File name: 8499d70c4cfbd26c29cf078a95b804d68ed0706f3485acf6d2375645e73aafec

Full analysis: https://app.any.run/tasks/9876579b-1157-475a-828b-76400bdd95cc
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is distributed as Malware-as-a-Service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which lets even inexperienced threat actors deploy it.

Analysis date: April 25, 2019, 02:41:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc, opendir, trojan, formbook, stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 3D2D4C460855060E929861B2B0B537EA
SHA1: D8D1EAA009D194059A578BEE7AEFC0C66FF7B40F
SHA256: 8499D70C4CFBD26C29CF078A95B804D68ED0706F3485ACF6D2375645E73AAFEC
SSDEEP: 1536:qs0LETglZ3INzXAZnti6+/AVCFJxJpCIJIcGgoETRl+9IQzXAIRm456+/AVCFJxG:q7Lc7k+t6cIFhHtF4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2400)
      • EXCEL.EXE (PID: 2328)
    • Application was dropped or rewritten from another process

      • y0yltj11f.exe (PID: 2468)
      • y0yltj11f.exe (PID: 2184)
      • y0yltj11f.exe (PID: 1412)
      • y0yltj11f.exe (PID: 3876)
      • y0yltj11f.exe (PID: 2148)
      • y0yltj11f.exe (PID: 1816)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2400)
      • EXCEL.EXE (PID: 2328)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2400)
    • FORMBOOK was detected

      • explorer.exe (PID: 116)
    • Changes the autorun value in the registry

      • lsass.exe (PID: 3764)
    • Formbook was detected

      • lsass.exe (PID: 3764)
      • Firefox.exe (PID: 1540)
    • Connects to CnC server

      • explorer.exe (PID: 116)
    • Actions look like stealing of personal data

      • lsass.exe (PID: 3764)
    • Stealing of credential data

      • lsass.exe (PID: 3764)
  • SUSPICIOUS

    • Application launched itself

      • y0yltj11f.exe (PID: 2468)
      • y0yltj11f.exe (PID: 2184)
      • y0yltj11f.exe (PID: 1412)
      • y0yltj11f.exe (PID: 3876)
    • Loads DLL from Mozilla Firefox

      • lsass.exe (PID: 3764)
    • Starts CMD.EXE for command execution

      • lsass.exe (PID: 3764)
    • Creates files in the user directory

      • lsass.exe (PID: 3764)
  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 116)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3692)
      • EXCEL.EXE (PID: 2400)
      • EXCEL.EXE (PID: 2328)
      • excelcnv.exe (PID: 2052)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3692)
      • EXCEL.EXE (PID: 2400)
      • Firefox.exe (PID: 1540)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

LastModifiedBy: Administrator
CreateDate: 2019:04:24 00:32:00
ModifyDate: 2019:04:24 00:32:00
RevisionNumber: 1
TotalEditTime: -
Pages: 1
Words: 7
Characters: 46
CharactersWithSpaces: 52
InternalVersionNumber: 101
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 16
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Graph legend: start, drop and start. "no specs" marks a process node without indicators; #FORMBOOK marks a node flagged as FormBook.
Process nodes in the graph: winword.exe (no specs), excel.exe, y0yltj11f.exe (no specs), excel.exe, y0yltj11f.exe (no specs), excelcnv.exe (no specs), y0yltj11f.exe (no specs), y0yltj11f.exe (no specs), y0yltj11f.exe (no specs), lsass.exe (#FORMBOOK), y0yltj11f.exe (no specs), cmd.exe (no specs), autofmt.exe (no specs), audiodg.exe (no specs), explorer.exe (#FORMBOOK), firefox.exe (#FORMBOOK)

Process information

PID 3692 | WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\8499d70c4cfbd26c29cf078a95b804d68ed0706f3485acf6d2375645e73aafec.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Word | Version: 14.0.6024.1000

PID 2400 | EXCEL.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: svchost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 2184 | y0yltj11f.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe"
  Path: C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe
  Parent process: EXCEL.EXE
  User: admin | Company: bITPay | Integrity Level: MEDIUM
  Description: cOdE LAboratories, Inc. | Exit code: 0 | Version: 1.00

PID 2328 | EXCEL.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: svchost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 2468 | y0yltj11f.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe"
  Path: C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe
  Parent process: EXCEL.EXE
  User: admin | Company: bITPay | Integrity Level: MEDIUM
  Description: cOdE LAboratories, Inc. | Exit code: 0 | Version: 1.00

PID 2052 | excelcnv.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\excelcnv.exe
  Parent process: svchost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 1412 | y0yltj11f.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe"
  Path: C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe
  Parent process: y0yltj11f.exe
  User: admin | Company: bITPay | Integrity Level: MEDIUM
  Description: cOdE LAboratories, Inc. | Exit code: 0 | Version: 1.00

PID 3876 | y0yltj11f.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe"
  Path: C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe
  Parent process: y0yltj11f.exe
  User: admin | Company: bITPay | Integrity Level: MEDIUM
  Description: cOdE LAboratories, Inc. | Exit code: 0 | Version: 1.00

PID 2148 | y0yltj11f.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe"
  Path: C:\Users\admin\AppData\Local\Temp\y0yltj11f.exe
  Parent process: y0yltj11f.exe
  User: admin | Company: bITPay | Integrity Level: MEDIUM
  Description: cOdE LAboratories, Inc. | Exit code: 0 | Version: 1.00

PID 3764 | lsass.exe
  CMD: "C:\Windows\System32\lsass.exe"
  Path: C:\Windows\System32\lsass.exe
  Parent process: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Local Security Authority Process | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 760
Read events: 2 069
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 77
Text files: 7
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6FEC.tmp.cvr | - | - | -
2400 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7B27.tmp.cvr | - | - | -
2328 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9E8D.tmp.cvr | - | - | -
2052 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRAAC2.tmp.cvr | - | - | -
2052 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF43A754AA6F83433A.TMP | - | - | -
3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC5FACC7374B2757E.TMP | - | - | -
2052 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF31857D6BE9FE825E.TMP | - | - | -
3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF6AA0538ED5E22445.TMP | - | - | -
2400 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\crtwon[1].exe | executable | CFFD1C065E58BB6F5F11D424836DA6C7 | 2091F1BD001DE44C14F98506C7E1C44FC7E94AE4AABCA8C7FD6520401FE7A4DB
3692 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 825C45DD10C96600B19CB23B108C989D | 7C821062FDC859ADBA6F62E919301188567AB7912FBA2458B8EC3C72FE0F88DB
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 26
TCP/UDP connections: 31
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
116 | explorer.exe | GET | - | 91.195.240.82:80 | http://www.tienda-ricky.net/da/?6lfPdxQ8=gWaMHjPy43/YVarkXp/FDnxiXZ+G84g6oFTZfbHBTb9niPdy2YNQy76SYZ5eTB7Ci/MJVQ==&3f6=YnM4ANLx&sql=1 | DE | malicious
2328 | EXCEL.EXE | GET | 301 | 104.27.142.228:80 | http://docusiqn.ml/dreal/crtwon.exe | US | suspicious
2400 | EXCEL.EXE | GET | 301 | 104.27.142.228:80 | http://docusiqn.ml/dreal/crtwon.exe | US | suspicious
116 | explorer.exe | GET | - | 157.112.176.43:80 | http://www.xn--ecki4eoz5532fh5ud.com/da/?6lfPdxQ8=LFwaSLNiYPAvk5+WI5GuagEWzi6/QukDPTZMOJwFc9e+TjXtJxQP3DlBA8lj/A5pMZPwXw==&3f6=YnM4ANLx | JP | malicious
116 | explorer.exe | POST | - | 91.195.240.82:80 | http://www.tienda-ricky.net/da/ | DE | malicious
116 | explorer.exe | GET | - | 199.73.55.48:80 | http://www.killtherefresh.com/da/?6lfPdxQ8=wYPjeTAPrlnTa7me4E7acxHvZUeN9MgtD1OzqGNrPCHAf6tOuOZp9wK5jIdm3EKA5MkK9w==&3f6=YnM4ANLx&sql=1 | US | malicious
116 | explorer.exe | GET | 301 | 98.158.224.130:80 | http://www.bnfproperty.com/da/?6lfPdxQ8=1zUt7hhy9tUhvhWcRWSzTUPtrAAECjwJvxFPDAonf91o8ianlJvqWQBtsgrXhu06FuuQrw==&3f6=YnM4ANLx&sql=1 | US | malicious
116 | explorer.exe | POST | - | 91.195.240.82:80 | http://www.tienda-ricky.net/da/ | DE | malicious
116 | explorer.exe | POST | - | 69.164.196.16:80 | http://www.caitlinbeanan.com/da/ | US | malicious
116 | explorer.exe | POST | - | 52.206.237.51:80 | http://www.zjydl.com/da/ | US | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2400 | EXCEL.EXE | 104.27.142.228:80 | docusiqn.ml | Cloudflare Inc | US | shared
2328 | EXCEL.EXE | 104.27.142.228:80 | docusiqn.ml | Cloudflare Inc | US | shared
116 | explorer.exe | 157.112.176.43:80 | www.xn--ecki4eoz5532fh5ud.com | SAKURA Internet Inc. | JP | malicious
2328 | EXCEL.EXE | 104.27.142.228:443 | docusiqn.ml | Cloudflare Inc | US | shared
2400 | EXCEL.EXE | 104.27.142.228:443 | docusiqn.ml | Cloudflare Inc | US | shared
116 | explorer.exe | 69.164.196.16:80 | www.caitlinbeanan.com | Linode, LLC | US | malicious
116 | explorer.exe | 52.206.237.51:80 | www.zjydl.com | Amazon.com, Inc. | US | malicious
116 | explorer.exe | 91.195.240.82:80 | www.tienda-ricky.net | SEDO GmbH | DE | malicious
116 | explorer.exe | 199.73.55.48:80 | www.killtherefresh.com | ScaleMatrix | US | malicious
116 | explorer.exe | 98.158.224.130:80 | www.bnfproperty.com | Hurricane Electric, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
docusiqn.ml | 104.27.142.228, 104.27.143.228 | suspicious
www.xn--ecki4eoz5532fh5ud.com | 157.112.176.43 | malicious
www.tienda-ricky.net | 91.195.240.82 | malicious
www.caitlinbeanan.com | 69.164.196.16 | malicious
www.bnfproperty.com | 98.158.224.130 | malicious
dns.msftncsi.com | 131.107.255.255 | shared
www.killtherefresh.com | 199.73.55.48 | malicious
www.zjydl.com | 52.206.237.51, 34.227.231.125 | malicious
www.ihr-hoersystem.com | 217.160.0.99 | malicious
www.nitrotramp.com | 151.101.1.211, 151.101.65.211, 151.101.129.211, 151.101.193.211 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain
2400 | EXCEL.EXE | Potentially Bad Traffic | ET INFO Suspicious Domain (*.ml) in TLS SNI
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
20 ETPRO signatures are available in the full report
No debug info