analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SWIFT19052022.xlsx

Full analysis: https://app.any.run/tasks/ebc0c2d9-d946-4548-a720-4bf1edf83f42
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: May 20, 2022, 20:57:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
formbook
trojan
stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

71336E3B7838EF9EEEE9F819F398463C

SHA1:

9CF294E9D1FA8C33591130731022608307DDBD4B

SHA256:

4EAAA7DC03CC461A9CFC0BBF593203DBB011B161BB5108E889DBE5C9B906888D

SSDEEP:

6144:BRNcsFZ/N7L4m8s/Gpn4rwgd1cbFFSwyTw:BjFZFgm8s+yr1xa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 1904)
      • vbc.exe (PID: 2628)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1904)
    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2628)
    • Changes the Startup folder

      • vbc.exe (PID: 2628)
    • FORMBOOK detected by memory dumps

      • netsh.exe (PID: 3208)
    • Connects to CnC server

      • Explorer.EXE (PID: 1176)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 1176)
  • SUSPICIOUS

    • Checks supported languages

      • EQNEDT32.EXE (PID: 1904)
      • vbc.exe (PID: 2628)
      • cmd.exe (PID: 348)
      • MSBuild.exe (PID: 2964)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 1904)
      • vbc.exe (PID: 2628)
      • MSBuild.exe (PID: 2964)
    • Executed via COM

      • EQNEDT32.EXE (PID: 1904)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1904)
      • vbc.exe (PID: 2628)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 1904)
      • vbc.exe (PID: 2628)
    • Reads Environment values

      • vbc.exe (PID: 2628)
      • netsh.exe (PID: 3208)
    • Starts CMD.EXE for commands execution

      • vbc.exe (PID: 2628)
      • netsh.exe (PID: 3208)
    • Creates files in the user directory

      • vbc.exe (PID: 2628)
    • Uses NETSH.EXE for network configuration

      • Explorer.EXE (PID: 1176)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 3100)
      • timeout.exe (PID: 620)
      • netsh.exe (PID: 3208)
      • cmd.exe (PID: 904)
    • Reads the computer name

      • EXCEL.EXE (PID: 3100)
      • netsh.exe (PID: 3208)
    • Starts Microsoft Office Application

      • Explorer.EXE (PID: 1176)
    • Manual execution by user

      • netsh.exe (PID: 3208)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(3208) netsh.exe
Modules (42)kernel32.dll
advapi32.dll
ws2_32.dll
svchost.exe
msiexec.exe
wuauclt.exe
lsass.exe
wlanext.exe
msg.exe
lsm.exe
dwm.exe
help.exe
chkdsk.exe
cmmon32.exe
nbtstat.exe
spoolsv.exe
rdpclip.exe
control.exe
taskhost.exe
rundll32.exe
systray.exe
audiodg.exe
wininit.exe
services.exe
autochk.exe
autoconv.exe
autofmt.exe
cmstp.exe
colorcpl.exe
cscript.exe
explorer.exe
WWAHost.exe
ipconfig.exe
msdt.exe
mstsc.exe
NAPSTAT.EXE
netsh.exe
NETSTAT.EXE
raserver.exe
wscript.exe
wuapp.exe
cmd.exe
Decoys and strings (143)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
tjwypt.club
lexisnexisrissk.com
hillsideschnauzer.com
thebeautifullifeofthearth.com
kaiverse.world
underscorestyle.com
www86516edu.com
gloryworksmn.com
mommoth.club
buxbuxro.com
collettebowman.com
westcoastcurecarts.com
hbwsjbc.com
mapharisacapitalholdings.com
wealthybistro.com
myfexer.com
meetthewinery.com
meronbiotech.com
theketoking.com
veolx.com
euromarketinfinity.com
bayclabs.xyz
i-love-thesex.xyz
tdtivolga.com
fridom.finance
starpart.net
flanscheinkauf.com
cqtotole.com
xnproduct.com
spexwest.systems
englishkap.xyz
bold.insure
sarihstore.online
classiskink.com
bulltrade.group
rhontamos.com
icklebots.com
gtz-w.xyz
dublin-roofers.com
roomonetwonine.com
drenag-eco-life.store
restaurantemeatland.com
hochatownacm.com
getfixedauto.com
surprize4u.com
lucilliesbbq.com
wwwy1me.com
seementor.com
limitedskin.xyz
zzrbruu.xyz
petpalaceresortandspa.net
knowan.space
xlblvd37.xyz
rameshgoostar.com
thegreenteashots.com
kreatywnedzieciaki.com
beanflavouredsoup.com
id-3484756.space
musical.finance
rentdefi.xyz
vseservices.com
parachagroup.net
lambertsmarketplace.com
fishershardware.com
f-end
C2www.vitalselfstorage.com/sn12/
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe vbc.exe cmd.exe no specs timeout.exe no specs msbuild.exe no specs #FORMBOOK netsh.exe no specs cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
3100"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1904"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2628"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exe
EQNEDT32.EXE
User:
admin
Company:
EveryonePiano.com
Integrity Level:
MEDIUM
Description:
EveryonePiano Setup
Exit code:
0
Version:
1.2.11.30
348"C:\Windows\System32\cmd.exe" /c timeout 2C:\Windows\System32\cmd.exevbc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
620timeout 2C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2964C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exevbc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.0.30319.34209 built by: FX452RTMGDR
3208"C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Formbook
(PID) Process(3208) netsh.exe
Modules (42)kernel32.dll
advapi32.dll
ws2_32.dll
svchost.exe
msiexec.exe
wuauclt.exe
lsass.exe
wlanext.exe
msg.exe
lsm.exe
dwm.exe
help.exe
chkdsk.exe
cmmon32.exe
nbtstat.exe
spoolsv.exe
rdpclip.exe
control.exe
taskhost.exe
rundll32.exe
systray.exe
audiodg.exe
wininit.exe
services.exe
autochk.exe
autoconv.exe
autofmt.exe
cmstp.exe
colorcpl.exe
cscript.exe
explorer.exe
WWAHost.exe
ipconfig.exe
msdt.exe
mstsc.exe
NAPSTAT.EXE
netsh.exe
NETSTAT.EXE
raserver.exe
wscript.exe
wuapp.exe
cmd.exe
Decoys and strings (143)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
tjwypt.club
lexisnexisrissk.com
hillsideschnauzer.com
thebeautifullifeofthearth.com
kaiverse.world
underscorestyle.com
www86516edu.com
gloryworksmn.com
mommoth.club
buxbuxro.com
collettebowman.com
westcoastcurecarts.com
hbwsjbc.com
mapharisacapitalholdings.com
wealthybistro.com
myfexer.com
meetthewinery.com
meronbiotech.com
theketoking.com
veolx.com
euromarketinfinity.com
bayclabs.xyz
i-love-thesex.xyz
tdtivolga.com
fridom.finance
starpart.net
flanscheinkauf.com
cqtotole.com
xnproduct.com
spexwest.systems
englishkap.xyz
bold.insure
sarihstore.online
classiskink.com
bulltrade.group
rhontamos.com
icklebots.com
gtz-w.xyz
dublin-roofers.com
roomonetwonine.com
drenag-eco-life.store
restaurantemeatland.com
hochatownacm.com
getfixedauto.com
surprize4u.com
lucilliesbbq.com
wwwy1me.com
seementor.com
limitedskin.xyz
zzrbruu.xyz
petpalaceresortandspa.net
knowan.space
xlblvd37.xyz
rameshgoostar.com
thegreenteashots.com
kreatywnedzieciaki.com
beanflavouredsoup.com
id-3484756.space
musical.finance
rentdefi.xyz
vseservices.com
parachagroup.net
lambertsmarketplace.com
fishershardware.com
f-end
C2www.vitalselfstorage.com/sn12/
904/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\System32\cmd.exenetsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1176C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 346
Read events
3 237
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3100EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR1B69.tmp.cvr
MD5:
SHA256:
1904EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\zmb[1].exeexecutable
MD5:61D8380734DAB62AFB07E2D12CB746AF
SHA256:BFB973A2A005029171EF58CC29552235909FFFFEEED05F5C5D469CDD6D8424CC
2628vbc.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EveryonePiano\Ixjyoejx.exeexecutable
MD5:61D8380734DAB62AFB07E2D12CB746AF
SHA256:BFB973A2A005029171EF58CC29552235909FFFFEEED05F5C5D469CDD6D8424CC
1904EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:61D8380734DAB62AFB07E2D12CB746AF
SHA256:BFB973A2A005029171EF58CC29552235909FFFFEEED05F5C5D469CDD6D8424CC
3100EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4E3CA22.emfemf
MD5:894A796F9211E1080192AC72B6D54A9D
SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3100EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BA5E365.emfemf
MD5:8E3A74F7AA420B02D34C69E625969C0A
SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2628
vbc.exe
GET
200
192.185.174.178:80
http://darley.ml/h/Zzrfmn_Kyaogqlh.bmp
US
gmc
400 Kb
suspicious
1176
Explorer.EXE
GET
301
50.31.188.30:80
http://www.i-love-thesex.xyz/sn12/?D8=8JAhlDAmh6SZAWlDxWnQN8n40D/BvIgOjONuZlYgfCicyxJstClQxussqCBKCmck49/FHw==&jb8x=gX_XntFPZdnxM
US
malicious
1904
EQNEDT32.EXE
GET
200
192.210.240.37:80
http://192.210.240.37/d/zmb.exe
US
executable
26.5 Kb
suspicious
1176
Explorer.EXE
GET
301
82.180.174.63:80
http://www.gtz-w.xyz/sn12/?D8=qlKqemWap+BDm/CFfwEPR89PKrVFsU4yQjBBu6cgintZpospn1y2Q0jsq2fsNOZfxc2t4Q==&jb8x=gX_XntFPZdnxM
DK
html
707 b
malicious
1176
Explorer.EXE
GET
301
185.212.70.59:80
http://www.fridom.finance/sn12/?D8=1q+racYqO91np9EuUzR1BcjgODnOUPhlK3BpOtk3zjuj0mouWlkxfpN81J9GJYcTngp9uA==&jb8x=gX_XntFPZdnxM
GB
html
707 b
malicious
1176
Explorer.EXE
GET
403
185.53.179.173:80
http://www.lexisnexisrissk.com/sn12/?D8=p6FQxtvLyf8UvWk6ukS1/IppDDOBuzx3DBhxdCT2UfHVIuZKj6sk+57FzRo1w+Yowa8H6Q==&jb8x=gX_XntFPZdnxM
DE
html
146 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1904
EQNEDT32.EXE
192.210.240.37:80
ColoCrossing
US
suspicious
1176
Explorer.EXE
185.53.179.173:80
www.lexisnexisrissk.com
Team Internet AG
DE
malicious
2628
vbc.exe
192.185.174.178:80
darley.ml
CyrusOne LLC
US
malicious
1176
Explorer.EXE
185.212.70.59:80
www.fridom.finance
TerraTransit AG
GB
malicious
1176
Explorer.EXE
82.180.174.63:80
www.gtz-w.xyz
Sagitta ApS
DK
unknown
1176
Explorer.EXE
50.31.188.30:80
www.i-love-thesex.xyz
Server Central Network
US
malicious

DNS requests

Domain
IP
Reputation
darley.ml
  • 192.185.174.178
suspicious
www.lexisnexisrissk.com
  • 185.53.179.173
malicious
www.fridom.finance
  • 185.212.70.59
malicious
www.i-love-thesex.xyz
  • 50.31.188.30
malicious
www.gtz-w.xyz
  • 82.180.174.63
malicious

Threats

PID
Process
Class
Message
1904
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
1904
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
1904
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
2628
vbc.exe
Potentially Bad Traffic
ET POLICY Suspicious Terse Request for .bmp
2628
vbc.exe
Potentially Bad Traffic
ET INFO Request to .ML Domain with Minimal Headers
2628
vbc.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.ml domain
1176
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1 ETPRO signatures available at the full report
No debug info