Field | Value
---|---
File name | Payment_Notification.pdf.img
Full analysis | https://app.any.run/tasks/d5190f1b-9c32-4826-8795-8368a63db8d3
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it.
Analysis date | May 20, 2019, 18:49:22
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-iso9660-image
File info | ISO 9660 CD-ROM filesystem data 'Payment_Notification.pdf'
MD5 | C7479984C695F25119CC8B2FD1AFE2F8
SHA1 | D776748F0D6EFAA886B85C212386F678C1CD93E1
SHA256 | C36D8B58A3DF931B8604DA4554E8EBEE0A76B284D8E5FB6E48ABFBDEC7533649
SSDEEP | 12288:hyHoiS5fiPYt/gIPzx8AWUyODltPljeOlyWwfvV0RIDwJlt6+1lf:hyHvS5figtzNvyODlttKYqwJN1F
TrID extension | Match (TrID confidence)
---|---
.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)
Property | Value
---|---
System | Win32
VolumeName | Payment_Notification.pdf
VolumeBlockCount | 351
VolumeBlockSize | 2048
RootDirectoryCreateDate | 2019:05:20 07:02:16+02:00
Software | PowerISO
VolumeCreateDate | 2019:05:20 07:02:16.00+02:00
VolumeModifyDate | 2019:05:20 07:02:16.00+02:00
VolumeSize | 702 kB (351 blocks × 2048 bytes = 718,848 bytes)
PID | Command line | Image path | Indicators | Parent process | Process details
---|---|---|---|---|---
2568 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Payment_Notification.pdf.img.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2728 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Payment_Notification.pdf.img.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | User: admin; Company: Alexander Roshal; Integrity level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
300 | "C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe" | C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe | — | explorer.exe | User: admin; Company: Alberto Rodríguez Orozco; Integrity level: MEDIUM; Description: 70s Gives; Exit code: 0; Version: 3.6.41.92
2092 | "C:\Windows\System32\services.exe" | C:\Windows\System32\services.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Services and Controller app; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1888 | /c del "C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe" | C:\Windows\System32\cmd.exe | — | services.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3960 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2728.30046\Payment_Notification.pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2728.30046\Payment_Notification.pdf.exe | — | WinRAR.exe | User: admin; Company: Alberto Rodríguez Orozco; Integrity level: MEDIUM; Description: 70s Gives; Exit code: 0; Version: 3.6.41.92
2652 | "C:\Windows\System32\lsm.exe" | C:\Windows\System32\lsm.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Local Session Manager Service; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2036 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3964 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | services.exe | User: admin; Company: Mozilla Corporation; Integrity level: MEDIUM; Description: Firefox; Exit code: 0; Version: 65.0.2
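The process table carries three signals worth automating. services.exe (PID 2092) and lsm.exe (PID 2652) were started by explorer.exe as user admin at MEDIUM integrity, whereas the genuine Windows 7 core processes of those names run as SYSTEM under wininit.exe; the payload carries a double extension (Payment_Notification.pdf.exe); and the services.exe instance went on to launch cmd.exe to delete the dropper, and later Firefox. The following Python script is an added example, not code from the report or from ANY.RUN: it encodes those rules and runs them over the rows transcribed above (constructed input; as in the report, the parent is known only by image name). The USER_TOOLS set, the rule names and the regular expressions are this example's own choices.

```python
import re

# Process rows transcribed from the report's process table (constructed sample
# input for this example; the parent is known only by image name, as in the report).
PROCESSES = [
    dict(pid=2568, image=r"C:\Windows\system32\rundll32.exe", parent="explorer.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Payment_Notification.pdf.img.iso'),
    dict(pid=2728, image=r"C:\Program Files\WinRAR\WinRAR.exe", parent="rundll32.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Payment_Notification.pdf.img.iso"'),
    dict(pid=300, image=r"C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe", parent="explorer.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe"'),
    dict(pid=2092, image=r"C:\Windows\System32\services.exe", parent="explorer.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Windows\System32\services.exe"'),
    dict(pid=1888, image=r"C:\Windows\System32\cmd.exe", parent="services.exe", user="admin", integrity="MEDIUM",
         cmd=r'/c del "C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe"'),
    dict(pid=3960, image=r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2728.30046\Payment_Notification.pdf.exe", parent="WinRAR.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa2728.30046\Payment_Notification.pdf.exe"'),
    dict(pid=2652, image=r"C:\Windows\System32\lsm.exe", parent="explorer.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Windows\System32\lsm.exe"'),
    dict(pid=2036, image=r"C:\Windows\explorer.exe", parent="", user="admin", integrity="MEDIUM",
         cmd=r"C:\Windows\Explorer.EXE"),
    dict(pid=3964, image=r"C:\Program Files\Mozilla Firefox\Firefox.exe", parent="services.exe", user="admin", integrity="MEDIUM",
         cmd=r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

# Core Windows processes and the parent image each one has on Windows 7 (boot and
# session model). All of them run as SYSTEM, never as a logged-on user at MEDIUM.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
}
# Interactive tools a genuine core process has no reason to launch (example's own list).
USER_TOOLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
              "firefox.exe", "chrome.exe", "iexplore.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.I)
DEL_CMD = re.compile(r'(?:^|\s)/c\s+del\s+"?([^"]+?\.exe)"?\s*$', re.I)


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(processes):
    """Return (pid, rule, detail) for every row that breaks one of the rules."""
    findings = []
    images = {p["image"].lower() for p in processes}
    for p in processes:
        name, parent = basename(p["image"]), p["parent"].lower()
        # Core-process name with the wrong parent or outside the SYSTEM context.
        if name in EXPECTED_PARENT and (
                parent not in EXPECTED_PARENT[name] or p["integrity"].upper() != "SYSTEM"):
            findings.append((p["pid"], "masquerade",
                             f"{name} started by {parent or '?'} as {p['user']} at {p['integrity']} integrity"))
        # A (claimed) core process launching an interactive tool or browser.
        if parent in EXPECTED_PARENT and name in USER_TOOLS:
            findings.append((p["pid"], "system-parent", f"{parent} launched {name}"))
        # Document extension hiding an executable.
        if DOUBLE_EXT.search(name):
            findings.append((p["pid"], "double-extension", name))
        # cmd /c del of a binary that itself appears as a process image: dropper clean-up.
        if name == "cmd.exe":
            m = DEL_CMD.search(p["cmd"])
            if m and m.group(1).lower() in images:
                findings.append((p["pid"], "self-delete",
                                 f"{parent} deleted dropper {basename(m.group(1))}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"PID {pid:>5}  {rule:<17} {detail}")
```

Run it as a script to list the findings, or import triage() and feed it rows from an EDR export with the same fields. Testing the integrity level as well as the parent keeps the masquerade rule working on hosts where parent information is missing or has been lost to process reparenting.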
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Payment_Notification.pdf.img.iso.lnk | lnk | 0A08B61491D570CF6C278CBC504E953D | 55C668DB788B46283137E971BC4F0BDDF26A9CEF3EBB97AA004CD5391AC4FB65
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk | lnk | C9DAD4D7DC51C4FA85EF767123B00D9E | FF23704A9E8D159760206FC223720AB6440763C5EC346F480033C78D2FB0B216
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | 0F431090B9D4B637AEC3F245E9347788 | D7372A1622DFED8E2DC6BCA654DC0559778033400CA4D276E85E168725853F53
2036 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019052020190521\index.dat | dat | BFBBB8FD77F5A678778A3E55941D8381 | E6B35FF4D80C104A28924C686A5093FBE2ED733F2B3656C39801E4C48E60BA9C
2092 | services.exe | C:\Users\admin\AppData\Roaming\031R2A5E\031logrc.ini | binary | 68D3A607F17148CDFF0595B26605C0FB | 0647675AA83F674026500D0F789D6227F7698D298368093DE4C0E9D4B5257243
2728 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2728.30046\Payment_Notification.pdf.exe | executable | 4944C57C2DEF4FFED07AD1126876B005 | 5592CAF3EF0FA33993D43F68C9FA2ED9497B8AF337160F0CE367CB835E38B3F5
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | 71F74912BD76967AE71E8F0AF23C9A39 | B7B38061BAFA15B43D5919D50544D30D93084248A66DAE2AB48A6143E4683DF4
2728 | WinRAR.exe | C:\Users\admin\Downloads\Payment_Notification.pdf.img\Payment_Notification.pdf.exe | executable | 4944C57C2DEF4FFED07AD1126876B005 | 5592CAF3EF0FA33993D43F68C9FA2ED9497B8AF337160F0CE367CB835E38B3F5
300 | Payment_Notification.pdf.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\3310a4fa6cb9c60504498d7eea986fc2_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | 45218ADFF3EA5BDE8A8F61987F0F458B | F95361B82464704675F559B13C007C9567E5914984042F537122383E747194D4
2092 | services.exe | C:\Users\admin\AppData\Roaming\031R2A5E\031logim.jpeg | image | 3F26586F583CA90A0AEA3EC1526383D4 | FFA351727B9DB5A0706592B93568F897311957E62BA82068737DA6AF62994AC9
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2036 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.market2boost.com/dy/ | US | — | — | malicious |
2036 | explorer.exe | GET | 301 | 35.246.6.109:80 | http://www.market2boost.com/dy/?cx=I7dCZLFfctmE9c1y+iuiqXSeA+PhvqYwYgIbmAdtE6ONoMhEE/BFz5t+bShobe3gfoPOpw==&Tj=YBcDkPE&sql=1 | US | — | — | malicious |
2036 | explorer.exe | GET | 301 | 2.16.187.32:80 | http://www.pattiradle.com/dy/?cx=vv3LB3t7AG5+oOlOmUOmLHqRYUfD6y430XH5RfNBRXuW1ljrWR4+FZ6QsYCkneRXjeNa9g==&Tj=YBcDkPE | unknown | — | — | suspicious |
2036 | explorer.exe | GET | — | 162.213.250.187:80 | http://www.jankolet.com/dy/?cx=w7XLkMN61pR0MnMB2qLaprTUq3KaA5aHdEqDphFd56KNj5fPvmuvIwpuWr/uCTdIhy40Vw==&Tj=YBcDkPE | US | — | — | malicious |
2036 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.market2boost.com/dy/ | US | — | — | malicious |
2036 | explorer.exe | POST | — | 35.246.6.109:80 | http://www.market2boost.com/dy/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2036 | explorer.exe | 162.213.250.187:80 | www.jankolet.com | Namecheap, Inc. | US | malicious |
2036 | explorer.exe | 2.16.187.32:80 | www.pattiradle.com | Akamai International B.V. | — | whitelisted |
2036 | explorer.exe | 35.246.6.109:80 | www.market2boost.com | — | US | malicious |
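Every HTTP request in the tables above originates from explorer.exe rather than from a browser, and the three contacted domains share the same path (/dy/) and the same two query parameters (cx carrying a long base64-like value, Tj carrying a short fixed token). Those are the pivots an analyst would take from this report into proxy logs. The Python script below is an added example, not part of the report or of ANY.RUN's output: it extracts both pivots from the URLs transcribed above (constructed input, plus one made-up firefox.exe request to a placeholder host so the rules have a negative case). The BROWSERS set and the 32-character threshold for a "base64-like" value are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# (process, method, URL) rows transcribed from the report's HTTP requests table,
# plus one constructed benign row (firefox.exe to a placeholder host) as a negative case.
HTTP_ROWS = [
    ("explorer.exe", "POST", "http://www.market2boost.com/dy/"),
    ("explorer.exe", "GET",  "http://www.market2boost.com/dy/?cx=I7dCZLFfctmE9c1y+iuiqXSeA+PhvqYwYgIbmAdtE6ONoMhEE/BFz5t+bShobe3gfoPOpw==&Tj=YBcDkPE&sql=1"),
    ("explorer.exe", "GET",  "http://www.pattiradle.com/dy/?cx=vv3LB3t7AG5+oOlOmUOmLHqRYUfD6y430XH5RfNBRXuW1ljrWR4+FZ6QsYCkneRXjeNa9g==&Tj=YBcDkPE"),
    ("explorer.exe", "GET",  "http://www.jankolet.com/dy/?cx=w7XLkMN61pR0MnMB2qLaprTUq3KaA5aHdEqDphFd56KNj5fPvmuvIwpuWr/uCTdIhy40Vw==&Tj=YBcDkPE"),
    ("explorer.exe", "POST", "http://www.market2boost.com/dy/"),
    ("explorer.exe", "POST", "http://www.market2boost.com/dy/"),
    ("firefox.exe",  "GET",  "http://www.example.com/index.html?q=news"),  # constructed control row
]

# Processes from which plain HTTP to arbitrary hosts is expected (example's own list).
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
# Base64 alphabet, at least 32 characters, optional padding: the shape of the cx value.
B64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def split_query(query):
    """Split key=value pairs without decoding '+' to a space (parse_qsl would corrupt base64)."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def triage_http(rows):
    """Return (host, method, reasons) for each request that trips a rule."""
    findings = []
    for proc, method, url in rows:
        u = urlsplit(url)
        reasons = []
        if proc.lower() not in BROWSERS:
            reasons.append(f"HTTP {method} from non-browser process {proc}")
        blobs = [k for k, v in split_query(u.query) if B64ISH.match(v)]
        if blobs:
            reasons.append(f"base64-like blob in query parameter(s) {','.join(blobs)}")
        if reasons:
            findings.append((u.netloc, method, reasons))
    return findings


def shared_paths(rows):
    """Map each URL path that is reused across more than one host to those hosts.

    One path on several unrelated domains is the footprint of a single beacon
    routine rotating through a built-in domain list, and the path is a better
    hunting key than any one domain or IP.
    """
    by_path = {}
    for _, _, url in rows:
        u = urlsplit(url)
        by_path.setdefault(u.path, set()).add(u.netloc)
    return {path: hosts for path, hosts in by_path.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, method, reasons in triage_http(HTTP_ROWS):
        print(f"{method:<4} {host:<24} {'; '.join(reasons)}")
    for path, hosts in shared_paths(HTTP_ROWS).items():
        print(f"path {path} reused by {len(hosts)} hosts: {', '.join(sorted(hosts))}")
```

Feeding a proxy export into triage_http() with the client process name attached (from an EDR or Sysmon event 3 join) reproduces the Suricata "FormBook CnC Checkin" verdicts listed further down without a signature; shared_paths() then gives the path to search for in historical logs, which survives the domain rotation that makes per-domain blocking short-lived.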
Domain | IP | Reputation
---|---|---
www.personal-dudaust1-3.com | — | unknown
www.khaledsleem.com | — | unknown
www.6505drexel.info | — | unknown
www.pattiradle.com | — | suspicious
www.abatedourodogalego.com | — | unknown
www.realmofcare.com | — | unknown
www.fizzy-slim.site | — | unknown
www.market2boost.com | — | malicious
www.loanblasters.com | — | unknown
www.jankolet.com | — | malicious
PID | Process | Class | Message |
---|---|---|---|
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |