File name: | Remittance docs.7z |
Full analysis: | https://app.any.run/tasks/764ad218-5fb8-4b8c-b8b7-21e329557064 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | June 12, 2019, 12:03:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | C7989BD81970FF7B6DE21E6F81B0BD31 |
SHA1: | 290A7CBD7B8DFB6E93515C60A3073AB5878F6A9A |
SHA256: | C1520E9DB479E10D395C87E5D1F35D06FDF175A6CE1D5561AE1324A86C258CC2 |
SSDEEP: | 3072:ZK5hc9HOt+UTj2uynHsuB+OmIA3FCjuGc5a/kVqmhuFNsmSLUhrYP5hZ:ZVta+UTjgH6OdA3ojx/kVqZN9S9PZ |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | Remittance docs.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2005:05:17 02:53:06 |
OperatingSystem: | Win32 |
UncompressedSize: | 512000 |
CompressedSize: | 252151 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
332 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Remittance docs.7z.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1688 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa332.1505\Remittance docs.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa332.1505\Remittance docs.exe | — | WinRAR.exe |
User: admin Company: Gammacism Integrity Level: MEDIUM Description: GERSHON Exit code: 0 Version: 1.09.0002 | ||||
3236 | C:\Users\admin\AppData\Local\Temp\Rar$EXa332.1505\Remittance docs.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa332.1505\Remittance docs.exe | — | Remittance docs.exe |
User: admin Company: Gammacism Integrity Level: MEDIUM Description: GERSHON Exit code: 0 Version: 1.09.0002 | ||||
3196 | "C:\Windows\System32\help.exe" | C:\Windows\System32\help.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Help Utility Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2800 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa332.1505\Remittance docs.exe" | C:\Windows\System32\cmd.exe | — | help.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2500 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\rapepoints.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3156 | "C:\Windows\system32\notepad.exe" | C:\Windows\system32\notepad.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3984 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | help.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2500 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9C09.tmp.cvr | — | |
MD5:— | SHA256:— | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:0C85BA650AF19EF01D3DFA6E3E269F4B | SHA256:D5F27B7FA7C7231081448E922D4BD8EBEC933C8D4F3B461CD534FE7D9288C79E | |||
332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa332.1505\Remittance docs.exe | executable | |
MD5:8244B14281A498AA745D6B4753D58F5F | SHA256:F6DE46B8EBDB19BD48C989FDE7B045BD52574283E9CCEE778FB073660C132549 | |||
116 | explorer.exe | C:\Users\admin\Desktop\Remittance docs.exe | executable | |
MD5:8244B14281A498AA745D6B4753D58F5F | SHA256:F6DE46B8EBDB19BD48C989FDE7B045BD52574283E9CCEE778FB073660C132549 | |||
3196 | help.exe | C:\Users\admin\AppData\Roaming\072Q1CUE\072logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
116 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613\index.dat | dat | |
MD5:B3822D43E44E357E0E480601741AA7AA | SHA256:5019031A5ACDDF8E811BF14958754326D4AE4E4EBAF1482F6A07EC329297DDC6 | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\rapepoints.rtf (2).lnk | lnk | |
MD5:B36A3E10061B37002F8C92CE1B06FF11 | SHA256:2442AD777B96BB16538C0DC745A6945F403E866A408735DA880559E708A88375 | |||
2500 | WINWORD.EXE | C:\Users\admin\Desktop\~$pepoints.rtf | pgc | |
MD5:9010FCA19F4642DE5FF6DD555EF15CF5 | SHA256:498257546FFE14FD5B79ACEE19EF9C4C72F264AAD4DEC596D1EC9C652C66C036 | |||
2500 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\rapepoints.rtf.LNK | lnk | |
MD5:FB2385A2BDDFF3EAE460E24C084287D2 | SHA256:BB4A3B2D6F17D334241F54B59FDA5A2B49DA2291AC3DFC0CF77185A552519899 | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | |
MD5:59516ECA2A7D94F3AE31E59DDFEB24C7 | SHA256:F5E4860E30C9CA96F6DB8D22D2387F2AFC99DAD48EE44979B7297832E09EBE95 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 301 | 173.247.245.105:80 | http://www.laptsa.com/bo/?r6Ql=VGlX3cg+cJwxOPSToVJ/PMm4s+FW4xrDP7pcX317r9CG3GyNNj81d+orps62380TBiEziA==&YLr=8p8tQ&sql=1 | US | — | — | malicious |
116 | explorer.exe | GET | — | 104.27.154.98:80 | http://www.vativeacademy.com/bo/?r6Ql=uchk3lT4DuzSkmX3lJpXSnjc3a8okBC6SxCrL1sKHiOTEmxIi8osQxmdVQwc20eIIPVxkg==&YLr=8p8tQ&sql=1 | US | — | — | malicious |
116 | explorer.exe | POST | — | 13.64.255.183:80 | http://www.boxin-package.com/bo/ | US | — | — | malicious |
116 | explorer.exe | GET | 302 | 45.12.128.30:80 | http://www.cwlmh.com/bo/?r6Ql=OE4Nyowe2eBH45C4RQirb0x1tPZ0Sk1Hq640sSKTWdlX3VxdcsnS0XGjDRQQjsHqLnwtFA==&YLr=8p8tQ | unknown | html | 144 b | malicious |
116 | explorer.exe | POST | — | 13.64.255.183:80 | http://www.boxin-package.com/bo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 173.247.245.105:80 | http://www.laptsa.com/bo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 173.247.245.105:80 | http://www.laptsa.com/bo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 13.64.255.183:80 | http://www.boxin-package.com/bo/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 104.27.154.98:80 | http://www.vativeacademy.com/bo/ | US | — | — | malicious |
116 | explorer.exe | GET | — | 208.91.197.27:80 | http://www.enovativecommerce.com/bo/?r6Ql=LWXRiiJvAj6OTl2aIxlO6gcsDmgQcEMldz9zL2bMBBONnv5hsXNarHVQfzwFmxR1LwJTig==&YLr=8p8tQ&sql=1 | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 173.247.245.105:80 | www.laptsa.com | InMotion Hosting, Inc. | US | malicious |
— | — | 208.91.197.27:80 | www.enovativecommerce.com | Confluence Networks Inc | US | malicious |
116 | explorer.exe | 208.91.197.27:80 | www.enovativecommerce.com | Confluence Networks Inc | US | malicious |
116 | explorer.exe | 45.12.128.30:80 | www.cwlmh.com | — | — | malicious |
116 | explorer.exe | 13.64.255.183:80 | www.boxin-package.com | Microsoft Corporation | US | whitelisted |
116 | explorer.exe | 104.27.154.98:80 | www.vativeacademy.com | Cloudflare Inc | US | shared |
— | — | 104.27.154.98:80 | www.vativeacademy.com | Cloudflare Inc | US | shared |
116 | explorer.exe | 199.188.206.149:80 | www.myletuz.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.zgsdba.com |
| unknown |
www.cwlmh.com |
| malicious |
www.boxin-package.com |
| malicious |
dns.msftncsi.com |
| shared |
www.laptsa.com |
| malicious |
www.mama2.party |
| unknown |
www.nikastepanenko.com |
| unknown |
www.blazing-awning.men |
| unknown |
www.ronaldinhodasilva.com |
| unknown |
www.vativeacademy.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |