Field | Value
---|---
File name | 16011-650038.DOCX.arj
Full analysis | https://app.any.run/tasks/a1be49e3-353f-4884-8930-ddfa9a349c98
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy FormBook.
Analysis date | March 22, 2019, 10:06:14
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v4, os: Win32
MD5 | 9E5551E606CC25CBB899EF56E9F88057
SHA1 | A33ED4A2BBE79DAA976F078653FAC6C1366B90E2
SHA256 | DB074B1E7C64BC9D828CD1177549F32BFB4C5C14B8DAAB80AB919DDD52E332DE
SSDEEP | 3072:IzM5W/Yp9O1jQgnZnql0wQE6Kyz3AZhZ6x+CDbz3fUod4HEwQfBuXX4WA0eImZdh:IzM5Ze11s0ZmMP3fUod4H2QXXR5eP7
Extension | File type (match %)
---|---
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
Field | Value
---|---
ArchivedFileName | 16011-650038.DOCX.exe
PackingMethod | Normal
ModifyDate | 2019:03:21 13:32:23
OperatingSystem | Win32
UncompressedSize | 442368
CompressedSize | 207243
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
516 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\16011-650038.DOCX.arj.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
4068 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa516.19429\16011-650038.DOCX.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa516.19429\16011-650038.DOCX.exe | — | WinRAR.exe | User: admin; Company: Oilrefining10; Integrity Level: MEDIUM; Exit code: 0; Version: 1.07.0007
3080 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\linksmark.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2504 | C:\Users\admin\AppData\Local\Temp\Rar$EXa516.19429\16011-650038.DOCX.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa516.19429\16011-650038.DOCX.exe | — | 16011-650038.DOCX.exe | User: admin; Company: Oilrefining10; Integrity Level: MEDIUM; Exit code: 0; Version: 1.07.0007
3572 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3764 | "C:\Windows\System32\NAPSTAT.EXE" | C:\Windows\System32\NAPSTAT.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Network Access Protection Client UI; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3072 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa516.19429\16011-650038.DOCX.exe" | C:\Windows\System32\cmd.exe | — | NAPSTAT.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1696 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1048 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | | NAPSTAT.EXE | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 65.0.2
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3080 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD45E.tmp.cvr | — | — | —
516 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa516.32774\16011-650038.DOCX.exe | executable | 76747E3DF3EE255DE773B948C8F574A0 | D8B9AC920DEAC64238415021D29296D3DB51EDCE43437C45401A1C84BC5F30B0
3080 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 7B7A1DC2078C905FA03C2597BB9AA8FC | 95EEB3AB24C5E98580556A3DFDA8D014089EC4FC8DAE7876B0437765C022A788
1696 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\linksmark.rtf (2).lnk | lnk | 29341BC00A85B57FAF2C75726044538E | F998B2A684489D197A3543537DCB4F01B146EC9E9D9243CDC62E394EE585EE9C
3080 | WINWORD.EXE | C:\Users\admin\Desktop\~$nksmark.rtf | pgc | 8AAC6E191B9CD93D801E5F3AD977FB65 | E06ECDDEF919725546731B799BE671F481632EDA666A7608C4F1BB8B8EFE7622
516 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa516.19429\16011-650038.DOCX.exe | executable | 76747E3DF3EE255DE773B948C8F574A0 | D8B9AC920DEAC64238415021D29296D3DB51EDCE43437C45401A1C84BC5F30B0
3080 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 427B23AAA98B64BEB0A9D7917FBBA8BC | 59C379B79F8B5C707CAC9CFB1084A58894BE462114A756E2DEE5432E54B7C04F
1696 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019032220190323\index.dat | dat | 7983EE377A01FBB53FB2E35BEDE0DF46 | B2F265B86A616BA2058BF3160F147249D7FE961C4F0D433F90247833FC1C8813
1696 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | 002A4C8D47212E6F253247D35A0F3B99 | 12D596C3225502E0935C125FD1BB6E282AE25D8189EC9BBFC6A7376151184811
1696 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | 79EE66B83258E90F89ACB01AFC0E3D7A | 0DA2AB304FB11D184A3F8FCF658423AF711EEE6DA9FE7134C412B91F3437B48C
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1696 | explorer.exe | GET | 404 | 23.224.196.211:80 | http://www.haibinjiaqi.com/ca/?mv1D=ZY2SzckiE+XKbEQVtCSKxuu7s2V7DEYoz/e6Zzk6SWoHnBUslV+o4AjE+rQqOwBu9V9PLA==&2diH=GfTpkjZp2TvXFbS | US | html | 1.14 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1696 | explorer.exe | 23.224.196.211:80 | www.haibinjiaqi.com | CloudRadium L.L.C | US | malicious |
Domain | IP | Reputation
---|---|---
www.ketanpasar.com | | unknown
www.haibinjiaqi.com | | malicious
www.downtownlaburnum.com | | unknown
PID | Process | Class | Message |
---|---|---|---|
1696 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |