analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

INVOICE OF PAYMENT.xlsx

Full analysis: https://app.any.run/tasks/eddb0a5f-6e59-412d-bbd9-3d77277104f6
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: May 20, 2022, 19:56:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
trojan
opendir
exploit
CVE-2017-11882
loader
formbook
stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

4AED8D2A71C1585584991748A730FFDD

SHA1:

46B0BB540EA6AE963286CF70D2DA73CEB84BF1D7

SHA256:

F4159825F4DB2E144AE356E67C360949C6ABD85B910726425DDF68CBAE1D72B3

SSDEEP:

3072:Ly0siJsnDTBPzpmbnPpFpVX26lBUbiPCF/IL/osy65KckTM1A2KJ//NahzVLzS:PsnD9PzpmbxFpE6jJUwpK+e13N8pLG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3284)

    • Drops executable file immediately after starts

      • vbc.exe (PID: 2160)
      • EQNEDT32.EXE (PID: 3284)

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2160)
      • vbc.exe (PID: 1640)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3572)

    • Uses Task Scheduler to run other applications

      • vbc.exe (PID: 2160)

    • FORMBOOK detected by memory dumps

      • dwm.exe (PID: 4060)

    • FORMBOOK was detected

      • Explorer.EXE (PID: 1080)

    • Connects to CnC server

      • Explorer.EXE (PID: 1080)

  • SUSPICIOUS

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3284)
      • vbc.exe (PID: 2160)
      • vbc.exe (PID: 1640)

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3284)
      • vbc.exe (PID: 2160)
      • vbc.exe (PID: 1640)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3284)
      • vbc.exe (PID: 2160)

    • Executed via COM

      • EQNEDT32.EXE (PID: 3284)

    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3284)
      • vbc.exe (PID: 2160)

    • Creates files in the user directory

      • vbc.exe (PID: 2160)

    • Application launched itself

      • vbc.exe (PID: 2160)

    • Reads Environment values

      • dwm.exe (PID: 4060)

  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2848)
      • schtasks.exe (PID: 3572)
      • dwm.exe (PID: 4060)

    • Reads the computer name

      • EXCEL.EXE (PID: 2848)
      • schtasks.exe (PID: 3572)
      • dwm.exe (PID: 4060)

    • Starts Microsoft Office Application

      • Explorer.EXE (PID: 1080)

    • Manual execution by user

      • dwm.exe (PID: 4060)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe vbc.exe schtasks.exe no specs vbc.exe no specs #FORMBOOK dwm.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2848"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3284"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2160"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
TFlow
Exit code:
0
Version:
2.3.0.0
Modules
Images
c:\users\public\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3572"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CXOsgJb" /XML "C:\Users\admin\AppData\Local\Temp\tmp85A.tmp"C:\Windows\System32\schtasks.exevbc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1640"C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TFlow
Exit code:
0
Version:
2.3.0.0
Modules
Images
c:\users\public\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
4060"C:\Windows\System32\dwm.exe"C:\Windows\System32\dwm.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
1080C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
2 199
Read events
2 106
Write events
82
Delete events
11

Modification events

(PID) Process:(1080) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000B91A5CFE21651644B5C160471AAA3AD90000000002000000000010660000000100002000000071978CB7E4013186E1C348F785B8B7BAA1A00A16CBA6302DAF500FCC4FF674D6000000000E80000000020000200000003B133CFC8F44D1DEB47BFD864210515C27D41853C7F0527453B5E6FEB9F1BEE5300000000C9733B68D8CEC8D8A89BD1EEAB919A92078B3AF61BAE787F860DD2B916EB2CE97C7727DCB88416623803C534FDD16E440000000FE457DB17683F50FA0DB328058AB9D1A5D2B196954D7D47BA1338C5ACEE52BF1A50D8E9D939B08ECBBF26F8F51E9E1C51FFB4DADFF540830F07B8A77CB35A6CB
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:zs;
Value:
7A733B00200B0000010000000000000000000000
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2848) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
Executable files
3
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2848EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4F5A.tmp.cvr
MD5:
SHA256:
2160vbc.exeC:\Users\admin\AppData\Roaming\CXOsgJb.exeexecutable
MD5:B3A25F8FA62494CA8B99B28C4B4BB9B7
SHA256:E793DAC4E4C4C8553C02CBE177B1DE4759BF777D150ECA151C53E9C58F6B23D3
3284EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:B3A25F8FA62494CA8B99B28C4B4BB9B7
SHA256:E793DAC4E4C4C8553C02CBE177B1DE4759BF777D150ECA151C53E9C58F6B23D3
2160vbc.exeC:\Users\admin\AppData\Local\Temp\tmp85A.tmpxml
MD5:6ED0AFD3946A159E98A79A9A63E21FF0
SHA256:670D5E6A901C8BA253B36A84A5E39D616EDC9617AF7D30590D2828A7DB7E727B
2848EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77E9B80B.emfemf
MD5:894A796F9211E1080192AC72B6D54A9D
SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3284EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\vbc[1].exeexecutable
MD5:B3A25F8FA62494CA8B99B28C4B4BB9B7
SHA256:E793DAC4E4C4C8553C02CBE177B1DE4759BF777D150ECA151C53E9C58F6B23D3
2848EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92DE0FB2.emfemf
MD5:8E3A74F7AA420B02D34C69E625969C0A
SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
7
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1080
Explorer.EXE
GET
198.54.117.215:80
http://www.duniacuan.online/n6g4/?Ul9L_=H+B+k+qiGMMG4FOx+jp/ozBWPUXFvqdW8k3ooRnseHQkdgyscNG4g4LgJodfOBvpqNfyGQ==&5j=zl3D
US
malicious
3284
EQNEDT32.EXE
GET
200
192.210.240.45:80
http://192.210.240.45/700/vbc.exe
US
executable
648 Kb
malicious
1080
Explorer.EXE
GET
302
64.190.63.111:80
http://www.plentyhearty.com/n6g4/?Ul9L_=1h7R1arRz3E4gdW1XBwvnn1v8eav0kfRFFnMvagqBjAJ+ZAKeNeFVzORKknqGRAQXs0xug==&5j=zl3D
US
malicious
1080
Explorer.EXE
GET
403
34.102.136.180:80
http://www.cliffpassphotographyllc.com/n6g4/?Ul9L_=RmKugVRP3DLdlbmOkqENJP8vqqTPjhikGwoqkD2t4Fv9KQzc/VBT6S/fqc4wjql3xXkRcA==&5j=zl3D
US
html
291 b
malicious
1080
Explorer.EXE
GET
403
185.53.179.171:80
http://www.employeebnsf.com/n6g4/?Ul9L_=/8Ga1vKGW5MV/13rB/c9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8G59FtakXMZzjYgQ==&5j=zl3D
DE
html
146 b
malicious
1080
Explorer.EXE
GET
403
34.102.136.180:80
http://www.luxurybathshowers.com/n6g4/?Ul9L_=wNT20nlCD+z1zl9ZjWVvlajHS1qEluo7RFpjBdU4pvAsmgfvk7OHprW1dCu0p5f0sWsQfw==&5j=zl3D
US
html
291 b
malicious
1080
Explorer.EXE
GET
301
52.222.236.87:80
http://www.o-taguro.com/n6g4/?Ul9L_=uuG58PPwf9dwWu3rI3FUVGJ5XjmQTEmzvQuy5/6xJ84IguGgWMhlXvrQaldP9h3flxPK/A==&5j=zl3D
US
html
183 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
Explorer.EXE
34.102.136.180:80
www.cliffpassphotographyllc.com
US
whitelisted
3284
EQNEDT32.EXE
192.210.240.45:80
ColoCrossing
US
malicious
1080
Explorer.EXE
185.53.179.171:80
www.employeebnsf.com
Team Internet AG
DE
malicious
1080
Explorer.EXE
198.54.117.215:80
www.duniacuan.online
Namecheap, Inc.
US
malicious
1080
Explorer.EXE
64.190.63.111:80
www.plentyhearty.com
US
malicious
1080
Explorer.EXE
52.222.236.87:80
www.o-taguro.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.plentyhearty.com
  • 64.190.63.111
malicious
www.cliffpassphotographyllc.com
  • 34.102.136.180
malicious
www.o-taguro.com
  • 52.222.236.87
  • 52.222.236.110
  • 52.222.236.101
  • 52.222.236.3
malicious
www.duniacuan.online
  • 198.54.117.215
  • 198.54.117.216
  • 198.54.117.217
  • 198.54.117.210
  • 198.54.117.211
  • 198.54.117.212
  • 198.54.117.218
malicious
www.luxurybathshowers.com
  • 34.102.136.180
malicious
www.employeebnsf.com
  • 185.53.179.171
malicious
www.linymar.xyz
unknown
www.jumpn-giveaway.online
malicious
www.admincost.com
unknown

Threats

PID
Process
Class
Message
3284
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3284
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN MSIL/GenKryptik.FQRH Download Request
3284
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3284
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3284
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3284
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3284
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1080
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1080
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1080
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
INVOICE OF PAYMENT.xlsx