File name: Order No.11052021.xls

Full analysis: https://app.any.run/tasks/760bceca-8595-4ebb-9d8d-5f8af0f1bfce
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it.

Analysis date: April 01, 2023, 07:21:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: opendir, exploit, cve-2017-11882, loader, formbook, trojan, stealer
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Thu Mar 30 10:16:58 2023, Security: 0
MD5: 1E0D3A1015B42E6D6D0987021FF30157
SHA1: 7ABFF8E246830592A45862DCCC20E3888942B88D
SHA256: 77E1337A6C79018373E084233A50C6D1B25981C368E99D0021E1CE740B0F33DB
SSDEEP: 24576:JLKQu9Vnu9VQu9Vlu9Vq+MXUFu9Vn+MXU6AaVZAVz9V:JLKQuvuYuduy+MXkuv+MXzAYIz9V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1920)
    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2408)
      • qpjbhkfxdk.exe (PID: 2664)
      • qpjbhkfxdk.exe (PID: 2840)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 1920)
  • SUSPICIOUS

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 1920)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1920)
      • vbc.exe (PID: 2408)
    • Application launched itself

      • qpjbhkfxdk.exe (PID: 2664)
    • Starts CMD.EXE for commands execution

      • cmstp.exe (PID: 2080)
    • Process requests binary or script from the Internet

      • EQNEDT32.EXE (PID: 1920)
    • Connects to the server without a host name

      • EQNEDT32.EXE (PID: 1920)
  • INFO

    • Reads the computer name

      • EQNEDT32.EXE (PID: 1920)
      • vbc.exe (PID: 2408)
      • qpjbhkfxdk.exe (PID: 2840)
    • Checks proxy server information

      • EQNEDT32.EXE (PID: 1920)
    • Checks supported languages

      • EQNEDT32.EXE (PID: 1920)
      • vbc.exe (PID: 2408)
      • qpjbhkfxdk.exe (PID: 2664)
      • qpjbhkfxdk.exe (PID: 2840)
    • The process checks LSA protection

      • EQNEDT32.EXE (PID: 1920)
      • vbc.exe (PID: 2408)
    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 1920)
    • Creates files or folders in the user directory

      • EQNEDT32.EXE (PID: 1920)
    • Create files in a temporary directory

      • vbc.exe (PID: 2408)
    • Manual execution by a user

      • cmstp.exe (PID: 2080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Office Excel 2003 Worksheet
CompObjUserTypeLen: 38
HeadingPairs:
  • Worksheets
  • 3
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2023:03:30 10:16:58
CreateDate: 2006:09:16 00:00:00
Software: Microsoft Excel
LastModifiedBy: -
Author: -
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report; processes shown: excel.exe, eqnedt32.exe, vbc.exe, qpjbhkfxdk.exe, qpjbhkfxdk.exe, cmstp.exe, cmd.exe)

Process information

PID: 340
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.4756.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
PID: 1920
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
PID: 2408
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: EQNEDT32.EXE
User: admin
Company: unviciously
Integrity Level: MEDIUM
Description: incirclet
Exit code: 0
Version: 43.9.49.0
Modules
Images
c:\users\public\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2664
CMD: "C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe" C:\Users\admin\AppData\Local\Temp\smgzriyfhl.xl
Path: C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe
Parent process: vbc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\qpjbhkfxdk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2840
CMD: "C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe"
Path: C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe
Parent process: qpjbhkfxdk.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\qpjbhkfxdk.exe
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2080
CMD: "C:\Windows\SysWOW64\cmstp.exe"
Path: C:\Windows\SysWOW64\cmstp.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile Installer
Version: 7.02.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\cmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
PID: 2284
CMD: /c del "C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmstp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 3 412
Read events: 3 314
Write events: 84
Delete events: 14

Modification events

PID | Process | Key | Operation | Name | Value
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | On
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1055 | On
Executable files: 6
Suspicious files: 6
Text files: 0
Unknown types: 12

Dropped files

PID | Process | Filename | Type
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB2DB.tmp.cvr | -
MD5:
SHA256:
2408 | vbc.exe | C:\Users\admin\AppData\Local\Temp\dxvrztsc.ue | binary
MD5:2549F2ECA39DD88E6EC4378A0DEDE096
SHA256:4479539C293C314D317E4DE9D23E201099F6A829B1825F5C218FF6D76F48BD0C
2408 | vbc.exe | C:\Users\admin\AppData\Local\Temp\smgzriyfhl.xl | binary
MD5:F90A1E44B3BDBFD6672A55D3A47F9E59
SHA256:5F5650E854F01463ADD358F89BE21707B89ED86E16A43F29A2338F7F1A09E393
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9144A097.emf | emf
MD5:8D4D68A40197AA6204732C167FBFB296
SHA256:AC8AE524A9DE87BEE25A3CE9EDA775CAF748A7CCCA4CB206045D8C9EB2BFA376
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CDEE43B8.emf | emf
MD5:EB96837D6914C365B8A61CABF9149722
SHA256:905895424026F60ABAB5427F62908B06C6A6F0F7A9FB6BCB6ECDB425042BF8A5
1920 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable
MD5:801CB3CDB62A8EDCDD8586B79B3AEEE9
SHA256:1DD6F82519F3E225722D83C2344C117F08A8EC898F28CC06E19F565AF2FCB2A6
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\673751AC.emf | emf
MD5:32B9C36BC15A7A5C3EBCAF889E2BAE1A
SHA256:D00C4AB7052C2B1231BBF9E072FEBD012DD8692E02D6F58EA4581F30EBF83C39
1920 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\vbc[1].exe | executable
MD5:801CB3CDB62A8EDCDD8586B79B3AEEE9
SHA256:1DD6F82519F3E225722D83C2344C117F08A8EC898F28CC06E19F565AF2FCB2A6
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5698209A.emf | emf
MD5:0FFCA2E0D06FD9393E46F20F4AE6B53E
SHA256:FA91A49FBA91AF8F9F6487B69D5D3265DFAAA123563A0558B79C0F72792C41C3
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31C103D3.emf | emf
MD5:4D59A7E93170340B5EC4009F7FA3AD31
SHA256:83473215E5C2160333AA92EA7F9B1276D8ED7DD66AFC472DC92C88055D189D7D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation | URL
1920 | EQNEDT32.EXE | GET | 200 | 192.3.101.250:80 | US | executable | 289 Kb | malicious | http://192.3.101.250/65/vbc.exe
- | - | GET | 401 | 5.101.153.28:80 | RU | html | 456 b | unknown | http://www.jswl.ru/ss39/?L6Ah=QKrkJgUZ8Cr8fuRR6SMxSWygcxxmD6rmXDdIomCyIKcGBZDBLqFkMwKXeIO2D36u1H9isg==&UvS0=J6A81nnXwVQ
- | - | GET | - | 206.233.181.51:80 | US | - | - | unknown | http://www.0532hanfeng.com/ss39/?L6Ah=1O0nxAvjpvdD0IBF8awKdsnMrO5l7IIlRqlI2anGn59N+xcASYf0izKOajK9f+3vVwOYFw==&UvS0=J6A81nnXwVQ
- | - | GET | 404 | 40.76.50.119:80 | US | html | 1.22 Kb | malicious | http://www.cafixerupperdeals.com/ss39/?L6Ah=E3IsIQaWWpOiF7UE9fXD60L8+gL9DxWrUmS/mO/sGaE1Y51g3TncoXhanjs1sCf9Znjj6A==&UvS0=J6A81nnXwVQ

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 206.233.181.51:80 | www.0532hanfeng.com | HONG KONG Megalayer Technology Co.,Limited | US | unknown
1920 | EQNEDT32.EXE | 192.3.101.250:80 | - | AS-COLOCROSSING | US | malicious
- | - | 40.76.50.119:80 | www.cafixerupperdeals.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | malicious
- | - | 5.101.153.28:80 | www.jswl.ru | Beget LLC | RU | unknown

DNS requests

Domain | IP | Reputation
www.mbosowoudok.africa | - | unknown
www.jswl.ru | 5.101.153.28 | unknown
www.cafixerupperdeals.com | 40.76.50.119 | unknown
www.0532hanfeng.com | 206.233.181.51 | unknown

Threats

PID | Process | Class | Message
1920 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
1920 | EQNEDT32.EXE | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
1920 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
1920 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1920 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
1920 | EQNEDT32.EXE | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- | - | Unknown Classtype | ET MALWARE FormBook CnC Checkin (GET)
- | - | Unknown Classtype | ET MALWARE FormBook CnC Checkin (GET)
- | - | Unknown Classtype | ET MALWARE FormBook CnC Checkin (GET)
2 ETPRO signatures available at the full report
No debug info