File name: | IMG_ORDER_NEW_7647_.xlsx |
Full analysis: | https://app.any.run/tasks/a94679ce-bf21-4923-9d7e-0089e92d1736 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | January 22, 2019, 20:50:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | A2CD8D4D640604CC7A47A7B5B480C321 |
SHA1: | 43B3DED1BC24F843CFBEA9A54F933F41A1612F51 |
SHA256: | BFAEBEB4A8B10DE53D5D31EC919140E4C5741885A4FE629DE6542F574CA6B2F7 |
SSDEEP: | 3072:5Icg/zDGgRQ49QRItHLrFG5tk9TD6c0H0cA/ejoK6WcMoEiKhA9hnmB1Ekko8oy:CxNoufFKk9T2c0H+/ejofQxCszEfAy |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2876 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3024 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2816 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Company: cAnNoN Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
2924 | "C:\Windows\System32\svchost.exe" | C:\Windows\System32\svchost.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3484 | /c del "C:\Users\Public\vbc.exe" | C:\Windows\System32\cmd.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3984 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | svchost.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9197.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2816 | vbc.exe | C:\Users\admin\AppData\Local\Temp\~DF143D78B4BAE1CBEB.TMP | — | |
MD5:— | SHA256:— | |||
2924 | svchost.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\IMG_ORDER_NEW_7647_.xlsx.lnk | lnk | |
MD5:406935924315B05D6C18B15A3AA9C7EB | SHA256:62A6D725A5381A4FEAEBBE35F116AB4FB52D7CB8E873CCD2A7D51D667FFB48F6 | |||
2876 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\IMG_ORDER_NEW_7647_.xlsx.LNK | lnk | |
MD5:2863172C12BF69E117061C2FEB3116D7 | SHA256:50E4D4723F8215C49DA807A86B778855B7E54260E48CFF739432C55C534FFDEF | |||
2876 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:AFFD94D2785DA7C2CD2E920093E40F77 | SHA256:A362E85B34C6D1CE02AB95D61C522963043BD493200F2105044BE95C261996E7 | |||
3024 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:7EEC69EC2E535191C236E90FD7BCA3EE | SHA256:2945C35013A3D76E616DA628E9D8C7F1F551E28CACD8AFBD471316265DC0443B | |||
3984 | Firefox.exe | C:\Users\admin\AppData\Roaming\N05-24-S\N05logrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:436541A65EE423C3E132091E9D9B06FA | SHA256:2719B87636D5B566BADC3EC4885FA331DA8DF3C9EA005515400429F569E47FC9 | |||
3024 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\vbc[1].exe | executable | |
MD5:7EEC69EC2E535191C236E90FD7BCA3EE | SHA256:2945C35013A3D76E616DA628E9D8C7F1F551E28CACD8AFBD471316265DC0443B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 301 | 217.160.0.160:80 | http://www.libertyfallen.site/j01/?otJHZlY=AL0CkUwz6NK+2YVCnyC4od7xS/t1Z41i3c4vsXS+lnaDa4Wiw+nPJV9LyI+dyeBwoimfKA==&Mv18=cBUdRzC8V6Ut-P | DE | — | — | malicious |
3024 | EQNEDT32.EXE | GET | 200 | 23.249.161.100:80 | http://23.249.161.100/jhn/vbc.exe | US | executable | 548 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3024 | EQNEDT32.EXE | 23.249.161.100:80 | — | ColoCrossing | US | malicious |
116 | explorer.exe | 217.160.0.160:80 | www.libertyfallen.site | 1&1 Internet SE | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.libertyfallen.site |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3024 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3024 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3024 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3024 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3024 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3024 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |