analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FinCERT_BAPB_MLW2019052001.zip

Full analysis: https://app.any.run/tasks/5b77781c-6a12-4528-ab61-832b023e97c0
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: May 20, 2019, 10:35:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
trojan
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B7FF2DD4399EC4F52716165B2A8016FE

SHA1:

D7218E938E1AEB2E017348720AEE6133E0778566

SHA256:

3C4570155FD02A458055D4B9596C0CE4B8A6D7754D474847961A26CB91E23B9C

SSDEEP:

12288:Gbw/Ly9ZId9biyqeoxEW/dAN+pcWs3ZnDYqIuIu:Gc/+Zu5oxEEdAN+pcWs31YMT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Specifications PO#7376153353.scr (PID: 3396)
      • Specifications PO#7376153353.scr (PID: 2496)
    • FORMBOOK was detected

      • explorer.exe (PID: 116)
    • Changes the autorun value in the registry

      • cmstp.exe (PID: 3160)
    • Formbook was detected

      • Firefox.exe (PID: 2156)
      • cmstp.exe (PID: 3160)
    • Actions looks like stealing of personal data

      • cmstp.exe (PID: 3160)
    • Connects to CnC server

      • explorer.exe (PID: 116)
    • Stealing of credential data

      • cmstp.exe (PID: 3160)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 116)
      • OUTLOOK.EXE (PID: 3364)
      • cmstp.exe (PID: 3160)
    • Starts application with an unusual extension

      • explorer.exe (PID: 116)
      • Specifications PO#7376153353.scr (PID: 2496)
    • Application launched itself

      • Specifications PO#7376153353.scr (PID: 2496)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3000)
      • DllHost.exe (PID: 1424)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3364)
      • explorer.exe (PID: 116)
    • Executed via COM

      • DllHost.exe (PID: 1424)
    • Starts CMD.EXE for commands execution

      • cmstp.exe (PID: 3160)
    • Loads DLL from Mozilla Firefox

      • cmstp.exe (PID: 3160)
  • INFO

    • Manual execution by user

      • OUTLOOK.EXE (PID: 3364)
      • Specifications PO#7376153353.scr (PID: 2496)
      • WinRAR.exe (PID: 1868)
      • WinRAR.exe (PID: 3000)
      • cmstp.exe (PID: 3160)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3612)
      • explorer.exe (PID: 116)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3364)
    • Creates files in the user directory

      • Firefox.exe (PID: 2156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:05:20 11:40:15
ZipCRC: 0xe50f1749
ZipCompressedSize: 249628
ZipUncompressedSize: 359747
ZipFileName: [Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
11
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs outlook.exe winrar.exe no specs specifications po#7376153353.scr no specs specifications po#7376153353.scr no specs winrar.exe Copy/Move/Rename/Delete/Link Object #FORMBOOK cmstp.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3612"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019052001.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3364"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
1868"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Specifications PO#7376153353.z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2496"C:\Users\admin\Desktop\Specifications PO#7376153353.scr" /SC:\Users\admin\Desktop\Specifications PO#7376153353.screxplorer.exe
User:
admin
Company:
boilover4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.04.0001
3396C:\Users\admin\Desktop\Specifications PO#7376153353.scr" /SC:\Users\admin\Desktop\Specifications PO#7376153353.scrSpecifications PO#7376153353.scr
User:
admin
Company:
boilover4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.04.0001
3000"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Specifications PO#7376153353.z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1424C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3160"C:\Windows\System32\cmstp.exe"C:\Windows\System32\cmstp.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Version:
7.02.7600.16385 (win7_rtm.090713-1255)
1204/c del "C:\Users\admin\Desktop\Specifications PO#7376153353.scr"C:\Windows\System32\cmd.execmstp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
6 079
Read events
5 256
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
80
Text files
25
Unknown types
10

Dropped files

PID
Process
Filename
Type
3364OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR334D.tmp.cvr
MD5:
SHA256:
3364OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp360D.tmp
MD5:
SHA256:
3364OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\OZGOJ0WT\Specifications PO#7376153353 (2).z\:Zone.Identifier:$DATA
MD5:
SHA256:
116explorer.exeC:\Users\admin\Desktop\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.emleml
MD5:E10B101E4EE904576BCC5886D0231E91
SHA256:BEA309477A4DC57CB4E579229FDCFC78A8D88B1EF42AAAC87BACA2D9CCE2FD7D
116explorer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019052020190521\index.datdat
MD5:7DDCE8ECC345C2703EB1280F15E2BDEA
SHA256:9001A29565C3D1F1E28FA3A976C4005DF9EBBA8D7D0EA2A6AF5AAED24E4B45FC
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3612.6291\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.emleml
MD5:E10B101E4EE904576BCC5886D0231E91
SHA256:BEA309477A4DC57CB4E579229FDCFC78A8D88B1EF42AAAC87BACA2D9CCE2FD7D
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\[Content_Attachment] ITEM SPECIFICATIONS PO#7376153353.eml.lnklnk
MD5:AC521EAFF9D0CFBA15DA9A6958C9B07D
SHA256:67A6EB6A44B11C4683E938E434653A483D5926E6746742869D996A2D8A5CDF40
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:7165E7D672B832DFD6F37B8FED2D3BEA
SHA256:20F0EC8F88E71CAA004A76CF749E0824172F8B453672A90DD2460AD1499E5EDC
1868WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1868.9454\Specifications PO#7376153353.scr
MD5:
SHA256:
3364OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:4733521CEA0D609BFC4B639C0849BC90
SHA256:F53D6CD4EA0C420DCE7D5CA030944E50D55B4FD5E743E50F7028130293FBCDB1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
10
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3364
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
116
explorer.exe
GET
404
172.217.23.147:80
http://www.trans-vision1.com/as/?ZNyLQJ5p=cj1+ykD9txvswXFv8x21H6vIiG+AxJEtbyX43MaDgWFXdTlwih0wBTSk0iAtNxtIG8Lc5w==&jLSd6=TX2HMz9HzbFXJf
US
html
1.63 Kb
malicious
116
explorer.exe
POST
217.160.0.195:80
http://www.amphibricks.store/as/
DE
malicious
116
explorer.exe
POST
217.160.0.195:80
http://www.amphibricks.store/as/
DE
malicious
116
explorer.exe
POST
217.160.0.195:80
http://www.amphibricks.store/as/
DE
malicious
116
explorer.exe
POST
46.4.104.126:80
http://www.vuzaninfotech.com/as/
DE
malicious
116
explorer.exe
GET
301
46.4.104.126:80
http://www.vuzaninfotech.com/as/?ZNyLQJ5p=iHqEUX2Hpq5Mq4ZzQdCe1AryMx1HH+sw8T5m2fGabXvkcLknp6Bz8IRs8M9OGafMzKfrLQ==&jLSd6=TX2HMz9HzbFXJf&sql=1
DE
html
358 b
malicious
116
explorer.exe
POST
46.4.104.126:80
http://www.vuzaninfotech.com/as/
DE
malicious
116
explorer.exe
POST
46.4.104.126:80
http://www.vuzaninfotech.com/as/
DE
malicious
116
explorer.exe
GET
404
217.160.0.195:80
http://www.amphibricks.store/as/?ZNyLQJ5p=pdLLd/Uld83zppTBugfvzV3qU/DT8DH6cCvgfxBrhLUtUwT//jVKVHZ9RU7djtXETdxmzw==&jLSd6=TX2HMz9HzbFXJf&sql=1
DE
html
823 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3364
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
116
explorer.exe
217.160.0.195:80
www.amphibricks.store
1&1 Internet SE
DE
malicious
116
explorer.exe
172.217.23.147:80
www.trans-vision1.com
Google Inc.
US
whitelisted
217.160.0.195:80
www.amphibricks.store
1&1 Internet SE
DE
malicious
116
explorer.exe
46.4.104.126:80
www.vuzaninfotech.com
Hetzner Online GmbH
DE
malicious
46.4.104.126:80
www.vuzaninfotech.com
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.trans-vision1.com
  • 172.217.23.147
malicious
www.199septonne.com
unknown
www.ilc2018.info
unknown
www.runscan2156.win
unknown
www.vuzaninfotech.com
  • 46.4.104.126
malicious
www.live-roulettes-casino.com
unknown
www.alittletouchofeverything.com
unknown
www.hgrnonline.com
unknown
www.amphibricks.store
  • 217.160.0.195
malicious

Threats

PID
Process
Class
Message
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
7 ETPRO signatures available at the full report
No debug info