analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NEW ORDER PO#7A68D22.zip

Full analysis: https://app.any.run/tasks/78e8ed08-2732-4a26-ac1c-27b11ef555a3
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: October 05, 2022, 05:02:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
trojan
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

852DC49EFB8699889906B650BB73F82D

SHA1:

4EAED5C5ABBD3FE13E45BBA2BAD1209D3CF005E5

SHA256:

F7A3063CD46B779DCEA973720641CC55A3775AA5F19D581DC5EDE573FA8B5A3C

SSDEEP:

12288:2i0oZ1hFg6qgXXa/HTrnDmwFxTgScU30OLtaPXU0dL0hYT:2i5n3PqS6ThFaSh5LtaPZ0h6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NEW ORDER PO#7A68D22.exe (PID: 4016)
      • NEW ORDER PO#7A68D22.exe (PID: 3076)

    • Loads dropped or rewritten executable

      • lsm.exe (PID: 3336)

    • FORMBOOK detected by memory dumps

      • lsm.exe (PID: 3336)

    • FORMBOOK was detected

      • Explorer.EXE (PID: 636)

  • SUSPICIOUS

    • Application launched itself

      • NEW ORDER PO#7A68D22.exe (PID: 4016)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start winrar.exe no specs new order po#7a68d22.exe no specs new order po#7a68d22.exe no specs #FORMBOOK lsm.exe #FORMBOOK explorer.exe firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
676"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NEW ORDER PO#7A68D22.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4016"C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exeWinRAR.exe
User:
admin
Company:
Magic Bone
Integrity Level:
MEDIUM
Description:
LibertyReserve
Exit code:
0
Version:
2.1.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa676.31401\new order po#7a68d22.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3076"C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe"C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exeNEW ORDER PO#7A68D22.exe
User:
admin
Company:
Magic Bone
Integrity Level:
MEDIUM
Description:
LibertyReserve
Exit code:
0
Version:
2.1.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa676.31401\new order po#7a68d22.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3336"C:\Windows\System32\lsm.exe"C:\Windows\System32\lsm.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Local Session Manager Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\lsm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sysntfy.dll
c:\windows\system32\wmsgapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
636C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2100"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exelsm.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
83.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
Total events
2 561
Read events
2 515
Write events
46
Delete events
0

Modification events

(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(676) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\NEW ORDER PO#7A68D22.zip
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(676) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
2
Suspicious files
2
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
676WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exeexecutable
MD5:2060AFCCFA930BCD0A2043BAF0D47BF4
SHA256:E3AC8C8B67752D68D7C6B20CEEE1FD8D60D8506B0DA5CD589C6E5976ECF8B0C1
3336lsm.exeC:\Users\admin\AppData\Local\Temp\0655mjI5asqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
3336lsm.exeC:\Users\admin\AppData\Local\Temp\sqlite3.dllexecutable
MD5:1EB6ACF76A15B74B38333AF47DC1218D
SHA256:A5EF3A78EB333B0E6DCA194EA711DCBB036119A788ECFE125F05176FB0FB70A3
3336lsm.exeC:\Users\admin\AppData\Local\Temp\sqlite3.deftext
MD5:E8FDCAF1419C66D9916AD24D2FD671EE
SHA256:CB18BFE294499FEA8EE847148DD497DD20A05B3181E6B6AE8651B24B3D29391B
3336lsm.exeC:\Users\admin\AppData\Local\Temp\yvvhibap.zipcompressed
MD5:2555518E014ABDA6AB2156ACEAA4C25C
SHA256:81F30FFED254F6660EDA1845240DA62F1A73E94DBAE6DDB564F982825C7E99FE
3336lsm.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sqlite-dll-win32-x86-3270000[1].zipcompressed
MD5:2555518E014ABDA6AB2156ACEAA4C25C
SHA256:81F30FFED254F6660EDA1845240DA62F1A73E94DBAE6DDB564F982825C7E99FE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
79
TCP/UDP connections
80
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
636
Explorer.EXE
POST
200
199.59.243.222:80
http://www.catsyproxy.com/uymo/
US
html
4.60 Kb
malicious
636
Explorer.EXE
POST
200
199.59.243.222:80
http://www.catsyproxy.com/uymo/
US
html
1.42 Kb
malicious
636
Explorer.EXE
POST
200
172.247.4.235:80
http://www.eee45.com/uymo/
US
html
1.74 Kb
malicious
636
Explorer.EXE
POST
200
199.59.243.222:80
http://www.catsyproxy.com/uymo/
US
html
1.31 Kb
malicious
636
Explorer.EXE
POST
200
172.247.4.235:80
http://www.eee45.com/uymo/
US
html
1.74 Kb
malicious
636
Explorer.EXE
POST
200
199.59.243.222:80
http://www.catsyproxy.com/uymo/
US
html
6.74 Kb
malicious
636
Explorer.EXE
POST
200
172.247.4.235:80
http://www.eee45.com/uymo/
US
html
1.74 Kb
malicious
636
Explorer.EXE
POST
200
199.59.243.222:80
http://www.catsyproxy.com/uymo/
US
html
1.18 Kb
malicious
636
Explorer.EXE
POST
200
172.247.4.235:80
http://www.eee45.com/uymo/
US
html
1.74 Kb
malicious
636
Explorer.EXE
GET
200
199.59.243.222:80
http://www.catsyproxy.com/uymo/?uzsDXFa=8EnFcsZxSvXTGioMiSXpEDXCZS/naozI1hChwIx3IxFVWKWWzCTXYDYfSqRHBUnVJ3+CHKI0IWy3yVbxdwam5WZlxPmZIdgRt2B5E1A=&3f9=mb1db
US
html
1.32 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
636
Explorer.EXE
162.213.249.67:80
www.madhavropa.com
NAMECHEAP-NET
US
malicious
636
Explorer.EXE
199.59.243.222:80
www.catsyproxy.com
AMAZON-02
US
malicious
3336
lsm.exe
45.33.6.223:80
www.sqlite.org
Linode, LLC
US
suspicious
636
Explorer.EXE
173.236.158.4:80
www.star-trek.online
DREAMHOST-AS
US
malicious
636
Explorer.EXE
109.123.121.243:80
www.holteseivthn.xyz
UK-2 Limited
GB
malicious
636
Explorer.EXE
172.247.4.235:80
www.eee45.com
CNSERVERS
US
malicious
636
Explorer.EXE
122.10.14.143:80
www.cdrhdl.com
DXTL Tseung Kwan O Service
HK
malicious
109.123.121.243:80
www.holteseivthn.xyz
UK-2 Limited
GB
malicious
636
Explorer.EXE
192.64.119.254:80
www.jax.run
NAMECHEAP-NET
US
malicious
636
Explorer.EXE
81.17.29.146:80
www.mymcdsteam.com
Private Layer INC
CH
malicious

DNS requests

Domain
IP
Reputation
www.tpc-tt.site
malicious
www.madhavropa.com
  • 162.213.249.67
malicious
www.sqlite.org
  • 45.33.6.223
whitelisted
www.metodotorresmiguel.site
malicious
www.catsyproxy.com
  • 199.59.243.222
malicious
www.eee45.com
  • 172.247.4.235
malicious
www.star-trek.online
  • 173.236.158.4
malicious
www.cdrhdl.com
  • 122.10.14.143
malicious
www.holteseivthn.xyz
  • 109.123.121.243
malicious
www.mymcdsteam.com
  • 81.17.29.146
malicious

Threats

PID
Process
Class
Message
636
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
636
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
636
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
636
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
636
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
636
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
636
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
636
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
636
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
636
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (POST) M2
26 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
NEW ORDER PO#7A68D22.zip