analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.zip

Full analysis: https://app.any.run/tasks/522afd01-1817-4dc0-b945-3da0ed3421c1
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: May 30, 2020, 11:39:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

14CF6604341667C5FACD9F2FF10D1422

SHA1:

1D27120F7D6A1F66E4494E21F3FCE5C0C2F08D76

SHA256:

FA97258B563CD4CC030B0FE1642941713F0203D7F9415AB3EBD7FB9F6821AAD3

SSDEEP:

768:GLA8sYDPAHcRL+52kmZeljl9ZVvVX2wu2BW:SsIIcRLfkrpfVswdA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • WinRAR.exe (PID: 1932)
      • svchost.exe (PID: 2192)

    • Application was dropped or rewritten from another process

      • DHL_AWB# 9284730931.exe (PID: 1696)
      • DHL_AWB# 9284730931.exe (PID: 2820)

    • Uses SVCHOST.EXE for hidden code execution

      • explorer.exe (PID: 312)

    • FORMBOOK was detected

      • explorer.exe (PID: 312)
      • svchost.exe (PID: 2192)
      • Firefox.exe (PID: 948)

    • Changes the autorun value in the registry

      • svchost.exe (PID: 2192)

    • Connects to CnC server

      • explorer.exe (PID: 312)

    • Stealing of credential data

      • svchost.exe (PID: 2192)

    • Changes settings of System certificates

      • DHL_AWB# 9284730931.exe (PID: 2820)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 1932)
      • DHL_AWB# 9284730931.exe (PID: 1696)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2916)

    • Reads Internet Cache Settings

      • DHL_AWB# 9284730931.exe (PID: 2820)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2192)

    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 2192)

    • Creates files in the user directory

      • svchost.exe (PID: 2192)

    • Adds / modifies Windows certificates

      • DHL_AWB# 9284730931.exe (PID: 2820)

  • INFO

    • Manual execution by user

      • DHL_AWB# 9284730931.exe (PID: 1696)
      • svchost.exe (PID: 2192)

    • Reads settings of System Certificates

      • DHL_AWB# 9284730931.exe (PID: 2820)

    • Reads the hosts file

      • svchost.exe (PID: 2192)

    • Creates files in the user directory

      • Firefox.exe (PID: 948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2020:05:30 11:39:08
ZipCRC: 0x9d3109de
ZipCompressedSize: 24632
ZipUncompressedSize: 24607
ZipFileName: debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.rar
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe winrar.exe dhl_awb# 9284730931.exe no specs dhl_awb# 9284730931.exe #FORMBOOK svchost.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2916"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb1932.14256\debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.rarC:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1696"C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe" C:\Users\admin\Desktop\DHL_AWB# 9284730931.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.02
2820"C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe" C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe
DHL_AWB# 9284730931.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.02
2192"C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3144/c del "C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe"C:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
312C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
948"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
svchost.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
6 328
Read events
2 662
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
81
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
2820DHL_AWB# 9284730931.exeC:\Users\admin\AppData\Local\Temp\Cab89D6.tmp
MD5:
SHA256:
2820DHL_AWB# 9284730931.exeC:\Users\admin\AppData\Local\Temp\Tar89D7.tmp
MD5:
SHA256:
2192svchost.exeC:\Users\admin\AppData\Roaming\JMAMR4D1\JMAlogrc.inibinary
MD5:6A2D8FD600948CEFEA9C615AF9607BD5
SHA256:8A8A84891ECB2032320D1C0DE99FDCD94100DF10F352D9F96FD1B2433CD4D45B
2820DHL_AWB# 9284730931.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08der
MD5:FABE66F6C09EA2E22FB75534D5F2834B
SHA256:F9C09E24BD256FC300B86FA4A0CE870A20B2A1F7B3AE142038927DD1223B8D2E
1932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1932.14256\debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.rarcompressed
MD5:4688165B3C9BDC3AD266387231621585
SHA256:DEBF4EE90CA6CA27AE7D4E425EFE55BBEA1FD60CC5BE2935AFCF38E898C4824F
2820DHL_AWB# 9284730931.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08binary
MD5:5CA21F8519184187636B2937F8BCC814
SHA256:AB3E583B43DE86153B341A35141C47E770628A0124AD95291D75F1E03A613F48
1696DHL_AWB# 9284730931.exeC:\Users\admin\AppData\Local\Temp\~DFE92D1184FD76FC83.TMPbinary
MD5:EF7B28ED0E469CB1EAD7DE7238B83D97
SHA256:3C574F1712DEA3C23FE6B3C21489245D8F5C2A7F29D85EEC4217BD21B2D56512
2916WinRAR.exeC:\Users\admin\Desktop\DHL_AWB# 9284730931.exeexecutable
MD5:DDCDC714BEDFFB59133570C3A2B7913F
SHA256:BE3E6008DDE30CB959B90A332A79931B889216A9483944DC5C0D958DEC1B8E46
2192svchost.exeC:\Users\admin\AppData\Roaming\JMAMR4D1\JMAlogim.jpegimage
MD5:31EE57C6E7D6809ABE8BF3F91D90458B
SHA256:D51CF93FEC4851D45298255603FD919BA77556DBE07C090ED153D727928D6A86
948Firefox.exeC:\Users\admin\AppData\Roaming\JMAMR4D1\JMAlogrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
312
explorer.exe
GET
203.159.95.17:80
http://www.zgmmds8.com/f23/?RLr=vXynGr9PpokEwKvpJCAzPh/5OfWF50dRGKHx+LbCEPSFsSU+I5i+AHs247TvwKjccPTDpw==&BRQl=0VvHIbaPn4fXJTG0
TH
malicious
2820
DHL_AWB# 9284730931.exe
GET
200
2.16.107.80:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2820
DHL_AWB# 9284730931.exe
2.16.107.80:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
suspicious
312
explorer.exe
203.159.95.17:80
www.zgmmds8.com
TH
malicious
2820
DHL_AWB# 9284730931.exe
41.204.161.16:443
qif.ac.ke
Kenya Education Network
KE
suspicious

DNS requests

Domain
IP
Reputation
qif.ac.ke
  • 41.204.161.16
suspicious
isrg.trustid.ocsp.identrust.com
  • 2.16.107.80
  • 2.16.107.73
whitelisted
www.zgmmds8.com
  • 203.159.95.17
malicious
www.kenguy.ninja
unknown
www.aroundthesix.com
unknown

Threats

PID
Process
Class
Message
312
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.zip