File name:

Wire_Slip_pdf.exe.bz2

Full analysis: https://app.any.run/tasks/2e49ea5f-1e86-4de6-9c5c-f9e5e2d10c08
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: May 27, 2020, 17:50:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-bzip2
File info: bzip2 compressed data, block size = 900k
MD5:

738B83ABDCDB6462DBCF3B6B17E743DE

SHA1:

E203B4F05EBFB4B1A97573353D48464D7626BE19

SHA256:

C0D3574A4C99D94A21FDCE3FF06F1186EF8980372320FA45603FC10F2DD496A5

SSDEEP:

6144:TzkSADm20B8DLItJffd6bePfii59nWYvRfe8J:TzkSADFrDLCV6yPfZbWAfr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Wire_Slip_pdf.exe (PID: 3072)
      • regsvchtg8in.exe (PID: 1668)
    • Changes the autorun value in the registry

      • lsm.exe (PID: 2580)
    • FORMBOOK was detected

      • lsm.exe (PID: 2580)
      • explorer.exe (PID: 312)
      • Firefox.exe (PID: 1628)
    • Connects to CnC server

      • explorer.exe (PID: 312)
    • Actions looks like stealing of personal data

      • lsm.exe (PID: 2580)
    • Stealing of credential data

      • lsm.exe (PID: 2580)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • lsm.exe (PID: 2580)
    • Creates files in the user directory

      • explorer.exe (PID: 312)
      • lsm.exe (PID: 2580)
    • Loads DLL from Mozilla Firefox

      • lsm.exe (PID: 2580)
    • Creates files in the program directory

      • DllHost.exe (PID: 2652)
    • Executable content was dropped or overwritten

      • DllHost.exe (PID: 2652)
      • explorer.exe (PID: 312)
    • Executed via COM

      • DllHost.exe (PID: 2652)
  • INFO

    • Manual execution by user

      • Wire_Slip_pdf.exe (PID: 3072)
      • lsm.exe (PID: 2580)
    • Reads the hosts file

      • lsm.exe (PID: 2580)
    • Creates files in the user directory

      • Firefox.exe (PID: 1628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bz2/bzip2 | bzip2 compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs wire_slip_pdf.exe no specs #FORMBOOK lsm.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object regsvchtg8in.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2412"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Wire_Slip_pdf.exe.bz2"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3072"C:\Users\admin\Desktop\Wire_Slip_pdf.exe" C:\Users\admin\Desktop\Wire_Slip_pdf.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2580"C:\Windows\System32\lsm.exe"C:\Windows\System32\lsm.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Local Session Manager Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2884/c del "C:\Users\admin\Desktop\Wire_Slip_pdf.exe"C:\Windows\System32\cmd.exelsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
312C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1628"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
lsm.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
2652C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1668"C:\Program Files\Opr2pln\regsvchtg8in.exe"C:\Program Files\Opr2pln\regsvchtg8in.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
3 062
Read events
3 013
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
73
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2412WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2412.17366\Wire_Slip_pdf.exe
MD5:
SHA256:
2580lsm.exeC:\Users\admin\AppData\Roaming\651AO9PC\651logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
312explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-msautomaticdestinations-ms
MD5:331C63F43B123BBFA883F38834A39C40
SHA256:4CDCB2EAC34611745906FFA9D43C3CBDD7BFEFC7A10B8D2C4B08635C23C2635A
312explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Wire_Slip_pdf.exe.bz2.lnklnk
MD5:DEE187D7F1DAB405DD2BF40D92412FA0
SHA256:A7F4B45257084E9FCDA5BCDD565EF8F401BF2C3B5296129A03F996DC6109DE1B
312explorer.exeC:\Users\admin\Desktop\Wire_Slip_pdf.exeexecutable
MD5:4E27900568769C906D602CAAB43A6045
SHA256:A4D34995DBE67A24B6BCC4DD52845DE151673EA8CB24640240906518707E99C6
312explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:39BD070E1C9C7677EBDA03A00C2A0DE4
SHA256:3232C28F27D1002DB447F02AA72B05EA2DF8BC05D21A9BADF1DD548F4C18643E
2580lsm.exeC:\Users\admin\AppData\Roaming\651AO9PC\651logri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
2580lsm.exeC:\Users\admin\AppData\Roaming\651AO9PC\651logim.jpegimage
MD5:32221A14176E80FF7227A804509B72AA
SHA256:A1706ABEFC4A1B9F9C274A3077926CF3966C2ED4831481A4B19B9183A3B99C96
2652DllHost.exeC:\Program Files\Opr2pln\regsvchtg8in.exeexecutable
MD5:4E27900568769C906D602CAAB43A6045
SHA256:A4D34995DBE67A24B6BCC4DD52845DE151673EA8CB24640240906518707E99C6
2580lsm.exeC:\Users\admin\AppData\Roaming\651AO9PC\651logrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
17
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
312
explorer.exe
GET
301
35.242.251.130:80
http://www.mcarselloteachingportfolio.com/ssr/?uzpD=M9DeyV41VEVME5TZQcIYacosWApjjzBtEVOj9nq26s2n2p1N1EKwJ81DAsjdy/mDduwe3A==&4h=W6QlrtLh5B2LXLvP&sql=1
US
malicious
312
explorer.exe
GET
184.168.221.63:80
http://www.pixelcinematography.com/ssr/?uzpD=oTkxNe6AbmdgpyKsE/WO73RQkVFEA4f5DW2bnEFjN8qXW8eITtwkuk9UNGSkfzxKXe4fyg==&4h=W6QlrtLh5B2LXLvP&sql=1
US
malicious
312
explorer.exe
GET
404
63.250.47.83:80
http://www.glamotd.com/ssr/?uzpD=9TZRYUq2eUCQ+8ek9izORiiODnWQ99Dx3Jw5Ozl1S9DDzAcL4pglPlF24+XaTVVoQVtaFw==&4h=W6QlrtLh5B2LXLvP
US
html
327 b
malicious
312
explorer.exe
GET
302
23.20.239.12:80
http://www.yohogame.com/ssr/?uzpD=3A27A4qsfFqpuvEIfJDuCWPRETIrgsbJ99RjSOaHHFAG0UwOtyvm773Ea9CPRR750BzU4A==&4h=W6QlrtLh5B2LXLvP
US
html
184 b
shared
312
explorer.exe
POST
184.168.221.63:80
http://www.pixelcinematography.com/ssr/
US
malicious
312
explorer.exe
POST
35.242.251.130:80
http://www.mcarselloteachingportfolio.com/ssr/
US
malicious
312
explorer.exe
POST
63.250.47.83:80
http://www.glamotd.com/ssr/
US
malicious
312
explorer.exe
POST
184.168.221.63:80
http://www.pixelcinematography.com/ssr/
US
malicious
312
explorer.exe
POST
35.242.251.130:80
http://www.mcarselloteachingportfolio.com/ssr/
US
malicious
312
explorer.exe
POST
184.168.221.63:80
http://www.pixelcinematography.com/ssr/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
312
explorer.exe
35.242.251.130:80
www.mcarselloteachingportfolio.com
US
malicious
312
explorer.exe
23.20.239.12:80
www.yohogame.com
Amazon.com, Inc.
US
shared
312
explorer.exe
63.250.47.83:80
www.glamotd.com
Frontline Data Services, Inc
US
malicious
312
explorer.exe
184.168.221.63:80
www.pixelcinematography.com
GoDaddy.com, LLC
US
malicious
312
explorer.exe
35.214.191.38:80
www.segurosemporda.cat
US
malicious

DNS requests

Domain
IP
Reputation
www.cnnenterprisesinc.com
unknown
www.alkgh.link
unknown
www.h93gybwhr5.biz
unknown
www.yohogame.com
  • 23.20.239.12
shared
www.zhongkewy.com
unknown
www.mcarselloteachingportfolio.com
  • 35.242.251.130
malicious
www.benefitfocusonline.com
unknown
www.pixelcinematography.com
  • 184.168.221.63
malicious
www.seronreserve.com
unknown
www.glamotd.com
  • 63.250.47.83
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
13 ETPRO signatures available at the full report
No debug info