File name: 9806c7bf6f8963b979b49d994304a48b.doc
Full analysis: https://app.any.run/tasks/3149b350-90e8-4c85-89bb-3d1d49ef1d69
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.

Analysis date: February 19, 2019, 06:29:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, opendir, loader, trojan, formbook, stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5: 9806C7BF6F8963B979B49D994304A48B
SHA1: E51A1B346BEAD153D6732A463BEAC3E4055B06D5
SHA256: 4257898A698D4898B69E5EBA0178D05C0125B2FB6A65C989978DE14278B32BF4
SSDEEP: 96:RN4Ri1BacBfXPBo08WZLkkUWwwrV4wPWw/J:s0TfJBo0VxkORV49wx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2976)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2976)
    • Application was dropped or rewritten from another process
      • win (PID: 2428)
      • p68ppv.exe (PID: 2364)
    • Requests a remote executable file from MS Office
      • WINWORD.EXE (PID: 2976)
    • Downloads executable files from IP
      • WINWORD.EXE (PID: 2976)
    • FORMBOOK was detected
      • explorer.exe (PID: 284)
    • Connects to CnC server
      • explorer.exe (PID: 284)
    • Changes the autorun value in the registry
      • taskhost.exe (PID: 4004)
    • Actions looks like stealing of personal data
      • taskhost.exe (PID: 4004)
    • Formbook was detected
      • taskhost.exe (PID: 4004)
      • Firefox.exe (PID: 3024)
    • Stealing of credential data
      • taskhost.exe (PID: 4004)
  • SUSPICIOUS
    • Starts application with an unusual extension
      • WINWORD.EXE (PID: 2976)
    • Unusual connect from Microsoft Office
      • WINWORD.EXE (PID: 2976)
    • Starts CMD.EXE for commands execution
      • taskhost.exe (PID: 4004)
    • Executable content was dropped or overwritten
      • explorer.exe (PID: 284)
      • DllHost.exe (PID: 3864)
    • Creates files in the user directory
      • taskhost.exe (PID: 4004)
    • Loads DLL from Mozilla Firefox
      • taskhost.exe (PID: 4004)
    • Creates files in the program directory
      • DllHost.exe (PID: 3864)
  • INFO
    • Starts Microsoft Office Application
      • explorer.exe (PID: 284)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2976)
      • Firefox.exe (PID: 3024)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2976)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
Total processes: 41
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Graph image not included. Process nodes: winword.exe, win, taskhost.exe, cmd.exe, explorer.exe, p68ppv.exe, firefox.exe, cmstp.exe. Nodes tagged #FORMBOOK: taskhost.exe, explorer.exe, firefox.exe. Edge labels: "drop and start", "start", "Copy/Move/Rename/Delete/Link Object".]

Process information

PID: 2976
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9806c7bf6f8963b979b49d994304a48b.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2428
CMD: C:\Users\admin\AppData\Roaming\win
Path: C:\Users\admin\AppData\Roaming\win
Parent process: WINWORD.EXE
User: admin
Integrity Level: MEDIUM
Description: Windows Write
Exit code: 0
Version: 6.01.7600

PID: 4004
CMD: "C:\Windows\System32\taskhost.exe"
Path: C:\Windows\System32\taskhost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Tasks
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3800
CMD: /c del "C:\Users\admin\AppData\Roaming\win"
Path: C:\Windows\System32\cmd.exe
Parent process: taskhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 284
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3864
CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2364
CMD: "C:\Program Files\Sjbcd\p68ppv.exe"
Path: C:\Program Files\Sjbcd\p68ppv.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Windows Write
Exit code: 0
Version: 6.01.7600

PID: 3024
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\Firefox.exe
Parent process: taskhost.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 61.0.2

PID: 2872
CMD: "C:\Windows\System32\cmstp.exe"
Path: C:\Windows\System32\cmstp.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile Installer
Exit code: 0
Version: 7.02.7600.16385 (win7_rtm.090713-1255)
Total events: 1 379
Read events: 1 018
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 74
Text files: 1
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE831.tmp.cvr | -
  MD5: - | SHA256: -
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C0B1440-082D-47CF-AF7B-4440D0ADDC95}.tmp | -
  MD5: - | SHA256: -
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B4C83C6-5501-47DD-B1AB-326D74EA6C66}.tmp | -
  MD5: - | SHA256: -
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3FF639A6-C22C-4E9B-B5CF-1F235643CD7D}.tmp | -
  MD5: - | SHA256: -
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct | binary
  MD5: E37C744F9F6FF254065C19744427F35C | SHA256: CD543BF412D26A3E062215057395E4CDBD868CD9B13D5FF1C51F74E0BE964C07
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 633EDCAF70A08EA4C8F9489679EF5BF4 | SHA256: 446A4274C3E9935A40A0EA6332996E3ABECA0B7D59EB8A541F56397F29158E6E
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\win | executable
  MD5: B21DED7BBCE5A4D96094088E020D311A | SHA256: 89B1724FFBC5E26578C1DFBE5B21BC3BDBD80EF4CBFAF11C77298EFD63460FC8
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\win[1].exe | executable
  MD5: B21DED7BBCE5A4D96094088E020D311A | SHA256: 89B1724FFBC5E26578C1DFBE5B21BC3BDBD80EF4CBFAF11C77298EFD63460FC8
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$06c7bf6f8963b979b49d994304a48b.doc | pgc
  MD5: 2CBAA9BE706A2752086C67C266162B6C | SHA256: E6E887FED7973934BE6A2AD7E3F69C713660C916E66F4B3BED7478C3344B4BB1
284 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Sjbcd\p68ppv.exe | executable
  MD5: B21DED7BBCE5A4D96094088E020D311A | SHA256: 89B1724FFBC5E26578C1DFBE5B21BC3BDBD80EF4CBFAF11C77298EFD63460FC8
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2976 | WINWORD.EXE | GET | 200 | 5.152.203.104:80 | http://5.152.203.104/file/win.exe | GB | executable | 868 Kb | suspicious
284 | explorer.exe | GET | - | 213.186.33.5:80 | http://www.andex.deals/ap/?GPxT=++YF8btsEvoNCA1gBpb2ET7jfVhVqsBt3Jnl5bVpUB2IEUkZlJMvOvflBOg/3ecECuAk1g==&a4N=tXixnrypJn | FR | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2976 | WINWORD.EXE | 5.152.203.104:80 | - | iomart Cloud Services Limited. | GB | suspicious
284 | explorer.exe | 213.186.33.5:80 | www.andex.deals | OVH SAS | FR | malicious

DNS requests

Domain | IP | Reputation
www.atrpmj.men | - | unknown
www.andex.deals | 213.186.33.5 | malicious
www.meviasauces.com | - | unknown
www.xshop.group | - | unknown

Threats

PID | Process | Class | Message
2976 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
2976 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2976 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2976 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2976 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2976 | WINWORD.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1 ETPRO signature is available in the full report
No debug info