| Field | Value |
|---|---|
| File name | RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe.zip |
| Full analysis | https://app.any.run/tasks/7d8523cd-fad2-4058-b35e-3f2ee3a895cb |
| Verdict | Malicious activity |
| Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. |
| Analysis date | January 11, 2019, 02:48:16 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 85E1A4D16028759CF253A04BA621E299 |
| SHA1 | C5FFF92FA9AACFD8F70FC52E23A0A9896EC26EDC |
| SHA256 | A5B35FEE27D749013CF9185FA6ED46A75BFCF7A2A7E2B34F4BEE77211CF08756 |
| SSDEEP | 3072:FUM7oJ78IE3oIgsZl79E9xx1JswrF+pkvNRNPAas1ZC0lzxV9F6+WoepGO/63Nfb:emoE/BZlunx11rtTPAhfrlFz3Wo9frl |

| Extension | Detected type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipFileName | RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe |
| ZipUncompressedSize | 331776 |
| ZipCompressedSize | 230926 |
| ZipCRC | 0x1105df9c |
| ZipModifyDate | 2019:01:11 09:50:09 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0009 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3484 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3464 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe | — | WinRAR.exe | User: admin; Company: kASPERSkY LAb ZAO; Integrity Level: MEDIUM; Description: aUDACITY TEam; Exit code: 0; Version: 1.00 |
| 916 | "C:\Windows\System32\NETSTAT.EXE" | C:\Windows\System32\NETSTAT.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Netstat Command; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3712 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe" | C:\Windows\System32\cmd.exe | — | NETSTAT.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3364 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | NETSTAT.EXE | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 61.0.2 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 284 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
| 3484 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe.zip |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 3484 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 284 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList | a | WinRAR.exe |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 916 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\90MN02QE\90Mlogrc.ini | binary | 6A2D8FD600948CEFEA9C615AF9607BD5 | 8A8A84891ECB2032320D1C0DE99FDCD94100DF10F352D9F96FD1B2433CD4D45B |
| 3484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe | executable | D50A6AE9966872DC4962C4EA0FE8C720 | 5CB2938458C4A42B6E57C66E5AD343E461AFB2C143352A69E499555D5AA1C335 |
| 916 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\90MN02QE\90Mlogim.jpeg | image | F1B3B5F081E9D906FAC10932D4F8BB71 | AA6E21D2AECE018BC3D582DFE366A0A32516C8190F6BC1D9891660BDCAFFAE0D |
| 3364 | Firefox.exe | C:\Users\admin\AppData\Roaming\90MN02QE\90Mlogrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A |
| 916 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\90MN02QE\90Mlogri.ini | binary | D63A82E5D81E02E399090AF26DB0B9CB | EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE |
| 916 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\90MN02QE\90Mlogrv.ini | binary | BA3B6BC807D4F76794C4B81B09BB9BA5 | 6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 284 | explorer.exe | GET | 404 | 162.213.249.190:80 | http://www.curitys.com/sl/?Mv18FTb=W/uOiPZNlETHq9Ymnqd0TLQ3X23BuGIfrKaAqSmi8RTaE2Kcpr/7O6euLpsR/xgWuxZ60A==&9rxd8=Gdj8- | US | html | 326 b | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 284 | explorer.exe | 162.213.249.190:80 | www.curitys.com | Namecheap, Inc. | US | malicious |

| Domain | IP | Reputation |
|---|---|---|
| www.curitys.com | 162.213.249.190 | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 284 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
| 284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
| 284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |