Field | Value
---|---
File name | Re_ Fw_ Orders HT-21 HT-22 HT-23 and HT-24.eml.msg
Full analysis | https://app.any.run/tasks/b95dbb08-a073-4a76-8cc7-eb5b3e0b70aa
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.
Analysis date | July 17, 2019, 05:06:24
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 1804738A234001B18023ED0A1D987745
SHA1 | 072248EC850957C58DF60F2D206385F80A5B00F6
SHA256 | 3CD4B087D1413C5DE1E89567CA6607716AC1A751777842D316B0251B42299570
SSDEEP | 6144:jnwmV4kLoD/0SsdoCbZ50MI1bjF9UDlD9Bpd1hnXB9zh80JXl1ZL:EUxw/56XKbjTUDlD9Bpd1hnXV8q
Extension | File type (score)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2868 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Re_ Fw_ Orders HT-21 HT-22 HT-23 and HT-24.eml.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 | | |
2484 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\scan_orderlist.pdf.z" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
 | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | |
4092 | "C:\Users\admin\Desktop\scan_orderlist.pdf.arj.exe" | C:\Users\admin\Desktop\scan_orderlist.pdf.arj.exe | — | explorer.exe
 | User: admin; Company: PRESQUEISLE; Integrity Level: MEDIUM; Description: outbaked10; Exit code: 0; Version: 1.05.0005 | | |
2984 | C:\Users\admin\Desktop\scan_orderlist.pdf.arj.exe" | C:\Users\admin\Desktop\scan_orderlist.pdf.arj.exe | — | scan_orderlist.pdf.arj.exe
 | User: admin; Company: PRESQUEISLE; Integrity Level: MEDIUM; Description: outbaked10; Exit code: 0; Version: 1.05.0005 | | |
300 | "C:\Windows\System32\autochk.exe" | C:\Windows\System32\autochk.exe | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Auto Check Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
2768 | "C:\Windows\System32\NAPSTAT.EXE" | C:\Windows\System32\NAPSTAT.EXE | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Network Access Protection Client UI; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
3616 | /c del "C:\Users\admin\Desktop\scan_orderlist.pdf.arj.exe" | C:\Windows\System32\cmd.exe | — | NAPSTAT.EXE
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | |
284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
3028 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | NAPSTAT.EXE
 | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 67.0.4 | | |
3648 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | — | svchost.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
PID | Process | Filename | Type
---|---|---|---
2868 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRAC4D.tmp.cvr | —
 | MD5: —; SHA256: — | |
2868 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
 | MD5: F34827E6EF8620152F07BC897CB7E8E9; SHA256: 6DF78422C8CD85351E9F094A3860CB3FD0936CE045D597D1E7EB4FC6FE3BE856 | |
2868 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_3FB77F51CFAD4C42B7681511CA9E3C13.dat | xml
 | MD5: 807EF0FC900FEB3DA82927990083D6E7; SHA256: 4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913 | |
2868 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3SPXWDOZ\scan_orderlist pdf.z | compressed
 | MD5: 38F7F44D830CB9ED7453C66E49525D09; SHA256: 6BA796BC831D3643199472E45601D3F8FE5A0D09BAF733CA910CC196FBE8EFAC | |
2868 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D949C672-2E22-40B5-AFDD-BD4F93BB1A22}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image
 | MD5: 7D80C0A7E3849818695EAF4989186A3C; SHA256: 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 | |
2868 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_40B13E8EA29F5A46A3C6AF168C7ED731.dat | xml
 | MD5: EEAA832C12F20DE6AAAA9C7B77626E72; SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |
2484 | WinRAR.exe | C:\Users\admin\Desktop\scan_orderlist.pdf.arj.exe | executable
 | MD5: 7037E5ACB437DF2EB85EFB8268E2E368; SHA256: 44F1E7F18CA91C5B92EB373F98A9947E38970EBDD00E3B6346D9CE6341FEC0D3 | |
2768 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\0415T74-\041logrc.ini | binary
 | MD5: BB0BE4A1590C6350E4EC2974BB1C098B; SHA256: 7BED4626B2F3BE5F8A0D8C5A62509A6DEFCF3C3755A174232563906D8E72800F | |
284 | explorer.exe | C:\Users\admin\Desktop\scan_orderlist.pdf.z | compressed
 | MD5: 38F7F44D830CB9ED7453C66E49525D09; SHA256: 6BA796BC831D3643199472E45601D3F8FE5A0D09BAF733CA910CC196FBE8EFAC | |
284 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms
 | MD5: E3DEBC255882A856B6060F464EF5A8ED; SHA256: C6BBE95DDDA98E38BFBE29A5AADF37A52AE3336F2419E67E8652196981A73F83 | |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
284 | explorer.exe | GET | 302 | 116.126.87.41:80 | http://www.xn--2i0b75t9wjorjmwe.net/l33/?zZq4AN=1niNeTCn0jKiIV8BDVRx9A/ge6jZqcX9jCXONuILogaAwOZypL1W2jtq2quzIcM46DqRwQ==&T6Q=OvRHThj0ZdnxWJ | KR | — | — | malicious |
2868 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
284 | explorer.exe | GET | — | 184.95.34.196:80 | http://www.ikatpinggangsekolah.com/l33/?zZq4AN=avqyND3OTwU1m5yk1GEHGfyW5b76PBOcsUlSM0fHFLMKM6hAMiwPhviQgBuWGG/r16PkHA==&T6Q=OvRHThj0ZdnxWJ&sql=1 | US | — | — | malicious |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.fotoloto.com/l33/ | US | — | — | shared |
284 | explorer.exe | POST | — | 37.17.224.128:80 | http://www.productact.com/l33/ | DE | — | — | malicious |
284 | explorer.exe | POST | — | 37.17.224.128:80 | http://www.productact.com/l33/ | DE | — | — | malicious |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.etauae.com/l33/ | US | — | — | shared |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.etauae.com/l33/ | US | — | — | shared |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.fotoloto.com/l33/ | US | — | — | shared |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.etauae.com/l33/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
284 | explorer.exe | 37.17.224.128:80 | www.productact.com | First Colo GmbH | DE | malicious |
284 | explorer.exe | 23.20.239.12:80 | www.etauae.com | Amazon.com, Inc. | US | shared |
284 | explorer.exe | 116.126.87.41:80 | www.xn--2i0b75t9wjorjmwe.net | SK Broadband Co Ltd | KR | malicious |
284 | explorer.exe | 184.95.34.196:80 | www.ikatpinggangsekolah.com | SECURED SERVERS LLC | US | malicious |
2868 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
— | — | 23.20.239.12:80 | www.etauae.com | Amazon.com, Inc. | US | shared |
284 | explorer.exe | 162.213.249.180:80 | www.mansiobbok.info | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
www.xn--2i0b75t9wjorjmwe.net | — | malicious
www.etauae.com | — | shared
www.productact.com | — | malicious
www.fotoloto.com | — | shared
www.ikatpinggangsekolah.com | — | malicious
www.mansiobbok.info | — | malicious
www.kqhgh.com | — | unknown
www.trollingpotus.com | — | shared
PID | Process | Class | Message |
---|---|---|---|
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |