Field | Value
---|---
File name: | IFP_Instruction N. 1111.xlsx
Full analysis: | https://app.any.run/tasks/90e77958-d485-47e6-800f-bc3095f7b183
Verdict: | Malicious activity
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.
Analysis date: | May 20, 2022, 19:51:13
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/encrypted
File info: | CDFV2 Encrypted
MD5: | E17F2C36419FCEE4B2238A9701DBF094
SHA1: | 6457580DAFFFEFC5079BFB2B6793EDE14AD20B39
SHA256: | 83508C082B270819AE331E7B7412B9ABFB1B9D6C3D34F79A05CC964009A5EEC0
SSDEEP: | 6144:TOueG5f7QDAA536QKn2E2MuK+LWF4UX489aWEqIQI3:veGp7AAARq2EluK+LWF4UX57Ix
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2904 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000
3564 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
864 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0
2732 | C:\Users\admin\AppData\Local\Temp\zpymalje.exe C:\Users\admin\AppData\Local\Temp\ejowcpp | C:\Users\admin\AppData\Local\Temp\zpymalje.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3132 | C:\Users\admin\AppData\Local\Temp\zpymalje.exe C:\Users\admin\AppData\Local\Temp\ejowcpp | C:\Users\admin\AppData\Local\Temp\zpymalje.exe | — | zpymalje.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2616 | "C:\Windows\System32\spoolsv.exe" | C:\Windows\System32\spoolsv.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Spooler SubSystem App; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2512 | /c del "C:\Users\admin\AppData\Local\Temp\zpymalje.exe" | C:\Windows\System32\cmd.exe | — | spoolsv.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1176 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
(PID) Process | Key | Name | Operation | Value
---|---|---|---|---
(1176) Explorer.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | CheckSetting | write | 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DCF3FEA0D57F8946A73C54B6B81FC791000000000200000000001066000000010000200000009C37F462A1D248C8879A8A5AF0931BBBDB726E64F48D09C22CE4EC8909A329A1000000000E8000000002000020000000596C0ACBB74278D843DCE8AFD3E6158B638E99E7EEBE382CEF5321E841BA6C60300000003E6B3FDB2FC96F79DE6E5094CE5C8921C77577DDE5350AFF8433FD4B5563A8890200ADFCE8355C41F4CB7FFBF1FEBDAB400000001C7F080252E5E1EA74F42551E78C3AA85D02A504AB4B328397A38D32E22586AD5B117CD570D33CA4C1001ECD6045AC1360DEA7F28C863309BC45506D4B23AB61
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | y7 | write | 797F3700580B0000010000000000000000000000
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | write | Off
(2904) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | write | Off
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR1B69.tmp.cvr | — | — | —
864 | vbc.exe | C:\Users\admin\AppData\Local\Temp\zpymalje.exe | executable | 6BD81483F8E6DB1A56AAD5DF5D76BABE | F6D4DBBF5C4BE22762E656CE96D5DADC85210EEA8352A72FB8D1B71E7D349755
864 | vbc.exe | C:\Users\admin\AppData\Local\Temp\40t6oi6qc9vu4wk | binary | 16A8CAFC272382F26278A7073A3F58B2 | DB4734BA587FAA66E0F09593E6B9D2E2C11228BEC7DED2FA965E84A45A55371C
3564 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | 82415ED5148D69E8E879CBC01CD7D796 | 3235D12EE1B9B108D372200B7BDA8B6074881F0FD8953EF80B3E2351DA328C0C
2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A01E96C.emf | emf | 894A796F9211E1080192AC72B6D54A9D | 8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3564 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\vbc[1].exe | executable | 82415ED5148D69E8E879CBC01CD7D796 | 3235D12EE1B9B108D372200B7BDA8B6074881F0FD8953EF80B3E2351DA328C0C
864 | vbc.exe | C:\Users\admin\AppData\Local\Temp\nsc232B.tmp | mp3 | 2987AE2E30A0F4A28DFE748D08B31ADC | 7B2ACAD51AE81F90EFC022F8803630B0AF3AEA386D2D7BFDA73637DFD19C7CAE
864 | vbc.exe | C:\Users\admin\AppData\Local\Temp\ejowcpp | binary | F79BC8AD35EC8138C272286241AC1B4F | 41C5EFF06175277F1ABE88185F0516ACA745D8C80B301F2568312B7994416416
2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3556757.emf | emf | 8E3A74F7AA420B02D34C69E625969C0A | 0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1176 | Explorer.EXE | GET | 301 | 34.117.168.233:80 | http://www.tontolibre.com/k8yg/?uZ-H=pn5LlX8KBxYcEqrzDbn/JbiSnd7qJg/XuzSBs+ukndVI+OObltTNevWtHKNodLWl7TVcUA==&9r8L-=2dLtQR88V | US | — | — | malicious |
1176 | Explorer.EXE | GET | — | 43.138.101.210:80 | http://www.wiseplato.top/k8yg/?uZ-H=/7E6wM4Mf2B5rDmcXgyVhxPlnLQxfKUixmK3spmkgL5+JauuBIdlz9TlIYioY+TC9KQROQ==&9r8L-=2dLtQR88V | JP | — | — | malicious |
1176 | Explorer.EXE | GET | 301 | 142.250.186.115:80 | http://www.catruler.com/k8yg/?uZ-H=Iace3lDSbu1mRSPEfAsJFyhKSXbWKC+ZNJR+bhcOvkj7C5lpdelZdIg6Wo80Qz3h+qRCaQ==&9r8L-=2dLtQR88V | US | — | — | malicious |
1176 | Explorer.EXE | GET | — | 108.179.232.142:80 | http://www.mellowyellowkratom.com/k8yg/?uZ-H=sLIi2l5V+K2CvOWGNl8hFpFSnRwZ61jcMswfn3gf1kL99qiF4Wyz5lwzlkhp8luOfBmA6g==&9r8L-=2dLtQR88V | US | — | — | malicious |
3564 | EQNEDT32.EXE | GET | 200 | 84.38.133.165:80 | http://84.38.133.165/1111/vbc.exe | NL | executable | 193 Kb | malicious |
1176 | Explorer.EXE | GET | 404 | 199.192.20.96:80 | http://www.renchies.com/k8yg/?uZ-H=Q/4QYXyeUhQUeHjU38nvtVW9xbxdpXVONf/UpOEQTFnd16GoySD1S6oexShrdofAuEmEgg==&9r8L-=2dLtQR88V | US | html | 278 b | malicious |
1176 | Explorer.EXE | GET | 410 | 3.64.163.50:80 | http://www.web3react.xyz/k8yg/?uZ-H=CyhYPvhLZTWPLKIKBdrJjlX3UV+FAg1Kuxm3oxJPl8VECJyLmxkJOb3GdhHz7kgYd6gWRw==&9r8L-=2dLtQR88V | US | html | 111 b | malicious |
1176 | Explorer.EXE | GET | 404 | 62.149.128.40:80 | http://www.complerandom.com/k8yg/?uZ-H=Ke9VCP2CThhu6d6ENobKGGNKuEBA6Wv99l0JkIKHluUUOqu1hIhnv26OqVkq5P/HJCeGZQ==&9r8L-=2dLtQR88V | IT | html | 4.93 Kb | malicious |
1176 | Explorer.EXE | GET | 301 | 35.202.21.90:80 | http://www.usedvehiclesbahamas.com/k8yg/?uZ-H=mwCHYfBJglIyTxuPmVxiTuhzPLVxiNXoJVl89jumiQoqcP2Zb1FfoNSLz5b30FIb5M9tUg==&9r8L-=2dLtQR88V | US | html | 166 b | malicious |
1176 | Explorer.EXE | GET | 404 | 208.100.26.245:80 | http://www.saltdone.net/k8yg/?uZ-H=ufR/vde3x5u92OqVHxzHGK4l+2zPwd+H/VkicJbW0TFbZOHeuBYo7cf6fGEqTZlDr8yKvA==&9r8L-=2dLtQR88V | US | html | 178 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1176 | Explorer.EXE | 43.138.101.210:80 | www.wiseplato.top | — | JP | malicious |
3564 | EQNEDT32.EXE | 84.38.133.165:80 | — | DataClub S.A. | NL | malicious |
1176 | Explorer.EXE | 34.117.168.233:80 | www.tontolibre.com | — | US | malicious |
1176 | Explorer.EXE | 3.64.163.50:80 | www.web3react.xyz | — | US | malicious |
1176 | Explorer.EXE | 62.149.128.40:80 | www.complerandom.com | Aruba S.p.A. | IT | malicious |
1176 | Explorer.EXE | 142.250.186.115:80 | www.catruler.com | Google Inc. | US | malicious |
1176 | Explorer.EXE | 34.102.136.180:80 | www.jujubemobi.com | — | US | whitelisted |
1176 | Explorer.EXE | 154.221.85.23:80 | www.thecuretickets.net | MULTACOM CORPORATION | US | malicious |
1176 | Explorer.EXE | 108.179.232.142:80 | www.mellowyellowkratom.com | CyrusOne LLC | US | malicious |
1176 | Explorer.EXE | 208.100.26.245:80 | www.saltdone.net | Steadfast | US | malicious |
Domain | IP | Reputation
---|---|---
www.wiseplato.top | | malicious
www.tontolibre.com | | malicious
www.hk6543.com | | unknown
www.jujubemobi.com | | malicious
www.complerandom.com | | malicious
www.catruler.com | | malicious
www.helensguide.com | | unknown
www.web3react.xyz | | malicious
www.renchies.com | | malicious
www.usedvehiclesbahamas.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
3564 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3564 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3564 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3564 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3564 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3564 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1176 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |