File name: | SEALEY UK ORDER PI DX190530.xlsx |
Full analysis: | https://app.any.run/tasks/bdddf2dd-ec89-4761-bd1c-9edde24cf11b |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | June 19, 2019, 06:24:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | A50A3071CA1B34DD38A353CE402EE4ED |
SHA1: | 56534549BA3BE16337EE16AA68FCC81AF02AD6F4 |
SHA256: | B8D0936C7E24DFD4D68492AEE7FABA065E0EEF4D47B03B459FB590D1A2FFF53C |
SSDEEP: | 768:MRC1jSlqm5lm1xd8jugoyT0dpB6cN3DmyQN:MXTJ9oz3DqNN |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2876 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3584 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3784 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.07.0001 | ||||
2684 | C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.07.0001 | ||||
2796 | "C:\Windows\System32\services.exe" | C:\Windows\System32\services.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Services and Controller app Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3832 | /c del "C:\Users\Public\vbc.exe" | C:\Windows\System32\cmd.exe | — | services.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
252 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | ctfmon.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3772 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1504 | "C:\Program Files\Ejdfl_rt\3fxxvpr5plne.exe" | C:\Program Files\Ejdfl_rt\3fxxvpr5plne.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.07.0001 | ||||
568 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | services.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 65.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE54D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72D98342.png | — | |
MD5:— | SHA256:— | |||
2876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFAD605323758E3E6A.TMP | — | |
MD5:— | SHA256:— | |||
2876 | EXCEL.EXE | C:\Users\admin\Desktop\~$SEALEY UK ORDER PI DX190530.xlsx | — | |
MD5:— | SHA256:— | |||
2876 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\SEALEY UK ORDER PI DX190530.xlsx.LNK | lnk | |
MD5:AD787947B49541A641EA6C5D55BBB205 | SHA256:201E87028779FFC19F23AC06244DF3A4D571A43C3A09C9E88BF79C2781A80D9D | |||
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9839aec31243a928.automaticDestinations-ms | automaticdestinations-ms | |
MD5:E8584489BA4435D40E9B2B9D72F64F6F | SHA256:4F3489AC9DFD6F5A4640A8527F6F182C4776E13B09581448509591D627355F05 | |||
2876 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:ABEA0ED6044C991A592A304182A868FC | SHA256:DFE9839135DEE5C8D3B04364E6EEA65B9A137315E3D4F83631C628BEC6374705 | |||
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:D79A0D0DBF15FF1672CA14667E150C88 | SHA256:6FD0CD8EB32175FD3502C6E4AE6B61502D590EEE5F67EF66F0F9C1F095B4B284 | |||
252 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Ejdfl_rt\3fxxvpr5plne.exe | executable | |
MD5:136A7184DE475E32AC15A0AA27747A18 | SHA256:8D6D79ACCE267A7DF89FF1A76706DF8B41D373D53412A4A2BD372C6146D32EFA | |||
3584 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:136A7184DE475E32AC15A0AA27747A18 | SHA256:8D6D79ACCE267A7DF89FF1A76706DF8B41D373D53412A4A2BD372C6146D32EFA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
252 | explorer.exe | GET | 301 | 107.180.51.3:80 | http://www.holisticmargin.com/mi/?FTn8o=9bFpQfKhqHZfYhUyl+6W9dytNe2N5ztWzZ/aZUH0S0bw8BgewcUJ/KkeHENGUYsggP1mVw==&uRpx=kjd0TfwH1JnxzH | US | — | — | malicious |
3584 | EQNEDT32.EXE | GET | 200 | 23.249.165.218:80 | http://promotionzynovawillzerodacontinuegood.duckdns.org/frank.exe | US | executable | 496 Kb | malicious |
252 | explorer.exe | POST | — | 74.220.215.226:80 | http://www.mtzionstl.com/mi/ | US | — | — | malicious |
252 | explorer.exe | POST | — | 74.220.215.226:80 | http://www.mtzionstl.com/mi/ | US | — | — | malicious |
252 | explorer.exe | POST | — | 74.220.215.226:80 | http://www.mtzionstl.com/mi/ | US | — | — | malicious |
252 | explorer.exe | GET | 301 | 74.220.215.226:80 | http://www.mtzionstl.com/mi/?FTn8o=9UQ3Pml9iZg+vknTSSRFJwLChFOr+Qx3p5wC6tigYIkAmwL2mknOhivaCDadb4zi+FJrMA==&uRpx=kjd0TfwH1JnxzH&sql=1 | US | html | 415 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3584 | EQNEDT32.EXE | 23.249.165.218:80 | promotionzynovawillzerodacontinuegood.duckdns.org | ColoCrossing | US | malicious |
252 | explorer.exe | 74.220.215.226:80 | www.mtzionstl.com | Unified Layer | US | malicious |
252 | explorer.exe | 107.180.51.3:80 | www.holisticmargin.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
promotionzynovawillzerodacontinuegood.duckdns.org |
| malicious |
www.gosport.store |
| unknown |
www.holisticmargin.com |
| malicious |
www.mtzionstl.com |
| malicious |
www.capitalcamerarentals.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3584 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |