analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NEW PO No. PO202204-074.xlsx

Full analysis: https://app.any.run/tasks/06b9c700-5337-4686-8a45-30e7f46aa8e5
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: May 20, 2022, 20:29:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
formbook
trojan
stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

3DFA648F0C076DA4F2524BB3F47CEF26

SHA1:

4068A34330D6292D1620E4302DE41B14B5CB2811

SHA256:

4A9C2E21D0E9F0545AE6A15A2FC165FCE752B4837D1BEBC0D2FAD5DF75F87250

SSDEEP:

6144:7rctBYD3TVQECX53dYA18laGfb1IqGlACeKI3Y7:PDKX2Vfb1PGlrB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3452)

    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 3452)

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 1784)
      • vbc.exe (PID: 1736)

    • FORMBOOK detected by memory dumps

      • cmmon32.exe (PID: 3600)

    • Connects to CnC server

      • Explorer.EXE (PID: 1296)

    • FORMBOOK was detected

      • Explorer.EXE (PID: 1296)

  • SUSPICIOUS

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3452)
      • vbc.exe (PID: 1784)
      • vbc.exe (PID: 1736)

    • Executed via COM

      • EQNEDT32.EXE (PID: 3452)

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3452)
      • vbc.exe (PID: 1784)
      • vbc.exe (PID: 1736)

    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3452)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3452)

    • Application launched itself

      • vbc.exe (PID: 1784)

    • Starts CMD.EXE for commands execution

      • cmmon32.exe (PID: 3600)

    • Reads Environment values

      • cmmon32.exe (PID: 3600)

  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2944)
      • cmmon32.exe (PID: 3600)
      • cmd.exe (PID: 3980)

    • Reads the computer name

      • EXCEL.EXE (PID: 2944)
      • cmmon32.exe (PID: 3600)

    • Starts Microsoft Office Application

      • Explorer.EXE (PID: 1296)

    • Manual execution by user

      • cmmon32.exe (PID: 3600)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(3600) cmmon32.exe
Modules (42)kernel32.dll
advapi32.dll
ws2_32.dll
svchost.exe
msiexec.exe
wuauclt.exe
lsass.exe
wlanext.exe
msg.exe
lsm.exe
dwm.exe
help.exe
chkdsk.exe
cmmon32.exe
nbtstat.exe
spoolsv.exe
rdpclip.exe
control.exe
taskhost.exe
rundll32.exe
systray.exe
audiodg.exe
wininit.exe
services.exe
autochk.exe
autoconv.exe
autofmt.exe
cmstp.exe
colorcpl.exe
cscript.exe
explorer.exe
WWAHost.exe
ipconfig.exe
msdt.exe
mstsc.exe
NAPSTAT.EXE
netsh.exe
NETSTAT.EXE
raserver.exe
wscript.exe
wuapp.exe
cmd.exe
Decoys and strings (143)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
cryptocurrenciesmarketcaps.com
legaslktiy3.xyz
cardhj.com
zouoolaa.xyz
yjy888.com
modernboatsalesnadservice.xyz
zeirishiyamasaki.com
jamesture.com
wwwcharleys.com
walletsw.com
mbbpaymentplan.com
lume24.com
steelonsite.com
digihm.solutions
desertunicorns.com
marbepay.com
vvv678.com
73154.xyz
qzbozhijy.com
daometalaunch.com
asproclub.com
jobeta.net
whusab.xyz
delivery-074812.xyz
magicportriat.com
floridacommercialprinting.com
jogodobicho.top
acessesiteonline01.online
lakrkajz.xyz
medicalmassageofpalmbeaches.com
trendylifeco.com
upliftpropertysolutions.com
discountbestdeals.com
antoniolorenzo.com
etheteroad.com
atukr.icu
xinli-ac.com
hhydlxs.com
megabandar.xyz
olyards.com
likeama.com
homes.equipment
rscall.center
mayonline.online
trq-advisors.com
growyourown.center
citzensinfo.com
modernerkredit.com
chitbucket.com
kookpedal.com
tatahotsauce.com
steadywoman.com
rfpconsultants.xyz
insurancecentral.info
appalachianfamilies.com
boywhocode.xyz
a-superb-us-retro-clothes.fyi
meandmsjones.online
pastoreemilio.com
emprendemente.online
erminelair.com
doudou-ssr.net
credit.cool
dgengcase.com
f-end
C2www.worklifefirewalls.com/m9y5/
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe vbc.exe no specs vbc.exe no specs #FORMBOOK cmmon32.exe no specs cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3452"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
1784"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
TFlow
Exit code:
0
Version:
2.3.0.0
1736"C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TFlow
Exit code:
0
Version:
2.3.0.0
3600"C:\Windows\System32\cmmon32.exe"C:\Windows\System32\cmmon32.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Monitor
Version:
7.02.7600.16385 (win7_rtm.090713-1255)
Formbook
(PID) Process(3600) cmmon32.exe
Modules (42)kernel32.dll
advapi32.dll
ws2_32.dll
svchost.exe
msiexec.exe
wuauclt.exe
lsass.exe
wlanext.exe
msg.exe
lsm.exe
dwm.exe
help.exe
chkdsk.exe
cmmon32.exe
nbtstat.exe
spoolsv.exe
rdpclip.exe
control.exe
taskhost.exe
rundll32.exe
systray.exe
audiodg.exe
wininit.exe
services.exe
autochk.exe
autoconv.exe
autofmt.exe
cmstp.exe
colorcpl.exe
cscript.exe
explorer.exe
WWAHost.exe
ipconfig.exe
msdt.exe
mstsc.exe
NAPSTAT.EXE
netsh.exe
NETSTAT.EXE
raserver.exe
wscript.exe
wuapp.exe
cmd.exe
Decoys and strings (143)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
cryptocurrenciesmarketcaps.com
legaslktiy3.xyz
cardhj.com
zouoolaa.xyz
yjy888.com
modernboatsalesnadservice.xyz
zeirishiyamasaki.com
jamesture.com
wwwcharleys.com
walletsw.com
mbbpaymentplan.com
lume24.com
steelonsite.com
digihm.solutions
desertunicorns.com
marbepay.com
vvv678.com
73154.xyz
qzbozhijy.com
daometalaunch.com
asproclub.com
jobeta.net
whusab.xyz
delivery-074812.xyz
magicportriat.com
floridacommercialprinting.com
jogodobicho.top
acessesiteonline01.online
lakrkajz.xyz
medicalmassageofpalmbeaches.com
trendylifeco.com
upliftpropertysolutions.com
discountbestdeals.com
antoniolorenzo.com
etheteroad.com
atukr.icu
xinli-ac.com
hhydlxs.com
megabandar.xyz
olyards.com
likeama.com
homes.equipment
rscall.center
mayonline.online
trq-advisors.com
growyourown.center
citzensinfo.com
modernerkredit.com
chitbucket.com
kookpedal.com
tatahotsauce.com
steadywoman.com
rfpconsultants.xyz
insurancecentral.info
appalachianfamilies.com
boywhocode.xyz
a-superb-us-retro-clothes.fyi
meandmsjones.online
pastoreemilio.com
emprendemente.online
erminelair.com
doudou-ssr.net
credit.cool
dgengcase.com
f-end
C2www.worklifefirewalls.com/m9y5/
3980/c del "C:\Users\Public\vbc.exe"C:\Windows\System32\cmd.execmmon32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1296C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 077
Read events
1 982
Write events
84
Delete events
11

Modification events

(PID) Process:(1296) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000157665AB480A0F48AFBF088EC0A166E10000000002000000000010660000000100002000000078C720B2CDC4CC7B5C9E9CE953907D377DA1602AF7A26A3CE142E5412684643E000000000E8000000002000020000000B4EF3F3B73C9C61944A7FC5B55D369A98A4820C649A7947A26B936BD04BAF4D03000000005BB3C8896586C0F182ED4325502D91AB6582F91E2995FCF61A336DFFA2316C1D6C2F5F73EEEE968BC3ADD4F30A72B2540000000F5146EB24230B616D74B2AC2B9927CC110E331C6EFCB7F02C0C6F1AA8EAF2D18BA11ACAE362FB142F930A52550E1125FEC04A26146C5EF3641FDCF661FFFE9AF
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:&,;
Value:
262C3B00800B0000010000000000000000000000
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2944) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
Executable files
2
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2944EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR9476.tmp.cvr
MD5:
SHA256:
2944EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED062C3F.emfemf
MD5:894A796F9211E1080192AC72B6D54A9D
SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3452EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:163FEC7150A575753BC40DFC0643847D
SHA256:682629E9B965B64912C262031E640DE0B18C637B392DF618DB5775B8BEF53EF4
3452EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\six[1].exeexecutable
MD5:163FEC7150A575753BC40DFC0643847D
SHA256:682629E9B965B64912C262031E640DE0B18C637B392DF618DB5775B8BEF53EF4
2944EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF355BB6.emfemf
MD5:8E3A74F7AA420B02D34C69E625969C0A
SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1296
Explorer.EXE
GET
200
192.151.224.138:80
http://www.vvv678.com/m9y5/?_Fi4AN=Z9bVZj0SCq8PeZMXM4gyUiy5DWlUmbnpgDhHq5KQSXlmCSDwp9xD/Q4l8kI77NpTNlltOw==&Q2r=ej4hBTbpK0hLnV
HK
html
210 b
malicious
3452
EQNEDT32.EXE
GET
200
104.168.33.25:80
http://104.168.33.25/one/six.exe
US
executable
648 Kb
malicious
1296
Explorer.EXE
GET
404
66.228.55.89:80
http://www.growyourown.center/m9y5/?_Fi4AN=Dx0j4UT1ibVEbTnFQ7uBXyfJUjNA44YaPt3+Z1wxnGVS6y/fZz0igZfqjfBKdp6DFJTFcg==&Q2r=ej4hBTbpK0hLnV
US
html
1.21 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1296
Explorer.EXE
192.151.224.138:80
www.vvv678.com
CloudRadium L.L.C
HK
malicious
3452
EQNEDT32.EXE
104.168.33.25:80
ColoCrossing
US
malicious
1296
Explorer.EXE
66.228.55.89:80
www.growyourown.center
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
www.vvv678.com
  • 192.151.224.138
malicious
www.growyourown.center
  • 66.228.55.89
unknown

Threats

PID
Process
Class
Message
3452
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3452
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3452
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3452
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3452
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3452
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1296
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
NEW PO No. PO202204-074.xlsx