File name: Amended_INVOICE.doc
Full analysis: https://app.any.run/tasks/0a2595f6-cf2c-4ccd-aa73-18395fa8d77c
Verdict: Malicious activity
Threats: FormBook is a data stealer that is distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to use the FormBook virus.
Analysis date: December 18, 2018, 10:52:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: —
Indicators: —
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: B975B190C7375B3112DEBB2584176ABC
SHA1: 88315DE7E73286FCE01B854BD6106072544AA5A1
SHA256: 604EB30D8A7C1B340C03274374A7547439E5DB0F00F962D5214363248970E5B0
SSDEEP: 24576:M3h/A6ESkgtTD0ZA9oAOF6xsjuuUR41x4J04/lQM8PBRc:k

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Amended_INVOICE.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
3340 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
2884 | "C:\Users\admin\234345.bat" | C:\Users\admin\234345.bat | — | EQNEDT32.EXE | User: admin; Company: dispensible9; Integrity Level: MEDIUM; Description: kakogo; Exit code: 0; Version: 7.02.0008
3992 | C:\Users\admin\234345.bat" | C:\Users\admin\234345.bat | — | 234345.bat | User: admin; Company: dispensible9; Integrity Level: MEDIUM; Description: kakogo; Exit code: 0; Version: 7.02.0008
3100 | "C:\Windows\System32\control.exe" | C:\Windows\System32\control.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Control Panel; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3608 | /c del "C:\Users\admin\234345.bat" | C:\Windows\System32\cmd.exe | — | control.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3116 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | control.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 61.0.2
3648 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2876 | "C:\Program Files\Yjdfdh\ppxibcd.exe" | C:\Program Files\Yjdfdh\ppxibcd.exe | — | explorer.exe | User: admin; Company: dispensible9; Integrity Level: MEDIUM; Description: kakogo; Exit code: 0; Version: 7.02.0008

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6DBE.tmp.cvr | — | — | —
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C66137E0.jpg | — | — | —
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ended_INVOICE.doc | pgc | 588E6779B071A0E78D60099DCC957A28 | 556B6C38DF384684ED0BF3F69919405851C75269005DD41A140323457E556427
3340 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | 33C76C2D57BBB21A58769400EE122D2E | 6C54447F2689664FD609CB186BCBD8E9B63572386C2F3D590EDA9AC6B7635569
2960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 6474936BCF9E0E40D986D76CB8B97569 | A429E08BF13A763B1E1B56C70E9C488FD3A3D63556417F9C15A5F53B8F3D1253
3100 | control.exe | C:\Users\admin\AppData\Roaming\L68P23VE\L68logrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3340 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\qazxswqaz[1].jpg | executable | 18DDE9ADA9AB3D86BCA598BCDDB838EB | 3A6408DE460E3D57B0BEA55615AA5ED9F84773513A6A2B978133F1D44B391822
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{688EE379-A723-43FE-A0FA-3CB004500F91}.tmp | — | — | —
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BBE3DDF4-644F-4094-AD18-C8A79E0D442F}.tmp | — | — | —
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2C6FD579-3C27-47C3-9A2E-4B7D8443ED59}.tmp | — | — | —

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2028 | explorer.exe | GET | 404 | 217.160.0.84:80 | http://www.buttonsmunich.com/le/?tZqHvfp=Znv6O+T0jOO8xd5zWts+PVcjhvNjMZIkIbxUp9dPjijGUQnfLiC+P55VUk5QauzfWKuE3A==&U4Nh=NtRTwzj0Zdnx0bi | DE | html | 1.33 Kb | malicious |
2028 | explorer.exe | GET | 200 | 199.192.24.46:80 | http://www.muzary.com/le/?tZqHvfp=8/uqfnF9fSUo0LVHQNBZi1vKY9buVfRfCgZJ4gip0FiamUZAecJ43gI1CbAHN22cbTRskw==&U4Nh=NtRTwzj0Zdnx0bi&sql=1 | US | binary | 323 Kb | malicious |
2028 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.dailynf.com/le/ | US | — | — | shared |
2028 | explorer.exe | GET | — | 96.126.127.159:80 | http://www.sellelo.com/le/?tZqHvfp=tF0SuLamJnPCaXF8JEPST2eEbNaYIuv53/MYqit6OKr7d2GG3S3OIcSQAjEMjfnBSXLgEA==&U4Nh=NtRTwzj0Zdnx0bi | US | — | — | malicious |
3340 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2rDJDgP | US | html | 120 b | shared |
3340 | EQNEDT32.EXE | GET | 200 | 221.121.138.114:80 | http://com2c.com.au/qazxswqaz.jpg | AU | executable | 630 Kb | malicious |
2028 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.dailynf.com/le/?tZqHvfp=X8Uw6uyhylP5XgvG0etZO/1EubUt3jCiIQZ7N42++huprpGonJOcrB4jjOVOXRanQgKpDw==&U4Nh=NtRTwzj0Zdnx0bi&sql=1 | US | html | 183 b | shared |
2028 | explorer.exe | POST | — | 96.126.127.159:80 | http://www.sellelo.com/le/ | US | — | — | malicious |
2028 | explorer.exe | POST | — | 103.216.218.144:80 | http://www.silingle.com/le/ | HK | — | — | malicious |
2028 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.dailynf.com/le/ | US | — | — | shared |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3340 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2028 | explorer.exe | 217.160.0.84:80 | www.buttonsmunich.com | 1&1 Internet SE | DE | malicious |
3340 | EQNEDT32.EXE | 221.121.138.114:80 | com2c.com.au | Wholesale Services Provider | AU | suspicious |
2028 | explorer.exe | 23.20.239.12:80 | www.dailynf.com | Amazon.com, Inc. | US | shared |
2028 | explorer.exe | 199.192.24.46:80 | www.muzary.com | — | US | malicious |
2028 | explorer.exe | 96.126.127.159:80 | www.sellelo.com | Linode, LLC | US | suspicious |
2028 | explorer.exe | 103.216.218.144:80 | www.silingle.com | LinkChina Telecom Global Limited. | HK | suspicious |

Domain | IP | Reputation
---|---|---
bit.ly | — | shared
com2c.com.au | — | malicious
www.buttonsmunich.com | — | malicious
www.dailynf.com | — | shared
www.forrestcoder.com | — | unknown
www.muzary.com | — | malicious
www.silingle.com | — | malicious
www.sellelo.com | — | malicious


PID | Process | Class | Message |
---|---|---|---|
3340 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3340 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
3340 | EQNEDT32.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server |
3340 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
2028 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
2028 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
2028 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |