analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample.zip

Full analysis: https://app.any.run/tasks/10dc57bf-f4bd-4780-8db6-d97d58d5f31a
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 14:14:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B3310E2292C110142D25BBD4AD6B342D

SHA1:

9D89FD4FC996DA5FEF2E65A975EF45446563D5FC

SHA256:

764F17B690D1FCDA21A28E6CD93C9AF4F190B62EFD31E311EE04FB686B04BD0F

SSDEEP:

6144:7seOcYlJOjAHkeF4XoQhH33RhWUPmlg/iWVlusz5TntXFZVEnwxVAgXKReYYprl:4yY3OmPGhKhCvVwszv1nEwYEYQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • omg.exe (PID: 2504)
      • omg.exe (PID: 2580)
      • advhftbpe60dc.exe (PID: 3936)

    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • msiexec.exe (PID: 4028)
      • Firefox.exe (PID: 3896)

    • Connects to CnC server

      • explorer.exe (PID: 352)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 4028)

    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 4028)

    • Stealing of credential data

      • msiexec.exe (PID: 4028)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 4028)

    • Application launched itself

      • omg.exe (PID: 2504)

    • Executed via COM

      • DllHost.exe (PID: 4040)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 4040)

    • Creates files in the program directory

      • DllHost.exe (PID: 4040)

    • Loads DLL from Mozilla Firefox

      • msiexec.exe (PID: 4028)

    • Creates files in the user directory

      • msiexec.exe (PID: 4028)

  • INFO

    • Manual execution by user

      • msiexec.exe (PID: 4028)
      • omg.exe (PID: 2504)

    • Reads the hosts file

      • msiexec.exe (PID: 4028)

    • Creates files in the user directory

      • Firefox.exe (PID: 3896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:10:14 14:12:23
ZipCRC: 0xe40a49b8
ZipCompressedSize: 389795
ZipUncompressedSize: 602112
ZipFileName: f731f2a5f78eec5f656ecdacda2ad5a6841ae8cdc86996aa6421a02175f6eebb.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs omg.exe no specs omg.exe no specs #FORMBOOK msiexec.exe cmd.exe no specs #FORMBOOK explorer.exe Copy/Move/Rename/Delete/Link Object advhftbpe60dc.exe no specs #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2456"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2504"C:\Users\admin\Desktop\omg.exe" C:\Users\admin\Desktop\omg.exeexplorer.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.08.0007
2580"C:\Users\admin\Desktop\omg.exe" C:\Users\admin\Desktop\omg.exeomg.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.08.0007
4028"C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2200/c del "C:\Users\admin\Desktop\omg.exe"C:\Windows\System32\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4040C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3936"C:\Program Files\G0ph\advhftbpe60dc.exe"C:\Program Files\G0ph\advhftbpe60dc.exeexplorer.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Version:
1.08.0007
3896"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
msiexec.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
3 060
Read events
3 038
Write events
22
Delete events
0

Modification events

(PID) Process:(352) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2456) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\sample.zip
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2456) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
Executable files
4
Suspicious files
73
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2456WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2456.1071\f731f2a5f78eec5f656ecdacda2ad5a6841ae8cdc86996aa6421a02175f6eebb.bin
MD5:
SHA256:
4028msiexec.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
352explorer.exeC:\Users\admin\AppData\Local\Temp\G0ph\advhftbpe60dc.exeexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
352explorer.exeC:\Users\admin\Desktop\f731f2a5f78eec5f656ecdacda2ad5a6841ae8cdc86996aa6421a02175f6eebb.binexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
4040DllHost.exeC:\Program Files\G0ph\advhftbpe60dc.exeexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
352explorer.exeC:\Users\admin\Desktop\omg.exeexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
4028msiexec.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logim.jpegimage
MD5:5DF0C5A563978C9580ABBD932E51F88B
SHA256:37B78FB97203B0D1864D6FE31EB1F559F1213E42371E6EF5C4BFB2638E19FD48
3896Firefox.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
4028msiexec.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
4028msiexec.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
301
54.152.17.83:80
http://www.colleenblake.com/sg/?3f9L=RKYwUGtsyxq/LqeValKDRIGed7Ogr0G53QEm84mZqi7V+lhB2HOfDGYAy/BElzROWa8c2g==&BbBX=LhTpETx8Zdn&sql=1
US
html
176 b
malicious
352
explorer.exe
POST
54.152.17.83:80
http://www.colleenblake.com/sg/
US
malicious
352
explorer.exe
POST
54.152.17.83:80
http://www.colleenblake.com/sg/
US
malicious
352
explorer.exe
POST
54.152.17.83:80
http://www.colleenblake.com/sg/
US
malicious
352
explorer.exe
GET
302
213.186.33.5:80
http://www.freenfield.com/sg/?3f9L=Sm+YPTeSv3486SfJgEujGF5Gek30Oxw53f6RJd3EbhL1PPilrZfqOaJHRsSa5Pf7xeKhsg==&BbBX=LhTpETx8Zdn
FR
html
154 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
54.152.17.83:80
www.colleenblake.com
Amazon.com, Inc.
US
malicious
352
explorer.exe
213.186.33.5:80
www.freenfield.com
OVH SAS
FR
malicious
54.152.17.83:80
www.colleenblake.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.freenfield.com
  • 213.186.33.5
malicious
www.avalonpersonaltraining.com
unknown
www.colleenblake.com
  • 54.152.17.83
  • 54.209.151.119
malicious
www.alexpitch.com
unknown

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample.zip