File name: Invoice.ace
Full analysis: https://app.any.run/tasks/bb23b94c-4dc3-423e-9b18-70dd8ff6e353
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it.

Analysis date: April 15, 2019, 15:22:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, formbook
Indicators:
MIME: application/octet-stream
File info: ACE archive data version 20, from Win/32, version 20 to extract, solid
MD5: 968D03817842DF7D524D0FD43A00DA9A
SHA1: 517B6C617676E5A6491873C20F9F1D943782E68F
SHA256: A3357702D074BB915CC745A7FC89A79E1214CA99C7C22F8F1A33D16371E0B43A
SSDEEP: 12288:nrOARY33X4dDzGLocLL8Odsj63rLggWd5b/F5hiS+:rtmHgkokL5sO3rcXb/F3+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Invoice.exe (PID: 2864)
    • Application was dropped or rewritten from another process
      • Invoice.exe (PID: 2864)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3704)
      • Invoice.exe (PID: 2864)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .ace | ACE compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 33
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report): winrar.exe (start) → invoice.exe (drop and start)

Process information

PID: 3704
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.ace"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2864
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3704.33639\Invoice.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3704.33639\Invoice.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Total events: 782
Read events: 758
Write events: 24
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3704 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Invoice.ace
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Count | 0
3704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Name | 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B5E7961787E743976747217171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3704.33639\Invoice.exe | executable
  MD5: A339C9303D009069CB231E291B323F79
  SHA256: 4B1327E78FE1BC511D819C77C17611D3C97D1D6CE55484AD22BB6FE2C869CA41
3704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3704.32708\Invoice.exe | executable
  MD5: A339C9303D009069CB231E291B323F79
  SHA256: 4B1327E78FE1BC511D819C77C17611D3C97D1D6CE55484AD22BB6FE2C869CA41
2864 | Invoice.exe | C:\Users\admin\AppData\Local\Temp\nsnDBC7.tmp\System.dll | executable
  MD5: B0C77267F13B2F87C084FD86EF51CCFC
  SHA256: A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 18
DNS requests: 12
Threats: 0

HTTP requests

Method | IP | URL | CN | Reputation
GET | 101.200.62.242:80 | http://www.leyakids.com/c172/?jLSdc=JvNTV0bCGHNMoPHtvCP3yPp52PM9JHblonM7jdZb9m6ZEYKuuWdEXhH4hkbAHSkSzZ4S7w==&JBcx=Dx4pLt206pmx&sql=1 | CN | malicious
GET | 157.7.107.112:80 | http://www.mahonishimura.com/c172/?jLSdc=ZAkazBG7ZW+A/caEBTjMMEg5zjsjF2I4vPVTxDSe7Gti5QfJyGR7TqbpOv2xqXCSvRRJmg==&JBcx=Dx4pLt206pmx&sql=1 | JP | malicious
POST | 157.7.107.112:80 | http://www.mahonishimura.com/c172/ | JP | malicious
POST | 101.200.62.242:80 | http://www.leyakids.com/c172/ | CN | malicious
POST | 101.200.62.242:80 | http://www.leyakids.com/c172/ | CN | malicious
GET | 50.63.202.33:80 | http://www.dronevegas.info/c172/?jLSdc=GsrMgkYrmBWJ9t1+GtrcA/tc97lIOu0lQ+kEwM7cz1SbNCaUywPiZOVK72HtjlwIHHqNig==&JBcx=Dx4pLt206pmx&sql=1 | US | malicious
POST | 157.7.107.112:80 | http://www.mahonishimura.com/c172/ | JP | malicious
POST | 101.200.62.242:80 | http://www.leyakids.com/c172/ | CN | malicious
GET | 154.220.98.34:80 | http://www.roybans.com/c172/?jLSdc=qa5xxjh39w3mLWZRvCD0wEKPw+OxchgvX6Lz9G5GOVnkpExIjfx9FbDOIUgAGGNP0X8GBQ==&JBcx=Dx4pLt206pmx&sql=1 | US | malicious
GET | 172.107.114.153:80 | http://www.ketocureme.com/c172/?jLSdc=sS6Dr6HD7m3deEVtjBzOHPQvg/D8PMofMY5UmRS/n/qzc9DoY7JkX1wx2WrQ1OoqiGY3Ug==&JBcx=Dx4pLt206pmx&sql=1 | US | malicious

Connections

IP | Domain | ASN | CN | Reputation
157.7.107.112:80 | www.mahonishimura.com | GMO Internet,Inc | JP | malicious
101.200.62.242:80 | www.leyakids.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
188.165.53.185:80 | www.cosidor.net | OVH SAS | FR | malicious
172.107.114.153:80 | www.ketocureme.com | Psychz Networks | US | malicious
50.63.202.33:80 | www.dronevegas.info | GoDaddy.com, LLC | US | malicious
154.220.98.34:80 | www.roybans.com | MULTACOM CORPORATION | US | malicious

DNS requests

Domain | IP | Reputation
www.cuttingchaistudio.info | | unknown
www.cosidor.net | 188.165.53.185 | malicious
www.informacaocuriosa.com | | unknown
www.leyakids.com | 101.200.62.242 | malicious
www.mahonishimura.com | 157.7.107.112 | malicious
www.dronevegas.info | 50.63.202.33 | malicious
www.lingdachu.com | | unknown
www.cheap-tankless-waterheater.com | | unknown
www.acbandung.com | | unknown
www.roybans.com | 154.220.98.34 | malicious

Threats

Class | Message
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
12 ETPRO signatures available at the full report
No debug info