analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PEDIDO ORDER COMPRA.rar

Full analysis: https://app.any.run/tasks/8dbdf4bc-06d8-4d0a-b1aa-d7af420841b5
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: July 13, 2020, 05:41:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

C90D978305B8BA64DD04CD567662F4A2

SHA1:

692C53E8E7F9D47055DF105DE282DC2C639D0DAB

SHA256:

F5352F5941FCC11A9ABC5B72FCB3A5B0F1F1575536588D2A1E87FAB87AFD80B4

SSDEEP:

3072:tOR0RZPQhfL/JCjKTsw3UzKD2wKRkLHSgxEhwKmg9akgZugsmNY3xHu6i1WnlseL:uWyLhTswkzKDrR1xVy9AJbNY3xVK4sHW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PEDIDO ORDER COMPRA.scr (PID: 3960)
      • AddInProcess32.exe (PID: 4052)
    • Connects to CnC server

      • explorer.exe (PID: 328)
    • FORMBOOK was detected

      • explorer.exe (PID: 328)
      • wscript.exe (PID: 2140)
      • Firefox.exe (PID: 1328)
    • Changes the autorun value in the registry

      • wscript.exe (PID: 2140)
    • Actions looks like stealing of personal data

      • wscript.exe (PID: 2140)
    • Stealing of credential data

      • wscript.exe (PID: 2140)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1924)
      • PEDIDO ORDER COMPRA.scr (PID: 3960)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 1924)
    • Executes scripts

      • explorer.exe (PID: 328)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2140)
    • Creates files in the user directory

      • wscript.exe (PID: 2140)
    • Loads DLL from Mozilla Firefox

      • wscript.exe (PID: 2140)
  • INFO

    • Manual execution by user

      • wscript.exe (PID: 2140)
    • Reads the hosts file

      • wscript.exe (PID: 2140)
    • Creates files in the user directory

      • Firefox.exe (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start winrar.exe pedido order compra.scr addinprocess32.exe no specs #FORMBOOK wscript.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1924"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PEDIDO ORDER COMPRA.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3960"C:\Users\admin\AppData\Local\Temp\Rar$DIb1924.22588\PEDIDO ORDER COMPRA.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIb1924.22588\PEDIDO ORDER COMPRA.scr
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
4052"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exePEDIDO ORDER COMPRA.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
2140"C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2220/c del "C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
328C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1328"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wscript.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
470
Read events
444
Write events
26
Delete events
0

Modification events

(PID) Process:(1924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1924) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1924) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(1924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\PEDIDO ORDER COMPRA.rar
(PID) Process:(1924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(328) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(328) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
Operation:writeName:MRUList
Value:
a
(PID) Process:(1924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
2
Suspicious files
73
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2140wscript.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
1924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1924.22588\PEDIDO ORDER COMPRA.screxecutable
MD5:21E9462149DE0C682285469779CB3021
SHA256:3DF3C3C9E77CBC7DB5B70F0926C41E18086E97522F85E97FC357F779427E3A13
3960PEDIDO ORDER COMPRA.scrC:\Users\admin\AppData\Local\Temp\AddInProcess32.exeexecutable
MD5:6A673BFC3B67AE9782CB31AF2F234C68
SHA256:978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
2140wscript.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogim.jpegimage
MD5:803C98B0CB107827C8D84A6C41D55AD7
SHA256:27265C26AE1D162BA1C9B628D439E63AB4DC027578A607521E5CFE34E0E7D22A
1328Firefox.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
2140wscript.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
2140wscript.exeC:\Users\admin\AppData\Roaming\76M90RE2\76Mlogri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
9
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
328
explorer.exe
GET
404
162.0.224.251:80
http://www.regulars7.info/ex8/?kfJHN4=kJ2FY0974rkjF5WQK6QIuDjZZg33PtNyot66n9WxtjwqLka4zdhV692Gpf87nSBKa1L+Qw==&jBc=xbRLTJcPZdnx2P
CA
html
327 b
malicious
328
explorer.exe
GET
403
34.102.136.180:80
http://www.thebrokeragewest.com/ex8/?kfJHN4=fmkLdi28QQZDAHNvToBQ0U5J6nvIpH2LxVweFJopgYHPUL+my+UIwehx4FXexRaPjxO3yA==&jBc=xbRLTJcPZdnx2P
US
html
275 b
whitelisted
328
explorer.exe
POST
34.102.136.180:80
http://www.thebrokeragewest.com/ex8/
US
whitelisted
328
explorer.exe
POST
162.0.224.251:80
http://www.regulars7.info/ex8/
CA
malicious
328
explorer.exe
POST
34.102.136.180:80
http://www.thebrokeragewest.com/ex8/
US
whitelisted
328
explorer.exe
POST
162.0.224.251:80
http://www.regulars7.info/ex8/
CA
malicious
328
explorer.exe
POST
404
162.0.224.251:80
http://www.regulars7.info/ex8/
CA
html
295 b
malicious
328
explorer.exe
GET
301
192.0.78.24:80
http://www.blueskycampaigns.com/ex8/?kfJHN4=UXhRxN0aPDxHwLanq6IkV20VzCtu95uxy61TQb+1tVDLaIxNgxwrXDhKPTNzGojbpCYkoQ==&jBc=xbRLTJcPZdnx2P
US
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
328
explorer.exe
192.0.78.24:80
www.blueskycampaigns.com
Automattic, Inc
US
malicious
328
explorer.exe
34.102.136.180:80
www.thebrokeragewest.com
US
whitelisted
328
explorer.exe
162.0.224.251:80
www.regulars7.info
AirComPlus Inc.
CA
malicious

DNS requests

Domain
IP
Reputation
www.blueskycampaigns.com
  • 192.0.78.24
  • 192.0.78.25
malicious
www.realtynesia.com
unknown
www.regulars7.info
  • 162.0.224.251
malicious
www.daro.ltd
unknown
www.infiniti-print.com
unknown
www.87hncab0.site
unknown
www.pingguobaohuke.com
unknown
www.thebrokeragewest.com
  • 34.102.136.180
whitelisted
www.aroundthevines.com
unknown
www.thenewbombaybarbeque.com
unknown

Threats

PID
Process
Class
Message
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
328
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
6 ETPRO signatures available at the full report
No debug info