Field | Value |
---|---|
Download | PURCHASE ORDER.lzh |
Full analysis | https://app.any.run/tasks/de23bfe7-1278-498e-8444-d1acf834516d |
Verdict | Malicious activity |
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy the FormBook virus. |
Analysis date | January 22, 2019, 17:41:21 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | CB81DD9A8C895E34DA57F1591C4C7477 |
SHA1 | 8B41800F27BD3501EA56C5556CDBE73A1DFDC632 |
SHA256 | A66BCFED1504E5657689999D59C9CE59EEE692554C66D8BB42F39CB21FAC42EE |
SSDEEP | 6144:YKIsAH6OSCLXBXfJ+aHu5MVYbmkuIMKPxd9dBLEZpk9oaQTSYeBp/kBaV6Kgz00i:YSAH6OPLBfJ1Hu5MVYaGMKJdOZp1T6/Z |
Extension | Detected file type (score) |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\cff4b80e-bbb3-40c5-8cfc-6e469cedb3f5.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
2996 | "C:\Users\admin\Desktop\PURCHASE ORDER.exe" | C:\Users\admin\Desktop\PURCHASE ORDER.exe | — | explorer.exe | User: admin; Company: Pinnacle West Capital Corp; Integrity Level: MEDIUM; Description: Application Server Command Line Admin Too; Exit code: 0; Version: 12.6.22.2 |
4068 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\Desktop\PURCHASE ORDER.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe" | C:\Windows\System32\cmd.exe | | PURCHASE ORDER.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2496 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe" | C:\Windows\System32\cmd.exe | — | PURCHASE ORDER.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3148 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | | cmd.exe | User: admin; Company: Pinnacle West Capital Corp; Integrity Level: MEDIUM; Description: Application Server Command Line Admin Too; Exit code: 0; Version: 12.6.22.2 |
3264 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | — | app.exe | User: admin; Company: Pinnacle West Capital Corp; Integrity Level: MEDIUM; Description: Application Server Command Line Admin Too; Exit code: 0; Version: 12.6.22.2 |
3800 | "C:\Windows\System32\dwm.exe" | C:\Windows\System32\dwm.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Desktop Window Manager; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2576 | /c del "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe" | C:\Windows\System32\cmd.exe | — | dwm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3324 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | | dwm.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 61.0.2 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2028 | explorer.exe | C:\Users\admin\Desktop\PURCHASE ORDER.exe | executable | 90BA753AD9B518A41ADF457F08070661 | 6D82C6AECDCD500E6D2F90CDFFC922F6FA3E1C27A9875C9DA252852A835E94F4 |
4068 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | executable | 90BA753AD9B518A41ADF457F08070661 | 6D82C6AECDCD500E6D2F90CDFFC922F6FA3E1C27A9875C9DA252852A835E94F4 |
2028 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | 7F5C4723E6C6FB6639AD1744ACBA72DE | 70AD27042A9BCE729592E56CE06CE208259221351B74EF14F5092D231FA0E2F1 |
2028 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\cff4b80e-bbb3-40c5-8cfc-6e469cedb3f5.rar.lnk | lnk | 05278A1839F9FA5C4771562BD40F7081 | E23C48136856A466C0EC6A495777ECE06438433A32CDBB747F7358D6E60895F6 |
3044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3044.42166\PURCHASE ORDER.exe | executable | 90BA753AD9B518A41ADF457F08070661 | 6D82C6AECDCD500E6D2F90CDFFC922F6FA3E1C27A9875C9DA252852A835E94F4 |
3800 | dwm.exe | C:\Users\admin\AppData\Roaming\L13QQC3E\L13logrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 |
2028 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | 601767F606F12C41BC3E22F9FC46E351 | 6E2BB28BD102051875AE2F0652D2E41B41AF2775A4C213D9A1F9896DA12392B9 |
2028 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat | dat | A884B83B968449D2462AEFBF7CA9CCEB | D78C64890308BB60B31900AD3CAEE2DB2D5E9B8DADA6098D63998C9F782075AB |
3324 | Firefox.exe | C:\Users\admin\AppData\Roaming\L13QQC3E\L13logrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A |
1592 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | executable | 90BA753AD9B518A41ADF457F08070661 | 6D82C6AECDCD500E6D2F90CDFFC922F6FA3E1C27A9875C9DA252852A835E94F4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2028 | explorer.exe | GET | — | 81.88.57.68:80 | http://www.my-financement.com/cu/?1b=p1um2x2awrdWxDuogR27tR6dMGPoltvHu5fZl/LgUKClkw2Js/1lx21OywqyzRUexysFeA==&PV=bl1TDBMX&sql=1 | IT | — | — | malicious |
2028 | explorer.exe | GET | — | 184.168.221.48:80 | http://www.trevorfetter.info/cu/?1b=QEXX3Vha/LFA1W4yfgnrhRSY4dHBT/5KY6lE5xBMLcQYuMtG6KyE1myNqYqa0uTFxpxNUg==&PV=bl1TDBMX&sql=1 | US | — | — | malicious |
2028 | explorer.exe | POST | — | 184.168.221.48:80 | http://www.trevorfetter.info/cu/ | US | — | — | malicious |
2028 | explorer.exe | POST | — | 184.168.221.48:80 | http://www.trevorfetter.info/cu/ | US | — | — | malicious |
2028 | explorer.exe | GET | 404 | 74.63.242.18:80 | http://www.invictnet.com/cu/?1b=4x9hiDMMBqRJOeV4nD4RuIc6oO02DiqRDcs3ioPu2jDwMxi4iYjZlJ7Fw8A5fh/yLXjigw==&PV=bl1TDBMX | US | html | 320 b | malicious |
2028 | explorer.exe | GET | — | 42.51.10.228:80 | http://www.xiaopangdashang.com/cu/?1b=pwOjNDcdZ/fLCpHqPGy78a52QHRvh++WZCSaKKihGh3UKww8afvtL6v3BtLe8uK/1vSGEg==&PV=bl1TDBMX&sql=1 | CN | — | — | malicious |
2028 | explorer.exe | POST | — | 81.88.57.68:80 | http://www.my-financement.com/cu/ | IT | — | — | malicious |
2028 | explorer.exe | POST | — | 192.64.115.82:80 | http://www.dronlac.com/cu/ | US | — | — | malicious |
2028 | explorer.exe | POST | — | 81.88.57.68:80 | http://www.my-financement.com/cu/ | IT | — | — | malicious |
2028 | explorer.exe | POST | — | 184.168.221.48:80 | http://www.trevorfetter.info/cu/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2028 | explorer.exe | 81.88.57.68:80 | www.my-financement.com | Register.it SpA | IT | malicious |
2028 | explorer.exe | 74.63.242.18:80 | www.invictnet.com | Limestone Networks, Inc. | US | suspicious |
2028 | explorer.exe | 42.51.10.228:80 | www.xiaopangdashang.com | Henan Telcom Union Technology Co., LTD | CN | malicious |
2028 | explorer.exe | 192.64.115.82:80 | www.dronlac.com | Namecheap, Inc. | US | malicious |
2028 | explorer.exe | 184.168.221.48:80 | www.trevorfetter.info | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.videomusikmp3.review | | unknown |
www.dirsphoabloi.biz | | unknown |
www.girlsinsocial.com | | unknown |
www.invictnet.com | | malicious |
www.trevorfetter.info | | malicious |
www.my-financement.com | | malicious |
www.xiaopangdashang.com | | malicious |
www.dronlac.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |