analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

infecScan 131019 US$.ace

Full analysis: https://app.any.run/tasks/718f164f-270e-4b71-8f98-e5851061c9ba
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 04:14:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/octet-stream
File info: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5:

5CD35CB057146CF2496F0F286C04650F

SHA1:

7D0A293C9F151F714011E5B3F208A45F769DA01E

SHA256:

A1A2DF680A572C2F7553C56A0B9E70712604FA3ED26D80FB2B0054D558F27E4B

SSDEEP:

3072:e3pK6JESIno8wVa+FFxZeF+jz6Hg4UK44y8rQMhNt9yb7le8Kxw:epuSRhLPmIjeHgATyY5hNtkHw8KG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Scan 131019 $.exe (PID: 1768)
      • Scan 131019 $.exe (PID: 2416)

    • Connects to CnC server

      • explorer.exe (PID: 352)

    • FORMBOOK was detected

      • wscript.exe (PID: 2608)
      • explorer.exe (PID: 352)
      • Firefox.exe (PID: 2484)

    • Changes the autorun value in the registry

      • wscript.exe (PID: 2608)

    • Actions looks like stealing of personal data

      • wscript.exe (PID: 2608)

    • Stealing of credential data

      • wscript.exe (PID: 2608)

  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 352)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 504)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2608)

    • Loads DLL from Mozilla Firefox

      • wscript.exe (PID: 2608)

    • Creates files in the user directory

      • wscript.exe (PID: 2608)

  • INFO

    • Manual execution by user

      • wscript.exe (PID: 2608)

    • Reads the hosts file

      • wscript.exe (PID: 2608)

    • Creates files in the user directory

      • Firefox.exe (PID: 2484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ace | ACE compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe scan 131019 $.exe no specs #FORMBOOK wscript.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs scan 131019 $.exe no specs napstat.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
504"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\infecScan 131019 US$.ace"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1768"C:\Users\admin\AppData\Local\Temp\Rar$EXa504.48928\Scan 131019 $.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa504.48928\Scan 131019 $.exeWinRAR.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Exit code:
0
Version:
10.0.0.396
2608"C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3124/c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa504.48928\Scan 131019 $.exe"C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2484"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wscript.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
2416"C:\Users\admin\AppData\Local\Temp\Rar$EXa504.3377\Scan 131019 $.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa504.3377\Scan 131019 $.exeWinRAR.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Exit code:
0
Version:
10.0.0.396
3172"C:\Windows\System32\NAPSTAT.EXE"C:\Windows\System32\NAPSTAT.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Access Protection Client UI
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
497
Read events
444
Write events
53
Delete events
0

Modification events

(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(504) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\infecScan 131019 US$.ace
(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(504) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ace\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ace\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
2
Suspicious files
73
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2608wscript.exeC:\Users\admin\AppData\Roaming\J3RN409E\J3Rlogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa504.48928\Scan 131019 $.exeexecutable
MD5:5B6D2D208574C73E8C3D699B32643120
SHA256:66830D289C73488F2C5C9206D480771830C31ADEBC3B818EA1A844D87E3B3E13
2608wscript.exeC:\Users\admin\AppData\Roaming\J3RN409E\J3Rlogim.jpegimage
MD5:30649829A126D41434D0A4D6CDD5A9A4
SHA256:D22362E1D511460BCFD3D5132A1688BBCAC24CC8037D68D6E8FEE23A8E8698D2
2484Firefox.exeC:\Users\admin\AppData\Roaming\J3RN409E\J3Rlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
2608wscript.exeC:\Users\admin\AppData\Roaming\J3RN409E\J3Rlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
2608wscript.exeC:\Users\admin\AppData\Roaming\J3RN409E\J3Rlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa504.3377\Scan 131019 $.exeexecutable
MD5:5B6D2D208574C73E8C3D699B32643120
SHA256:66830D289C73488F2C5C9206D480771830C31ADEBC3B818EA1A844D87E3B3E13
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
301
136.243.64.86:80
http://www.healthlife4u.com/us/?yVftlxDh=sMcqe9GXsoYPR0ZU9BLHJHv2andjRWJR2DPff7W2Hp8eJrzG92J3guDs4mr0pRQsCiuBqA==&2d3=o8TpZlH
DE
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
136.243.64.86:80
www.healthlife4u.com
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
www.healthlife4u.com
  • 136.243.64.86
malicious

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
infecScan 131019 US$.ace