File name: | 70973273827.zip |
Full analysis: | https://app.any.run/tasks/30a0a179-430f-40fa-9e50-5f0b8d2e31bb |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | October 16, 2024, 19:39:57 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
MD5: | 4A0644ED3A1EC484BAEFF22D09CE2E41 |
SHA1: | 3C82490E661D224E089A4BE7FBD22EDD971357D5 |
SHA256: | A8AEC987E06C77A6F942D054E3AE9B5CA1524A76804CB702F25BB2B384576A4A |
SSDEEP: | 24576:SwWbjZ98xP28OKiOh9V7YO10xMGTY0FaNCztgDhqryaB1tXZxXlZHBpFZ7BXLk:Sw4l98x+8OKiOh9ZYO10xMGTY0gNCztg |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 70973273827.exe |
---|---|
ZipUncompressedSize: | 1297920 |
ZipCompressedSize: | 738394 |
ZipCRC: | 0xe90d95e2 |
ZipModifyDate: | 2024:10:15 10:27:58 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1160 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\70973273827.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
6236 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1160.43020\70973273827.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1160.43020\70973273827.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
5984 | C:\Windows\System32\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe | — | 70973273827.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Color Control Panel Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4236 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
2428 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6216 | "C:\Windows\SysWOW64\takeown.exe" | C:\Windows\SysWOW64\takeown.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Takes ownership of a file Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4032 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | takeown.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
2172 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4692 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (1160) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
(PID) Process: | (1160) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\70973273827.zip | |||
(PID) Process: | (1160) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (1160) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (1160) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (1160) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (6216) takeown.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (6216) takeown.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (6216) takeown.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: |
PID | Process | Filename | Type | |
---|---|---|---|---|
1160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1160.43020\70973273827.exe | executable | |
MD5:B4849613138E9FE5EE61112FB3A94ED5 | SHA256:70AA4F39BE71336CEDBA42E099127E7F2B626092A28DE0123747A426515EB384 | |||
6216 | takeown.exe | C:\Users\admin\AppData\Local\Temp\dGg-0-kL | sqlite | |
MD5:A45465CDCDC6CB30C8906F3DA4EC114C | SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
3788 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
6752 | SIHClient.exe | GET | 200 | 2.23.9.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
— | — | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1160 | WinRAR.exe | GET | 404 | 161.97.168.245:80 | http://www.98080753.xyz/eth5/?dL=rP5P45xZZ1/7FcUVWGgV+6/ZO6MpfjajuRWKRMBKl26wwcm/v5roWtgm33BJF8xpb4kfp7QdHQmzbzTt1acSQ7iNbxybmltoUbt6GUZbn3H+QiUSLD6G3Zt0Jww7NoXeduzinLI=&Ww7Xx=Y_htJi9e | unknown | — | — | unknown |
1160 | WinRAR.exe | POST | 404 | 161.97.168.245:80 | http://www.98080753.xyz/eth5/ | unknown | — | — | unknown |
1160 | WinRAR.exe | POST | 404 | 161.97.168.245:80 | http://www.98080753.xyz/eth5/ | unknown | — | — | unknown |
1160 | WinRAR.exe | GET | 200 | 3.33.130.190:80 | http://www.joshcharlesfitness.xyz/f2m8/?dL=q8u1m2y9j/W78LyjSxotGlAe++C026C5ZcIT7WbQRmUkJn/aUKn129a9SdOjfVpEuogWIbFDr3wrvEdEbURHbI4y9KegmpXXXGRAMcxEz0qVghK49oGROLw39JECHYSImiE1GV4=&Ww7Xx=Y_htJi9e | unknown | — | — | unknown |
1160 | WinRAR.exe | POST | 404 | 74.48.31.123:80 | http://www.facaicloud.top/dc1u/ | unknown | — | — | unknown |
— | — | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4360 | SearchApp.exe | 2.23.209.149:443 | www.bing.com | Akamai International B.V. | GB | unknown |
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
6944 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
— | — | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
th.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2172 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1160 | WinRAR.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
1160 | WinRAR.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
1160 | WinRAR.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
1160 | WinRAR.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
1160 | WinRAR.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
1160 | WinRAR.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
2172 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1160 | WinRAR.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
1160 | WinRAR.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |