File name: | RFQ-0984776.gz |
Full analysis: | https://app.any.run/tasks/ca4008d9-1399-42a3-b439-0ca265c54c75 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | July 17, 2019, 19:23:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | E6718D361D355242BCF908D50D361D1E |
SHA1: | A694997CFFC60D408617A5C559D7F24E9C730440 |
SHA256: | 8895AD2E8078600B637C0AF7D12FAB7C1A08745984E1F468FF66EF2856B35809 |
SSDEEP: | 6144:U0uLYAcm+nrmd6MzO0cB6mPltn5jQNyp4b1426rAIGbZ882pfz:Sc4+nM066lDjQU4542QAK8Sb |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2880 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ-0984776.gz" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3228 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.45430\RFQ-0984776.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.45430\RFQ-0984776.exe | — | WinRAR.exe |
User: admin Company: COMPOSITOUS Integrity Level: MEDIUM Description: Merer8 Exit code: 0 Version: 1.03.0009 | ||||
2384 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.45430\RFQ-0984776.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.45430\RFQ-0984776.exe | — | RFQ-0984776.exe |
User: admin Company: COMPOSITOUS Integrity Level: MEDIUM Description: Merer8 Exit code: 0 Version: 1.03.0009 | ||||
2336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\scottglass.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\heredev.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3392 | "C:\Windows\System32\msiexec.exe" | C:\Windows\System32\msiexec.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3324 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.45430\RFQ-0984776.exe" | C:\Windows\System32\cmd.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
124 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3108 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | msiexec.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 67.0.4 | ||||
3264 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8E02.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR913E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.45430\RFQ-0984776.exe | executable | |
MD5:D01F27802CA76B466FB48D2CD2C4B791 | SHA256:CE96063DEDE768A085D5894103CD09E4DB3BDAD876A0EB0224F00A819F9A3DF2 | |||
2336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\heredev.rtf.LNK | lnk | |
MD5:0F92FF513718AE0C0449D97856E7FAA4 | SHA256:38998382B96AE6E956AE989A6AED46F47573A9A9C6839B757F0C793BFFD0474A | |||
2336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:EAACF3A7C8B1FDB0FAA336700F2912F0 | SHA256:B769101524A057AE18964AF8CBD23928170F57228B816534D191B28E51B0DE26 | |||
124 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071720190718\index.dat | dat | |
MD5:52AA960883C06D73701E81706849DB8B | SHA256:F57A99EBFCA0F7ED298BC36DDFD336029C9A306256B2E6B6E2B73EB52E56DF07 | |||
124 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:3C9B7A99E3E3CE302E81C91C75931D13 | SHA256:11C6CBD88C0BBCE7043DFDFCD7ACB4569CA19E6FB856ACB0856929067C621154 | |||
124 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | |
MD5:CAD209F3C0DFEA8B2137B497A17B737C | SHA256:6B1472D592495C17377F1B4B2F9F62CAD3D94ADDD473ABCF4E3E13EDDB956FDD | |||
124 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\heredev.rtf (2).lnk | lnk | |
MD5:6AC113D95B2AF5672FA9470F81B34B7A | SHA256:5DDE31B701BC48D7382DBA3FD8EBA0E5E590C81241463059A3B45713C0BB6647 | |||
2336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:9E6193635399A9AC6E3AECAF29A5B443 | SHA256:4F49BB10A5E1124CD8DFE0AB748F9548E0BB0F98474C2B28AE71852DB97D46ED |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
124 | explorer.exe | POST | — | 185.230.62.161:80 | http://www.aloefitcanada.com/i19/ | unknown | — | — | malicious |
124 | explorer.exe | GET | — | 185.230.62.161:80 | http://www.aloefitcanada.com/i19/?lhEhBv=hD8MHFnnSrWd8E//RdH8spdDsAiIKBADlkmY4kt2Bt/bfTqcgOkD2Q0D2+biWwh38x9XgA==&2do=3f6HZlJ0EdiDsH9 | unknown | — | — | malicious |
124 | explorer.exe | GET | — | 52.37.176.68:80 | http://www.dobloodsugarchartsjet.live/i19/?lhEhBv=52aabKi7Nu/BGNrrVrMyfsmNWMD5JzEIHDoWffdAwn6WaFdQYyBy5rm5Bjy4P3jPmeUesA==&2do=3f6HZlJ0EdiDsH9&sql=1 | US | — | — | malicious |
124 | explorer.exe | POST | — | 52.37.176.68:80 | http://www.dobloodsugarchartsjet.live/i19/ | US | — | — | malicious |
124 | explorer.exe | POST | — | 185.230.62.161:80 | http://www.aloefitcanada.com/i19/ | unknown | — | — | malicious |
124 | explorer.exe | POST | — | 52.37.176.68:80 | http://www.dobloodsugarchartsjet.live/i19/ | US | — | — | malicious |
124 | explorer.exe | POST | — | 52.37.176.68:80 | http://www.dobloodsugarchartsjet.live/i19/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
124 | explorer.exe | 185.230.62.161:80 | www.aloefitcanada.com | — | — | malicious |
124 | explorer.exe | 52.37.176.68:80 | www.dobloodsugarchartsjet.live | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bangbanglong.net |
| unknown |
www.aloefitcanada.com |
| malicious |
www.dobloodsugarchartsjet.live |
| malicious |
www.indiancreekrestaurant.com |
| unknown |
www.fastwingcourier.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
124 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
124 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
124 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
124 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
124 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
124 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |