File name: | Product_sample.rar |
Full analysis: | https://app.any.run/tasks/075a1120-b84d-458c-b5fc-198080a431f9 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | June 18, 2019, 22:06:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | B3EF9DBBA0D1763A503E11F495C7EDA1 |
SHA1: | 0947F0F182E74E8B85EC804AA2233E9004DE4FA5 |
SHA256: | F1D7A267BAF46DE888A1E6A92010578EDA42DED49C2FB07E2309C8616BC00FD0 |
SSDEEP: | 6144:J6aP8WYLB1RfEoNtBRvz9GFgLLPO9S5j2jq2Kxrnl9dZQ2t:JX8WY/RfEyPRvz9GFg3V5qKdtnt |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
CompressedSize: | 289553 |
---|---|
UncompressedSize: | 512000 |
OperatingSystem: | Win32 |
ModifyDate: | 2002:04:03 21:36:17 |
PackingMethod: | Normal |
ArchivedFileName: | Product_sample.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3384 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Product_sample.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2980 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.9921\Product_sample.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.9921\Product_sample.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.04.0007 | ||||
1916 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.9921\Product_sample.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.9921\Product_sample.exe | — | Product_sample.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.04.0007 | ||||
3648 | "C:\Windows\System32\mstsc.exe" | C:\Windows\System32\mstsc.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Connection Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3316 | /c del "C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.9921\Product_sample.exe" | C:\Windows\System32\cmd.exe | — | mstsc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2036 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3028 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | mstsc.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 | ||||
3344 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2384 | "C:\Program Files\J-zyplx\hb2t9zcplnzhzl.exe" | C:\Program Files\J-zyplx\hb2t9zcplnzhzl.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.04.0007 | ||||
3108 | C:\Program Files\J-zyplx\hb2t9zcplnzhzl.exe" | C:\Program Files\J-zyplx\hb2t9zcplnzhzl.exe | — | hb2t9zcplnzhzl.exe |
User: admin Integrity Level: MEDIUM Version: 1.04.0007 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | |
MD5:CB1D4CA6DB4A8226BEB9F52EEEA92A8F | SHA256:8B93E2495940A1DAE7D74A45C0AC21B752D0A60B3BC608657E02C5DD1D3AA78B | |||
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk | lnk | |
MD5:A2E4B817C44B8C7CCABC1DE8BB2D7356 | SHA256:9C257B05FADB0083525B39770BD7EB205225073DC9DA0EA981B57FAA930B6A4B | |||
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Product_sample.rar.lnk | lnk | |
MD5:7BB52662D5CACEC4BF300EF269DC1E2A | SHA256:8892A600C1E5CFF7D03A0FCA3EE6E1CB5645148C076441C943AC53306938C61C | |||
3648 | mstsc.exe | C:\Users\admin\AppData\Roaming\055428TE\055logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
2036 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:1C4A9E1B00B624BD401BF22C19DCF0AF | SHA256:6AF37C6F786B255048BA9039B940F45EED3B0E17E1999E6D403F33767B1ECA03 | |||
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.9921\Product_sample.exe | executable | |
MD5:EC09897A02DA3D15670269BBDD4CF947 | SHA256:689747F900480F05C8F0D40028F98E85CFE1FE80CB0A87564AED47B182D40230 | |||
2036 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061820190619\index.dat | dat | |
MD5:2492496F9FBAAD4C84365D79A470F63D | SHA256:BFC81181E937C8283579C78E2F68EE23AFBE9EBD52AF01A71BB496446469C333 | |||
3344 | DllHost.exe | C:\Program Files\J-zyplx\hb2t9zcplnzhzl.exe | executable | |
MD5:EC09897A02DA3D15670269BBDD4CF947 | SHA256:689747F900480F05C8F0D40028F98E85CFE1FE80CB0A87564AED47B182D40230 | |||
2036 | explorer.exe | C:\Users\admin\AppData\Local\Temp\J-zyplx\hb2t9zcplnzhzl.exe | executable | |
MD5:EC09897A02DA3D15670269BBDD4CF947 | SHA256:689747F900480F05C8F0D40028F98E85CFE1FE80CB0A87564AED47B182D40230 | |||
3648 | mstsc.exe | C:\Users\admin\AppData\Roaming\055428TE\055logim.jpeg | image | |
MD5:D9A42ACD8AD060D54DA941C2FE2F24EB | SHA256:DB9C5A3A137C80F365724D888C2F9428A8294E4C84F6F8543944EB5D2252CA79 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2036 | explorer.exe | GET | — | 147.135.4.31:80 | http://www.psychologyreversenow.com/ha/?6lo04BMX=5x5EwvrLPmsHeUBeYEZtXTHbihifM1R15DfEYLzBvxYX4YRyL0a3cjW/W9PgBloTQ3+j7g==&0P=ZlD0DHTPPje | US | — | — | malicious |
2036 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.elsendorf.com/ha/ | US | — | — | shared |
2036 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.elsendorf.com/ha/ | US | — | — | shared |
2036 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.elsendorf.com/ha/?6lo04BMX=Xs+GM5Uprrwok/HJCSWjrHYNi14CD0NsPVnEhMW5tBug75OUxj/olvGTTcDK2abHoOHOFw==&0P=ZlD0DHTPPje&sql=1 | US | html | 185 b | shared |
2036 | explorer.exe | POST | — | 160.124.152.98:80 | http://www.thenewlypress.com/ha/ | ZA | — | — | malicious |
2036 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.elsendorf.com/ha/ | US | — | — | shared |
2036 | explorer.exe | GET | 404 | 160.124.152.98:80 | http://www.thenewlypress.com/ha/?6lo04BMX=Q/BuhMpIvEEb+0rQ0xJBMaA25Q/Wsgl9qDJMOPZJ9+T9cn9wTS1OZ/JVHCLeIhbim+/TQg==&0P=ZlD0DHTPPje&sql=1 | ZA | html | 221 b | malicious |
2036 | explorer.exe | POST | — | 160.124.152.98:80 | http://www.thenewlypress.com/ha/ | ZA | — | — | malicious |
2036 | explorer.exe | POST | — | 160.124.152.98:80 | http://www.thenewlypress.com/ha/ | ZA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2036 | explorer.exe | 160.124.152.98:80 | www.thenewlypress.com | — | ZA | malicious |
2036 | explorer.exe | 147.135.4.31:80 | www.psychologyreversenow.com | OVH SAS | US | malicious |
2036 | explorer.exe | 23.20.239.12:80 | www.elsendorf.com | Amazon.com, Inc. | US | shared |
— | — | 160.124.152.98:80 | www.thenewlypress.com | — | ZA | malicious |
Domain | IP | Reputation |
---|---|---|
www.psychologyreversenow.com |
| malicious |
www.elsendorf.com |
| shared |
www.khaiminhland.info |
| unknown |
www.thenewlypress.com |
| malicious |
www.ccluav24.com |
| unknown |
www.gandtlottery.com |
| unknown |
www.opti-tech-be.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
2036 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |