analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

shipping quote1232_pdf.zip

Full analysis: https://app.any.run/tasks/57f991b2-1caf-45cc-a1e0-98156bb8fb4d
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 07:54:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
trojan
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

167D29FD346B734B545586D15C291D79

SHA1:

10B16D594A426B9FCEE9B39F693262A3DC378B0E

SHA256:

B937A3F01C12690106D2A5C9A85E8793852B2F63A134A50C0BA8AB25080DB2D1

SSDEEP:

24576:2M3vNPUzs2zqX2UXFpdzghOQKeSyBmjidorWLAvu2xfkMlit:x1czsLXtQOc1EEMfHlit

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Shipping quote1232_pdf.exe (PID: 1348)
      • Shipping quote1232_pdf.exe (PID: 2720)

    • Changes the autorun value in the registry

      • msdt.exe (PID: 3620)

    • FORMBOOK was detected

      • msdt.exe (PID: 3620)
      • explorer.exe (PID: 372)
      • Firefox.exe (PID: 2692)

    • Connects to CnC server

      • explorer.exe (PID: 372)

    • Actions looks like stealing of personal data

      • msdt.exe (PID: 3620)

    • Stealing of credential data

      • msdt.exe (PID: 3620)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • msdt.exe (PID: 3620)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3808)

    • Application launched itself

      • Shipping quote1232_pdf.exe (PID: 1348)

    • Creates files in the user directory

      • msdt.exe (PID: 3620)

    • Loads DLL from Mozilla Firefox

      • msdt.exe (PID: 3620)

  • INFO

    • Manual execution by user

      • msdt.exe (PID: 3620)

    • Reads the hosts file

      • msdt.exe (PID: 3620)

    • Creates files in the user directory

      • Firefox.exe (PID: 2692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Shipping quote1232_pdf.exe
ZipUncompressedSize: 1630208
ZipCompressedSize: 1203925
ZipCRC: 0x9742d8ce
ZipModifyDate: 2020:03:31 00:14:13
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe shipping quote1232_pdf.exe no specs shipping quote1232_pdf.exe no specs #FORMBOOK msdt.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3808"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\shipping quote1232_pdf.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1348"C:\Users\admin\AppData\Local\Temp\Rar$EXa3808.10821\Shipping quote1232_pdf.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3808.10821\Shipping quote1232_pdf.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2720"C:\Users\admin\AppData\Local\Temp\Rar$EXa3808.10821\Shipping quote1232_pdf.exe"C:\Users\admin\AppData\Local\Temp\Rar$EXa3808.10821\Shipping quote1232_pdf.exeShipping quote1232_pdf.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3620"C:\Windows\System32\msdt.exe"C:\Windows\System32\msdt.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1844/c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa3808.10821\Shipping quote1232_pdf.exe"C:\Windows\System32\cmd.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
372C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2692"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
msdt.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
464
Read events
444
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
73
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3808WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3808.10821\Shipping quote1232_pdf.exeexecutable
MD5:1A57837884026FE553D0E3A6A15745E4
SHA256:EDB85A186B4CC1AB193C58BE14B486B3FB2AF8D76A8EE14C9DB52E5D4221EC07
3620msdt.exeC:\Users\admin\AppData\Roaming\4QN086VE\4QNlogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
2692Firefox.exeC:\Users\admin\AppData\Roaming\4QN086VE\4QNlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
3620msdt.exeC:\Users\admin\AppData\Roaming\4QN086VE\4QNlogim.jpegimage
MD5:D8F25D86631FEB8D521D49B1752E9CC7
SHA256:A77D986E5BDFFD0DCBB0E8402E31E6B214AAA75C261365B179EF12490AFD42FE
3620msdt.exeC:\Users\admin\AppData\Roaming\4QN086VE\4QNlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
3620msdt.exeC:\Users\admin\AppData\Roaming\4QN086VE\4QNlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
21
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
372
explorer.exe
GET
198.54.117.210:80
http://www.matabishi.com/k8g/?0ph=KXYIa96KmMLkH/9ukUAZ9nByBsayi1UQmYcHYFNcpj2uJC2CRbRNPGCNFNU/4ae7xcfw8w==&00=Kxd09b7XJ
US
malicious
372
explorer.exe
GET
184.168.221.88:80
http://www.guideonwebs.com/k8g/?0ph=Xn9dmeINecPQ+IwFR1eHYb2x98hoRafi5f8Y11XvFF/o1l0h7/6YQbHiuLp49VJQqg2HJQ==&00=Kxd09b7XJ
US
malicious
372
explorer.exe
POST
184.168.221.88:80
http://www.guideonwebs.com/k8g/
US
malicious
372
explorer.exe
POST
184.168.221.88:80
http://www.guideonwebs.com/k8g/
US
malicious
372
explorer.exe
POST
198.54.117.210:80
http://www.matabishi.com/k8g/
US
malicious
372
explorer.exe
POST
23.20.239.12:80
http://www.sanfranciscosound.com/k8g/
US
shared
372
explorer.exe
GET
404
199.192.27.69:80
http://www.crokve.com/k8g/?0ph=w8ILsvv3aNSoYaKuumFxw/bvUZnFs5YeE+MmwZxEWouYUXZUHG/ymXGvzPuQAr2Rb5Hjyg==&00=Kxd09b7XJ
US
html
327 b
malicious
372
explorer.exe
GET
302
23.20.239.12:80
http://www.sanfranciscosound.com/k8g/?0ph=HFT/yqDra9GCYrZMXg9yOuPz9+GBS5G6qwo4xxaIGSDg11JlZ0lUqJWlINryMEVwAIzuOQ==&00=Kxd09b7XJ
US
html
193 b
shared
372
explorer.exe
POST
199.192.27.69:80
http://www.crokve.com/k8g/
US
malicious
372
explorer.exe
POST
404
199.192.27.69:80
http://www.crokve.com/k8g/
US
html
291 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
372
explorer.exe
154.90.167.87:80
www.xuanyu-tj.com
MULTACOM CORPORATION
US
malicious
372
explorer.exe
184.168.221.88:80
www.guideonwebs.com
GoDaddy.com, LLC
US
malicious
372
explorer.exe
199.192.27.69:80
www.crokve.com
US
malicious
372
explorer.exe
198.54.117.210:80
www.matabishi.com
Namecheap, Inc.
US
malicious
372
explorer.exe
23.20.239.12:80
www.sanfranciscosound.com
Amazon.com, Inc.
US
shared
372
explorer.exe
103.247.11.208:80
www.mediamazballon.com
Rumahweb Indonesia CV.
ID
malicious

DNS requests

Domain
IP
Reputation
www.xuanyu-tj.com
  • 154.90.167.87
malicious
www.crokve.com
  • 199.192.27.69
malicious
www.guideonwebs.com
  • 184.168.221.88
malicious
www.accstandard.com
unknown
www.sanfranciscosound.com
  • 23.20.239.12
shared
www.matabishi.com
  • 198.54.117.210
  • 198.54.117.218
  • 198.54.117.216
  • 198.54.117.212
  • 198.54.117.217
  • 198.54.117.211
  • 198.54.117.215
malicious
www.mediamazballon.com
  • 103.247.11.208
malicious

Threats

PID
Process
Class
Message
372
explorer.exe
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
372
explorer.exe
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
372
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
16 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
shipping quote1232_pdf.zip