analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

New Order.xlsx

Full analysis: https://app.any.run/tasks/2b613b83-b8c0-4dcf-abb2-179910c1ee5b
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: July 17, 2019, 13:50:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
formbook
trojan
stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

EB14DBF39DDBCC9393B46478F253A513

SHA1:

2CDEFF44C3AD4B900F6CDE2DB20A5160DF800A7B

SHA256:

48C385EDE2C46F1713A70BD49DE307908F1B844829583F4D171F1878A99FD6EE

SSDEEP:

1536:COZFoXtChGC7t7+ag06fMt/GUfm+/6wEkDNah/ear5C66UK1S8uqZpATS3trPBt:fG4dpKag0IMt/rV61kDaea5KduapAO3l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3172)
    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 3052)
      • configmz7xu.exe (PID: 1096)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3172)
    • Downloads executable files from IP

      • EQNEDT32.EXE (PID: 3172)
    • Formbook was detected

      • msg.exe (PID: 1532)
      • Firefox.exe (PID: 2588)
    • FORMBOOK was detected

      • explorer.exe (PID: 124)
    • Changes the autorun value in the registry

      • msg.exe (PID: 1532)
    • Connects to CnC server

      • explorer.exe (PID: 124)
    • Actions looks like stealing of personal data

      • msg.exe (PID: 1532)
    • Stealing of credential data

      • msg.exe (PID: 1532)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3172)
      • DllHost.exe (PID: 1660)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3172)
      • explorer.exe (PID: 124)
      • DllHost.exe (PID: 1660)
    • Starts CMD.EXE for commands execution

      • msg.exe (PID: 1532)
    • Creates files in the user directory

      • msg.exe (PID: 1532)
    • Creates files in the program directory

      • DllHost.exe (PID: 1660)
    • Loads DLL from Mozilla Firefox

      • msg.exe (PID: 1532)
  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 124)
    • Manual execution by user

      • msg.exe (PID: 1532)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3300)
    • Creates files in the user directory

      • Firefox.exe (PID: 2588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
9
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe vbc.exe no specs #FORMBOOK msg.exe cmd.exe no specs #FORMBOOK explorer.exe Copy/Move/Rename/Delete/Link Object configmz7xu.exe no specs #FORMBOOK firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3300"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3172"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3052"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1532"C:\Windows\System32\msg.exe"C:\Windows\System32\msg.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Message Utility
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2492/c del "C:\Users\Public\vbc.exe"C:\Windows\System32\cmd.exemsg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
124C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1660C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1096"C:\Program Files\Itt-\configmz7xu.exe"C:\Program Files\Itt-\configmz7xu.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2588"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
msg.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
67.0.4
Total events
785
Read events
717
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
71
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3300EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRCFB4.tmp.cvr
MD5:
SHA256:
3300EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90AA1094.jpeg
MD5:
SHA256:
3300EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9B1CF85.jpeg
MD5:
SHA256:
3300EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF0F3F157EFD05178F.TMP
MD5:
SHA256:
3300EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$New Order.xlsx
MD5:
SHA256:
124explorer.exeC:\Users\admin\AppData\Local\Temp\Itt-\configmz7xu.exeexecutable
MD5:09E0B628FA0CA3BCCBDC2B1955F38410
SHA256:95B3D595F6608F6DF8CBEEAE89B837EE137EEC0D48ECF31464DD1B436C5B5C6D
1660DllHost.exeC:\Program Files\Itt-\configmz7xu.exeexecutable
MD5:09E0B628FA0CA3BCCBDC2B1955F38410
SHA256:95B3D595F6608F6DF8CBEEAE89B837EE137EEC0D48ECF31464DD1B436C5B5C6D
1532msg.exeC:\Users\admin\AppData\Roaming\O4PQB6EE\O4Plogrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3172EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:09E0B628FA0CA3BCCBDC2B1955F38410
SHA256:95B3D595F6608F6DF8CBEEAE89B837EE137EEC0D48ECF31464DD1B436C5B5C6D
3172EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\order[1].exeexecutable
MD5:09E0B628FA0CA3BCCBDC2B1955F38410
SHA256:95B3D595F6608F6DF8CBEEAE89B837EE137EEC0D48ECF31464DD1B436C5B5C6D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
124
explorer.exe
GET
302
133.130.35.22:80
http://www.nijino-piano.com/ed/?Ar2=YrT5EfRXxxSP0o8gCNGUshmJDXsTkNmuhRfiozNf5mAPZzzVJj68jUELb3rLH1vSKng//Q==&_jG4N=hBclaNlx48&sql=1
JP
malicious
3172
EQNEDT32.EXE
GET
200
84.38.135.173:80
http://84.38.135.173/good/order.exe
NL
executable
863 Kb
suspicious
124
explorer.exe
GET
66.33.208.127:80
http://www.bestpracticearts.com/ed/?Ar2=eTz6d3ws8sG5UVdSF4OshHcQuAQBqoA/rcfohGNbyfNwPwD/hmZsd/uYxEBQ5LPgR/OfIA==&_jG4N=hBclaNlx48
US
malicious
124
explorer.exe
POST
133.130.35.22:80
http://www.nijino-piano.com/ed/
JP
malicious
124
explorer.exe
POST
133.130.35.22:80
http://www.nijino-piano.com/ed/
JP
malicious
124
explorer.exe
POST
133.130.35.22:80
http://www.nijino-piano.com/ed/
JP
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
124
explorer.exe
66.33.208.127:80
www.bestpracticearts.com
New Dream Network, LLC
US
malicious
3172
EQNEDT32.EXE
84.38.135.173:80
DataClub S.A.
NL
suspicious
124
explorer.exe
133.130.35.22:80
www.nijino-piano.com
GMO Internet,Inc
JP
malicious

DNS requests

Domain
IP
Reputation
www.realcubalibre.com
unknown
www.958xhl.info
unknown
www.gr311.net
unknown
www.bestpracticearts.com
  • 66.33.208.127
malicious
www.latie.top
unknown
www.ask-life-mama.com
unknown
www.iatfyck.com
unknown
www.harveyloads.com
unknown
www.g5u6vk62.biz
unknown
www.nijino-piano.com
  • 133.130.35.22
malicious

Threats

PID
Process
Class
Message
3172
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3172
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
3172
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3172
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3172
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3172
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
124
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
124
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
2 ETPRO signatures available at the full report
No debug info