File name:

Re MRV202407107 (PO0162).eml

Full analysis: https://app.any.run/tasks/463c21ec-bddf-42cd-b47c-622d3df5401a
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: August 06, 2024, 10:17:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
formbook
xloader
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with CRLF line terminators
MD5:

5BEC3CD36EC134ECF81300138A679F8E

SHA1:

5B0F4F19B8BADC1EE8B59955585DC6A1FFC49CA0

SHA256:

6963B9192DF3B889181DAE3940DAB7C3C074C4E3BCC4E8398AAF7627E82064EF

SSDEEP:

24576:AlHR6L7dpd3cNC2gPYF/VqlzfqtsMqWarjkEVmeLbCOa44wNN:Ky7T1IwlzxMqiEAeLDNN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • usd 47180.exe (PID: 2416)

    • FORMBOOK has been detected (YARA)

      • wab.exe (PID: 2080)
      • wmplayer.exe (PID: 2352)
      • DpiScaling.exe (PID: 2716)
      • DpiScaling.exe (PID: 2248)

    • Unusual execution from MS Outlook

      • OUTLOOK.EXE (PID: 2440)

    • Changes the autorun value in the registry

      • DpiScaling.exe (PID: 2804)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • OUTLOOK.EXE (PID: 2440)
      • WinRAR.exe (PID: 2500)

    • Starts CMD.EXE for commands execution

      • usd 47180.exe (PID: 2416)

    • The process drops C-runtime libraries

      • OUTLOOK.EXE (PID: 2440)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2500)

    • The process executes VB scripts

      • usd 47180.exe (PID: 2416)

  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2500)
      • OUTLOOK.EXE (PID: 2440)

    • Checks supported languages

      • usd 47180.exe (PID: 2416)
      • wmplayer.exe (PID: 2352)
      • wab.exe (PID: 2080)
      • wab.exe (PID: 1276)
      • wab.exe (PID: 2012)

    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 2440)
      • WinRAR.exe (PID: 2500)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
24
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe winrar.exe usd 47180.exe iexplore.exe no specs cmd.exe no specs aspnet_wp.exe no specs svchost.exe no specs calc.exe no specs csc.exe no specs ilasm.exe no specs iexplore.exe no specs ngen.exe no specs vbc.exe no specs wab.exe no specs #FORMBOOK wmplayer.exe no specs calc.exe no specs #FORMBOOK wab.exe no specs svchost.exe no specs wab.exe no specs dpiscaling.exe no specs dpiscaling.exe no specs dpiscaling.exe #FORMBOOK dpiscaling.exe no specs #FORMBOOK dpiscaling.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
192"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Version:
14.8.3761.0
328"C:\Windows\SysWOW64\DpiScaling.exe"C:\Windows\SysWOW64\DpiScaling.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\dpiscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
836"C:\Windows\SysWOW64\DpiScaling.exe"C:\Windows\SysWOW64\DpiScaling.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\dpiscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
856"C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1276"C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1344"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Framework IL assembler
Version:
4.8.3761.0 built by: NET48REL1
1444"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Version:
4.8.3761.0 built by: NET48REL1
1700"C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1712"C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1796"C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exeusd 47180.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
13 853
Read events
13 258
Write events
567
Delete events
28

Modification events

(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2440) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
6
Suspicious files
6
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR5076.tmp.cvr
MD5:
SHA256:
2440OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_FCBD66B1CF5F8D43B4435262173B27C1.datxml
MD5:D58C02D47497EFF7B621405F528C201A
SHA256:F3322AFB6FE61BCB9A12C1C134340C87CF3A97F1BB0F7731067973D8563AC95A
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DF66B71A-17E0-4E58-A7EF-02F25D6B5233}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DATbinary
MD5:C4643157E488AC6D771054CAD7D50D84
SHA256:D4FF48EB72AA94E3BA215C87B198733048E75105D024CCA42960EF96A8E04EA6
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D161B0A728E1AA47B734315768DDF8AB.datxml
MD5:EC8CA8C4D9E4B21BF1DBC33B4FD27816
SHA256:B1230E47FEE2A9F664C82C590C242F764D50C542F8F773254B6CEAC9145F50EF
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:B17B63C5549F5E72045558C578D74A40
SHA256:B4100A56FCA36183F7830ED0A97FE403C1CC2DC464F580DA306ECC8B854671A4
2440OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:9C0C676315E3BB56E6879DA436A80EE8
SHA256:B833AE8266ABB3074BF8A74BBE61FFD90672FAC4D5CEE58B0C39406555EFB13F
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_99297DF9CDA81A4F9E0B19FEE059B8FF.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
2440OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_041EEB1ED2BF20438992590BEBF55DB6.datxml
MD5:0B5B8DC93D5CDF7CA798E0F70F9088E5
SHA256:BEC0EBA2EF9D67291F450ADA494386148A210A279927D160B50C238ADDC1DF8B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2440
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
2440
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Re MRV202407107 (PO0162).eml