File name: | 9806c7bf6f8963b979b49d994304a48b.doc |
Full analysis: | https://app.any.run/tasks/3149b350-90e8-4c85-89bb-3d1d49ef1d69 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | February 19, 2019, 06:29:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 9806C7BF6F8963B979B49D994304A48B |
SHA1: | E51A1B346BEAD153D6732A463BEAC3E4055B06D5 |
SHA256: | 4257898A698D4898B69E5EBA0178D05C0125B2FB6A65C989978DE14278B32BF4 |
SSDEEP: | 96:RN4Ri1BacBfXPBo08WZLkkUWwwrV4wPWw/J:s0TfJBo0VxkORV49wx |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9806c7bf6f8963b979b49d994304a48b.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2428 | C:\Users\admin\AppData\Roaming\win | C:\Users\admin\AppData\Roaming\win | — | WINWORD.EXE |
User: admin Company: Integrity Level: MEDIUM Description: Windows Write Exit code: 0 Version: 6.01.7600 | ||||
4004 | "C:\Windows\System32\taskhost.exe" | C:\Windows\System32\taskhost.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Tasks Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3800 | /c del "C:\Users\admin\AppData\Roaming\win" | C:\Windows\System32\cmd.exe | — | taskhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3864 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2364 | "C:\Program Files\Sjbcd\p68ppv.exe" | C:\Program Files\Sjbcd\p68ppv.exe | — | explorer.exe |
User: admin Company: Integrity Level: MEDIUM Description: Windows Write Exit code: 0 Version: 6.01.7600 | ||||
3024 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | taskhost.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 | ||||
2872 | "C:\Windows\System32\cmstp.exe" | C:\Windows\System32\cmstp.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE831.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C0B1440-082D-47CF-AF7B-4440D0ADDC95}.tmp | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B4C83C6-5501-47DD-B1AB-326D74EA6C66}.tmp | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3FF639A6-C22C-4E9B-B5CF-1F235643CD7D}.tmp | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct | binary | |
MD5:E37C744F9F6FF254065C19744427F35C | SHA256:CD543BF412D26A3E062215057395E4CDBD868CD9B13D5FF1C51F74E0BE964C07 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:633EDCAF70A08EA4C8F9489679EF5BF4 | SHA256:446A4274C3E9935A40A0EA6332996E3ABECA0B7D59EB8A541F56397F29158E6E | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\win | executable | |
MD5:B21DED7BBCE5A4D96094088E020D311A | SHA256:89B1724FFBC5E26578C1DFBE5B21BC3BDBD80EF4CBFAF11C77298EFD63460FC8 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\win[1].exe | executable | |
MD5:B21DED7BBCE5A4D96094088E020D311A | SHA256:89B1724FFBC5E26578C1DFBE5B21BC3BDBD80EF4CBFAF11C77298EFD63460FC8 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$06c7bf6f8963b979b49d994304a48b.doc | pgc | |
MD5:2CBAA9BE706A2752086C67C266162B6C | SHA256:E6E887FED7973934BE6A2AD7E3F69C713660C916E66F4B3BED7478C3344B4BB1 | |||
284 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Sjbcd\p68ppv.exe | executable | |
MD5:B21DED7BBCE5A4D96094088E020D311A | SHA256:89B1724FFBC5E26578C1DFBE5B21BC3BDBD80EF4CBFAF11C77298EFD63460FC8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2976 | WINWORD.EXE | GET | 200 | 5.152.203.104:80 | http://5.152.203.104/file/win.exe | GB | executable | 868 Kb | suspicious |
284 | explorer.exe | GET | — | 213.186.33.5:80 | http://www.andex.deals/ap/?GPxT=++YF8btsEvoNCA1gBpb2ET7jfVhVqsBt3Jnl5bVpUB2IEUkZlJMvOvflBOg/3ecECuAk1g==&a4N=tXixnrypJn | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2976 | WINWORD.EXE | 5.152.203.104:80 | — | iomart Cloud Services Limited. | GB | suspicious |
284 | explorer.exe | 213.186.33.5:80 | www.andex.deals | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
www.atrpmj.men |
| unknown |
www.andex.deals |
| malicious |
www.meviasauces.com |
| unknown |
www.xshop.group |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2976 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2976 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2976 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
2976 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2976 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
2976 | WINWORD.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |