Property | Value
---|---
File name: | sample2.doc
Full analysis: | https://app.any.run/tasks/c27f17a2-31ba-46b9-b243-8931da7aba39
Verdict: | Malicious activity
Threats: | FormBook is a data stealer that is being distributed as MaaS. FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to use the FormBook virus.
Analysis date: | April 23, 2019, 09:29:36
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: od6586, Subject: j2ec698, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Apr 22 22:30:00 2019, Last Saved Time/Date: Mon Apr 22 22:30:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5: | E29E3020B3AE80BCF53E16A3F71CD9DD
SHA1: | 6543EF5EFE35438A746857538365BD6C224ABD8E
SHA256: | B7096A1FC9D5483F33D286DE03FB00A17717695A69EC97933A3396989C03BC9C
SSDEEP: | 384:V8iS8px8SMDOeF2R94usNo9nFN46+XhEx+xbcpf1dOPw1Ggi8eV3my+qtsJiN0jO:J3y4Hsm9FNoX+s544V2yHWU
Extension | Type | Score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---
Title: | od6586
Subject: | j2ec698
Author: | -
Keywords: | -
Comments: | -
Template: | Normal.dotm
LastModifiedBy: | -
RevisionNumber: | 1
Software: | Microsoft Office Word
TotalEditTime: | -
CreateDate: | 2019:04:22 21:30:00
ModifyDate: | 2019:04:22 21:30:00
Pages: | 1
Words: | -
Characters: | -
Security: | None
CodePage: | Windows Latin 1 (Western European)
Bytes: | 11000
Lines: | -
Paragraphs: | -
CharCountWithSpaces: | -
AppVersion: | 16
ScaleCrop: | No
LinksUpToDate: | No
SharedDoc: | No
HyperlinksChanged: | No
TitleOfParts: | od6586
HeadingPairs: |
CompObjUserTypeLen: | 32
CompObjUserType: | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2240 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample2.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
2524 | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\t8d2ae6.txt" "t8d2ae6.exe" &start "" "C:\Users\admin\AppData\Local\Temp\t8d2ae6.exe" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
1472 | "C:\Users\admin\AppData\Local\Temp\t8d2ae6.exe" | C:\Users\admin\AppData\Local\Temp\t8d2ae6.exe | — | cmd.exe
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
1248 | "C:\Windows\System32\msg.exe" | C:\Windows\System32\msg.exe | — | explorer.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Message Utility; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2448 | /c del "C:\Users\admin\AppData\Local\Temp\t8d2ae6.exe" | C:\Windows\System32\cmd.exe | — | msg.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | —
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
4060 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | — | msg.exe
| User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 65.0.2 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5CF0.tmp.cvr | — | — | —
2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\t8d2ae6.txt | — | — | —
2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ample2.doc | pgc | 34E8AFFC300CC3C0B51FC8D63D0EA725 | F064E2CE8209301F5A3BC4B5FC7BE1B8310902EF66D4B5361D1E6924D675B977
2240 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D2E15D5C604345F8015FBF3360A0E0AC | 1F21FE58E7748D2F29BC412D23F15565CB01B44D017CC45BB01701708A9978D6
2524 | cmd.exe | C:\Users\admin\AppData\Local\Temp\t8d2ae6.exe | executable | C2D3F10DB930781B44FC1E72AB647836 | 607A7D15E416F4D74892BFF2EF0884C1916C017865F864E21770737BA0B4ED6F
1248 | msg.exe | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
4060 | Firefox.exe | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
1248 | msg.exe | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logim.jpeg | image | 1884D513F6B13C17693B43560E8C9D95 | A857B0EA485D0FC9CD7AB98114090F1DB4A57B214F132B9C4C51C6E215DB7647
1248 | msg.exe | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logrv.ini | binary | BA3B6BC807D4F76794C4B81B09BB9BA5 | 6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
1248 | msg.exe | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logri.ini | binary | D63A82E5D81E02E399090AF26DB0B9CB | EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | — | 192.64.116.237:80 | http://www.balonck.com/ma/?h6eD7BM=/v2RQsfcB4Q6qGDPygIIRXLYa/kE1fw2A9JQIWUr6qNr8r+MuhxrIEyDSzIfBkU/Dln1Ag==&MJoH=Fdm09tQ8qp8LelC0&sql=1 | US | — | — | malicious |
116 | explorer.exe | GET | — | 23.20.239.12:80 | http://www.findnursingschool.com/ma/?h6eD7BM=brN7AQ4sTjmtXs+RvxPtFgm5sWRuttZYKoVhvxhqVATouhZ6FNa2DKCLBX4d9jlPE79BhQ==&MJoH=Fdm09tQ8qp8LelC0 | US | — | — | shared |
116 | explorer.exe | POST | — | 23.227.38.64:80 | http://www.giggypets.com/ma/ | CA | — | — | malicious |
116 | explorer.exe | POST | — | 192.64.116.237:80 | http://www.balonck.com/ma/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 23.227.38.64:80 | http://www.giggypets.com/ma/ | CA | — | — | malicious |
116 | explorer.exe | GET | 403 | 23.227.38.64:80 | http://www.giggypets.com/ma/?h6eD7BM=Mx3KSaNyAdZXUf57ORb5UWCCrwXq/nsnxSr/+kl4KNB+71d9j24AqREIQl63UE+KK210wg==&MJoH=Fdm09tQ8qp8LelC0&sql=1 | CA | html | 1.74 Kb | malicious |
116 | explorer.exe | POST | — | 75.126.102.243:80 | http://www.losaltoseye.com/ma/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 75.126.102.243:80 | http://www.losaltoseye.com/ma/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 154.209.2.147:80 | http://www.whlies.com/ma/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 154.209.2.147:80 | http://www.whlies.com/ma/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 154.209.2.147:80 | www.whlies.com | MULTACOM CORPORATION | US | malicious |
116 | explorer.exe | 23.227.38.64:80 | www.giggypets.com | Shopify, Inc. | CA | malicious |
2240 | WINWORD.EXE | 217.64.195.171:443 | www.rossofuoco.com | SEEWEB s.r.l. | IT | unknown |
116 | explorer.exe | 75.126.102.243:80 | www.losaltoseye.com | SoftLayer Technologies Inc. | US | malicious |
116 | explorer.exe | 23.20.239.12:80 | www.findnursingschool.com | Amazon.com, Inc. | US | shared |
116 | explorer.exe | 192.64.116.237:80 | www.balonck.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
www.rossofuoco.com | | unknown
www.findnursingschool.com | | shared
www.hxhwhg.com | | unknown
www.giggypets.com | | malicious
www.theceramicgarden.net | | unknown
www.balonck.com | | malicious
www.pbwsic.online | | unknown
www.isurro.com | | unknown
www.losaltoseye.com | | malicious
www.glindatv.com | | unknown
PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |