analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

IFP_Instruction N. 1111.xlsx

Full analysis: https://app.any.run/tasks/90e77958-d485-47e6-800f-bc3095f7b183
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: May 20, 2022, 19:51:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
formbook
trojan
stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

E17F2C36419FCEE4B2238A9701DBF094

SHA1:

6457580DAFFFEFC5079BFB2B6793EDE14AD20B39

SHA256:

83508C082B270819AE331E7B7412B9ABFB1B9D6C3D34F79A05CC964009A5EEC0

SSDEEP:

6144:TOueG5f7QDAA536QKn2E2MuK+LWF4UX489aWEqIQI3:veGp7AAARq2EluK+LWF4UX57Ix

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3564)
    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 3564)
      • vbc.exe (PID: 864)
    • Application was dropped or rewritten from another process

      • zpymalje.exe (PID: 2732)
      • vbc.exe (PID: 864)
      • zpymalje.exe (PID: 3132)
    • FORMBOOK detected by memory dumps

      • spoolsv.exe (PID: 2616)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 1176)
    • Connects to CnC server

      • Explorer.EXE (PID: 1176)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3564)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 3564)
      • vbc.exe (PID: 864)
      • zpymalje.exe (PID: 3132)
    • Checks supported languages

      • EQNEDT32.EXE (PID: 3564)
      • vbc.exe (PID: 864)
      • zpymalje.exe (PID: 2732)
      • zpymalje.exe (PID: 3132)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3564)
      • vbc.exe (PID: 864)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3564)
      • vbc.exe (PID: 864)
    • Application launched itself

      • zpymalje.exe (PID: 2732)
    • Reads Environment values

      • spoolsv.exe (PID: 2616)
    • Starts CMD.EXE for commands execution

      • spoolsv.exe (PID: 2616)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2904)
      • spoolsv.exe (PID: 2616)
      • cmd.exe (PID: 2512)
    • Reads the computer name

      • EXCEL.EXE (PID: 2904)
      • spoolsv.exe (PID: 2616)
    • Starts Microsoft Office Application

      • Explorer.EXE (PID: 1176)
    • Manual execution by user

      • spoolsv.exe (PID: 2616)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe vbc.exe zpymalje.exe no specs zpymalje.exe no specs #FORMBOOK spoolsv.exe no specs cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2904"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3564"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
864"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\public\vbc.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2732C:\Users\admin\AppData\Local\Temp\zpymalje.exe C:\Users\admin\AppData\Local\Temp\ejowcppC:\Users\admin\AppData\Local\Temp\zpymalje.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\zpymalje.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptdll.dll
3132C:\Users\admin\AppData\Local\Temp\zpymalje.exe C:\Users\admin\AppData\Local\Temp\ejowcppC:\Users\admin\AppData\Local\Temp\zpymalje.exezpymalje.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\zpymalje.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2616"C:\Windows\System32\spoolsv.exe"C:\Windows\System32\spoolsv.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Spooler SubSystem App
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2512/c del "C:\Users\admin\AppData\Local\Temp\zpymalje.exe"C:\Windows\System32\cmd.exespoolsv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1176C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
1 957
Read events
1 872
Write events
74
Delete events
11

Modification events

(PID) Process:(1176) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DCF3FEA0D57F8946A73C54B6B81FC791000000000200000000001066000000010000200000009C37F462A1D248C8879A8A5AF0931BBBDB726E64F48D09C22CE4EC8909A329A1000000000E8000000002000020000000596C0ACBB74278D843DCE8AFD3E6158B638E99E7EEBE382CEF5321E841BA6C60300000003E6B3FDB2FC96F79DE6E5094CE5C8921C77577DDE5350AFF8433FD4B5563A8890200ADFCE8355C41F4CB7FFBF1FEBDAB400000001C7F080252E5E1EA74F42551E78C3AA85D02A504AB4B328397A38D32E22586AD5B117CD570D33CA4C1001ECD6045AC1360DEA7F28C863309BC45506D4B23AB61
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:y7
Value:
797F3700580B0000010000000000000000000000
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2904) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
Executable files
3
Suspicious files
2
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
2904EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR1B69.tmp.cvr
MD5:
SHA256:
864vbc.exeC:\Users\admin\AppData\Local\Temp\zpymalje.exeexecutable
MD5:6BD81483F8E6DB1A56AAD5DF5D76BABE
SHA256:F6D4DBBF5C4BE22762E656CE96D5DADC85210EEA8352A72FB8D1B71E7D349755
864vbc.exeC:\Users\admin\AppData\Local\Temp\40t6oi6qc9vu4wkbinary
MD5:16A8CAFC272382F26278A7073A3F58B2
SHA256:DB4734BA587FAA66E0F09593E6B9D2E2C11228BEC7DED2FA965E84A45A55371C
3564EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:82415ED5148D69E8E879CBC01CD7D796
SHA256:3235D12EE1B9B108D372200B7BDA8B6074881F0FD8953EF80B3E2351DA328C0C
2904EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A01E96C.emfemf
MD5:894A796F9211E1080192AC72B6D54A9D
SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3564EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\vbc[1].exeexecutable
MD5:82415ED5148D69E8E879CBC01CD7D796
SHA256:3235D12EE1B9B108D372200B7BDA8B6074881F0FD8953EF80B3E2351DA328C0C
864vbc.exeC:\Users\admin\AppData\Local\Temp\nsc232B.tmpmp3
MD5:2987AE2E30A0F4A28DFE748D08B31ADC
SHA256:7B2ACAD51AE81F90EFC022F8803630B0AF3AEA386D2D7BFDA73637DFD19C7CAE
864vbc.exeC:\Users\admin\AppData\Local\Temp\ejowcppbinary
MD5:F79BC8AD35EC8138C272286241AC1B4F
SHA256:41C5EFF06175277F1ABE88185F0516ACA745D8C80B301F2568312B7994416416
2904EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3556757.emfemf
MD5:8E3A74F7AA420B02D34C69E625969C0A
SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
13
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
Explorer.EXE
GET
301
34.117.168.233:80
http://www.tontolibre.com/k8yg/?uZ-H=pn5LlX8KBxYcEqrzDbn/JbiSnd7qJg/XuzSBs+ukndVI+OObltTNevWtHKNodLWl7TVcUA==&9r8L-=2dLtQR88V
US
malicious
1176
Explorer.EXE
GET
43.138.101.210:80
http://www.wiseplato.top/k8yg/?uZ-H=/7E6wM4Mf2B5rDmcXgyVhxPlnLQxfKUixmK3spmkgL5+JauuBIdlz9TlIYioY+TC9KQROQ==&9r8L-=2dLtQR88V
JP
malicious
1176
Explorer.EXE
GET
301
142.250.186.115:80
http://www.catruler.com/k8yg/?uZ-H=Iace3lDSbu1mRSPEfAsJFyhKSXbWKC+ZNJR+bhcOvkj7C5lpdelZdIg6Wo80Qz3h+qRCaQ==&9r8L-=2dLtQR88V
US
malicious
1176
Explorer.EXE
GET
108.179.232.142:80
http://www.mellowyellowkratom.com/k8yg/?uZ-H=sLIi2l5V+K2CvOWGNl8hFpFSnRwZ61jcMswfn3gf1kL99qiF4Wyz5lwzlkhp8luOfBmA6g==&9r8L-=2dLtQR88V
US
malicious
3564
EQNEDT32.EXE
GET
200
84.38.133.165:80
http://84.38.133.165/1111/vbc.exe
NL
executable
193 Kb
malicious
1176
Explorer.EXE
GET
404
199.192.20.96:80
http://www.renchies.com/k8yg/?uZ-H=Q/4QYXyeUhQUeHjU38nvtVW9xbxdpXVONf/UpOEQTFnd16GoySD1S6oexShrdofAuEmEgg==&9r8L-=2dLtQR88V
US
html
278 b
malicious
1176
Explorer.EXE
GET
410
3.64.163.50:80
http://www.web3react.xyz/k8yg/?uZ-H=CyhYPvhLZTWPLKIKBdrJjlX3UV+FAg1Kuxm3oxJPl8VECJyLmxkJOb3GdhHz7kgYd6gWRw==&9r8L-=2dLtQR88V
US
html
111 b
malicious
1176
Explorer.EXE
GET
404
62.149.128.40:80
http://www.complerandom.com/k8yg/?uZ-H=Ke9VCP2CThhu6d6ENobKGGNKuEBA6Wv99l0JkIKHluUUOqu1hIhnv26OqVkq5P/HJCeGZQ==&9r8L-=2dLtQR88V
IT
html
4.93 Kb
malicious
1176
Explorer.EXE
GET
301
35.202.21.90:80
http://www.usedvehiclesbahamas.com/k8yg/?uZ-H=mwCHYfBJglIyTxuPmVxiTuhzPLVxiNXoJVl89jumiQoqcP2Zb1FfoNSLz5b30FIb5M9tUg==&9r8L-=2dLtQR88V
US
html
166 b
malicious
1176
Explorer.EXE
GET
404
208.100.26.245:80
http://www.saltdone.net/k8yg/?uZ-H=ufR/vde3x5u92OqVHxzHGK4l+2zPwd+H/VkicJbW0TFbZOHeuBYo7cf6fGEqTZlDr8yKvA==&9r8L-=2dLtQR88V
US
html
178 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1176
Explorer.EXE
43.138.101.210:80
www.wiseplato.top
JP
malicious
3564
EQNEDT32.EXE
84.38.133.165:80
DataClub S.A.
NL
malicious
1176
Explorer.EXE
34.117.168.233:80
www.tontolibre.com
US
malicious
1176
Explorer.EXE
3.64.163.50:80
www.web3react.xyz
US
malicious
1176
Explorer.EXE
62.149.128.40:80
www.complerandom.com
Aruba S.p.A.
IT
malicious
1176
Explorer.EXE
142.250.186.115:80
www.catruler.com
Google Inc.
US
malicious
1176
Explorer.EXE
34.102.136.180:80
www.jujubemobi.com
US
whitelisted
1176
Explorer.EXE
154.221.85.23:80
www.thecuretickets.net
MULTACOM CORPORATION
US
malicious
1176
Explorer.EXE
108.179.232.142:80
www.mellowyellowkratom.com
CyrusOne LLC
US
malicious
1176
Explorer.EXE
208.100.26.245:80
www.saltdone.net
Steadfast
US
malicious

DNS requests

Domain
IP
Reputation
www.wiseplato.top
  • 43.138.101.210
malicious
www.tontolibre.com
  • 34.117.168.233
malicious
www.hk6543.com
unknown
www.jujubemobi.com
  • 34.102.136.180
malicious
www.complerandom.com
  • 62.149.128.40
malicious
www.catruler.com
  • 142.250.186.115
malicious
www.helensguide.com
unknown
www.web3react.xyz
  • 3.64.163.50
malicious
www.renchies.com
  • 199.192.20.96
malicious
www.usedvehiclesbahamas.com
  • 35.202.21.90
malicious

Threats

PID
Process
Class
Message
3564
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3564
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3564
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3564
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3564
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3564
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
1176
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
No debug info