analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

617724eae420e5972f88066ba4c9eb9a24772176.xls

Full analysis: https://app.any.run/tasks/156c9447-61de-40e6-bdfc-bec6d828a3b9
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 12:35:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
loader
formbook
stealer
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: DELL, Last Saved By: DELL, Create Time/Date: Wed Sep 30 09:35:34 2020, Last Saved Time/Date: Wed Sep 30 09:35:34 2020, Security: 0
MD5:

68D49604D2AF422137883BBE175597C9

SHA1:

617724EAE420E5972F88066BA4C9EB9A24772176

SHA256:

8F0B57FFEBABF29670832449B17EB4B76E9C9D4ACC7D79A34547CF641521BBB5

SSDEEP:

6144:Pk3hOdsylKlgryzc4bNhZF+E+W2kn08u0keNXFL318Aeu3bjbAOiOEc8ICtLtBDI:Qu03NXB31lf7jnEnIgLt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2628)

    • Application was dropped or rewritten from another process

      • svchost32.exe (PID: 3984)
      • AddInProcess32.exe (PID: 1544)
      • osign.exe (PID: 1700)
      • ezotrtxrfh52th.exe (PID: 1100)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2628)

    • Changes the autorun value in the registry

      • reg.exe (PID: 1736)
      • msdt.exe (PID: 2560)

    • Loads dropped or rewritten executable

      • svchost32.exe (PID: 3984)
      • osign.exe (PID: 1700)
      • msdt.exe (PID: 2560)

    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • msdt.exe (PID: 2560)
      • Firefox.exe (PID: 3132)

    • Connects to CnC server

      • explorer.exe (PID: 352)

    • Actions looks like stealing of personal data

      • msdt.exe (PID: 2560)

    • Stealing of credential data

      • cmd.exe (PID: 724)
      • msdt.exe (PID: 2560)

  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 352)
      • msdt.exe (PID: 2560)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2152)

    • Starts CMD.EXE for commands execution

      • svchost32.exe (PID: 3984)
      • msdt.exe (PID: 2560)

    • Executable content was dropped or overwritten

      • svchost32.exe (PID: 3984)
      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 3320)
      • msdt.exe (PID: 2560)

    • Starts itself from another location

      • svchost32.exe (PID: 3984)

    • Loads DLL from Mozilla Firefox

      • msdt.exe (PID: 2560)

    • Executed via COM

      • DllHost.exe (PID: 3320)

    • Creates files in the program directory

      • DllHost.exe (PID: 3320)

  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 352)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2628)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2628)
      • Firefox.exe (PID: 3132)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2628)

    • Manual execution by user

      • msdt.exe (PID: 2560)

    • Reads the hosts file

      • msdt.exe (PID: 2560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: DELL
LastModifiedBy: DELL
CreateDate: 2020:09:30 08:35:34
ModifyDate: 2020:09:30 08:35:34
Security: None
CodePage: Windows Latin 1 (Western European)
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet 1
HeadingPairs:
  • Worksheets
  • 1
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
13
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start excel.exe svchost32.exe cmd.exe no specs reg.exe osign.exe no specs addinprocess32.exe no specs #FORMBOOK msdt.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object ezotrtxrfh52th.exe no specs cmd.exe

Process information

PID
CMD
Path
Indicators
Parent process
2628"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3984"C:\Users\Public\svchost32.exe" C:\Users\Public\svchost32.exe
EXCEL.EXE
User:
admin
Company:
r;24a,#0f5s]u
Integrity Level:
MEDIUM
Description:
u,78r&]5zx(1*6do_0)4t
Exit code:
0
Version:
1.1.2.2
2152"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"C:\Windows\system32\cmd.exesvchost32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1736REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"C:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1700"C:\Users\admin\osign.exe" C:\Users\admin\osign.exesvchost32.exe
User:
admin
Company:
r;24a,#0f5s]u
Integrity Level:
MEDIUM
Description:
u,78r&]5zx(1*6do_0)4t
Exit code:
0
Version:
1.1.2.2
1544"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exeosign.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
2560"C:\Windows\System32\msdt.exe"C:\Windows\System32\msdt.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3368/c del "C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"C:\Windows\System32\cmd.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3132"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
msdt.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
3 150
Read events
3 043
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
81
Text files
3
Unknown types
8

Dropped files

PID
Process
Filename
Type
2628EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR7734.tmp.cvr
MD5:
SHA256:
2628EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:C18DBBEEE55AA6913B14339658E03C80
SHA256:70AA862CDACBFCAAE05C35C02FA1A4382E99AFDEC4E6CD8C86BEB8ED6EEE1058
2628EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\DFI-6059[1].jpgexecutable
MD5:69A1012645E68EC71F61E3E623CC1802
SHA256:37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0
2628EXCEL.EXEC:\Users\Public\svchost32.exeexecutable
MD5:69A1012645E68EC71F61E3E623CC1802
SHA256:37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0
2628EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\617724eae420e5972f88066ba4c9eb9a24772176.xls.LNKlnk
MD5:096E18A9E0C0814BAD6C6515AC03707D
SHA256:FCA92D19FD313D296EC26A044BBC7E03DD9594ADC7A26C7C98198E4005C47AE3
3984svchost32.exeC:\Users\admin\osign.exeexecutable
MD5:69A1012645E68EC71F61E3E623CC1802
SHA256:37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0
352explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9839aec31243a928.automaticDestinations-msautomaticdestinations-ms
MD5:7C236A024EB366A12DFEB83F8EE907F9
SHA256:1908EB21AF5DFDA629B7C34956E80790C480C30519A74BABC28FD0ADD11F44EF
352explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\617724eae420e5972f88066ba4c9eb9a24772176.xls.lnklnk
MD5:D9B89F2D15C3B9CFFC088DE442FF39F1
SHA256:6F590805FE669C73BB82C9EA470DB664040488F5173BAF390D9D3F9E99F2757C
352explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:C6D57A4918E84C3EA00309237381554A
SHA256:D2E4F3794D70FAA5F90BFB3BAD3FF9CF2C063848E11CBFB8C90C92C7FA4EC16B
3984svchost32.exeC:\Users\admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dllexecutable
MD5:14FF402962AD21B78AE0B4C43CD1F194
SHA256:FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
33
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
404
195.110.124.154:80
http://www.boredofbooze.com/dmr/?cx4=ntLgBywNjS5QZXxHKZ+BKASXsoIOPh1l5kT/i2xbM/vpQBgtOnKeve7TX11hZZzbS+jxTg==&Tj=Cp8LjLB
IT
html
202 b
malicious
352
explorer.exe
POST
23.20.239.12:80
http://www.sunlivetv.com/dmr/
US
malicious
352
explorer.exe
POST
404
63.250.45.230:80
http://www.funpexw.com/dmr/
US
html
292 b
malicious
352
explorer.exe
POST
195.110.124.154:80
http://www.boredofbooze.com/dmr/
IT
malicious
2628
EXCEL.EXE
GET
200
185.33.85.52:80
http://185.33.85.52/FR/DFI-6059.jpg
GB
executable
406 Kb
malicious
352
explorer.exe
GET
200
217.70.184.50:80
http://www.duplex-id.com/dmr/?cx4=JqX3llDj5zrEJKAr/heZ/yuNYEc2LyTvyN69LG/zeKg7yqdKQXyOgjofEK3QvXdz4KAd2A==&Tj=Cp8LjLB
FR
html
2.45 Kb
malicious
352
explorer.exe
POST
23.20.239.12:80
http://www.sunlivetv.com/dmr/
US
malicious
352
explorer.exe
POST
195.110.124.154:80
http://www.boredofbooze.com/dmr/
IT
malicious
352
explorer.exe
POST
404
63.250.45.230:80
http://www.funpexw.com/dmr/
US
html
292 b
malicious
352
explorer.exe
POST
195.110.124.154:80
http://www.boredofbooze.com/dmr/
IT
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
23.20.239.12:80
www.sunlivetv.com
Amazon.com, Inc.
US
shared
352
explorer.exe
217.70.184.50:80
www.duplex-id.com
GANDI SAS
FR
malicious
352
explorer.exe
63.250.45.230:80
www.funpexw.com
Frontline Data Services, Inc
US
malicious
352
explorer.exe
195.110.124.154:80
www.boredofbooze.com
Register.it SpA
IT
malicious
2628
EXCEL.EXE
185.33.85.52:80
GB
malicious
352
explorer.exe
185.225.208.56:80
www.aracaju.online
malicious
352
explorer.exe
34.102.136.180:80
www.shiltawi.com
US
whitelisted
34.102.136.180:80
www.shiltawi.com
US
whitelisted

DNS requests

Domain
IP
Reputation
www.diptya.net
unknown
www.dhzzyy.net
malicious
www.rooster-money.com
unknown
www.swiyke.download
unknown
www.duplex-id.com
  • 217.70.184.50
malicious
www.bestsmokeapp.com
unknown
www.hotelsitaly.online
unknown
www.siyahmaske.win
unknown
www.funpexw.com
  • 63.250.45.230
malicious
www.imagingnetworkri.net
unknown

Threats

PID
Process
Class
Message
2628
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2628
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2628
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2628
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2628
EXCEL.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2628
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2628
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
24 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
617724eae420e5972f88066ba4c9eb9a24772176.xls