analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Quote - 6000412697.xz

Full analysis: https://app.any.run/tasks/dee8514a-7b9b-41ba-884a-3b0c453fabb6
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 07:52:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

2A132962FCB751485EB6913CB24EB39B

SHA1:

8A8F2A673AD5DE726F8ADCC4B94FADF147691B83

SHA256:

9431A47B9B1F580FA968A89445FA95DA7B73C1784CA4FA860FAC3E6EC9E8D3DD

SSDEEP:

768:iRNLauSCeXdjdYkQHhBo7HfoPe+W/2rTXgSWf:cNLLSCetjOHyfVT+bWf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Quote - 6000412697.exe (PID: 2800)
      • Quote - 6000412697.exe (PID: 3320)

    • Connects to CnC server

      • explorer.exe (PID: 372)

    • Changes the autorun value in the registry

      • wscript.exe (PID: 3576)

    • FORMBOOK was detected

      • wscript.exe (PID: 3576)
      • explorer.exe (PID: 372)
      • Firefox.exe (PID: 3480)

    • Actions looks like stealing of personal data

      • wscript.exe (PID: 3576)

    • Stealing of credential data

      • wscript.exe (PID: 3576)

    • Changes settings of System certificates

      • Quote - 6000412697.exe (PID: 2800)

  • SUSPICIOUS

    • Application launched itself

      • Quote - 6000412697.exe (PID: 3320)

    • Reads Internet Cache Settings

      • Quote - 6000412697.exe (PID: 2800)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 780)

    • Executes scripts

      • explorer.exe (PID: 372)

    • Creates files in the user directory

      • Quote - 6000412697.exe (PID: 2800)
      • wscript.exe (PID: 3576)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3576)

    • Loads DLL from Mozilla Firefox

      • wscript.exe (PID: 3576)

    • Adds / modifies Windows certificates

      • Quote - 6000412697.exe (PID: 2800)

  • INFO

    • Manual execution by user

      • wscript.exe (PID: 3576)

    • Reads settings of System Certificates

      • Quote - 6000412697.exe (PID: 2800)

    • Reads the hosts file

      • wscript.exe (PID: 3576)

    • Creates files in the user directory

      • Firefox.exe (PID: 3480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe quote - 6000412697.exe no specs quote - 6000412697.exe #FORMBOOK wscript.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
780"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Quote - 6000412697.xz.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3320"C:\Users\admin\AppData\Local\Temp\Rar$EXa780.48379\Quote - 6000412697.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa780.48379\Quote - 6000412697.exeWinRAR.exe
User:
admin
Company:
WONDerware
Integrity Level:
MEDIUM
Description:
Anterin3
Exit code:
0
Version:
1.00
2800"C:\Users\admin\AppData\Local\Temp\Rar$EXa780.48379\Quote - 6000412697.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa780.48379\Quote - 6000412697.exe
Quote - 6000412697.exe
User:
admin
Company:
WONDerware
Integrity Level:
MEDIUM
Description:
Anterin3
Exit code:
0
Version:
1.00
3576"C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
4072/c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa780.48379\Quote - 6000412697.exe"C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
372C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3480"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wscript.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
4 057
Read events
475
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
88
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2800Quote - 6000412697.exeC:\Users\admin\AppData\Local\Temp\CabD346.tmp
MD5:
SHA256:
2800Quote - 6000412697.exeC:\Users\admin\AppData\Local\Temp\TarD347.tmp
MD5:
SHA256:
2800Quote - 6000412697.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29der
MD5:75D636BF532AFFBC75F461235C3B4D5C
SHA256:727247C8DCAC2B6B8A4F5890F1BCE6F8AF87B49BC38F97308E706A6A313B66AF
2800Quote - 6000412697.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72binary
MD5:0BFE2BF7BDA359F34691F9D051543BA6
SHA256:040AC6DC00AAC3D36804426AC4323B5C851F9A018621569F11F74E263ED97EBE
2800Quote - 6000412697.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bbinary
MD5:1F44800F85ACA49D6E3710FE807246B2
SHA256:F74A5413A9E36D1C874F85F0F5441F0EA11EA268DB318E986FD45C0EFEED00C9
2800Quote - 6000412697.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29binary
MD5:3421E067D3A1E68898308E21AD95B355
SHA256:BFE962542BBD9E887DCCE20EA64E4BD5005168334BFB58682DEC18A5E1903CB3
2800Quote - 6000412697.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\QZZ9VMTM.txttext
MD5:11918D74C3AD7EC577FB571CEE09EDC0
SHA256:35EA6825134AF28B3B4ABEE4E1F3B61117AC0DA0D809D9BB9104C1B0EA8FC75A
3576wscript.exeC:\Users\admin\AppData\Roaming\9389QUSF\938logri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
3576wscript.exeC:\Users\admin\AppData\Roaming\9389QUSF\938logrc.inibinary
MD5:ABC3E65903C43305DBA1DD27B3F62364
SHA256:0A8AABF9A5B3E255164B22988E6415FFC71F2F89E7217B6D6D3827DD8A69B2CF
2800Quote - 6000412697.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bder
MD5:E550DA03AEE5B546B436CD553D3233B9
SHA256:9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2800
Quote - 6000412697.exe
GET
200
172.217.23.99:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2800
Quote - 6000412697.exe
GET
200
172.217.23.99:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFOOHQjK5IlqCAAAAAAyCmA%3D
US
der
471 b
whitelisted
2800
Quote - 6000412697.exe
GET
200
172.217.23.99:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc
US
der
472 b
whitelisted
372
explorer.exe
GET
301
52.26.226.99:80
http://www.pilotshometrade.com/k19/?xbkhBh=fAFvR0WqBJTOxVrHtbDRSZzgRaoorQZ5CQ0BZUmBoeACfIXNnT+eRQGsXLyJ3URolO72Ng==&odsD=rVo0vl
US
html
148 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2800
Quote - 6000412697.exe
216.58.207.78:443
drive.google.com
Google Inc.
US
whitelisted
2800
Quote - 6000412697.exe
172.217.23.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2800
Quote - 6000412697.exe
172.217.23.97:443
doc-00-bk-docs.googleusercontent.com
Google Inc.
US
whitelisted
372
explorer.exe
52.26.226.99:80
www.pilotshometrade.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
drive.google.com
  • 216.58.207.78
shared
ocsp.pki.goog
  • 172.217.23.99
whitelisted
doc-00-bk-docs.googleusercontent.com
  • 172.217.23.97
shared
www.simplifiedqliking.com
unknown
www.pilotshometrade.com
  • 52.26.226.99
malicious

Threats

PID
Process
Class
Message
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Quote - 6000412697.xz