File name: | debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.zip |
Full analysis: | https://app.any.run/tasks/522afd01-1817-4dc0-b945-3da0ed3421c1 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 30, 2020, 11:39:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 14CF6604341667C5FACD9F2FF10D1422 |
SHA1: | 1D27120F7D6A1F66E4494E21F3FCE5C0C2F08D76 |
SHA256: | FA97258B563CD4CC030B0FE1642941713F0203D7F9415AB3EBD7FB9F6821AAD3 |
SSDEEP: | 768:GLA8sYDPAHcRL+52kmZeljl9ZVvVX2wu2BW:SsIIcRLfkrpfVswdA |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0003 |
ZipCompression: | Unknown (99) |
ZipModifyDate: | 2020:05:30 11:39:08 |
ZipCRC: | 0x9d3109de |
ZipCompressedSize: | 24632 |
ZipUncompressedSize: | 24607 |
ZipFileName: | debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.rar |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2916 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb1932.14256\debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.rar | C:\Program Files\WinRAR\WinRAR.exe | WinRAR.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1696 | "C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe" | C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 2.02 | ||||
2820 | "C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe" | C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe | DHL_AWB# 9284730931.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 2.02 | ||||
2192 | "C:\Windows\System32\svchost.exe" | C:\Windows\System32\svchost.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3144 | /c del "C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe" | C:\Windows\System32\cmd.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
312 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
948 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | svchost.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2820 | DHL_AWB# 9284730931.exe | C:\Users\admin\AppData\Local\Temp\Cab89D6.tmp | — | |
MD5:— | SHA256:— | |||
2820 | DHL_AWB# 9284730931.exe | C:\Users\admin\AppData\Local\Temp\Tar89D7.tmp | — | |
MD5:— | SHA256:— | |||
2192 | svchost.exe | C:\Users\admin\AppData\Roaming\JMAMR4D1\JMAlogrc.ini | binary | |
MD5:6A2D8FD600948CEFEA9C615AF9607BD5 | SHA256:8A8A84891ECB2032320D1C0DE99FDCD94100DF10F352D9F96FD1B2433CD4D45B | |||
2820 | DHL_AWB# 9284730931.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der | |
MD5:FABE66F6C09EA2E22FB75534D5F2834B | SHA256:F9C09E24BD256FC300B86FA4A0CE870A20B2A1F7B3AE142038927DD1223B8D2E | |||
1932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1932.14256\debf4ee90ca6ca27ae7d4e425efe55bbea1fd60cc5be2935afcf38e898c4824f.rar | compressed | |
MD5:4688165B3C9BDC3AD266387231621585 | SHA256:DEBF4EE90CA6CA27AE7D4E425EFE55BBEA1FD60CC5BE2935AFCF38E898C4824F | |||
2820 | DHL_AWB# 9284730931.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | binary | |
MD5:5CA21F8519184187636B2937F8BCC814 | SHA256:AB3E583B43DE86153B341A35141C47E770628A0124AD95291D75F1E03A613F48 | |||
1696 | DHL_AWB# 9284730931.exe | C:\Users\admin\AppData\Local\Temp\~DFE92D1184FD76FC83.TMP | binary | |
MD5:EF7B28ED0E469CB1EAD7DE7238B83D97 | SHA256:3C574F1712DEA3C23FE6B3C21489245D8F5C2A7F29D85EEC4217BD21B2D56512 | |||
2916 | WinRAR.exe | C:\Users\admin\Desktop\DHL_AWB# 9284730931.exe | executable | |
MD5:DDCDC714BEDFFB59133570C3A2B7913F | SHA256:BE3E6008DDE30CB959B90A332A79931B889216A9483944DC5C0D958DEC1B8E46 | |||
2192 | svchost.exe | C:\Users\admin\AppData\Roaming\JMAMR4D1\JMAlogim.jpeg | image | |
MD5:31EE57C6E7D6809ABE8BF3F91D90458B | SHA256:D51CF93FEC4851D45298255603FD919BA77556DBE07C090ED153D727928D6A86 | |||
948 | Firefox.exe | C:\Users\admin\AppData\Roaming\JMAMR4D1\JMAlogrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
312 | explorer.exe | GET | — | 203.159.95.17:80 | http://www.zgmmds8.com/f23/?RLr=vXynGr9PpokEwKvpJCAzPh/5OfWF50dRGKHx+LbCEPSFsSU+I5i+AHs247TvwKjccPTDpw==&BRQl=0VvHIbaPn4fXJTG0 | TH | — | — | malicious |
2820 | DHL_AWB# 9284730931.exe | GET | 200 | 2.16.107.80:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2820 | DHL_AWB# 9284730931.exe | 2.16.107.80:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | suspicious |
312 | explorer.exe | 203.159.95.17:80 | www.zgmmds8.com | — | TH | malicious |
2820 | DHL_AWB# 9284730931.exe | 41.204.161.16:443 | qif.ac.ke | Kenya Education Network | KE | suspicious |
Domain | IP | Reputation |
---|---|---|
qif.ac.ke |
| suspicious |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
www.zgmmds8.com |
| malicious |
www.kenguy.ninja |
| unknown |
www.aroundthesix.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
312 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |