File name: | DHL_KR.zip |
Full analysis: | https://app.any.run/tasks/f8673e9d-8c11-4380-8d8c-aa0516186762 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | August 26, 2019, 02:12:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 38D3DFEBFD261D415CAD88810704F48F |
SHA1: | 9E5D2B503034394BCA69127533FE7FF486C8EF10 |
SHA256: | 991477849BAD61381517C361F1E8B0A865C1B06A97D12BBFFF42D6E91E9D2A63 |
SSDEEP: | 6144:DeHbjND9KBRMs2/0a2Xhg5NrQeF9gTRtQe04fDeMl:K7jNIjMs2/0ayT1TnQ5wqMl |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:08:18 13:05:29 |
ZipCRC: | 0x23af1632 |
ZipCompressedSize: | 239652 |
ZipUncompressedSize: | 438272 |
ZipFileName: | DHL_KR/DHL_KR.com |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2860 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DHL_KR.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
4012 | "C:\Users\admin\Desktop\DHL_KR.com" | C:\Users\admin\Desktop\DHL_KR.com | — | explorer.exe | |||||||||||
User: admin Company: paNDORATV Integrity Level: MEDIUM Exit code: 0 Version: 4.02.0001 Modules
| |||||||||||||||
3112 | "C:\Users\admin\Desktop\DHL_KR.com" | C:\Users\admin\Desktop\DHL_KR.com | — | DHL_KR.com | |||||||||||
User: admin Company: paNDORATV Integrity Level: MEDIUM Exit code: 0 Version: 4.02.0001 Modules
| |||||||||||||||
3948 | "C:\Users\admin\Desktop\DHL_KR.com" | C:\Users\admin\Desktop\DHL_KR.com | — | DHL_KR.com | |||||||||||
User: admin Company: paNDORATV Integrity Level: MEDIUM Exit code: 0 Version: 4.02.0001 Modules
| |||||||||||||||
2628 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3276 | /c del "C:\Users\admin\Desktop\DHL_KR.com" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
276 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
4020 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2544 | "C:\Program Files\G-zc\mfcr6q.exe" | C:\Program Files\G-zc\mfcr6q.exe | — | explorer.exe | |||||||||||
User: admin Company: paNDORATV Integrity Level: MEDIUM Exit code: 0 Version: 4.02.0001 Modules
| |||||||||||||||
3216 | "C:\Program Files\G-zc\mfcr6q.exe" | C:\Program Files\G-zc\mfcr6q.exe | — | mfcr6q.exe | |||||||||||
User: admin Company: paNDORATV Integrity Level: MEDIUM Exit code: 0 Version: 4.02.0001 Modules
|
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\DHL_KR.zip | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2860) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (276) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList |
Operation: | write | Name: | a |
Value: WinRAR.exe | |||
(PID) Process: | (276) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList |
Operation: | write | Name: | MRUList |
Value: a |
PID | Process | Filename | Type | |
---|---|---|---|---|
2544 | mfcr6q.exe | C:\Users\admin\AppData\Local\Temp\~DF74EA10D8E7FDF2D6.TMP | binary | |
MD5:58C4A0F2EA2D25D389F96FA161D07DAE | SHA256:9800EEDB3694F976A0101E94BA0A46B9F8DBDFFC2700B69EB96D4568154C2106 | |||
276 | explorer.exe | C:\Users\admin\AppData\Local\Temp\G-zc\mfcr6q.exe | executable | |
MD5:DF2827BE612AA282A795AF525CFC19BA | SHA256:FB234C86111A42AE2945DD1EF9BDA6754C5A3D2B7EA1D45CFB7141D8194251F4 | |||
3216 | mfcr6q.exe | C:\Users\admin\AppData\Local\Temp\~DFFD8ACD59997FE83F.TMP | binary | |
MD5:58C4A0F2EA2D25D389F96FA161D07DAE | SHA256:9800EEDB3694F976A0101E94BA0A46B9F8DBDFFC2700B69EB96D4568154C2106 | |||
3112 | DHL_KR.com | C:\Users\admin\AppData\Local\Temp\~DFA11684055DB99B65.TMP | binary | |
MD5:58C4A0F2EA2D25D389F96FA161D07DAE | SHA256:9800EEDB3694F976A0101E94BA0A46B9F8DBDFFC2700B69EB96D4568154C2106 | |||
4020 | DllHost.exe | C:\Program Files\G-zc\mfcr6q.exe | executable | |
MD5:DF2827BE612AA282A795AF525CFC19BA | SHA256:FB234C86111A42AE2945DD1EF9BDA6754C5A3D2B7EA1D45CFB7141D8194251F4 | |||
4012 | DHL_KR.com | C:\Users\admin\AppData\Local\Temp\~DFE8E960FFD6E1A9DB.TMP | binary | |
MD5:58C4A0F2EA2D25D389F96FA161D07DAE | SHA256:9800EEDB3694F976A0101E94BA0A46B9F8DBDFFC2700B69EB96D4568154C2106 | |||
2860 | WinRAR.exe | C:\Users\admin\Desktop\DHL_KR.com | executable | |
MD5:DF2827BE612AA282A795AF525CFC19BA | SHA256:FB234C86111A42AE2945DD1EF9BDA6754C5A3D2B7EA1D45CFB7141D8194251F4 | |||
4012 | DHL_KR.com | C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini | text | |
MD5:D2A2412BDDBA16D60EC63BD9550D933F | SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A | |||
2628 | cmd.exe | C:\Users\admin\AppData\Roaming\7051N28E\705logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
2628 | cmd.exe | C:\Users\admin\AppData\Roaming\7051N28E\705logim.jpeg | image | |
MD5:FC0E084F1C79B2AB557D482F063CD856 | SHA256:6ADAB60884603BA49FC7E89A15207C5FCB1A48D9D13295F3FF25A4867FB4F535 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
276 | explorer.exe | GET | — | 104.27.191.13:80 | http://www.pemasarankampoengkurma.com/tt/?w2=5V1MTDzGrEje9A+rurpnqzuoJnugdZjzH0dvo5aFwJnuCpriO1dqdkrTC5vfNMlpzvGKDQ==&s0H=uHlP7BMX | US | — | — | malicious |
276 | explorer.exe | POST | — | 65.254.248.135:80 | http://www.nyamadotbantu.com/tt/ | US | — | — | malicious |
276 | explorer.exe | GET | 404 | 47.91.239.71:80 | http://www.wzkns.com/tt/?w2=cf1diMNyh+lRTAYcqTUZMMARPCqzFwxwdvBXmJ7SNzr4Mo5OVi6hssxKU0fglv1auZnkDg==&s0H=uHlP7BMX | HK | html | 2.21 Kb | malicious |
276 | explorer.exe | POST | — | 104.27.191.13:80 | http://www.pemasarankampoengkurma.com/tt/ | US | — | — | malicious |
276 | explorer.exe | GET | 404 | 65.254.248.135:80 | http://www.nyamadotbantu.com/tt/?w2=UC3G6cfmHSj3w0xWNTh72guQpoIs+C56Lx0arbCbtvpIVoFAj3Ul+3IomTB4sXgRf3FxHg==&s0H=uHlP7BMX&sql=1 | US | html | 863 b | malicious |
276 | explorer.exe | GET | 404 | 198.54.112.26:80 | http://www.pursemtb.com/tt/?w2=WsRiLUilOF0e3/UDMPL6Kuy27Gh9En8nOqStYRE7TkPPp6FFhj2eWCfSTbf+qV/yotNhpw==&s0H=uHlP7BMX | US | html | 326 b | malicious |
276 | explorer.exe | POST | — | 104.27.191.13:80 | http://www.pemasarankampoengkurma.com/tt/ | US | — | — | malicious |
276 | explorer.exe | POST | 404 | 198.54.112.26:80 | http://www.pursemtb.com/tt/ | US | html | 292 b | malicious |
276 | explorer.exe | POST | — | 47.96.113.13:80 | http://www.wash.ltd/tt/ | CN | — | — | malicious |
276 | explorer.exe | POST | — | 65.254.248.135:80 | http://www.nyamadotbantu.com/tt/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
276 | explorer.exe | 65.254.248.135:80 | www.nyamadotbantu.com | The Endurance International Group, Inc. | US | malicious |
276 | explorer.exe | 104.27.191.13:80 | www.pemasarankampoengkurma.com | Cloudflare Inc | US | shared |
276 | explorer.exe | 198.54.112.26:80 | www.pursemtb.com | Namecheap, Inc. | US | malicious |
276 | explorer.exe | 47.91.239.71:80 | www.wzkns.com | Alibaba (China) Technology Co., Ltd. | HK | malicious |
276 | explorer.exe | 52.58.78.16:80 | www.bluflo.com | Amazon.com, Inc. | DE | whitelisted |
— | — | 192.0.78.25:80 | www.browndogtrading.com | Automattic, Inc | US | malicious |
276 | explorer.exe | 47.96.113.13:80 | www.wash.ltd | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
276 | explorer.exe | 192.0.78.25:80 | www.browndogtrading.com | Automattic, Inc | US | malicious |
— | — | 50.63.202.43:80 | www.conbrio.life | GoDaddy.com, LLC | US | malicious |
276 | explorer.exe | 50.63.202.43:80 | www.conbrio.life | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.wzkns.com |
| malicious |
www.nyamadotbantu.com |
| malicious |
www.healthywealthyandtravelwise.com |
| unknown |
www.pursemtb.com |
| malicious |
www.ultrastore.site |
| unknown |
www.pemasarankampoengkurma.com |
| malicious |
www.wash.ltd |
| malicious |
www.bluflo.com |
| malicious |
www.wwwjinsha247.com |
| unknown |
www.xn--boq6uq1s7l3a5u0abwl.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |