File name: da650c498da68f0fa5c2d12ed513fd81cb7939c6c16f11a4c924f1ff97a02095

Full analysis: https://app.any.run/tasks/628e8b46-4b8b-4c87-9950-1113606b0a0f
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: April 24, 2019, 22:08:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, trojan, formbook, stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 0B5D3DDDCFFE87427815545683D28BD2
SHA1: 7E3D7C34E6ADAEE70A99A381912208BDA1B3484A
SHA256: DA650C498DA68F0FA5C2D12ED513FD81CB7939C6C16F11A4C924F1FF97A02095
SSDEEP: 24576:jakyUbuCyde71rrHWuzuP0n+q2nAo/W68Mn1TQFHQvKPXwgkqhLS8EiZsQK0n1:9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 356)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 356)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 356)
    • Runs app for hidden code execution
      • cmd.exe (PID: 1716)
      • cmd.exe (PID: 2452)
    • Application was dropped or rewritten from another process
      • mondi.exe (PID: 2112)
      • gdidzohrzi.exe (PID: 1892)
    • Changes the autorun value in the registry
      • wininit.exe (PID: 1276)
    • FORMBOOK was detected
      • explorer.exe (PID: 116)
    • Formbook was detected
      • wininit.exe (PID: 1276)
      • Firefox.exe (PID: 1208)
    • Connects to CnC server
      • explorer.exe (PID: 116)
    • Actions looks like stealing of personal data
      • wininit.exe (PID: 1276)
    • Stealing of credential data
      • wininit.exe (PID: 1276)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 1716)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 680)
      • wininit.exe (PID: 1276)
    • Application launched itself
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 680)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 764)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 680)
      • cmd.exe (PID: 2752)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 4012)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 680)
    • Creates files in the user directory
      • wininit.exe (PID: 1276)
    • Creates files in the program directory
      • DllHost.exe (PID: 3848)
    • Loads DLL from Mozilla Firefox
      • wininit.exe (PID: 1276)
    • Executable content was dropped or overwritten
      • explorer.exe (PID: 116)
      • DllHost.exe (PID: 3848)
  • INFO
    • Starts Microsoft Office Application
      • explorer.exe (PID: 116)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 356)
      • Firefox.exe (PID: 1208)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 356)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
Total processes: 69
Monitored processes: 35
Malicious processes: 10
Suspicious processes: 1

Behavior graph

Process nodes, in the order listed in the report: start; drop and start; winword.exe; cmd.exe no specs; cmd.exe no specs; cmd.exe no specs; cmd.exe no specs; timeout.exe no specs; cmd.exe no specs; mondi.exe no specs; taskkill.exe no specs; eqnedt32.exe no specs; reg.exe no specs; #FORMBOOK wininit.exe; cmd.exe no specs; reg.exe no specs; reg.exe no specs; cmd.exe no specs; reg.exe no specs; reg.exe no specs; cmd.exe no specs; reg.exe no specs; reg.exe no specs; cmd.exe no specs; reg.exe no specs; reg.exe no specs; cmd.exe no specs; reg.exe no specs; reg.exe no specs; cmd.exe no specs; reg.exe no specs; cmd.exe no specs; #FORMBOOK explorer.exe; #FORMBOOK firefox.exe no specs; Copy/Move/Rename/Delete/Link Object; gdidzohrzi.exe no specs; help.exe no specs

Process information

PID: 356
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\da650c498da68f0fa5c2d12ed513fd81cb7939c6c16f11a4c924f1ff97a02095.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 1
Version: 14.0.6024.1000

PID: 1716
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3572
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 680
CMD: C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\hondi.cmd
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2452
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3400
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1704
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2112
CMD: C:\Users\admin\AppData\Local\Temp\mondi.eXe
Path: C:\Users\admin\AppData\Local\Temp\mondi.exe
Parent process: cmd.exe
User: admin
Company: saMsUNG
Integrity Level: MEDIUM
Description: TEsT9
Exit code: 0
Version: 1.00

PID: 3312
CMD: TASKKILL /F /IM winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2412
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Version: 00110900
Total events: 705
Read events: 681
Write events: 21
Delete events: 3

Modification events

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: ."5
Value: 2E22350064010000010000000000000000000000

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

PID 356, WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1318584350

PID 356, WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1318584464

PID 356, WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1318584465

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 6401000062FA3A57EAFAD40100000000

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: t#5
Value: 742335006401000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: t#5
Value: 742335006401000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

PID 356, WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 3
Suspicious files: 76
Text files: 4
Unknown types: 3

Dropped files

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR722E.tmp.cvr
MD5:
SHA256:

PID 2112, mondi.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD7333185C0E151C6.TMP
MD5:
SHA256:

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3DF3236C-1FD8-4436-96CF-C7078FB63DC8}.tmp
Type: document
MD5: 8D45494BB013885B8CA7F99EA4FB9EB2
SHA256: 5B5AB2E37BF02B4099B8F70AB1BD3671E2931A7C9B650AD41B583F386DE0C38E

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{890C995F-7439-4E1C-A800-491F9B24A7C2}.tmp
Type: binary
MD5: 86545E6955C44CA708B6B651F9AF55D8
SHA256: AE34256167D90DDB8173AE9B9648D8A97CD2D27BB9DD1C75A554C40EDD8A5D79

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\dqfm.cmd
Type: text
MD5: 308D8E82E7ADC9279E411F982E6498EE
SHA256: 94EB53C44C0B67B261BFF82D58E488DE542846AA1E2573BE375221AC68BBB00C

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\hondi.cmd
Type: text
MD5: 54CA3A500C443EABBCE1970B5B43A327
SHA256: 70A48CA2C20EFD4D0B1192C2FA84D2AFF25FD4CC094AEFF3491FFAEB18F53D8C

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\mondi.exe
Type: executable
MD5: 7F6518487EA5B33F23974398EA73153F
SHA256: 1A65A88B2152506F9B70FC01C47E36288752F9C787502BD5172A97F9508BF14B

PID 356, WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\trbatehtqevyay.ScT
Type: xml
MD5: AA71A44BF5DFE09062E37CA88607A62F
SHA256: E942325B1059A2AA7EE8B739EB138500FBB669233F3332FE7A79C339D626225C

PID 1892, gdidzohrzi.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF59BA4A9BEA5C3E2E.TMP
MD5:
SHA256:

PID 3848, DllHost.exe
Filename: C:\Program Files\Xrx40zl\gdidzohrzi.exe
Type: executable
MD5: 7F6518487EA5B33F23974398EA73153F
SHA256: 1A65A88B2152506F9B70FC01C47E36288752F9C787502BD5172A97F9508BF14B
HTTP(S) requests: 32
TCP/UDP connections: 33
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
116 | explorer.exe | GET | | 183.2.168.240:80 | http://www.ilovhealth.com/ma/?Tj=yB8DzvG50WrZ5bro4niN/28fuMvoF9nGbn3WmJ9H3xEqbrM11kTiX5XG2fG/vxwaiwBwNQ==&SXl=clchANDpAPXD&sql=1 | CN | | | malicious
116 | explorer.exe | GET | 301 | 193.24.239.210:80 | http://www.use-case-db.com/ma/?Tj=dp+yriQE5XMm+jdVrLoV5uyEzpybFdjjbIh4BkCL3u4a+SnvKZHyUMb6MGyBij10omFZ3w==&SXl=clchANDpAPXD&sql=1 | DE | | | malicious
116 | explorer.exe | GET | | 154.91.101.68:80 | http://www.huangwandao.com/ma/?Tj=qLHHDa6YqDFPu6/3vmxg7Z5CssNLFL2wneYJGeik6PQFntCLLgSC9Hl/Dq8yiLioPfgmWQ==&SXl=clchANDpAPXD&sql=1 | HK | | | malicious
116 | explorer.exe | POST | | 193.24.239.210:80 | http://www.use-case-db.com/ma/ | DE | | | malicious
116 | explorer.exe | POST | | 183.2.168.240:80 | http://www.ilovhealth.com/ma/ | CN | | | malicious
116 | explorer.exe | POST | | 183.2.168.240:80 | http://www.ilovhealth.com/ma/ | CN | | | malicious
116 | explorer.exe | POST | | 183.2.168.240:80 | http://www.ilovhealth.com/ma/ | CN | | | malicious
116 | explorer.exe | GET | 404 | 172.217.22.51:80 | http://www.afenergie.net/ma/?Tj=Z852dGnQeKTDDDQI3qkg9gNFyt+ndfNKotglJPEGH8JRQAkJlrJG/j7nbKFRO8GKdczMdQ==&SXl=clchANDpAPXD&sql=1 | US | html | 1.63 Kb | malicious
116 | explorer.exe | POST | | 193.24.239.210:80 | http://www.use-case-db.com/ma/ | DE | | | malicious
116 | explorer.exe | POST | | 193.24.239.210:80 | http://www.use-case-db.com/ma/ | DE | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
116 | explorer.exe | 183.2.168.240:80 | www.ilovhealth.com | CHINANET Guangdong province network | CN | malicious
116 | explorer.exe | 193.24.239.210:80 | www.use-case-db.com | Insoft EDV-Systeme und Handelsgesellschaft mbH | DE | malicious
116 | explorer.exe | 185.120.7.1:80 | www.designbaz.com | Host | GB | malicious
116 | explorer.exe | 172.217.22.51:80 | www.afenergie.net | Google Inc. | US | whitelisted
| | 172.217.22.51:80 | www.afenergie.net | Google Inc. | US | whitelisted
116 | explorer.exe | 199.192.23.212:80 | www.smaleg.com | | US | malicious
116 | explorer.exe | 154.91.101.68:80 | www.huangwandao.com | IPTP LTD | HK | malicious
116 | explorer.exe | 217.160.0.177:80 | www.bondsgroup.limited | 1&1 Internet SE | DE | malicious
116 | explorer.exe | 184.168.131.241:80 | www.ebet.life | GoDaddy.com, LLC | US | shared
116 | explorer.exe | 109.199.127.55:80 | www.onlinenews.media | SingleHop, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
www.designbaz.com | 185.120.7.1 | suspicious
www.ecotour-africa.com | | unknown
www.ilovhealth.com | 183.2.168.240 | malicious
www.use-case-db.com | 193.24.239.210 | malicious
www.afenergie.net | 172.217.22.51 | malicious
www.huangwandao.com | 154.91.101.68 | malicious
www.smaleg.com | 199.192.23.212 | malicious
www.bondsgroup.limited | 217.160.0.177 | malicious
www.onlinenews.media | 109.199.127.55 | malicious
www.ebet.life | 184.168.131.241, 95.179.179.195 | malicious

Threats

PID | Process | Class | Message
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
25 ETPRO signatures available at the full report
No debug info