File name: | RFQ for quotation.rar |
Full analysis: | https://app.any.run/tasks/b3724f73-579f-47b8-8ea6-af0a638f96ab |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | March 31, 2020, 07:49:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 67B7F7BA367AC389DF1E00981FD22E3F |
SHA1: | ED79A201925FCC073F9A36F0F2E9D6729683F7E2 |
SHA256: | B1F08F3421D9CFEA602520D7F3A475AF2D4283B25A1F0D915C7F3B18EE0CD985 |
SSDEEP: | 768:9RNLauSCeXdjdYkQHhBo7HfoPe+W/2rTXgSWB:TNLLSCetjOHyfVT+bWB |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ for quotation.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2876 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.34749\RFQ for quotation.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.34749\RFQ for quotation.exe | — | WinRAR.exe |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: Anterin3 Exit code: 0 Version: 1.00 | ||||
3912 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.34749\RFQ for quotation.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.34749\RFQ for quotation.exe | RFQ for quotation.exe | |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: Anterin3 Exit code: 0 Version: 1.00 | ||||
2608 | "C:\Windows\System32\wuauclt.exe" | C:\Windows\System32\wuauclt.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Update Version: 7.5.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3524 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.34749\RFQ for quotation.exe" | C:\Windows\System32\cmd.exe | — | wuauclt.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
372 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1848 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | wuauclt.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
3360 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.43777\RFQ for quotation.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.43777\RFQ for quotation.exe | — | WinRAR.exe |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: Anterin3 Exit code: 0 Version: 1.00 | ||||
2764 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.43777\RFQ for quotation.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.43777\RFQ for quotation.exe | — | RFQ for quotation.exe |
User: admin Company: WONDerware Integrity Level: MEDIUM Description: Anterin3 Version: 1.00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\Local\Temp\CabAB7B.tmp | — | |
MD5:— | SHA256:— | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\Local\Temp\TarAB7C.tmp | — | |
MD5:— | SHA256:— | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | binary | |
MD5:E0F181B96417F67AFA7382EED5885691 | SHA256:8222C47CB79943D44AFCC86248B64729F9E03A41C835BC479D0B57F2240E1AA1 | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | |
MD5:2B89E3AE041D1BB60B361732B444DE2E | SHA256:7959752A4894328216AAD879A721A57E80E3B234CCC6E9E22ADADA9304146BFA | |||
2608 | wuauclt.exe | C:\Users\admin\AppData\Roaming\9389QUSF\938logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29 | der | |
MD5:75D636BF532AFFBC75F461235C3B4D5C | SHA256:727247C8DCAC2B6B8A4F5890F1BCE6F8AF87B49BC38F97308E706A6A313B66AF | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | |
MD5:E550DA03AEE5B546B436CD553D3233B9 | SHA256:9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7 | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | der | |
MD5:F26B1B29960D99AD1C44E71E3D2ABE4C | SHA256:7910B27AFDEE20EA27C4FA19221B1B63E00235E261E1A3FB9F1FB3456CBBB7AC | |||
2564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2564.34749\RFQ for quotation.exe | executable | |
MD5:79CE577FA36E015A65D873A97F747BFC | SHA256:79220F4BAF3CD0F1DC1727AFFFC0578837F05B3EE7D587D5616EF45881B27AE2 | |||
3912 | RFQ for quotation.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5PFFYNVE.txt | text | |
MD5:B7FAD8A159A9F929AB5EF58E84D481D5 | SHA256:A48C7A34EDD64C37FF62925D5ACC5C2264779BFFC14BB0E4842AC14093FFC0BC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3912 | RFQ for quotation.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3912 | RFQ for quotation.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted |
3912 | RFQ for quotation.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFOOHQjK5IlqCAAAAAAyCmA%3D | US | der | 471 b | whitelisted |
372 | explorer.exe | GET | 301 | 217.76.130.148:80 | http://www.ussecorp.com/k19/?q4N=iI9gZg3Bjo8jADwQPCawrcP6hlQTIvOzbu4SAOAxTT40ioNFbLFdphHDRZ4WyC7VGb1C8Q==&rTXd=LLrHh | ES | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3912 | RFQ for quotation.exe | 172.217.21.193:443 | doc-00-bk-docs.googleusercontent.com | Google Inc. | US | whitelisted |
3912 | RFQ for quotation.exe | 172.217.21.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3912 | RFQ for quotation.exe | 172.217.23.110:443 | drive.google.com | Google Inc. | US | whitelisted |
372 | explorer.exe | 217.76.130.148:80 | www.ussecorp.com | 1&1 Internet SE | ES | malicious |
Domain | IP | Reputation |
---|---|---|
drive.google.com |
| shared |
ocsp.pki.goog |
| whitelisted |
doc-00-bk-docs.googleusercontent.com |
| shared |
www.lxtcss.com |
| unknown |
www.ussecorp.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |