analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Factura Información 5.14.2019.zip

Full analysis: https://app.any.run/tasks/c25969b0-0b3b-4969-95ed-a1be64733888
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 10:48:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

AA30B714387CC6C758D7B7E9377BB071

SHA1:

9008EA2ED02E1533F18F283E078C883E81D619B0

SHA256:

DB4CE6E7B2C89B0E2C3DDA13C2C54147A0F25440DF4DB10FFAC18A1495144182

SSDEEP:

12288:D6kuVlciBy9K/offqyuG8m4nOjNp/9jPQRm9zwKpCL+p6NKS0PkiZSPYNRB7N:D6kuVl1k9K/2f4xm4Oj7lsRap6B0PKi9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like Ransomware

      • explorer.exe (PID: 252)

    • Application was dropped or rewritten from another process

      • AWB Documents-14-5-2019.exe (PID: 2364)
      • AWB Documents-14-5-2019.exe (PID: 3460)
      • ms1br.exe (PID: 304)
      • AWB Documents-14-5-2019.exe (PID: 704)

    • FORMBOOK was detected

      • explorer.exe (PID: 252)

    • Changes the autorun value in the registry

      • wscript.exe (PID: 3068)

    • Formbook was detected

      • wscript.exe (PID: 3068)
      • Firefox.exe (PID: 4084)

    • Connects to CnC server

      • explorer.exe (PID: 252)

    • Actions looks like stealing of personal data

      • wscript.exe (PID: 3068)

    • Stealing of credential data

      • wscript.exe (PID: 3068)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3208)
      • explorer.exe (PID: 252)
      • wscript.exe (PID: 3068)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 252)
      • OUTLOOK.EXE (PID: 3208)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3068)

    • Executes scripts

      • explorer.exe (PID: 252)

    • Executable content was dropped or overwritten

      • DllHost.exe (PID: 2064)
      • explorer.exe (PID: 252)
      • WinRAR.exe (PID: 2084)

    • Creates files in the program directory

      • DllHost.exe (PID: 2064)

    • Loads DLL from Mozilla Firefox

      • wscript.exe (PID: 3068)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • explorer.exe (PID: 252)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3208)

    • Creates files in the user directory

      • Firefox.exe (PID: 4084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 07578cd5cacb876172d815ece92219ca.zip
ZipUncompressedSize: 760328
ZipCompressedSize: 760575
ZipCRC: 0x49d3983a
ZipModifyDate: 2019:05:14 17:01:10
ZipCompression: Deflated
ZipBitFlag: 0x0003
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
18
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs winrar.exe no specs outlook.exe winrar.exe no specs awb documents-14-5-2019.exe no specs #FORMBOOK wscript.exe cmd.exe no specs winrar.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs awb documents-14-5-2019.exe no specs msdt.exe no specs Copy/Move/Rename/Delete/Link Object ms1br.exe no specs winrar.exe colorcpl.exe no specs awb documents-14-5-2019.exe no specs lsm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Factura Información 5.14.2019.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2108"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\07578cd5cacb876172d815ece92219ca.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3208"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\07578cd5cacb876172d815ece92219ca.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3036"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\AWB Documents-14-5-2019.Zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2364"C:\Users\admin\Desktop\AWB Documents-14-5-2019.exe" C:\Users\admin\Desktop\AWB Documents-14-5-2019.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3068"C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3948/c del "C:\Users\admin\Desktop\AWB Documents-14-5-2019.exe"C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1364"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\AWB Documents-14-5-2019.Zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
252C:\Windows\Explorer.EXEC:\Windows\explorer.exe
ctfmon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4084"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wscript.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Total events
11 483
Read events
10 892
Write events
568
Delete events
23

Modification events

(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2972) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Factura Información 5.14.2019.zip
(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
5
Suspicious files
78
Text files
25
Unknown types
16

Dropped files

PID
Process
Filename
Type
2972WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2972.35997\07578cd5cacb876172d815ece92219ca.zip
MD5:
SHA256:
2108WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2108.37112\07578cd5cacb876172d815ece92219ca
MD5:
SHA256:
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR751A.tmp.cvr
MD5:
SHA256:
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp775D.tmp
MD5:
SHA256:
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp776E.tmp
MD5:
SHA256:
252explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\07578cd5cacb876172d815ece92219ca.eml.lnklnk
MD5:B4A57DB7D6FC1DFB0E55ECDF8436DACA
SHA256:7B6F7A2A8A86144AEE1EADA61D1F711A508416E9E6729A91BE24E350D9EE6DB7
252explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\07578cd5cacb876172d815ece92219ca.zip.lnklnk
MD5:C1294E9F1190C1217FA86EA8284EDEB1
SHA256:705607C7EB24C269E18F4CB86D0202D906C24360EB4A42368E436B17E9ED7C60
252explorer.exeC:\Users\admin\Desktop\07578cd5cacb876172d815ece92219ca.zipcompressed
MD5:80F3CBF589436CAC858F9A2E735FE82D
SHA256:3F29C9EB28DA0F5830617B44C1A0497C368EA5B501A46EDC88860E0E56F8BF2B
252explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-msautomaticdestinations-ms
MD5:C52E8430AC697B428901DCEEAEFECF2C
SHA256:E05A7C7522F06E6E3981E7A5C7AD066E00D9A604A6D61EAEFEE64D28A9A88E5B
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZIHFGSCH\AWB Documents-14-5-2019 (2).Zip\:Zone.Identifier:$DATA
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
26
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
252
explorer.exe
GET
23.86.36.222:80
http://www.xdjto.com/at/?SPx=iPgiA0Ni2FKFcNohD2lr7KGAvpqe0nTs2n1KN3+OoOXBLr5Abi/N0WRtSK3KIzGJgaUePA==&3fs=9rfHZlT&sql=1
US
malicious
3208
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
252
explorer.exe
GET
50.63.202.39:80
http://www.deuxbeautes.com/at/?SPx=CacqT1MFoWzLa2O38+y8OvDru6M+t+Fip6iQxWLiSGPUO2B5KV7cgAqrZBzl4/LBtH83Dw==&3fs=9rfHZlT
US
malicious
252
explorer.exe
GET
301
108.167.140.180:80
http://www.awritingresource.com/at/?SPx=3Ai0xzvC2Ek/Z/t1IKfqu1lzXAbS3HpWXyTwgo8MBSA8I2aQlvnCladPFjVZMnRLZlKk9A==&3fs=9rfHZlT&sql=1
US
malicious
252
explorer.exe
POST
213.186.33.5:80
http://www.explorecambodiaguide.com/at/
FR
malicious
252
explorer.exe
POST
23.86.36.222:80
http://www.xdjto.com/at/
US
malicious
252
explorer.exe
POST
23.86.36.222:80
http://www.xdjto.com/at/
US
malicious
252
explorer.exe
GET
50.63.202.46:80
http://www.99087755.com/at/?SPx=K3wvK2ANea00g1KvhgQv4JzZUbVULwjT8UM/8xB2N/uXnfEEemOhw/f/Iwjh8Dlg4MQb+w==&3fs=9rfHZlT
US
malicious
252
explorer.exe
POST
213.186.33.5:80
http://www.explorecambodiaguide.com/at/
FR
malicious
252
explorer.exe
POST
23.86.36.222:80
http://www.xdjto.com/at/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3208
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
252
explorer.exe
213.186.33.5:80
www.explorecambodiaguide.com
OVH SAS
FR
malicious
252
explorer.exe
23.86.36.222:80
www.xdjto.com
US
malicious
213.186.33.5:80
www.explorecambodiaguide.com
OVH SAS
FR
malicious
252
explorer.exe
50.63.202.39:80
www.deuxbeautes.com
GoDaddy.com, LLC
US
malicious
252
explorer.exe
108.167.140.180:80
www.awritingresource.com
CyrusOne LLC
US
malicious
50.63.202.46:80
www.99087755.com
GoDaddy.com, LLC
US
malicious
252
explorer.exe
23.20.239.12:80
www.ecjerseys.com
Amazon.com, Inc.
US
shared
252
explorer.exe
50.63.202.46:80
www.99087755.com
GoDaddy.com, LLC
US
malicious
252
explorer.exe
199.192.16.126:80
www.paixer.com
US
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.deuxbeautes.com
  • 50.63.202.39
malicious
www.xdjto.com
  • 23.86.36.222
malicious
www.altcointraders.info
unknown
www.explorecambodiaguide.com
  • 213.186.33.5
malicious
www.news-spaces.com
unknown
www.awritingresource.com
  • 108.167.140.180
malicious
www.paixer.com
  • 199.192.16.126
malicious
www.99087755.com
  • 50.63.202.46
malicious
www.roundpress.net
unknown

Threats

PID
Process
Class
Message
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
18 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Factura Información 5.14.2019.zip