File name: Amended_INVOICE.doc
Full analysis: https://app.any.run/tasks/0a2595f6-cf2c-4ccd-aa73-18395fa8d77c
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.

Analysis date: December 18, 2018, 10:52:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, exploit, CVE-2017-11882, loader, formbook, stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: B975B190C7375B3112DEBB2584176ABC
SHA1: 88315DE7E73286FCE01B854BD6106072544AA5A1
SHA256: 604EB30D8A7C1B340C03274374A7547439E5DB0F00F962D5214363248970E5B0
SSDEEP: 24576:M3h/A6ESkgtTD0ZA9oAOF6xsjuuUR41x4J04/lQM8PBRc:k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3340)
    • Application was dropped or rewritten from another process
      • 234345.bat (PID: 2884)
      • 234345.bat (PID: 3992)
      • ppxibcd.exe (PID: 2876)
      • ppxibcd.exe (PID: 4080)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3340)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3340)
    • FORMBOOK was detected
      • explorer.exe (PID: 2028)
    • Formbook was detected
      • control.exe (PID: 3100)
      • Firefox.exe (PID: 3116)
    • Connects to CnC server
      • explorer.exe (PID: 2028)
    • Changes the autorun value in the registry
      • control.exe (PID: 3100)
    • Actions looks like stealing of personal data
      • control.exe (PID: 3100)
    • Loads dropped or rewritten executable
      • control.exe (PID: 3100)
    • Stealing of credential data
      • cmd.exe (PID: 2788)
      • control.exe (PID: 3100)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3340)
      • control.exe (PID: 3100)
    • Starts application with an unusual extension
      • EQNEDT32.EXE (PID: 3340)
      • 234345.bat (PID: 2884)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3340)
      • control.exe (PID: 3100)
      • explorer.exe (PID: 2028)
      • DllHost.exe (PID: 3648)
    • Suspicious files were dropped or overwritten
      • EQNEDT32.EXE (PID: 3340)
    • Application launched itself
      • 234345.bat (PID: 2884)
      • ppxibcd.exe (PID: 2876)
    • Starts CMD.EXE for commands execution
      • control.exe (PID: 3100)
    • Loads DLL from Mozilla Firefox
      • control.exe (PID: 3100)
    • Creates files in the program directory
      • DllHost.exe (PID: 3648)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2960)
      • Firefox.exe (PID: 3116)
    • Starts Microsoft Office Application
      • explorer.exe (PID: 2028)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 12
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph (labels as rendered; "no specs" marks a node without its own indicators): winword.exe (no specs), eqnedt32.exe, 234345.bat (no specs), 234345.bat (no specs), #FORMBOOK control.exe, cmd.exe (no specs), #FORMBOOK explorer.exe, #FORMBOOK firefox.exe (no specs), Copy/Move/Rename/Delete/Link Object, ppxibcd.exe (no specs), cmd.exe, ppxibcd.exe (no specs)

Process information

PID: 2960
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Amended_INVOICE.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3340
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 2884
CMD: "C:\Users\admin\234345.bat"
Path: C:\Users\admin\234345.bat
Parent process: EQNEDT32.EXE
User: admin
Company: dispensible9
Integrity Level: MEDIUM
Description: kakogo
Exit code: 0
Version: 7.02.0008

PID: 3992
CMD: C:\Users\admin\234345.bat"
Path: C:\Users\admin\234345.bat
Parent process: 234345.bat
User: admin
Company: dispensible9
Integrity Level: MEDIUM
Description: kakogo
Exit code: 0
Version: 7.02.0008

PID: 3100
CMD: "C:\Windows\System32\control.exe"
Path: C:\Windows\System32\control.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Control Panel
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3608
CMD: /c del "C:\Users\admin\234345.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: control.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2028
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3116
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\Firefox.exe
Parent process: control.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 61.0.2

PID: 3648
CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2876
CMD: "C:\Program Files\Yjdfdh\ppxibcd.exe"
Path: C:\Program Files\Yjdfdh\ppxibcd.exe
Parent process: explorer.exe
User: admin
Company: dispensible9
Integrity Level: MEDIUM
Description: kakogo
Exit code: 0
Version: 7.02.0008
Total events: 1 641
Read events: 1 267
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 5
Suspicious files: 82
Text files: 2
Unknown types: 5

Dropped files

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR6DBE.tmp.cvr

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C66137E0.jpg

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\~$ended_INVOICE.doc
Type: pgc
MD5: 588E6779B071A0E78D60099DCC957A28
SHA256: 556B6C38DF384684ED0BF3F69919405851C75269005DD41A140323457E556427

PID: 3340 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt
Type: text
MD5: 33C76C2D57BBB21A58769400EE122D2E
SHA256: 6C54447F2689664FD609CB186BCBD8E9B63572386C2F3D590EDA9AC6B7635569

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 6474936BCF9E0E40D986D76CB8B97569
SHA256: A429E08BF13A763B1E1B56C70E9C488FD3A3D63556417F9C15A5F53B8F3D1253

PID: 3100 (control.exe)
Filename: C:\Users\admin\AppData\Roaming\L68P23VE\L68logrc.ini
Type: binary
MD5: 2855A82ECDD565B4D957EC2EE05AED26
SHA256: 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939

PID: 3340 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\qazxswqaz[1].jpg
Type: executable
MD5: 18DDE9ADA9AB3D86BCA598BCDDB838EB
SHA256: 3A6408DE460E3D57B0BEA55615AA5ED9F84773513A6A2B978133F1D44B391822

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{688EE379-A723-43FE-A0FA-3CB004500F91}.tmp

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BBE3DDF4-644F-4094-AD18-C8A79E0D442F}.tmp

PID: 2960 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2C6FD579-3C27-47C3-9A2E-4B7D8443ED59}.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 21
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2028 | explorer.exe | GET | 404 | 217.160.0.84:80 | http://www.buttonsmunich.com/le/?tZqHvfp=Znv6O+T0jOO8xd5zWts+PVcjhvNjMZIkIbxUp9dPjijGUQnfLiC+P55VUk5QauzfWKuE3A==&U4Nh=NtRTwzj0Zdnx0bi | DE | html | 1.33 Kb | malicious
2028 | explorer.exe | GET | 200 | 199.192.24.46:80 | http://www.muzary.com/le/?tZqHvfp=8/uqfnF9fSUo0LVHQNBZi1vKY9buVfRfCgZJ4gip0FiamUZAecJ43gI1CbAHN22cbTRskw==&U4Nh=NtRTwzj0Zdnx0bi&sql=1 | US | binary | 323 Kb | malicious
2028 | explorer.exe | POST | | 23.20.239.12:80 | http://www.dailynf.com/le/ | US | | | shared
2028 | explorer.exe | GET | | 96.126.127.159:80 | http://www.sellelo.com/le/?tZqHvfp=tF0SuLamJnPCaXF8JEPST2eEbNaYIuv53/MYqit6OKr7d2GG3S3OIcSQAjEMjfnBSXLgEA==&U4Nh=NtRTwzj0Zdnx0bi | US | | | malicious
3340 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2rDJDgP | US | html | 120 b | shared
3340 | EQNEDT32.EXE | GET | 200 | 221.121.138.114:80 | http://com2c.com.au/qazxswqaz.jpg | AU | executable | 630 Kb | malicious
2028 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.dailynf.com/le/?tZqHvfp=X8Uw6uyhylP5XgvG0etZO/1EubUt3jCiIQZ7N42++huprpGonJOcrB4jjOVOXRanQgKpDw==&U4Nh=NtRTwzj0Zdnx0bi&sql=1 | US | html | 183 b | shared
2028 | explorer.exe | POST | | 96.126.127.159:80 | http://www.sellelo.com/le/ | US | | | malicious
2028 | explorer.exe | POST | | 103.216.218.144:80 | http://www.silingle.com/le/ | HK | | | malicious
2028 | explorer.exe | POST | | 23.20.239.12:80 | http://www.dailynf.com/le/ | US | | | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3340 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
2028 | explorer.exe | 217.160.0.84:80 | www.buttonsmunich.com | 1&1 Internet SE | DE | malicious
3340 | EQNEDT32.EXE | 221.121.138.114:80 | com2c.com.au | Wholesale Services Provider | AU | suspicious
2028 | explorer.exe | 23.20.239.12:80 | www.dailynf.com | Amazon.com, Inc. | US | shared
2028 | explorer.exe | 199.192.24.46:80 | www.muzary.com | | US | malicious
2028 | explorer.exe | 96.126.127.159:80 | www.sellelo.com | Linode, LLC | US | suspicious
2028 | explorer.exe | 103.216.218.144:80 | www.silingle.com | LinkChina Telecom Global Limited. | HK | suspicious

DNS requests

Domain | IP | Reputation
bit.ly | 67.199.248.10, 67.199.248.11 | shared
com2c.com.au | 221.121.138.114 | malicious
www.buttonsmunich.com | 217.160.0.84 | malicious
www.dailynf.com | 23.20.239.12 | shared
www.forrestcoder.com | | unknown
www.muzary.com | 199.192.24.46 | malicious
www.silingle.com | 103.216.218.144 | malicious
www.sellelo.com | 96.126.127.159 | malicious

Threats

PID | Process | Class | Message
3340 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3340 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3340 | EQNEDT32.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
3340 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2028 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
2028 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
13 ETPRO signatures available at the full report
No debug info