analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe.zip

Full analysis: https://app.any.run/tasks/7d8523cd-fad2-4058-b35e-3f2ee3a895cb
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: January 11, 2019, 02:48:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

85E1A4D16028759CF253A04BA621E299

SHA1:

C5FFF92FA9AACFD8F70FC52E23A0A9896EC26EDC

SHA256:

A5B35FEE27D749013CF9185FA6ED46A75BFCF7A2A7E2B34F4BEE77211CF08756

SSDEEP:

3072:FUM7oJ78IE3oIgsZl79E9xx1JswrF+pkvNRNPAas1ZC0lzxV9F6+WoepGO/63Nfb:emoE/BZlunx11rtTPAhfrlFz3Wo9frl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe (PID: 3464)
    • FORMBOOK was detected

      • explorer.exe (PID: 284)
    • Connects to CnC server

      • explorer.exe (PID: 284)
    • Changes the autorun value in the registry

      • NETSTAT.EXE (PID: 916)
    • Actions looks like stealing of personal data

      • NETSTAT.EXE (PID: 916)
    • Formbook was detected

      • NETSTAT.EXE (PID: 916)
      • Firefox.exe (PID: 3364)
    • Stealing of credential data

      • NETSTAT.EXE (PID: 916)
  • SUSPICIOUS

    • Uses NETSTAT.EXE to discover network connections

      • explorer.exe (PID: 284)
    • Starts CMD.EXE for commands execution

      • NETSTAT.EXE (PID: 916)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3484)
    • Creates files in the user directory

      • NETSTAT.EXE (PID: 916)
    • Loads DLL from Mozilla Firefox

      • NETSTAT.EXE (PID: 916)
  • INFO

    • Creates files in the user directory

      • Firefox.exe (PID: 3364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe
ZipUncompressedSize: 331776
ZipCompressedSize: 230926
ZipCRC: 0x1105df9c
ZipModifyDate: 2019:01:11 09:50:09
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe rfq#8373kacopy materials_migumi manufacturing.exe no specs #FORMBOOK netstat.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3484"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3464"C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exeWinRAR.exe
User:
admin
Company:
kASPERSkY LAb ZAO
Integrity Level:
MEDIUM
Description:
aUDACITY TEam
Exit code:
0
Version:
1.00
916"C:\Windows\System32\NETSTAT.EXE"C:\Windows\System32\NETSTAT.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3712/c del "C:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe"C:\Windows\System32\cmd.exeNETSTAT.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3364"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
NETSTAT.EXE
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
Total events
487
Read events
455
Write events
32
Delete events
0

Modification events

(PID) Process:(284) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3484) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exe.zip
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(284) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
Executable files
1
Suspicious files
77
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
916NETSTAT.EXEC:\Users\admin\AppData\Roaming\90MN02QE\90Mlogrc.inibinary
MD5:6A2D8FD600948CEFEA9C615AF9607BD5
SHA256:8A8A84891ECB2032320D1C0DE99FDCD94100DF10F352D9F96FD1B2433CD4D45B
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3484.41737\RFQ#8373KACOPY MATERIALS_MIGUMI MANUFACTURING.exeexecutable
MD5:D50A6AE9966872DC4962C4EA0FE8C720
SHA256:5CB2938458C4A42B6E57C66E5AD343E461AFB2C143352A69E499555D5AA1C335
916NETSTAT.EXEC:\Users\admin\AppData\Roaming\90MN02QE\90Mlogim.jpegimage
MD5:F1B3B5F081E9D906FAC10932D4F8BB71
SHA256:AA6E21D2AECE018BC3D582DFE366A0A32516C8190F6BC1D9891660BDCAFFAE0D
3364Firefox.exeC:\Users\admin\AppData\Roaming\90MN02QE\90Mlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
916NETSTAT.EXEC:\Users\admin\AppData\Roaming\90MN02QE\90Mlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
916NETSTAT.EXEC:\Users\admin\AppData\Roaming\90MN02QE\90Mlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
284
explorer.exe
GET
404
162.213.249.190:80
http://www.curitys.com/sl/?Mv18FTb=W/uOiPZNlETHq9Ymnqd0TLQ3X23BuGIfrKaAqSmi8RTaE2Kcpr/7O6euLpsR/xgWuxZ60A==&9rxd8=Gdj8-
US
html
326 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
284
explorer.exe
162.213.249.190:80
www.curitys.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.curitys.com
  • 162.213.249.190
malicious

Threats

PID
Process
Class
Message
284
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
284
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1 ETPRO signatures available at the full report
No debug info