File name: | Purchase Order.arj |
Full analysis: | https://app.any.run/tasks/9d32b584-863a-468b-8aa7-4e4f45388e0a |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | November 15, 2018, 10:54:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 8E7AC1F05894DCF6EE37A74013012AE4 |
SHA1: | 50FE653F624F4264CEA4967E30BE64D0B38AB246 |
SHA256: | 6248CE89DE74766D0E4A1E17BBFDF2379F644BF7C6A724E6F0D08FE0EECC0258 |
SSDEEP: | 3072:BEQlpclrYal2pho+0HjUGaZIk7VJLc9wXHRgAaZpViHVqgG:BNKYal0hoJAhVJgqXHRBaZpV2zG |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3440 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Purchase Order.arj.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3492 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3440.29664\Purchase Order.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3440.29664\Purchase Order.exe | — | WinRAR.exe |
User: admin Company: lexus Integrity Level: MEDIUM Description: lexus Exit code: 0 Version: 3.01.0009 | ||||
3096 | "C:\Windows\System32\rundll32.exe" | C:\Windows\System32\rundll32.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2920 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa3440.29664\Purchase Order.exe" | C:\Windows\System32\cmd.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3036 | "C:\Users\admin\Desktop\Purchase Order.exe" | C:\Users\admin\Desktop\Purchase Order.exe | — | explorer.exe |
User: admin Company: lexus Integrity Level: MEDIUM Description: lexus Exit code: 0 Version: 3.01.0009 | ||||
2568 | "C:\Windows\System32\msiexec.exe" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1604 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
800 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4008 | "C:\Program Files\Mib8x\Cookies8pr.exe" | C:\Program Files\Mib8x\Cookies8pr.exe | — | explorer.exe |
User: admin Company: lexus Integrity Level: MEDIUM Description: lexus Exit code: 0 Version: 3.01.0009 | ||||
3944 | "C:\Windows\System32\raserver.exe" | C:\Windows\System32\raserver.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Remote Assistance COM Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Purchase Order.arj.rar | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3440) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (1604) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList |
Operation: | write | Name: | a |
Value: WinRAR.exe | |||
(PID) Process: | (1604) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList |
Operation: | write | Name: | MRUList |
Value: a |
PID | Process | Filename | Type | |
---|---|---|---|---|
3492 | Purchase Order.exe | C:\Users\admin\AppData\Local\Temp\~DF7A8E4187DDA1F19F.TMP | — | |
MD5:— | SHA256:— | |||
3440 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.33216\Purchase Order.exe | — | |
MD5:— | SHA256:— | |||
3036 | Purchase Order.exe | C:\Users\admin\AppData\Local\Temp\~DF65952AA47F85ED11.TMP | — | |
MD5:— | SHA256:— | |||
3440 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3440.29664\Purchase Order.exe | executable | |
MD5:A66C424561A0BEC72B26D60EF6F89F08 | SHA256:BB13134A94DB7D51E1459DB9087CA1A9F0DCB01A15A69FB7CC3A5BA08823B0E6 | |||
3096 | rundll32.exe | C:\Users\admin\AppData\Roaming\LMO8QCRE\LMOlogrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
800 | DllHost.exe | C:\Program Files\Mib8x\Cookies8pr.exe | executable | |
MD5:A66C424561A0BEC72B26D60EF6F89F08 | SHA256:BB13134A94DB7D51E1459DB9087CA1A9F0DCB01A15A69FB7CC3A5BA08823B0E6 | |||
1604 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Purchase Order.arj.rar.lnk | lnk | |
MD5:AC0A025239BFB78810C7B865ED09A603 | SHA256:B4BE9F90EC070B4E7C31EB7C5B8F4DADB4DC820E03A676A3BEB24EC0F53EFC99 | |||
1604 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | |
MD5:D452B4348AE100623699834CF01CF004 | SHA256:DE376493BC9454A36B7F981FC367BB41B2C268AB1BA6FB571092FEFEE3975924 | |||
1604 | explorer.exe | C:\Users\admin\Desktop\Purchase Order.exe | executable | |
MD5:A66C424561A0BEC72B26D60EF6F89F08 | SHA256:BB13134A94DB7D51E1459DB9087CA1A9F0DCB01A15A69FB7CC3A5BA08823B0E6 | |||
1604 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:6C21A219A7DA3CCD7A195D2B08221EBA | SHA256:D0D5C02A802BDAAB26E4706EF49872F2607C40846A89D650E9B0570F47388434 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1604 | explorer.exe | POST | — | 47.254.39.76:80 | http://www.zhuizhai.site/uc/ | US | — | — | malicious |
1604 | explorer.exe | POST | — | 199.192.21.143:80 | http://www.sezop.com/uc/ | US | — | — | malicious |
1604 | explorer.exe | GET | — | 51.255.102.144:80 | http://www.dentistry-apple.com/uc/?KnJHv=vQ62Y96vJbHz2CgShJfup2mhn1AxM1ZNaogWBHTfwRu/Ys9s6l7v4QF6jcXQDRlhKJKZpA==&ppv=K2KdTZix8vZDAFKP | FR | — | — | malicious |
1604 | explorer.exe | POST | — | 199.192.21.143:80 | http://www.sezop.com/uc/ | US | — | — | malicious |
1604 | explorer.exe | POST | — | 47.254.39.76:80 | http://www.zhuizhai.site/uc/ | US | — | — | malicious |
1604 | explorer.exe | GET | 403 | 47.254.39.76:80 | http://www.zhuizhai.site/uc/?KnJHv=3CZTDHn4u0xx0D9ZJAa1wC1JYCuuoDGZd9kjSBl1n8AxfdxGv7OFiAsqh3n3RWCEM+c3rg==&ppv=K2KdTZix8vZDAFKP&sql=1 | US | html | 724 b | malicious |
1604 | explorer.exe | POST | 404 | 199.192.21.143:80 | http://www.sezop.com/uc/ | US | html | 287 b | malicious |
1604 | explorer.exe | GET | 404 | 199.192.21.143:80 | http://www.sezop.com/uc/?KnJHv=zg1s9sLMXWbjwxN8cTinTb+bqQMqR9FxD0rKLxMvrlZtVXAVSUsJNdRjsBstTRhACiUHSw==&ppv=K2KdTZix8vZDAFKP&sql=1 | US | html | 326 b | malicious |
1604 | explorer.exe | GET | 302 | 54.208.56.179:80 | http://www.clscammers.com/uc/?KnJHv=0CLUVPlbpIPwqcDS6LIOuvsVHT2eSl5h11r/r+vjFCNnSAX6B3GUHJ9Sm+eW0v5PNOCDFA==&ppv=K2KdTZix8vZDAFKP | US | html | 186 b | malicious |
1604 | explorer.exe | POST | — | 199.192.21.143:80 | http://www.sezop.com/uc/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1604 | explorer.exe | 199.192.21.143:80 | www.sezop.com | — | US | malicious |
1604 | explorer.exe | 47.254.39.76:80 | www.zhuizhai.site | Alibaba (China) Technology Co., Ltd. | US | malicious |
1604 | explorer.exe | 54.208.56.179:80 | www.clscammers.com | Amazon.com, Inc. | US | malicious |
1604 | explorer.exe | 51.255.102.144:80 | www.dentistry-apple.com | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.kxaww.loan |
| unknown |
www.clscammers.com |
| malicious |
www.zhuizhai.site |
| malicious |
dns.msftncsi.com |
| shared |
www.sezop.com |
| malicious |
www.jkgfiuyfujhnow.online |
| unknown |
www.dentistry-apple.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1604 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |