File name: | 4550358074.xlsx |
Full analysis: | https://app.any.run/tasks/8e49bf78-a044-41f8-b2b1-78012ede89f5 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | May 20, 2022, 20:18:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 5087229AA443812B4A6982516AAC8DD6 |
SHA1: | 43FB51A19D694886607ADFE41A3C5F7A6CC41AD0 |
SHA256: | F6863356A62890163BB85742BD591EBAF28F079B3E62913BD9659B90830FD9D3 |
SSDEEP: | 6144:RGbIVrje95/BmTTczIDDQda3BnnfupvuRzN7SO4Xvair:RDjCp6YzgcenGopN7yXF |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2604 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
3772 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 Modules
| |||||||||||||||
3500 | C:\Users\Public\vbc.exe | C:\Users\Public\vbc.exe | EQNEDT32.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2508 | C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe C:\Users\admin\AppData\Local\Temp\dgfoei | C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe | — | vbc.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2032 | C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe C:\Users\admin\AppData\Local\Temp\dgfoei | C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe | — | nfueyjoofx.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2840 | "C:\Windows\System32\services.exe" | C:\Windows\System32\services.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Services and Controller app Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1376 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | ./; |
Value: 2E2F3B002C0A0000010000000000000000000000 | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2604) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
2604 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRCF2E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3772 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:523E3A307421539D0D7288098359A3E1 | SHA256:DE2CBF081557F75987C719476B820B152632DF1A1EE2480941227635EFFE5317 | |||
3772 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\pppp[1].exe | executable | |
MD5:523E3A307421539D0D7288098359A3E1 | SHA256:DE2CBF081557F75987C719476B820B152632DF1A1EE2480941227635EFFE5317 | |||
3500 | vbc.exe | C:\Users\admin\AppData\Local\Temp\dgfoei | binary | |
MD5:2C8EEEA9DCD42D1C40BFA474BCF327BC | SHA256:63E0A6A2745A4EC90BA186A13484B21B38DF1F5EE94AFD2BB37627635A85D1E5 | |||
3500 | vbc.exe | C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe | executable | |
MD5:DD37FC9C466CFCCC07C4FD447BFE0FD8 | SHA256:CDCDD14F503EB70BF94ABCAA28AAD2D84C28FC4E111EF9E7CB3B69B6A4F62CE5 | |||
3500 | vbc.exe | C:\Users\admin\AppData\Local\Temp\i1452n33fa | binary | |
MD5:9A304D96D42FBC0E048ECA9664058C4F | SHA256:6E5774EF00D3436CE85465A1D01247978FB1382CB2CA472753B8300A9A539A07 | |||
3500 | vbc.exe | C:\Users\admin\AppData\Local\Temp\nsmD6A1.tmp | binary | |
MD5:B484372ABDDB8E532098ABE4C9B718B9 | SHA256:8C03C4605BF1009374B0BD83825C9A1A8599C091D4DA293D38D4C15C4AF669BE | |||
2604 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0F6EC0D.emf | emf | |
MD5:894A796F9211E1080192AC72B6D54A9D | SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A | |||
2604 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\21A7C53C.emf | emf | |
MD5:8E3A74F7AA420B02D34C69E625969C0A | SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1376 | Explorer.EXE | GET | 301 | 108.167.140.178:80 | http://www.43mediahub.com/tgdh/?vRpxV=jPSZdofIrBG15VDEEOzyXbtkwf2ivlRf+sFgf6BbAOHQn0hFnvjxCN10cFBRMovYdpT+mg==&5j=W4NhrnChIPJhlxeP | US | — | — | malicious |
1376 | Explorer.EXE | GET | — | 104.223.211.55:80 | http://www.socialmediacowgirl.com/tgdh/?vRpxV=+rVQ4iMqt7Xe86yKJhUGKtl3Unozp9KKlvFxKVM6MbmOjpccAh096VsuH7DOzfBAPcKyGg==&5j=W4NhrnChIPJhlxeP | US | — | — | malicious |
1376 | Explorer.EXE | GET | — | 91.189.114.8:80 | http://www.gavrishev.com/tgdh/?vRpxV=44UUxfumUOvjBqHlsrEiM9tSf94dP8lgTNccNx4xYfFpqzBGReyJHyXqyG/djNUc/5TDvg==&5j=W4NhrnChIPJhlxeP | RU | — | — | malicious |
3772 | EQNEDT32.EXE | GET | 200 | 107.172.76.143:80 | http://107.172.76.143/abc/pppp.exe | US | executable | 194 Kb | suspicious |
1376 | Explorer.EXE | GET | 200 | 199.59.243.200:80 | http://www.nicheperfumeonline.com/tgdh/?vRpxV=4hV+to6ZBrIRw5Ri89w5uuyOqPRJe6+zGGCALeVI85dDpAR3gbnMPvUxMNfDmepPXVpWsg==&5j=W4NhrnChIPJhlxeP | US | html | 1.43 Kb | malicious |
1376 | Explorer.EXE | GET | 301 | 108.167.140.178:80 | http://www.43mediahub.com/tgdh/?vRpxV=jPSZdofIrBG15VDEEOzyXbtkwf2ivlRf+sFgf6BbAOHQn0hFnvjxCN10cFBRMovYdpT+mg==&cx4=vTEDV4KXeR7p | US | — | — | malicious |
1376 | Explorer.EXE | GET | 301 | 172.67.150.30:80 | http://www.desasuli.com/tgdh/?vRpxV=68RpmOkHv7uhAsIY1sBzGqnRYjL6aD7AyQIKboRgiHNpYMXwQdCyrw+1KwZ6lrcb3/P7Kw==&5j=W4NhrnChIPJhlxeP | US | — | — | malicious |
1376 | Explorer.EXE | GET | 301 | 45.126.182.163:80 | http://www.uhfkt.xyz/tgdh/?vRpxV=gZsPL74qy8OSzNpxbQbNLQkdQWzxjWV9z4YIE4EPwHu5fHt9bKS6kJwtbDGNKC1i/jB7mA==&5j=W4NhrnChIPJhlxeP | HK | html | 178 b | malicious |
1376 | Explorer.EXE | GET | 302 | 93.179.125.22:80 | http://www.qw8932.com/tgdh/?vRpxV=qCV3iQ0ueCToWtUI4EnPsvCf0UQaQuK51EGTEDWEFSV6jG3FPv9fiuc98DjnhAClGNAqNw==&5j=W4NhrnChIPJhlxeP | RU | html | 145 b | malicious |
1376 | Explorer.EXE | GET | 301 | 35.234.94.17:80 | http://www.stillmilkymerch.com/tgdh/?vRpxV=Q9GxysnPPPuw8URpOurY0859FvCi+wseROY+TVt0drM2x4amPt0EleBSOcV/csvJbWSmqQ==&5j=W4NhrnChIPJhlxeP | US | text | 52 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1376 | Explorer.EXE | 199.59.243.200:80 | www.nicheperfumeonline.com | — | US | malicious |
1376 | Explorer.EXE | 108.167.140.178:80 | www.43mediahub.com | CyrusOne LLC | US | malicious |
3772 | EQNEDT32.EXE | 107.172.76.143:80 | — | ColoCrossing | US | suspicious |
1376 | Explorer.EXE | 104.21.27.132:80 | www.pinup-casinolar.com | Cloudflare Inc | US | malicious |
1376 | Explorer.EXE | 104.223.211.55:80 | www.socialmediacowgirl.com | Global Frag Networks | US | malicious |
1376 | Explorer.EXE | 93.179.125.22:80 | www.qw8932.com | — | RU | malicious |
1376 | Explorer.EXE | 91.189.114.8:80 | www.gavrishev.com | Hosting Center LLC | RU | malicious |
1376 | Explorer.EXE | 45.126.182.163:80 | www.uhfkt.xyz | Dimension Network & Communication Limited | HK | malicious |
1376 | Explorer.EXE | 34.102.136.180:80 | www.mahetsijewels.com | — | US | whitelisted |
1376 | Explorer.EXE | 170.178.187.5:80 | www.51jrw.com | Sharktech | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.43mediahub.com |
| malicious |
www.nicheperfumeonline.com |
| malicious |
www.pinup-casinolar.com |
| malicious |
www.qw8932.com |
| malicious |
www.asklmhob.club |
| unknown |
www.socialmediacowgirl.com |
| malicious |
www.gavrishev.com |
| malicious |
www.uhfkt.xyz |
| malicious |
www.51jrw.com |
| malicious |
www.desasuli.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3772 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3772 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3772 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3772 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3772 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1376 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1376 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1376 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1376 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1376 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |