analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample.zip

Full analysis: https://app.any.run/tasks/8070f80a-0a50-4da9-b2e3-78c4441e19a6
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: October 14, 2019, 14:19:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B3310E2292C110142D25BBD4AD6B342D

SHA1:

9D89FD4FC996DA5FEF2E65A975EF45446563D5FC

SHA256:

764F17B690D1FCDA21A28E6CD93C9AF4F190B62EFD31E311EE04FB686B04BD0F

SSDEEP:

6144:7seOcYlJOjAHkeF4XoQhH33RhWUPmlg/iWVlusz5TntXFZVEnwxVAgXKReYYprl:4yY3OmPGhKhCvVwszv1nEwYEYQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • omg.exe (PID: 3012)
      • omg.exe (PID: 1740)
      • zzd0txixqttpgvpx.exe (PID: 2420)
      • zzd0txixqttpgvpx.exe (PID: 3796)
    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • wscript.exe (PID: 2504)
      • Firefox.exe (PID: 2400)
    • Connects to CnC server

      • explorer.exe (PID: 352)
    • Changes the autorun value in the registry

      • wscript.exe (PID: 2504)
    • Actions looks like stealing of personal data

      • wscript.exe (PID: 2504)
    • Stealing of credential data

      • wscript.exe (PID: 2504)
  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 352)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2864)
      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 2040)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2504)
    • Application launched itself

      • omg.exe (PID: 3012)
      • zzd0txixqttpgvpx.exe (PID: 2420)
    • Creates files in the user directory

      • wscript.exe (PID: 2504)
    • Loads DLL from Mozilla Firefox

      • wscript.exe (PID: 2504)
    • Executed via COM

      • DllHost.exe (PID: 2040)
    • Creates files in the program directory

      • DllHost.exe (PID: 2040)
  • INFO

    • Manual execution by user

      • omg.exe (PID: 3012)
      • wscript.exe (PID: 2504)
    • Reads the hosts file

      • wscript.exe (PID: 2504)
    • Creates files in the user directory

      • Firefox.exe (PID: 2400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: f731f2a5f78eec5f656ecdacda2ad5a6841ae8cdc86996aa6421a02175f6eebb.bin
ZipUncompressedSize: 602112
ZipCompressedSize: 389795
ZipCRC: 0xe40a49b8
ZipModifyDate: 2019:10:14 14:12:23
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
11
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe omg.exe no specs omg.exe no specs #FORMBOOK wscript.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object zzd0txixqttpgvpx.exe no specs zzd0txixqttpgvpx.exe no specs raserver.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2864"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3012"C:\Users\admin\Desktop\omg.exe" C:\Users\admin\Desktop\omg.exeexplorer.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.08.0007
1740"C:\Users\admin\Desktop\omg.exe" C:\Users\admin\Desktop\omg.exeomg.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.08.0007
2504"C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3196/c del "C:\Users\admin\Desktop\omg.exe"C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2400"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wscript.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
2040C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2420"C:\Program Files\Qvn0ho\zzd0txixqttpgvpx.exe"C:\Program Files\Qvn0ho\zzd0txixqttpgvpx.exeexplorer.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.08.0007
3796"C:\Program Files\Qvn0ho\zzd0txixqttpgvpx.exe"C:\Program Files\Qvn0ho\zzd0txixqttpgvpx.exezzd0txixqttpgvpx.exe
User:
admin
Company:
MECHANUnderbreath
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.08.0007
Total events
3 047
Read events
3 029
Write events
18
Delete events
0

Modification events

(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2864) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\sample.zip
(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2864) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
5
Suspicious files
73
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2864WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2864.30704\f731f2a5f78eec5f656ecdacda2ad5a6841ae8cdc86996aa6421a02175f6eebb.binexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
352explorer.exeC:\Users\admin\Desktop\f731f2a5f78eec5f656ecdacda2ad5a6841ae8cdc86996aa6421a02175f6eebb.binexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
352explorer.exeC:\Users\admin\Desktop\omg.exeexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
2504wscript.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
2400Firefox.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
2504wscript.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logim.jpegimage
MD5:40642A616CBE1B6BAB58F3BB0CED442D
SHA256:0653EC0129810DECCA5D9F86EE4B1411E06F7B9FAA3EB8809F3BEE9E2FAE7759
352explorer.exeC:\Users\admin\AppData\Local\Temp\Qvn0ho\zzd0txixqttpgvpx.exeexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
2040DllHost.exeC:\Program Files\Qvn0ho\zzd0txixqttpgvpx.exeexecutable
MD5:791930ADD0FF2541AA7C619ADC09E6AD
SHA256:F731F2A5F78EEC5F656ECDACDA2AD5A6841AE8CDC86996AA6421A02175F6EEBB
2504wscript.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
2504wscript.exeC:\Users\admin\AppData\Roaming\892R8X6E\892logrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
14
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
POST
183.181.79.108:80
http://www.lovedogfoods.com/sg/
JP
malicious
352
explorer.exe
GET
404
63.250.33.119:80
http://www.verysinr.com/sg/?sZUTy8=4XOIsZC4wxsn0js0tLVXtVWJecNpjiM/SsI/6lQ0EZpU+DMsYxxtyJxJzsn6Gt78VambOQ==&3fr8=arfH5hThsV-LpPh
US
html
326 b
malicious
352
explorer.exe
GET
302
185.230.60.173:80
http://www.pinkblushphotography.com/sg/?sZUTy8=+DS8OlpUNTDjSzfpVYTCStRu7+JM5YbFptjLdynxIK3jlJ8tOeBWmKREtHh1rCiiwA7dgQ==&3fr8=arfH5hThsV-LpPh&sql=1
unknown
malicious
352
explorer.exe
POST
183.181.79.108:80
http://www.lovedogfoods.com/sg/
JP
malicious
352
explorer.exe
POST
183.181.79.108:80
http://www.lovedogfoods.com/sg/
JP
malicious
352
explorer.exe
POST
185.230.60.173:80
http://www.pinkblushphotography.com/sg/
unknown
malicious
352
explorer.exe
POST
185.230.60.173:80
http://www.pinkblushphotography.com/sg/
unknown
malicious
352
explorer.exe
POST
62.210.16.62:80
http://www.nicole-guihaume.com/sg/
FR
malicious
352
explorer.exe
GET
404
62.210.16.62:80
http://www.nicole-guihaume.com/sg/?sZUTy8=jVReqqoGI/i29nrV2EAUg1smkEQebSLK8GOwEfZtZXBdGEKElAMp9SGnCxropgDndHrkAw==&3fr8=arfH5hThsV-LpPh&sql=1
FR
html
290 b
malicious
352
explorer.exe
GET
444
52.213.55.157:80
http://www.tomaserrazuriz.com/sg/?sZUTy8=UNDVMmS1y8+V7IA7GAe6r4ZxQi5KNQylCHW1/yHFn5zyCOyZAeP4bheyqlOB7aljUMlt8Q==&3fr8=arfH5hThsV-LpPh&sql=1
IE
text
44 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
183.181.79.108:80
www.lovedogfoods.com
SAKURA Internet Inc.
JP
malicious
352
explorer.exe
185.230.60.173:80
www.pinkblushphotography.com
malicious
352
explorer.exe
62.210.16.62:80
www.nicole-guihaume.com
Online S.a.s.
FR
malicious
352
explorer.exe
63.250.33.119:80
www.verysinr.com
Frontline Data Services, Inc
US
malicious
352
explorer.exe
52.213.55.157:80
www.tomaserrazuriz.com
Amazon.com, Inc.
IE
malicious

DNS requests

Domain
IP
Reputation
www.verysinr.com
  • 63.250.33.119
malicious
www.lovedogfoods.com
  • 183.181.79.108
malicious
www.alexpitch.com
unknown
www.msdowe.com
unknown
www.pinkblushphotography.com
  • 185.230.60.173
malicious
www.casraras.com
unknown
www.loneraytapicerialyp.com
unknown
www.nicole-guihaume.com
  • 62.210.16.62
malicious
www.tomaserrazuriz.com
  • 52.213.55.157
  • 34.251.91.168
  • 52.214.224.110
malicious

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
12 ETPRO signatures available at the full report
No debug info