer.exe
POST
59.106.152.68:80
http://www.keian-smile.com/as/
JP
malicious
2044
explorer.exe
POST
59.106.152.68:80
http://www.keian-smile.com/as/
JP
malicious
2044
explorer.exe
POST
59.106.152.68:80
http://www.keian-smile.com/as/
JP
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2044
explorer.exe
59.106.152.68:80
www.keian-smile.com
SAKURA Internet Inc.
JP
malicious
2044
explorer.exe
217.160.0.195:80
www.amphibricks.store
1&1 Internet SE
DE
malicious
1816
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2044
explorer.exe
199.192.26.4:80
www.craxiny.com
US
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.amphibricks.store
  • 217.160.0.195
malicious
www.craxiny.com
  • 199.192.26.4
malicious
www.transparent-funding.com
unknown
www.keian-smile.com
  • 59.106.152.68
malicious
www.marcusism.com
unknown
www.qhdcex.com
unknown
www.488rax.info
unknown
www.igorgalanin.net
unknown
www.topgurutools.com
unknown

Threats

PID
Process
Class
Message
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
2044
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
7 ETPRO signatures available at the full report
No debug info