Field | Value
---|---
File name | 000450978.z
Full analysis | https://app.any.run/tasks/e233a8f2-b8b1-4f10-b8f1-c3c7235b2294
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware by its extreme ease of use, which allows even inexperienced threat actors to deploy it.
Analysis date | February 19, 2019, 09:00:15
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | D2AE5B9775646F68E851C318B93BC1BE
SHA1 | 310C54A6666E344D7B33451F0C0F5DF820C9CF1E
SHA256 | 4DC363E46FA9B087D78B77E6271F72BD3B11A7B880952033CC3C96D45E27E7C9
SSDEEP | 6144:WWQvPjl5CCvYi4N7J81wg0wwir/Yij0V3QiqRhR59MY23jehEboQPd:WH3jTC0/qJ86w7jC6D9e3jn0QPd
Extension | File type | Match (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2836 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\000450978.z.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | — | 5.60.0
2748 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.34685\000450978.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.34685\000450978.exe | — | WinRAR.exe | admin | — | MEDIUM | MESOPODIUM | 0 | 1.01.0003
2456 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.34685\000450978.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.34685\000450978.exe | — | 000450978.exe | admin | — | MEDIUM | MESOPODIUM | 0 | 1.01.0003
2788 | "C:\Windows\System32\audiodg.exe" | C:\Windows\System32\audiodg.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Audio Device Graph Isolation | — | 6.1.7600.16385 (win7_rtm.090713-1255)
3696 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.34685\000450978.exe" | C:\Windows\System32\cmd.exe | — | audiodg.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | admin | Microsoft Corporation | MEDIUM | Windows Explorer | — | 6.1.7600.16385 (win7_rtm.090713-1255)
3420 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | audiodg.exe | admin | Mozilla Corporation | MEDIUM | Firefox | 0 | 61.0.2
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | —
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | —
2836 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\000450978.z.rar
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2836 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
116 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList | write | a | WinRAR.exe
116 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList | write | MRUList | a
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2748 | 000450978.exe | C:\Users\admin\AppData\Local\Temp\~DF95E8AA09BA8D4B1A.TMP | binary | A492CAEBFCE5021D715F4FEAA38F6BA6 | 10750F6497A16178A1CF9DBF80A3625CFBE005C6E34EEB3609BB6EFCD1568FF7
2836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2836.34685\000450978.exe | executable | 290C078341504D9F5B20DA6557223F06 | CBB3E8E4722C16264DA072B477257F0DF9DEE5106535A6A87DBB81F2C44F3337
2788 | audiodg.exe | C:\Users\admin\AppData\Roaming\N98OS2QE\N98logrc.ini | binary | 4B6CE0D9026E996FD95A749AE35238BC | 2E4B3BE3E33A025A92991759AF12231661DA82330FBCA2E8E5D994DC68A2F8B8
2788 | audiodg.exe | C:\Users\admin\AppData\Roaming\N98OS2QE\N98logim.jpeg | image | E1DAE61ED623EE0F311CD496ECB8F701 | C311AB17A62CCB9A4D99320080BCB689E1A92AA824B5931EBB0B5F3DB2C62998
3420 | Firefox.exe | C:\Users\admin\AppData\Roaming\N98OS2QE\N98logrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
2788 | audiodg.exe | C:\Users\admin\AppData\Roaming\N98OS2QE\N98logri.ini | binary | D63A82E5D81E02E399090AF26DB0B9CB | EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
2788 | audiodg.exe | C:\Users\admin\AppData\Roaming\N98OS2QE\N98logrv.ini | binary | BA3B6BC807D4F76794C4B81B09BB9BA5 | 6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | — | 204.11.56.48:80 | http://www.gamingconsolenetwork.com/kd/?Lh54A=BxS8eNHVgWLybuyGxx4TfLkbPNW8sWxDqFQyD7zGpVpg8+i1L5T4X43/+1ee42tPltKIXA==&URpX=D8TpFTbpXv5 | VG | — | — | malicious |
116 | explorer.exe | GET | 301 | 66.235.200.2:80 | http://www.galeforcetech-nw.com/kd/?Lh54A=ZMY1XubB8bNxPiz8+XgMc2900i3yA1TEm7iu6rHl0FB+RZn9S70Ay6qrWSii1TYdtePhqQ==&URpX=D8TpFTbpXv5&sql=1 | US | — | — | malicious |
116 | explorer.exe | GET | — | 95.128.113.25:80 | http://www.nstxuae.com/kd/?Lh54A=OyXRA/b5eRDO1SIc/0uBJcZOqtRSEAb3CwTOJhh9rgK2vPJcgmrsdhlVjEiaEb1bVMDCUw==&URpX=D8TpFTbpXv5&sql=1 | SE | — | — | malicious |
116 | explorer.exe | POST | — | 66.235.200.2:80 | http://www.galeforcetech-nw.com/kd/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 66.235.200.2:80 | http://www.galeforcetech-nw.com/kd/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 66.235.200.2:80 | http://www.galeforcetech-nw.com/kd/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 95.128.113.25:80 | http://www.nstxuae.com/kd/ | SE | — | — | malicious |
116 | explorer.exe | POST | — | 95.128.113.25:80 | http://www.nstxuae.com/kd/ | SE | — | — | malicious |
116 | explorer.exe | POST | — | 95.128.113.25:80 | http://www.nstxuae.com/kd/ | SE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 204.11.56.48:80 | www.gamingconsolenetwork.com | Confluence Networks Inc | VG | malicious |
— | — | 66.235.200.2:80 | www.galeforcetech-nw.com | — | US | malicious |
116 | explorer.exe | 66.235.200.2:80 | www.galeforcetech-nw.com | — | US | malicious |
116 | explorer.exe | 95.128.113.25:80 | www.nstxuae.com | Forss Webservice AB | SE | malicious |
Domain | IP | Reputation
---|---|---
www.dyor5xmdns5.com | — | unknown
www.floordynasty.com | — | unknown
www.gamingconsolenetwork.com | — | malicious
www.31bp.com | — | unknown
dns.msftncsi.com | — | shared
www.cvprd.info | — | unknown
www.galeforcetech-nw.com | — | malicious
www.biographical-ex.com | — | unknown
www.hr-zhou.com | — | unknown
www.fuseforces.com | — | unknown
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |