File name: | Invoice.ace |
Full analysis: | https://app.any.run/tasks/bb23b94c-4dc3-423e-9b18-70dd8ff6e353 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | April 15, 2019, 15:22:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, solid |
MD5: | 968D03817842DF7D524D0FD43A00DA9A |
SHA1: | 517B6C617676E5A6491873C20F9F1D943782E68F |
SHA256: | A3357702D074BB915CC745A7FC89A79E1214CA99C7C22F8F1A33D16371E0B43A |
SSDEEP: | 12288:nrOARY33X4dDzGLocLL8Odsj63rLggWd5b/F5hiS+:rtmHgkokL5sO3rcXb/F3+ |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3704 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2864 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3704.33639\Invoice.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3704.33639\Invoice.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM |
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Invoice.ace | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
Operation: | write | Name: | Count |
Value: 0 | |||
(PID) Process: | (3704) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
Operation: | write | Name: | Name |
Value: 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B5E7961787E747239767472171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3704.33639\Invoice.exe | executable | |
MD5:A339C9303D009069CB231E291B323F79 | SHA256:4B1327E78FE1BC511D819C77C17611D3C97D1D6CE55484AD22BB6FE2C869CA41 | |||
3704 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3704.32708\Invoice.exe | executable | |
MD5:A339C9303D009069CB231E291B323F79 | SHA256:4B1327E78FE1BC511D819C77C17611D3C97D1D6CE55484AD22BB6FE2C869CA41 | |||
2864 | Invoice.exe | C:\Users\admin\AppData\Local\Temp\nsnDBC7.tmp\System.dll | executable | |
MD5:B0C77267F13B2F87C084FD86EF51CCFC | SHA256:A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 101.200.62.242:80 | http://www.leyakids.com/c172/?jLSdc=JvNTV0bCGHNMoPHtvCP3yPp52PM9JHblonM7jdZb9m6ZEYKuuWdEXhH4hkbAHSkSzZ4S7w==&JBcx=Dx4pLt206pmx&sql=1 | CN | — | — | malicious |
— | — | GET | — | 157.7.107.112:80 | http://www.mahonishimura.com/c172/?jLSdc=ZAkazBG7ZW+A/caEBTjMMEg5zjsjF2I4vPVTxDSe7Gti5QfJyGR7TqbpOv2xqXCSvRRJmg==&JBcx=Dx4pLt206pmx&sql=1 | JP | — | — | malicious |
— | — | POST | — | 157.7.107.112:80 | http://www.mahonishimura.com/c172/ | JP | — | — | malicious |
— | — | POST | — | 101.200.62.242:80 | http://www.leyakids.com/c172/ | CN | — | — | malicious |
— | — | POST | — | 101.200.62.242:80 | http://www.leyakids.com/c172/ | CN | — | — | malicious |
— | — | GET | — | 50.63.202.33:80 | http://www.dronevegas.info/c172/?jLSdc=GsrMgkYrmBWJ9t1+GtrcA/tc97lIOu0lQ+kEwM7cz1SbNCaUywPiZOVK72HtjlwIHHqNig==&JBcx=Dx4pLt206pmx&sql=1 | US | — | — | malicious |
— | — | POST | — | 157.7.107.112:80 | http://www.mahonishimura.com/c172/ | JP | — | — | malicious |
— | — | POST | — | 101.200.62.242:80 | http://www.leyakids.com/c172/ | CN | — | — | malicious |
— | — | GET | — | 154.220.98.34:80 | http://www.roybans.com/c172/?jLSdc=qa5xxjh39w3mLWZRvCD0wEKPw+OxchgvX6Lz9G5GOVnkpExIjfx9FbDOIUgAGGNP0X8GBQ==&JBcx=Dx4pLt206pmx&sql=1 | US | — | — | malicious |
— | — | GET | — | 172.107.114.153:80 | http://www.ketocureme.com/c172/?jLSdc=sS6Dr6HD7m3deEVtjBzOHPQvg/D8PMofMY5UmRS/n/qzc9DoY7JkX1wx2WrQ1OoqiGY3Ug==&JBcx=Dx4pLt206pmx&sql=1 | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 157.7.107.112:80 | www.mahonishimura.com | GMO Internet,Inc | JP | malicious |
— | — | 101.200.62.242:80 | www.leyakids.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
— | — | 188.165.53.185:80 | www.cosidor.net | OVH SAS | FR | malicious |
— | — | 172.107.114.153:80 | www.ketocureme.com | Psychz Networks | US | malicious |
— | — | 50.63.202.33:80 | www.dronevegas.info | GoDaddy.com, LLC | US | malicious |
— | — | 154.220.98.34:80 | www.roybans.com | MULTACOM CORPORATION | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.cuttingchaistudio.info |
| unknown |
www.cosidor.net |
| malicious |
www.informacaocuriosa.com |
| unknown |
www.leyakids.com |
| malicious |
www.mahonishimura.com |
| malicious |
www.dronevegas.info |
| malicious |
www.lingdachu.com |
| unknown |
www.cheap-tankless-waterheater.com |
| unknown |
www.acbandung.com |
| unknown |
www.roybans.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |