analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PEDIDO ORDER COMPRA.rar

Full analysis: https://app.any.run/tasks/4f79771f-be80-43c1-b7ae-1cfbf2029893
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: July 12, 2020, 08:24:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

C90D978305B8BA64DD04CD567662F4A2

SHA1:

692C53E8E7F9D47055DF105DE282DC2C639D0DAB

SHA256:

F5352F5941FCC11A9ABC5B72FCB3A5B0F1F1575536588D2A1E87FAB87AFD80B4

SSDEEP:

3072:tOR0RZPQhfL/JCjKTsw3UzKD2wKRkLHSgxEhwKmg9akgZugsmNY3xHu6i1WnlseL:uWyLhTswkzKDrR1xVy9AJbNY3xVK4sHW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PEDIDO ORDER COMPRA.scr (PID: 2664)
      • AddInProcess32.exe (PID: 2808)
      • 8pphfdj3fp.exe (PID: 3892)
    • FORMBOOK was detected

      • explorer.exe (PID: 308)
      • wuapp.exe (PID: 3852)
      • Firefox.exe (PID: 2900)
    • Connects to CnC server

      • explorer.exe (PID: 308)
    • Actions looks like stealing of personal data

      • wuapp.exe (PID: 3852)
    • Changes the autorun value in the registry

      • wuapp.exe (PID: 3852)
    • Stealing of credential data

      • wuapp.exe (PID: 3852)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 920)
      • PEDIDO ORDER COMPRA.scr (PID: 2664)
      • explorer.exe (PID: 308)
      • DllHost.exe (PID: 2800)
    • Starts application with an unusual extension

      • explorer.exe (PID: 308)
    • Starts CMD.EXE for commands execution

      • wuapp.exe (PID: 3852)
    • Creates files in the user directory

      • wuapp.exe (PID: 3852)
    • Loads DLL from Mozilla Firefox

      • wuapp.exe (PID: 3852)
    • Executed via COM

      • DllHost.exe (PID: 2800)
    • Creates files in the program directory

      • DllHost.exe (PID: 2800)
  • INFO

    • Manual execution by user

      • PEDIDO ORDER COMPRA.scr (PID: 2664)
      • wuapp.exe (PID: 3852)
    • Reads the hosts file

      • wuapp.exe (PID: 3852)
    • Creates files in the user directory

      • Firefox.exe (PID: 2900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe pedido order compra.scr addinprocess32.exe no specs #FORMBOOK wuapp.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object 8pphfdj3fp.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
920"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PEDIDO ORDER COMPRA.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2664"C:\Users\admin\Desktop\PEDIDO ORDER COMPRA.scr" /SC:\Users\admin\Desktop\PEDIDO ORDER COMPRA.scr
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
2808"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exePEDIDO ORDER COMPRA.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
3852"C:\Windows\System32\wuapp.exe"C:\Windows\System32\wuapp.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Application Launcher
Version:
7.5.7601.17514 (win7sp1_rtm.101119-1850)
1352/c del "C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Windows\System32\cmd.exewuapp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
308C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2900"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wuapp.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
2800C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3892"C:\Program Files\Ejz9l_rmx\8pphfdj3fp.exe"C:\Program Files\Ejz9l_rmx\8pphfdj3fp.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
1
Version:
4.7.3062.0 built by: NET472REL1
Total events
1 455
Read events
1 397
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
72
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3852wuapp.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
920WinRAR.exeC:\Users\admin\Desktop\PEDIDO ORDER COMPRA.screxecutable
MD5:21E9462149DE0C682285469779CB3021
SHA256:3DF3C3C9E77CBC7DB5B70F0926C41E18086E97522F85E97FC357F779427E3A13
308explorer.exeC:\Users\admin\AppData\Local\Temp\Ejz9l_rmx\8pphfdj3fp.exeexecutable
MD5:6A673BFC3B67AE9782CB31AF2F234C68
SHA256:978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
2664PEDIDO ORDER COMPRA.scrC:\Users\admin\AppData\Local\Temp\AddInProcess32.exeexecutable
MD5:6A673BFC3B67AE9782CB31AF2F234C68
SHA256:978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
3852wuapp.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogim.jpegimage
MD5:595F9FFD4DD910A0B6F12EEBAD7F0861
SHA256:4EFE1DC89B640B18EFB9C6DBB7AF2D26156ED4180A9511512EB9ED3C3EC19A63
2900Firefox.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
3852wuapp.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
3852wuapp.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
2800DllHost.exeC:\Program Files\Ejz9l_rmx\8pphfdj3fp.exeexecutable
MD5:6A673BFC3B67AE9782CB31AF2F234C68
SHA256:978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
17
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
308
explorer.exe
GET
222.73.22.187:80
http://www.wanhui99.com/ex8/?FTnl-=1A+YrhTRA+OgFioXb1IKl0as4CItCysXdcO0eENdLl3fNjZhnkuh6oZK5mNfl5I4UHYO5w==&vRpxV=lhd0YfwpZdnxlH
CN
malicious
308
explorer.exe
POST
69.55.54.125:80
http://www.bigpetespizzeria.com/ex8/
US
malicious
308
explorer.exe
POST
69.55.54.125:80
http://www.bigpetespizzeria.com/ex8/
US
malicious
308
explorer.exe
GET
404
162.0.224.251:80
http://www.regulars7.info/ex8/?FTnl-=kJ2FY0974rkjF5WQK6QIuDjZZg33PtNyot66n9WxtjwqLka4zdhV692Gpf87nSBKa1L+Qw==&vRpxV=lhd0YfwpZdnxlH
CA
html
327 b
malicious
308
explorer.exe
GET
162.144.0.221:80
http://www.sake-hana.com/ex8/?FTnl-=bCslCoI5qcRsb0RmheLAY/9qOSN8mINvMb15X6IJfwDqiUNGijgDss9tINhLgKrdtjn15w==&vRpxV=lhd0YfwpZdnxlH&sql=1
US
malicious
GET
302
23.20.239.12:80
http://www.firstict.com/ex8/?FTnl-=cwItgUj5lXXRa3nVZLuA0xTPavWA5vt0jbCdgorgO/omd0YOmqYwbL8H3nkqYXVqM0auYA==&vRpxV=lhd0YfwpZdnxlH&sql=1
US
html
184 b
shared
308
explorer.exe
POST
23.20.239.12:80
http://www.firstict.com/ex8/
US
shared
308
explorer.exe
POST
23.20.239.12:80
http://www.firstict.com/ex8/
US
shared
308
explorer.exe
POST
162.144.0.221:80
http://www.sake-hana.com/ex8/
US
malicious
308
explorer.exe
GET
301
69.55.54.125:80
http://www.bigpetespizzeria.com/ex8/?FTnl-=Hr/s8XJcwBWqzcsju1bXQgUeSOK7dmbUsMKYujLCPcjhEDfvBv3cD/3m1y++wxY4I1nMAg==&vRpxV=lhd0YfwpZdnxlH&sql=1
US
html
169 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
308
explorer.exe
23.20.239.12:80
www.firstict.com
Amazon.com, Inc.
US
shared
308
explorer.exe
222.73.22.187:80
www.wanhui99.com
China Telecom (Group)
CN
malicious
23.20.239.12:80
www.firstict.com
Amazon.com, Inc.
US
shared
308
explorer.exe
69.55.54.125:80
www.bigpetespizzeria.com
Digital Ocean, Inc.
US
malicious
308
explorer.exe
162.0.224.251:80
www.regulars7.info
AirComPlus Inc.
CA
malicious
69.55.54.125:80
www.bigpetespizzeria.com
Digital Ocean, Inc.
US
malicious
308
explorer.exe
162.144.0.221:80
www.sake-hana.com
Unified Layer
US
malicious

DNS requests

Domain
IP
Reputation
www.wanhui99.com
  • 222.73.22.187
malicious
www.firstict.com
  • 23.20.239.12
shared
www.pmi-ems.com
unknown
www.daro.ltd
unknown
www.thietbidienlonganh.com
unknown
www.bigpetespizzeria.com
  • 69.55.54.125
malicious
www.sake-hana.com
  • 162.144.0.221
malicious
www.digitalhash.social
unknown
www.regulars7.info
  • 162.0.224.251
malicious

Threats

PID
Process
Class
Message
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
308
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
13 ETPRO signatures available at the full report
No debug info