File name: | Order No.11052021.xls |
Full analysis: | https://app.any.run/tasks/760bceca-8595-4ebb-9d8d-5f8af0f1bfce |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. |
Analysis date: | April 01, 2023, 07:21:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Thu Mar 30 10:16:58 2023, Security: 0 |
MD5: | 1E0D3A1015B42E6D6D0987021FF30157 |
SHA1: | 7ABFF8E246830592A45862DCCC20E3888942B88D |
SHA256: | 77E1337A6C79018373E084233A50C6D1B25981C368E99D0021E1CE740B0F33DB |
SSDEEP: | 24576:JLKQu9Vnu9VQu9Vlu9Vq+MXUFu9Vn+MXU6AaVZAVz9V:JLKQuvuYuduy+MXkuv+MXzAYIz9V |
.xls | Microsoft Excel sheet (48) |
---|---|
.xls | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Office Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 38 |
HeadingPairs: | |
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2023:03:30 10:16:58 |
CreateDate: | 2006:09:16 00:00:00 |
Software: | Microsoft Excel |
LastModifiedBy: | - |
Author: | - |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
340 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.4756.1000 |
1920 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2408 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | | EQNEDT32.EXE | User: admin; Company: unviciously; Integrity Level: MEDIUM; Description: incirclet; Exit code: 0; Version: 43.9.49.0 |
2664 | "C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe" C:\Users\admin\AppData\Local\Temp\smgzriyfhl.xl | C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2840 | "C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe" | C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe | — | qpjbhkfxdk.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2080 | "C:\Windows\SysWOW64\cmstp.exe" | C:\Windows\SysWOW64\cmstp.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Connection Manager Profile Installer; Version: 7.02.7600.16385 (win7_rtm.090713-1255) |
2284 | /c del "C:\Users\admin\AppData\Local\Temp\qpjbhkfxdk.exe" | C:\Windows\SysWOW64\cmd.exe | — | cmstp.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | On |
340 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1055 | On |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB2DB.tmp.cvr | — | — | — |
2408 | vbc.exe | C:\Users\admin\AppData\Local\Temp\dxvrztsc.ue | binary | 2549F2ECA39DD88E6EC4378A0DEDE096 | 4479539C293C314D317E4DE9D23E201099F6A829B1825F5C218FF6D76F48BD0C |
2408 | vbc.exe | C:\Users\admin\AppData\Local\Temp\smgzriyfhl.xl | binary | F90A1E44B3BDBFD6672A55D3A47F9E59 | 5F5650E854F01463ADD358F89BE21707B89ED86E16A43F29A2338F7F1A09E393 |
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9144A097.emf | emf | 8D4D68A40197AA6204732C167FBFB296 | AC8AE524A9DE87BEE25A3CE9EDA775CAF748A7CCCA4CB206045D8C9EB2BFA376 |
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CDEE43B8.emf | emf | EB96837D6914C365B8A61CABF9149722 | 905895424026F60ABAB5427F62908B06C6A6F0F7A9FB6BCB6ECDB425042BF8A5 |
1920 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | 801CB3CDB62A8EDCDD8586B79B3AEEE9 | 1DD6F82519F3E225722D83C2344C117F08A8EC898F28CC06E19F565AF2FCB2A6 |
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\673751AC.emf | emf | 32B9C36BC15A7A5C3EBCAF889E2BAE1A | D00C4AB7052C2B1231BBF9E072FEBD012DD8692E02D6F58EA4581F30EBF83C39 |
1920 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\vbc[1].exe | executable | 801CB3CDB62A8EDCDD8586B79B3AEEE9 | 1DD6F82519F3E225722D83C2344C117F08A8EC898F28CC06E19F565AF2FCB2A6 |
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5698209A.emf | emf | 0FFCA2E0D06FD9393E46F20F4AE6B53E | FA91A49FBA91AF8F9F6487B69D5D3265DFAAA123563A0558B79C0F72792C41C3 |
340 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31C103D3.emf | emf | 4D59A7E93170340B5EC4009F7FA3AD31 | 83473215E5C2160333AA92EA7F9B1276D8ED7DD66AFC472DC92C88055D189D7D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1920 | EQNEDT32.EXE | GET | 200 | 192.3.101.250:80 | http://192.3.101.250/65/vbc.exe | US | executable | 289 Kb | malicious |
— | — | GET | 401 | 5.101.153.28:80 | http://www.jswl.ru/ss39/?L6Ah=QKrkJgUZ8Cr8fuRR6SMxSWygcxxmD6rmXDdIomCyIKcGBZDBLqFkMwKXeIO2D36u1H9isg==&UvS0=J6A81nnXwVQ | RU | html | 456 b | unknown |
— | — | GET | — | 206.233.181.51:80 | http://www.0532hanfeng.com/ss39/?L6Ah=1O0nxAvjpvdD0IBF8awKdsnMrO5l7IIlRqlI2anGn59N+xcASYf0izKOajK9f+3vVwOYFw==&UvS0=J6A81nnXwVQ | US | — | — | unknown |
— | — | GET | 404 | 40.76.50.119:80 | http://www.cafixerupperdeals.com/ss39/?L6Ah=E3IsIQaWWpOiF7UE9fXD60L8+gL9DxWrUmS/mO/sGaE1Y51g3TncoXhanjs1sCf9Znjj6A==&UvS0=J6A81nnXwVQ | US | html | 1.22 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 206.233.181.51:80 | www.0532hanfeng.com | HONG KONG Megalayer Technology Co.,Limited | US | unknown |
1920 | EQNEDT32.EXE | 192.3.101.250:80 | — | AS-COLOCROSSING | US | malicious |
— | — | 40.76.50.119:80 | www.cafixerupperdeals.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | malicious |
— | — | 5.101.153.28:80 | www.jswl.ru | Beget LLC | RU | unknown |
Domain | IP | Reputation |
---|---|---|
www.mbosowoudok.africa | | unknown |
www.jswl.ru | | unknown |
www.cafixerupperdeals.com | | unknown |
www.0532hanfeng.com | | unknown |
PID | Process | Class | Message |
---|---|---|---|
1920 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
1920 | EQNEDT32.EXE | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
1920 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
1920 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1920 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
1920 | EQNEDT32.EXE | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Unknown Classtype | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Unknown Classtype | ET MALWARE FormBook CnC Checkin (GET) |
— | — | Unknown Classtype | ET MALWARE FormBook CnC Checkin (GET) |