File name: | NEW ORDER PO#7A68D22.zip |
Full analysis: | https://app.any.run/tasks/78e8ed08-2732-4a26-ac1c-27b11ef555a3 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | October 05, 2022, 05:02:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 852DC49EFB8699889906B650BB73F82D |
SHA1: | 4EAED5C5ABBD3FE13E45BBA2BAD1209D3CF005E5 |
SHA256: | F7A3063CD46B779DCEA973720641CC55A3775AA5F19D581DC5EDE573FA8B5A3C |
SSDEEP: | 12288:2i0oZ1hFg6qgXXa/HTrnDmwFxTgScU30OLtaPXU0dL0hYT:2i5n3PqS6ThFaSh5LtaPZ0h6 |
.zip | | | ZIP compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
676 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NEW ORDER PO#7A68D22.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
4016 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Magic Bone Integrity Level: MEDIUM Description: LibertyReserve Exit code: 0 Version: 2.1.0 Modules
| |||||||||||||||
3076 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe | — | NEW ORDER PO#7A68D22.exe | |||||||||||
User: admin Company: Magic Bone Integrity Level: MEDIUM Description: LibertyReserve Exit code: 0 Version: 2.1.0 Modules
| |||||||||||||||
3336 | "C:\Windows\System32\lsm.exe" | C:\Windows\System32\lsm.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Local Session Manager Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
636 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2100 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | lsm.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
|
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\NEW ORDER PO#7A68D22.zip | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (676) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
676 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa676.31401\NEW ORDER PO#7A68D22.exe | executable | |
MD5:2060AFCCFA930BCD0A2043BAF0D47BF4 | SHA256:E3AC8C8B67752D68D7C6B20CEEE1FD8D60D8506B0DA5CD589C6E5976ECF8B0C1 | |||
3336 | lsm.exe | C:\Users\admin\AppData\Local\Temp\0655mjI5a | sqlite | |
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087 | SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B | |||
3336 | lsm.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.dll | executable | |
MD5:1EB6ACF76A15B74B38333AF47DC1218D | SHA256:A5EF3A78EB333B0E6DCA194EA711DCBB036119A788ECFE125F05176FB0FB70A3 | |||
3336 | lsm.exe | C:\Users\admin\AppData\Local\Temp\sqlite3.def | text | |
MD5:E8FDCAF1419C66D9916AD24D2FD671EE | SHA256:CB18BFE294499FEA8EE847148DD497DD20A05B3181E6B6AE8651B24B3D29391B | |||
3336 | lsm.exe | C:\Users\admin\AppData\Local\Temp\yvvhibap.zip | compressed | |
MD5:2555518E014ABDA6AB2156ACEAA4C25C | SHA256:81F30FFED254F6660EDA1845240DA62F1A73E94DBAE6DDB564F982825C7E99FE | |||
3336 | lsm.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sqlite-dll-win32-x86-3270000[1].zip | compressed | |
MD5:2555518E014ABDA6AB2156ACEAA4C25C | SHA256:81F30FFED254F6660EDA1845240DA62F1A73E94DBAE6DDB564F982825C7E99FE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
636 | Explorer.EXE | POST | 200 | 199.59.243.222:80 | http://www.catsyproxy.com/uymo/ | US | html | 4.60 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 199.59.243.222:80 | http://www.catsyproxy.com/uymo/ | US | html | 1.42 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 172.247.4.235:80 | http://www.eee45.com/uymo/ | US | html | 1.74 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 199.59.243.222:80 | http://www.catsyproxy.com/uymo/ | US | html | 1.31 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 172.247.4.235:80 | http://www.eee45.com/uymo/ | US | html | 1.74 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 199.59.243.222:80 | http://www.catsyproxy.com/uymo/ | US | html | 6.74 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 172.247.4.235:80 | http://www.eee45.com/uymo/ | US | html | 1.74 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 199.59.243.222:80 | http://www.catsyproxy.com/uymo/ | US | html | 1.18 Kb | malicious |
636 | Explorer.EXE | POST | 200 | 172.247.4.235:80 | http://www.eee45.com/uymo/ | US | html | 1.74 Kb | malicious |
636 | Explorer.EXE | GET | 200 | 199.59.243.222:80 | http://www.catsyproxy.com/uymo/?uzsDXFa=8EnFcsZxSvXTGioMiSXpEDXCZS/naozI1hChwIx3IxFVWKWWzCTXYDYfSqRHBUnVJ3+CHKI0IWy3yVbxdwam5WZlxPmZIdgRt2B5E1A=&3f9=mb1db | US | html | 1.32 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
636 | Explorer.EXE | 162.213.249.67:80 | www.madhavropa.com | NAMECHEAP-NET | US | malicious |
636 | Explorer.EXE | 199.59.243.222:80 | www.catsyproxy.com | AMAZON-02 | US | malicious |
3336 | lsm.exe | 45.33.6.223:80 | www.sqlite.org | Linode, LLC | US | suspicious |
636 | Explorer.EXE | 173.236.158.4:80 | www.star-trek.online | DREAMHOST-AS | US | malicious |
636 | Explorer.EXE | 109.123.121.243:80 | www.holteseivthn.xyz | UK-2 Limited | GB | malicious |
636 | Explorer.EXE | 172.247.4.235:80 | www.eee45.com | CNSERVERS | US | malicious |
636 | Explorer.EXE | 122.10.14.143:80 | www.cdrhdl.com | DXTL Tseung Kwan O Service | HK | malicious |
— | — | 109.123.121.243:80 | www.holteseivthn.xyz | UK-2 Limited | GB | malicious |
636 | Explorer.EXE | 192.64.119.254:80 | www.jax.run | NAMECHEAP-NET | US | malicious |
636 | Explorer.EXE | 81.17.29.146:80 | www.mymcdsteam.com | Private Layer INC | CH | malicious |
Domain | IP | Reputation |
---|---|---|
www.tpc-tt.site |
| malicious |
www.madhavropa.com |
| malicious |
www.sqlite.org |
| whitelisted |
www.metodotorresmiguel.site |
| malicious |
www.catsyproxy.com |
| malicious |
www.eee45.com |
| malicious |
www.star-trek.online |
| malicious |
www.cdrhdl.com |
| malicious |
www.holteseivthn.xyz |
| malicious |
www.mymcdsteam.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
636 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
636 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
636 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
636 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
636 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
636 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
636 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
636 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
636 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
636 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (POST) M2 |