File name: | 3c37d89b7b7a5d8bb2ad098c0208107c836b0f1c8b49bd3c058436b9683296fe.rtf |
Full analysis: | https://app.any.run/tasks/e4603d56-81d6-4522-b709-af561a9ad90a |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | March 14, 2019, 20:49:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | EB3A5949733A99EA6E31C1A05ACB078D |
SHA1: | 92627DF4C832379984A2553DF690E16591C7A08A |
SHA256: | 3C37D89B7B7A5D8BB2AD098C0208107C836B0F1C8B49BD3C058436B9683296FE |
SSDEEP: | 1536:NBsG2OiYC8X3xdHoP13Gm+xaA2kUm4MSRh2radgngQ:NlhiYC8Zr |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 85 |
---|---|
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 2 |
ModifyDate: | 2019:01:20 14:19:00 |
CreateDate: | 2019:01:20 14:19:00 |
LastModifiedBy: | Windows User |
Author: | Windows User |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3500 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3c37d89b7b7a5d8bb2ad098c0208107c836b0f1c8b49bd3c058436b9683296fe.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3904 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3484 | C:\Users\Public\3.exe | C:\Users\Public\3.exe | — | EQNEDT32.EXE |
User: admin Company: PLURILINGUAL8 Integrity Level: MEDIUM Exit code: 0 Version: 1.03.0002 | ||||
3184 | :\Users\Public\3.exe | C:\Users\Public\3.exe | — | 3.exe |
User: admin Company: PLURILINGUAL8 Integrity Level: MEDIUM Exit code: 0 Version: 1.03.0002 | ||||
2988 | "C:\Windows\System32\raserver.exe" | C:\Windows\System32\raserver.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Remote Assistance COM Server Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4068 | /c del "C:\Users\Public\3.exe" | C:\Windows\System32\cmd.exe | — | raserver.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3388 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | raserver.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 | ||||
1088 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2132 | "C:\Program Files\K8pmxrtbp\autochkbld.exe" | C:\Program Files\K8pmxrtbp\autochkbld.exe | — | explorer.exe |
User: admin Company: PLURILINGUAL8 Integrity Level: MEDIUM Exit code: 0 Version: 1.03.0002 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3500 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDCF4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3500 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3C9A769D-770D-4387-982D-1B8E51226270}.tmp | — | |
MD5:— | SHA256:— | |||
3500 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{09A964ED-7E63-4D2C-A923-28198CD80C09}.tmp | — | |
MD5:— | SHA256:— | |||
3500 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FDFCEAAD-B14E-4501-A16E-E86FEA1E57B2}.tmp | — | |
MD5:— | SHA256:— | |||
3500 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2A891164FE91BA6AC05B0BF649A261EA | SHA256:DBE2D12E45090C02E4A69E55CEC720728F1BD7706358E7ED5CE8E9FC4F94AD32 | |||
3904 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:B92A3A2091BA999D686A04BD72E951EE | SHA256:53B33465DA29A7F0C1F4D25E6962D9C6092878ECDC8538CE808EA4ECCA875D5D | |||
3500 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{769BA9E7-2F2D-4B77-99D1-484862B228DC}.tmp | binary | |
MD5:806BEEA24B8D3BDFE4C6DE9083DE51DD | SHA256:0CC951FF49026C41CA7A5BFAC62054B66467E670B8C30E16E36DF5BB52906935 | |||
3904 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\NewOrder[1].jpg | executable | |
MD5:FAB84396A57BE43D0F8415FA5391576D | SHA256:0351E4F1B5FCD2EA0EBF370033C59E9F1AA4122A78FB4BD69190F49F893EF83F | |||
2988 | raserver.exe | C:\Users\admin\AppData\Roaming\3Q8O943E\3Q8logrc.ini | binary | |
MD5:BB0BE4A1590C6350E4EC2974BB1C098B | SHA256:7BED4626B2F3BE5F8A0D8C5A62509A6DEFCF3C3755A174232563906D8E72800F | |||
284 | explorer.exe | C:\Users\admin\AppData\Local\Temp\K8pmxrtbp\autochkbld.exe | executable | |
MD5:FAB84396A57BE43D0F8415FA5391576D | SHA256:0351E4F1B5FCD2EA0EBF370033C59E9F1AA4122A78FB4BD69190F49F893EF83F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
284 | explorer.exe | GET | 403 | 23.227.38.64:80 | http://www.maneproject.online/nk/?8p=0yIE6IQvRohyNShN76SfvYtA2Afj4vZHQmkxFxgeRRxL4dPC6PLMCMFSINCWX5uIL7jbyw==&n2=iLj8LXix | CA | html | 1.74 Kb | malicious |
284 | explorer.exe | GET | — | 198.54.117.217:80 | http://www.onlineprices.win/nk/?8p=LRbk0SzEDYEbav2sOxLDDnjuV83UFYwnXyhGbMdvwR4XhK+y1pnWzAe28ENUx4SuLSM7jA==&n2=iLj8LXix&sql=1 | US | — | — | malicious |
3904 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2O2KOku | US | html | 118 b | shared |
3904 | EQNEDT32.EXE | GET | 200 | 45.67.14.199:80 | http://v39t67xz.ru/NewOrder.jpg | unknown | executable | 509 Kb | malicious |
284 | explorer.exe | GET | 404 | 162.213.250.187:80 | http://www.symtual.com/nk/?8p=HOgvtAkoy5xX7DSGkMySvfQymB7oXtIIQrGF12lTFoE3FF+PBnvvwbHC3dw2M19jGDO2Mw==&n2=iLj8LXix&sql=1 | US | html | 326 b | malicious |
284 | explorer.exe | POST | — | 162.213.250.187:80 | http://www.symtual.com/nk/ | US | — | — | malicious |
284 | explorer.exe | POST | — | 198.54.117.217:80 | http://www.onlineprices.win/nk/ | US | — | — | malicious |
284 | explorer.exe | GET | 301 | 138.197.206.197:80 | http://www.horugame.com/nk/?8p=YkgU8Qs+yU9oBJ/N1zBUE1b04PZ80lmhZVPatlw7C85ZrSbvpFzm2L3ApLReymSUBVApgg==&n2=iLj8LXix | US | — | — | malicious |
284 | explorer.exe | POST | — | 162.213.250.187:80 | http://www.symtual.com/nk/ | US | — | — | malicious |
284 | explorer.exe | POST | — | 162.213.250.187:80 | http://www.symtual.com/nk/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
284 | explorer.exe | 23.227.38.64:80 | www.maneproject.online | Shopify, Inc. | CA | malicious |
3904 | EQNEDT32.EXE | 45.67.14.199:80 | v39t67xz.ru | — | — | suspicious |
284 | explorer.exe | 162.213.250.187:80 | www.symtual.com | Namecheap, Inc. | US | malicious |
284 | explorer.exe | 138.197.206.197:80 | www.horugame.com | Digital Ocean, Inc. | US | malicious |
284 | explorer.exe | 198.54.117.217:80 | www.onlineprices.win | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
v39t67xz.ru |
| malicious |
www.diversityvoice.net |
| unknown |
www.todaysliftinggains.com |
| unknown |
www.thewineandaletrailsj.com |
| unknown |
www.maneproject.online |
| malicious |
www.onlineprices.win |
| malicious |
www.symtual.com |
| malicious |
www.twitteh.com |
| unknown |
www.crisefabio.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3904 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3904 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
3904 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
3904 | EQNEDT32.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |