File name: | 43da3aea846a52dbf920ea733670a2ce.xlsx |
Full analysis: | https://app.any.run/tasks/404ee5a6-6df7-472c-9be8-5b6f46e08dde |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | January 18, 2019, 00:44:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 43DA3AEA846A52DBF920EA733670A2CE |
SHA1: | E2C66C4B4E705CEFBC4E86A19DD286BFD41CC389 |
SHA256: | 63D392216DE15E99362AC964BD15FDB9F3DEEF6E93A7631E4FC3670DE031CA42 |
SSDEEP: | 3072:Ozu2/JivhnBaVqQ5NYvXNUef/GUYxvaR0ve4O3gjlAB/eBNiDtS4mwbEeTx9PHdl:Su2/JqhnBKDNYlUefuUYYR0m36lPB4Dz |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2760 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2808 | "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Users\admin\AppData\Roaming\vbc.exe | — | EQNEDT32.EXE |
User: admin Company: cAnnoN Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
3612 | "C:\Windows\System32\autochk.exe" | C:\Windows\System32\autochk.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Auto Check Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3676 | "C:\Windows\System32\autochk.exe" | C:\Windows\System32\autochk.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Auto Check Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3752 | "C:\Windows\System32\rdpclip.exe" | C:\Windows\System32\rdpclip.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: RDP Clip Monitor Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2576 | /c del "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Windows\System32\cmd.exe | — | rdpclip.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
896 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | rdpclip.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE7F3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2808 | vbc.exe | C:\Users\admin\AppData\Local\Temp\~DFDE8CDFC9DB767CE9.TMP | — | |
MD5:— | SHA256:— | |||
3752 | rdpclip.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
2760 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\vbc[1].exe | executable | |
MD5:2FE2CE2AA76BB58CABB67BB21E1689F2 | SHA256:7179542933CD84A4B90B3F2C5F99ECFD4DECC2D2B49853752884DB78D47CE846 | |||
2760 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\vbc.exe | executable | |
MD5:2FE2CE2AA76BB58CABB67BB21E1689F2 | SHA256:7179542933CD84A4B90B3F2C5F99ECFD4DECC2D2B49853752884DB78D47CE846 | |||
896 | Firefox.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A | |||
3752 | rdpclip.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logim.jpeg | image | |
MD5:CA69257B2593ACE55E18C62060526FBF | SHA256:4FF60DFD33249EFDA62B7DB0C7CF4369E5AC42795A872CD4146875C3FA8FE47E | |||
3752 | rdpclip.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE | |||
3752 | rdpclip.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logrv.ini | binary | |
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5 | SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
284 | explorer.exe | GET | — | 104.27.173.231:80 | http://www.cttbh.com/j01/?URpX54e=KIwMOi7B5PbWH5gtIClMDPOKYdbhjjPBYj9/auPgDoRaIftLsc6V1UkvtXneEkGZPq0K6A==&Q4N=-ZIhChZpzFCDuN | US | — | — | malicious |
2760 | EQNEDT32.EXE | GET | 200 | 23.249.161.100:80 | http://23.249.161.100/jhn/vbc.exe | US | executable | 540 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
284 | explorer.exe | 104.27.173.231:80 | www.cttbh.com | Cloudflare Inc | US | shared |
2760 | EQNEDT32.EXE | 23.249.161.100:80 | — | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.cttbh.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2760 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2760 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2760 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
2760 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2760 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
2760 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
284 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |