File name: | PO no.01313283.xlsx |
Full analysis: | https://app.any.run/tasks/7b383c42-0d1d-4a8b-8bba-2965b0727354 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | November 08, 2018, 23:19:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 8162899574DD9BF113E7D5850B36903D |
SHA1: | 79528E042C26EDCA9E535869318CC95588FDAFDE |
SHA256: | 05806749C9C50F3A7559357C5DCBB3917783BE47706C6BEC8B74C9C50A84A7CE |
SSDEEP: | 3072:7Wno3fi5NdQVRmuK+Cmk0wsoyqBemBazm7TqRF87mNnB0GDxXAUHw:s7QuuK+CR07oymBaEORF+cHXRw |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3924 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3508 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3736 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3308 | "C:\Users\admin\AppData\Local\Temp\90407336\rns.exe" qgx=vbw | C:\Users\admin\AppData\Local\Temp\90407336\rns.exe | — | vbc.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
628 | C:\Users\admin\AppData\Local\Temp\90407336\rns.exe C:\Users\admin\AppData\Local\Temp\90407336\FVIEZ | C:\Users\admin\AppData\Local\Temp\90407336\rns.exe | rns.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3656 | "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe" | C:\Users\admin\AppData\Local\Temp\RegSvcs.exe | — | rns.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
256 | "C:\Windows\System32\control.exe" | C:\Windows\System32\control.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3280 | /c del "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe" | C:\Windows\System32\cmd.exe | — | control.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1604 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3732 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | control.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 |
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | *%k |
Value: 2A256B00540F0000010000000000000000000000 | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel |
Operation: | write | Name: | MTTT |
Value: 540F00000ED5C180B977D40100000000 | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete value | Name: | *%k |
Value: 2A256B00540F0000010000000000000000000000 | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3924) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5DA39F |
Operation: | write | Name: | 5DA39F |
Value: 04000000540F00003500000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0050004F0020006E006F002E00300031003300310033003200380033002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000B0314081B977D4019FA35D009FA35D0000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA1AA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\nrw.mp3 | text | |
MD5:D19084D895A74DDF37208C9A2A04D808 | SHA256:D05F2464E8BAA4E01B80FCDE1CB1E06F32E09F2FC96BE9C4AF11CE13DB6FE68E | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\bqd.xl | text | |
MD5:8B4E174CA7350758A33B0490971F84F4 | SHA256:1EF293D70FA9C5B505EE9D61F449AD200B06DADD7C3EF28012A57713D4241A3F | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\efr.bmp | text | |
MD5:AC17706881B5ECA4108AC69D7756B202 | SHA256:5B6328CF41A13DCA9388FD9A4F0E6B97FADF859677D925B898B100EB72A8345D | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\jug.xl | text | |
MD5:A22055E3AF5206EEA00531258489E2C5 | SHA256:14F1BF6EFBBF9960908489E9329F3A126E4B8C6AC5C74E319A05910650DF544C | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\aaq.docx | text | |
MD5:4A2927FDF8596BF0AB5EEE6923A6DB0C | SHA256:3F6D12EA89FABDA15D79ACC2068532D01CE0340974C7D83E087033E1A12538F5 | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\ocj.dat | text | |
MD5:2BFEABC8B449A09668371E8371091F24 | SHA256:48DE13701C9EB1C969023C389574C19381D598E1B9773257BE045B10563C5764 | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\qgx=vbw | text | |
MD5:0106092DEBA205CB68AC70845856CBE1 | SHA256:E8730684BE006116371F1C6E8A4B206866CE88DA340E23A587439A28C4413019 | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\hnq.mp3 | text | |
MD5:FAB79B481C319B651FDBEBA163ABAC34 | SHA256:ED44651D5FCEE90FCE6C71C6C0F97C234B28B70D147667B62FF637C8B8CB2ACC | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\90407336\cgm.mp3 | text | |
MD5:134051898B2D9E9464116B9A8E9B9770 | SHA256:6701C0E71B49A127E2A24CCAF1CB7E9F1642DFB8B3586932D15AA1399DF1593E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1604 | explorer.exe | GET | — | 160.153.136.3:80 | http://www.duetassetmanagement.com/aa8/?ib-T4z9p=B2fTNwRIgNPUIBaqQetYCPINXRQ9KqEA564Rq7KNLlEZU7QnvW7V6e8rWbQFdZCZocJpPw==&TZ=ytg4Dt6Xj | US | — | — | malicious |
1604 | explorer.exe | GET | — | 47.52.142.209:80 | http://www.fluorysports.com/aa8/?ib-T4z9p=8QtQh+QKR4X7xXWpsWgmLAzc5/T6YCkTzuAoZm2VrSe2knya/26h47lQL8rgD55NpSkKog==&TZ=ytg4Dt6Xj&sql=1 | HK | — | — | malicious |
1604 | explorer.exe | POST | — | 47.52.142.209:80 | http://www.fluorysports.com/aa8/ | HK | — | — | malicious |
3508 | EQNEDT32.EXE | GET | 200 | 23.249.161.100:80 | http://23.249.161.100/frankm/frank.exe | US | executable | 822 Kb | malicious |
1604 | explorer.exe | POST | — | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | — | — | malicious |
1604 | explorer.exe | GET | 200 | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/?ib-T4z9p=RHDVyMGFPOescSk8fBVyz7avp6vl173cjAxPM1VuTIfp3KGJQuEcxaOelH6TQ4dkTsIRxg==&TZ=ytg4Dt6Xj&sql=1 | US | binary | 323 Kb | malicious |
1604 | explorer.exe | POST | 404 | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | html | 295 b | malicious |
1604 | explorer.exe | POST | — | 47.52.142.209:80 | http://www.fluorysports.com/aa8/ | HK | — | — | malicious |
1604 | explorer.exe | POST | — | 47.52.142.209:80 | http://www.fluorysports.com/aa8/ | HK | — | — | malicious |
1604 | explorer.exe | POST | 404 | 162.213.255.220:80 | http://www.nadidetadllar.com/aa8/ | US | html | 295 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1604 | explorer.exe | 160.153.136.3:80 | www.duetassetmanagement.com | GoDaddy.com, LLC | US | malicious |
1604 | explorer.exe | 162.213.255.220:80 | www.nadidetadllar.com | Namecheap, Inc. | US | malicious |
3508 | EQNEDT32.EXE | 23.249.161.100:80 | — | ColoCrossing | US | malicious |
1604 | explorer.exe | 47.52.142.209:80 | www.fluorysports.com | Alibaba (China) Technology Co., Ltd. | HK | malicious |
Domain | IP | Reputation |
---|---|---|
www.duetassetmanagement.com |
| malicious |
www.fluorysports.com |
| malicious |
www.nadidetadllar.com |
| malicious |
www.yg6669.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3508 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3508 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3508 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3508 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3508 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |