File name:

Re MRV202407107 (PO0162).eml

Full analysis: https://app.any.run/tasks/463c21ec-bddf-42cd-b47c-622d3df5401a
Verdict: Malicious activity
Threats:

FormBook is an information stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: August 06, 2024, 10:17:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
formbook
xloader
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with CRLF line terminators
MD5:

5BEC3CD36EC134ECF81300138A679F8E

SHA1:

5B0F4F19B8BADC1EE8B59955585DC6A1FFC49CA0

SHA256:

6963B9192DF3B889181DAE3940DAB7C3C074C4E3BCC4E8398AAF7627E82064EF

SSDEEP:

24576:AlHR6L7dpd3cNC2gPYF/VqlzfqtsMqWarjkEVmeLbCOa44wNN:Ky7T1IwlzxMqiEAeLDNN

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Starts Visual C# compiler

      • usd 47180.exe (PID: 2416)
    • FORMBOOK has been detected (YARA)

      • wmplayer.exe (PID: 2352)
      • wab.exe (PID: 2080)
      • DpiScaling.exe (PID: 2248)
      • DpiScaling.exe (PID: 2716)
    • Unusual execution from MS Outlook

      • OUTLOOK.EXE (PID: 2440)
    • Changes the autorun value in the registry

      • DpiScaling.exe (PID: 2804)
  • SUSPICIOUS

    • Process drops legitimate Windows executable

      • OUTLOOK.EXE (PID: 2440)
      • WinRAR.exe (PID: 2500)
    • Starts CMD.EXE for commands execution

      • usd 47180.exe (PID: 2416)
    • The process executes VB scripts

      • usd 47180.exe (PID: 2416)
    • The process drops C-runtime libraries

      • OUTLOOK.EXE (PID: 2440)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2500)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 2500)
      • OUTLOOK.EXE (PID: 2440)
    • Checks supported languages

      • usd 47180.exe (PID: 2416)
      • wab.exe (PID: 2012)
      • wmplayer.exe (PID: 2352)
      • wab.exe (PID: 2080)
      • wab.exe (PID: 1276)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2500)
      • OUTLOOK.EXE (PID: 2440)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2500)
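The MALICIOUS and SUSPICIOUS indicators above describe one pattern: an executable extracted from a mail attachment launches .NET compilers and a shell, then a series of legitimate Windows binaries (wab.exe, wmplayer.exe, DpiScaling.exe) in which FormBook is later detected. The Python below is an added example, not part of the ANY.RUN report, that encodes those parent/child heuristics and runs them over process-creation events constructed to mirror this report's process tree. The PIDs that appear in the report are reused; the image paths of usd 47180.exe, OUTLOOK.EXE and WinRAR.exe, the parent PIDs, and the explorer/notepad control event are assumptions.

```python
"""Parent/child process heuristics mirroring the indicators in this ANY.RUN report.
Added example; the event list is constructed, not exported from the sandbox."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full image path of the created process
    parent_pid: int
    parent_image: str   # full image path of the creating process


OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
DOTNET_BUILD_TOOLS = {"csc.exe", "vbc.exe", "ilasm.exe", "ngen.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Directories a mail user can write to; an archive extracted from an attachment lands here.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\content.outlook\\")
SPRAY_THRESHOLD = 4  # distinct OS-installed binaries launched by one untrusted parent


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_windows_dir_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def evaluate(events):
    """Return (pid, rule, detail) tuples for every event that matches a heuristic."""
    findings = []
    spray = {}  # parent pid -> set of distinct OS-installed children it launched
    for e in events:
        child, parent = image_name(e.image), image_name(e.parent_image)
        # "Unusual execution from MS Outlook": an Office app launching a Windows-dir binary.
        if parent in OFFICE_APPS and is_windows_dir_binary(e.image):
            findings.append((e.pid, "office_spawns_windows_binary", f"{parent} -> {child}"))
        # "Starts Visual C# compiler" / "executes VB scripts": compilers run by an
        # executable that lives in a user-writable directory.
        if child in DOTNET_BUILD_TOOLS and in_user_writable_dir(e.parent_image):
            findings.append((e.pid, "untrusted_parent_runs_dotnet_compiler", f"{parent} -> {child}"))
        # "Starts CMD.EXE for commands execution" from the same kind of parent.
        if child in SHELLS and in_user_writable_dir(e.parent_image):
            findings.append((e.pid, "untrusted_parent_runs_shell", f"{parent} -> {child}"))
        # Candidate injection targets: many distinct legitimate binaries spawned by one
        # untrusted parent (wab.exe, calc.exe, iexplore.exe, svchost.exe ... in the report).
        if in_user_writable_dir(e.parent_image) and not in_user_writable_dir(e.image):
            spray.setdefault(e.parent_pid, set()).add(child)
    for ppid, children in spray.items():
        if len(children) >= SPRAY_THRESHOLD:
            findings.append((ppid, "legit_binary_spray", ", ".join(sorted(children))))
    return findings


# Constructed events modelled on the report's process tree. PIDs 2440, 2500, 2416, 192, 328,
# 836, 856, 1276, 1344, 1444, 1700, 1712 and 1796 are the report's; the paths of
# 'usd 47180.exe', OUTLOOK.EXE and WinRAR.exe and the explorer/notepad control are assumed.
OUTLOOK = "C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"
WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
DROPPER = "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa2500.26622\\usd 47180\\usd 47180.exe"
SAMPLE_EVENTS = [
    ProcEvent(2500, WINRAR, 2440, OUTLOOK),
    ProcEvent(2416, DROPPER, 2500, WINRAR),
    ProcEvent(1796, "C:\\Windows\\System32\\cmd.exe", 2416, DROPPER),
    ProcEvent(1444, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", 2416, DROPPER),
    ProcEvent(192, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", 2416, DROPPER),
    ProcEvent(1344, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe", 2416, DROPPER),
    ProcEvent(856, "C:\\Windows\\System32\\calc.exe", 2416, DROPPER),
    ProcEvent(1276, "C:\\Program Files (x86)\\Windows Mail\\wab.exe", 2416, DROPPER),
    ProcEvent(1700, "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", 2416, DROPPER),
    ProcEvent(1712, "C:\\Windows\\System32\\svchost.exe", 2416, DROPPER),
    ProcEvent(328, "C:\\Windows\\SysWOW64\\DpiScaling.exe", 2440, OUTLOOK),
    ProcEvent(836, "C:\\Windows\\SysWOW64\\DpiScaling.exe", 2440, OUTLOOK),
    # Benign control: a user opening Notepad from Explorer should produce no finding.
    ProcEvent(3000, "C:\\Windows\\System32\\notepad.exe", 1500, "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

The spray rule is the one that matters most for this family: the compilers and cmd.exe are noisy on developer hosts, but a single parent in a temp directory launching a handful of distinct OS-installed binaries it has no business running is what FormBook's injection stage looks like in a process-creation feed.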
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
56
Monitored processes
24
Malicious processes
7
Suspicious processes
1

Behavior graph

Process chain in launch order (processes marked #FORMBOOK are those in which the FormBook YARA rule matched):
outlook.exe
winrar.exe
usd 47180.exe
iexplore.exe
cmd.exe
aspnet_wp.exe
svchost.exe
calc.exe
csc.exe
ilasm.exe
iexplore.exe
ngen.exe
vbc.exe
wab.exe
wmplayer.exe (#FORMBOOK)
calc.exe
wab.exe (#FORMBOOK)
svchost.exe
wab.exe
dpiscaling.exe
dpiscaling.exe
dpiscaling.exe
dpiscaling.exe (#FORMBOOK)
dpiscaling.exe (#FORMBOOK)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 192
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Version:
14.8.3761.0
PID: 328
CMD: "C:\Windows\SysWOW64\DpiScaling.exe"
Path: C:\Windows\SysWOW64\DpiScaling.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\dpiscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 836
CMD: "C:\Windows\SysWOW64\DpiScaling.exe"
Path: C:\Windows\SysWOW64\DpiScaling.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\dpiscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 856
CMD: "C:\Windows\System32\calc.exe"
Path: C:\Windows\System32\calc.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1276
CMD: "C:\Program Files (x86)\Windows Mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1344
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Framework IL assembler
Version:
4.8.3761.0 built by: NET48REL1
PID: 1444
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Version:
4.8.3761.0 built by: NET48REL1
PID: 1700
CMD: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
PID: 1712
CMD: "C:\Windows\System32\svchost.exe"
Path: C:\Windows\System32\svchost.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1796
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: usd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
13 853
Read events
13 258
Write events
567
Delete events
28

Modification events

All ten recorded events are writes by (2440) OUTLOOK.EXE to the same key, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages. These are Outlook's own language-settings writes on first run; the value names are Windows locale IDs (1033 = en-US).

Operation: write  Name: 1033  Value: Off
Operation: write  Name: 1041  Value: Off
Operation: write  Name: 1042  Value: Off
Operation: write  Name: 1046  Value: Off
Operation: write  Name: 1036  Value: Off
Operation: write  Name: 1031  Value: Off
Operation: write  Name: 1040  Value: Off
Operation: write  Name: 1049  Value: Off
Operation: write  Name: 3082  Value: Off
Operation: write  Name: 1055  Value: Off
Executable files
6
Suspicious files
6
Text files
11
Unknown types
0

Dropped files

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR5076.tmp.cvr
MD5:
SHA256:

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: B17B63C5549F5E72045558C578D74A40
SHA256: B4100A56FCA36183F7830ED0A97FE403C1CC2DC464F580DA306ECC8B854671A4

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_A9A9179254FC36489913F6D014C6790C.dat
Type: xml
MD5: F194B1FA12F9B6F46A47391FAE8BEEC2
SHA256: FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_63F4E52B2C3DF640BACB2FADA51CBE21.dat
Type: xml
MD5: 57F30B1BCA811C2FCB81F4C13F6A927B
SHA256: 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5EWDCL3R\usd 47180 (2).rar
Type: compressed
MD5: 364D5B5D04B67A26C7733460A3C66C3C
SHA256: 17EEE8DA9A4AA7590796A6EC58D3A4F7C428CEE8C6922A12A69823D3A08B8D41

PID: 2500
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2500.26622\usd 47180\jli.dll
Type: executable
MD5: 7CB14EC343301A79B60FAE69AD418453
SHA256: D9FFD9536D9037570F1F270185108D88F7AF84203FCF7FE9E48080FD86B53320

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5EWDCL3R\usd 47180.rar:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID: 2500
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2500.26622\usd 47180\msvcpcore.dll
Type: binary
MD5: 043C998AF20F678E721382C61E401389
SHA256: 65E6FC8ADBE6A11AC7DFA44EAB4AC9FB2C2C39107029478DB20F582ED2347804

PID: 2440
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_041EEB1ED2BF20438992590BEBF55DB6.dat
Type: xml
MD5: 0B5B8DC93D5CDF7CA798E0F70F9088E5
SHA256: BEC0EBA2EF9D67291F450ADA494386148A210A279927D160B50C238ADDC1DF8B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID: 2440
Process: OUTLOOK.EXE
Method: GET
IP: 64.4.26.155:80
URL: http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
CN: unknown
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

IP: 224.0.0.252:5355
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2440
Process: OUTLOOK.EXE
IP: 64.4.26.155:80
Domain: config.messenger.msn.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info