| Field | Value |
|---|---|
| File name | sample.zip |
| Full analysis | https://app.any.run/tasks/ceee711e-2d7d-4b9d-9832-abfd92cd1bcf |
| Verdict | Malicious activity |
| Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. |
| Analysis date | October 09, 2019, 18:57:21 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | A549CA865410281651EA193821C840B4 |
| SHA1 | A53298257234F4F03D4DECBDBB4F101AA45BF72F |
| SHA256 | 664B8B716AA93A382169ED1BF7D46D3F24C89693A7559E213386F09617D108C4 |
| SSDEEP | 49152:abVC9A+ityAhirzBSqaggH+V6swknZEiN9Xxn1j1dYarDhUaCjpaZGpRi/D:SMAtQAM3s47sQZtZx1jZU6E/iL |
| Archive field | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipFileName | ad95f2cfcef3f27f0b7f57235108cb3855160fa8363c50ac82b9c712abb50436.bin |
| ZipUncompressedSize | 5258618 |
| ZipCompressedSize | 2932102 |
| ZipCRC | 0x8f6714c4 |
| ZipModifyDate | 2019:10:09 18:57:02 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0001 |
| ZipRequiredVersion | 788 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1708 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\dfjhdfjsdgjksd.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 1944 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 2944 | C:\Users\admin\AppData\Local\Temp\APPS.exe | C:\Users\admin\AppData\Local\Temp\APPS.exe | — | EQNEDT32.EXE | User: admin; Company: LaKala; Integrity Level: MEDIUM; Description: Incmpatibilities Tester Summaryin Infogrames; Exit code: 0 |
| 2360 | "C:\Windows\System32\autochk.exe" | C:\Windows\System32\autochk.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Auto Check Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1408 | "C:\Windows\System32\nbtstat.exe" | C:\Windows\System32\nbtstat.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP NetBios Information; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1812 | /c del "C:\Users\admin\AppData\Local\Temp\APPS.exe" | C:\Windows\System32\cmd.exe | — | nbtstat.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 236 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2888 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | nbtstat.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 68.0.1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1708.46712\ad95f2cfcef3f27f0b7f57235108cb3855160fa8363c50ac82b9c712abb50436.bin | — | — | — |
| 236 | explorer.exe | C:\Users\admin\Desktop\ad95f2cfcef3f27f0b7f57235108cb3855160fa8363c50ac82b9c712abb50436.bin | — | — | — |
| 236 | explorer.exe | C:\Users\admin\Desktop\dfjhdfjsdgjksd.doc | — | — | — |
| 236 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019092020190921\index.dat | — | — | — |
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8147.tmp.cvr | — | — | — |
| 236 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019100920191010\index.dat | dat | BC5A813A761A5AB5633171F8AA41A0BC | 6B40ECE41F99B383480D6C2B774A26000350D837325280C8135B0507AFDD043C |
| 1944 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\APPS.exe | executable | 7A226AD8287358DAB94078A68AE86482 | A7EBD14221173546D732E1AAAA0B065DCFC6B52287FC02CE3C1442E8CC162B66 |
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 223B7F9788E04E6A2BE3676F7BA32F42 | 8C6E6111DD1E7C4F5707CB5798CBD5A08F95F8803EF9C1155CEEE33CC10F52A1 |
| 236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\dfjhdfjsdgjksd.doc.lnk | lnk | EAF8469725B19188936CAE536D8681A1 | 9311F5D1FD2385C6C6CF02A5899BE983D7580026137D011767A6609245121B7D |
| 2972 | WINWORD.EXE | C:\Users\admin\Desktop\~$jhdfjsdgjksd.doc | pgc | 2B987B74DA32AA03B1006D41F9783BEB | 672DACB3C684B2A3BBF8FBFFB76C88E0CC1A8F4B5A3FE714CA2BD350C20A1630 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
236 | explorer.exe | GET | — | 104.233.144.35:80 | http://www.depdon.com/lv/?Wx=oYmyD1EPh9lisvu5gS6k02Qj9+nAkGXYa+DzKE6VIfuUOSZxawtEEcmQslLBQZaASA359Q==&v2=lhnxV&sql=1 | US | — | — | malicious |
236 | explorer.exe | GET | — | 184.168.221.62:80 | http://www.monzastay.com/lv/?Wx=RImbpUNXckn0XbKrGmnySSVTo2Ci0DqcIwBttGzgOeJ4MFXVjjiYV30ItESdaPDlA9UzXw==&v2=lhnxV | US | — | — | malicious |
236 | explorer.exe | GET | — | 198.54.117.217:80 | http://www.hiddenhedonism.com/lv/?Wx=TtXFDlShZhOPCKZrOGb4ti1yAyDk3fOyZfqEPSWKu/3xfC7Edp9wXVAwRdoi58ux2I+0FA==&v2=lhnxV&sql=1 | US | — | — | malicious |
236 | explorer.exe | POST | — | 198.54.117.217:80 | http://www.hiddenhedonism.com/lv/ | US | — | — | malicious |
236 | explorer.exe | GET | — | 207.148.248.143:80 | http://www.allforensics.com/lv/?Wx=HrZypzIbaH+QzmXx54TvdqgZ/FptgsfRPoMCK4Y5sqn07lTyg2TE/HHuq+9rQkYYhqTFPQ==&v2=lhnxV&sql=1 | US | — | — | malicious |
236 | explorer.exe | POST | — | 104.233.144.35:80 | http://www.depdon.com/lv/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 104.233.144.35:80 | http://www.depdon.com/lv/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 198.54.117.217:80 | http://www.hiddenhedonism.com/lv/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 207.148.248.143:80 | http://www.allforensics.com/lv/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 207.148.248.143:80 | http://www.allforensics.com/lv/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1944 | EQNEDT32.EXE | 169.255.56.103:443 | alwetengroup.com | Web4Africa | ZA | malicious |
236 | explorer.exe | 198.54.117.217:80 | www.hiddenhedonism.com | Namecheap, Inc. | US | malicious |
236 | explorer.exe | 104.233.144.35:80 | www.depdon.com | PEG TECH INC | US | malicious |
— | — | 104.233.144.35:80 | www.depdon.com | PEG TECH INC | US | malicious |
236 | explorer.exe | 184.168.221.62:80 | www.monzastay.com | GoDaddy.com, LLC | US | malicious |
— | — | 207.148.248.143:80 | www.allforensics.com | The Endurance International Group, Inc. | US | malicious |
236 | explorer.exe | 207.148.248.143:80 | www.allforensics.com | The Endurance International Group, Inc. | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| alwetengroup.com | — | malicious |
| www.monzastay.com | — | malicious |
| www.elementares-experten.com | — | unknown |
| www.hiddenhedonism.com | — | malicious |
| www.tv16543.info | — | unknown |
| www.vbvhjx.com | — | unknown |
| www.wardenmon.com | — | unknown |
| www.depdon.com | — | malicious |
| www.catechesisacco.com | — | unknown |
| www.tushenli.com | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |