File name: Re MRV202407107 (PO0162).eml

Full analysis: https://app.any.run/tasks/463c21ec-bddf-42cd-b47c-622d3df5401a
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: August 06, 2024, 10:17:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: formbook, xloader
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with CRLF line terminators
MD5: 5BEC3CD36EC134ECF81300138A679F8E
SHA1: 5B0F4F19B8BADC1EE8B59955585DC6A1FFC49CA0
SHA256: 6963B9192DF3B889181DAE3940DAB7C3C074C4E3BCC4E8398AAF7627E82064EF
SSDEEP: 24576:AlHR6L7dpd3cNC2gPYF/VqlzfqtsMqWarjkEVmeLbCOa44wNN:Ky7T1IwlzxMqiEAeLDNN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from MS Outlook

      • OUTLOOK.EXE (PID: 2440)
    • FORMBOOK has been detected (YARA)

      • DpiScaling.exe (PID: 2716)
      • DpiScaling.exe (PID: 2248)
      • wab.exe (PID: 2080)
      • wmplayer.exe (PID: 2352)
    • Changes the autorun value in the registry

      • DpiScaling.exe (PID: 2804)
    • Starts Visual C# compiler

      • usd 47180.exe (PID: 2416)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • OUTLOOK.EXE (PID: 2440)
    • Process drops legitimate windows executable

      • OUTLOOK.EXE (PID: 2440)
      • WinRAR.exe (PID: 2500)
    • The process executes VB scripts

      • usd 47180.exe (PID: 2416)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2500)
    • Starts CMD.EXE for commands execution

      • usd 47180.exe (PID: 2416)
  • INFO

    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 2440)
      • WinRAR.exe (PID: 2500)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2500)
      • OUTLOOK.EXE (PID: 2440)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2500)
    • Checks supported languages

      • wab.exe (PID: 2080)
      • wab.exe (PID: 2012)
      • wab.exe (PID: 1276)
      • wmplayer.exe (PID: 2352)
      • usd 47180.exe (PID: 2416)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 24
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown (processes labelled "no specs" have no detailed record; "#FORMBOOK" marks the YARA detection):
  • outlook.exe
  • winrar.exe
  • usd 47180.exe
  • iexplore.exe (no specs)
  • cmd.exe (no specs)
  • aspnet_wp.exe (no specs)
  • svchost.exe (no specs)
  • calc.exe (no specs)
  • csc.exe (no specs)
  • ilasm.exe (no specs)
  • iexplore.exe (no specs)
  • ngen.exe (no specs)
  • vbc.exe (no specs)
  • wab.exe (no specs)
  • wmplayer.exe (no specs) #FORMBOOK
  • calc.exe (no specs)
  • wab.exe (no specs) #FORMBOOK
  • svchost.exe (no specs)
  • wab.exe (no specs)
  • dpiscaling.exe (no specs)
  • dpiscaling.exe (no specs)
  • dpiscaling.exe
  • dpiscaling.exe (no specs) #FORMBOOK
  • dpiscaling.exe (no specs) #FORMBOOK

Process information

PID: 192
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual Basic Command Line Compiler
Version: 14.8.3761.0

PID: 328
CMD: "C:\Windows\SysWOW64\DpiScaling.exe"
Path: C:\Windows\SysWOW64\DpiScaling.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 836
CMD: "C:\Windows\SysWOW64\DpiScaling.exe"
Path: C:\Windows\SysWOW64\DpiScaling.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 856
CMD: "C:\Windows\System32\calc.exe"
Path: C:\Windows\System32\calc.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Calculator
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1276
CMD: "C:\Program Files (x86)\Windows Mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Contacts
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1344
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Framework IL assembler
Version: 4.8.3761.0 built by: NET48REL1

PID: 1444
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Version: 4.8.3761.0 built by: NET48REL1

PID: 1700
CMD: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1712
CMD: "C:\Windows\System32\svchost.exe"
Path: C:\Windows\System32\svchost.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1796
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: usd 47180.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 6
Suspicious files: 6
Text files: 11
Unknown types: 0

Dropped files

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR5076.tmp.cvr
MD5:
SHA256:

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DF66B71A-17E0-4E58-A7EF-02F25D6B5233}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
Type: image
MD5: 4C61C12EDBC453D7AE184976E95258E1
SHA256: 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: B17B63C5549F5E72045558C578D74A40
SHA256: B4100A56FCA36183F7830ED0A97FE403C1CC2DC464F580DA306ECC8B854671A4

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_63F4E52B2C3DF640BACB2FADA51CBE21.dat
Type: xml
MD5: 57F30B1BCA811C2FCB81F4C13F6A927B
SHA256: 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D161B0A728E1AA47B734315768DDF8AB.dat
Type: xml
MD5: EC8CA8C4D9E4B21BF1DBC33B4FD27816
SHA256: B1230E47FEE2A9F664C82C590C242F764D50C542F8F773254B6CEAC9145F50EF

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5EWDCL3R\usd 47180.rar
Type: compressed
MD5: 364D5B5D04B67A26C7733460A3C66C3C
SHA256: 17EEE8DA9A4AA7590796A6EC58D3A4F7C428CEE8C6922A12A69823D3A08B8D41

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_FCBD66B1CF5F8D43B4435262173B27C1.dat
Type: xml
MD5: D58C02D47497EFF7B621405F528C201A
SHA256: F3322AFB6FE61BCB9A12C1C134340C87CF3A97F1BB0F7731067973D8563AC95A

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_99297DF9CDA81A4F9E0B19FEE059B8FF.dat
Type: xml
MD5: D8B37ED0410FB241C283F72B76987F18
SHA256: 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5EWDCL3R\usd 47180.rar:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 2
Threats: 0

HTTP requests

PID: 2440
Process: OUTLOOK.EXE
Method: GET
IP: 64.4.26.155:80
URL: http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
Type: unknown
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

IP: 224.0.0.252:5355
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2440
Process: OUTLOOK.EXE
IP: 64.4.26.155:80
Domain: config.messenger.msn.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain: google.com
IP: 142.250.184.238
Reputation: whitelisted

Domain: config.messenger.msn.com
IP: 64.4.26.155
Reputation: whitelisted

Threats

No threats detected
No debug info