File name: 4550358074.xlsx
Full analysis: https://app.any.run/tasks/8e49bf78-a044-41f8-b2b1-78012ede89f5
Verdict: Malicious activity
Threats:
FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.

Analysis date: May 20, 2022, 20:18:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: encrypted, opendir, exploit, CVE-2017-11882, loader, formbook, trojan, stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5: 5087229AA443812B4A6982516AAC8DD6
SHA1: 43FB51A19D694886607ADFE41A3C5F7A6CC41AD0
SHA256: F6863356A62890163BB85742BD591EBAF28F079B3E62913BD9659B90830FD9D3
SSDEEP: 6144:RGbIVrje95/BmTTczIDDQda3BnnfupvuRzN7SO4Xvair:RDjCp6YzgcenGopN7yXF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 3772)
      • vbc.exe (PID: 3500)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3772)
    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 3500)
      • nfueyjoofx.exe (PID: 2508)
      • nfueyjoofx.exe (PID: 2032)
    • FORMBOOK detected by memory dumps

      • services.exe (PID: 2840)
    • Connects to CnC server

      • Explorer.EXE (PID: 1376)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 1376)
  • SUSPICIOUS

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3772)
      • vbc.exe (PID: 3500)
      • nfueyjoofx.exe (PID: 2032)
    • Checks supported languages

      • EQNEDT32.EXE (PID: 3772)
      • vbc.exe (PID: 3500)
      • nfueyjoofx.exe (PID: 2508)
      • nfueyjoofx.exe (PID: 2032)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3772)
    • Executable content was dropped or overwritten

      • vbc.exe (PID: 3500)
      • EQNEDT32.EXE (PID: 3772)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3772)
      • vbc.exe (PID: 3500)
    • Application launched itself

      • nfueyjoofx.exe (PID: 2508)
    • Reads Environment values

      • services.exe (PID: 2840)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2604)
      • services.exe (PID: 2840)
    • Reads the computer name

      • EXCEL.EXE (PID: 2604)
      • services.exe (PID: 2840)
    • Starts Microsoft Office Application

      • Explorer.EXE (PID: 1376)
    • Manual execution by user

      • services.exe (PID: 2840)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2604)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph (labels recovered from the graph image; edges are labelled "start" and "drop and start"): excel.exe, eqnedt32.exe, vbc.exe, nfueyjoofx.exe, nfueyjoofx.exe, services.exe (#FORMBOOK), explorer.exe (#FORMBOOK)

Process information

PID: 2604
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000
Modules (Images):
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3772
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Modules (Images):
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3500
CMD: C:\Users\Public\vbc.exe
Path: C:\Users\Public\vbc.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\public\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2508
CMD: C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe C:\Users\admin\AppData\Local\Temp\dgfoei
Path: C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe
Parent process: vbc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\nfueyjoofx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
PID: 2032
CMD: C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe C:\Users\admin\AppData\Local\Temp\dgfoei
Path: C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe
Parent process: nfueyjoofx.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\nfueyjoofx.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2840
CMD: "C:\Windows\System32\services.exe"
Path: C:\Windows\System32\services.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Services and Controller app
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
PID: 1376
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 882
Read events: 1 789
Write events: 81
Delete events: 12

Modification events

(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: write | Name: ./; | Value: 2E2F3B002C0A0000010000000000000000000000
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1033 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1041 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1046 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1036 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1031 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1040 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1049 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 3082 | Value: Off
(PID) Process: (2604) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1042 | Value: Off
Executable files: 3
Suspicious files: 3
Text files: 0
Unknown types: 2

Dropped files

PID: 2604 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRCF2E.tmp.cvr
MD5:
SHA256:
PID: 3772 | Process: EQNEDT32.EXE | Type: executable
Filename: C:\Users\Public\vbc.exe
MD5: 523E3A307421539D0D7288098359A3E1
SHA256: DE2CBF081557F75987C719476B820B152632DF1A1EE2480941227635EFFE5317
PID: 3772 | Process: EQNEDT32.EXE | Type: executable
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\pppp[1].exe
MD5: 523E3A307421539D0D7288098359A3E1
SHA256: DE2CBF081557F75987C719476B820B152632DF1A1EE2480941227635EFFE5317
PID: 3500 | Process: vbc.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\dgfoei
MD5: 2C8EEEA9DCD42D1C40BFA474BCF327BC
SHA256: 63E0A6A2745A4EC90BA186A13484B21B38DF1F5EE94AFD2BB37627635A85D1E5
PID: 3500 | Process: vbc.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe
MD5: DD37FC9C466CFCCC07C4FD447BFE0FD8
SHA256: CDCDD14F503EB70BF94ABCAA28AAD2D84C28FC4E111EF9E7CB3B69B6A4F62CE5
PID: 3500 | Process: vbc.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\i1452n33fa
MD5: 9A304D96D42FBC0E048ECA9664058C4F
SHA256: 6E5774EF00D3436CE85465A1D01247978FB1382CB2CA472753B8300A9A539A07
PID: 3500 | Process: vbc.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\nsmD6A1.tmp
MD5: B484372ABDDB8E532098ABE4C9B718B9
SHA256: 8C03C4605BF1009374B0BD83825C9A1A8599C091D4DA293D38D4C15C4AF669BE
PID: 2604 | Process: EXCEL.EXE | Type: emf
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0F6EC0D.emf
MD5: 894A796F9211E1080192AC72B6D54A9D
SHA256: 8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
PID: 2604 | Process: EXCEL.EXE | Type: emf
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\21A7C53C.emf
MD5: 8E3A74F7AA420B02D34C69E625969C0A
SHA256: 0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 15
DNS requests: 15
Threats: 0

HTTP requests

PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 301 | IP: 108.167.140.178:80 | CN: US | Reputation: malicious
URL: http://www.43mediahub.com/tgdh/?vRpxV=jPSZdofIrBG15VDEEOzyXbtkwf2ivlRf+sFgf6BbAOHQn0hFnvjxCN10cFBRMovYdpT+mg==&5j=W4NhrnChIPJhlxeP
PID: 1376 | Process: Explorer.EXE | Method: GET | IP: 104.223.211.55:80 | CN: US | Reputation: malicious
URL: http://www.socialmediacowgirl.com/tgdh/?vRpxV=+rVQ4iMqt7Xe86yKJhUGKtl3Unozp9KKlvFxKVM6MbmOjpccAh096VsuH7DOzfBAPcKyGg==&5j=W4NhrnChIPJhlxeP
PID: 1376 | Process: Explorer.EXE | Method: GET | IP: 91.189.114.8:80 | CN: RU | Reputation: malicious
URL: http://www.gavrishev.com/tgdh/?vRpxV=44UUxfumUOvjBqHlsrEiM9tSf94dP8lgTNccNx4xYfFpqzBGReyJHyXqyG/djNUc/5TDvg==&5j=W4NhrnChIPJhlxeP
PID: 3772 | Process: EQNEDT32.EXE | Method: GET | HTTP Code: 200 | IP: 107.172.76.143:80 | CN: US | Type: executable | Size: 194 Kb | Reputation: suspicious
URL: http://107.172.76.143/abc/pppp.exe
PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 200 | IP: 199.59.243.200:80 | CN: US | Type: html | Size: 1.43 Kb | Reputation: malicious
URL: http://www.nicheperfumeonline.com/tgdh/?vRpxV=4hV+to6ZBrIRw5Ri89w5uuyOqPRJe6+zGGCALeVI85dDpAR3gbnMPvUxMNfDmepPXVpWsg==&5j=W4NhrnChIPJhlxeP
PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 301 | IP: 108.167.140.178:80 | CN: US | Reputation: malicious
URL: http://www.43mediahub.com/tgdh/?vRpxV=jPSZdofIrBG15VDEEOzyXbtkwf2ivlRf+sFgf6BbAOHQn0hFnvjxCN10cFBRMovYdpT+mg==&cx4=vTEDV4KXeR7p
PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 301 | IP: 172.67.150.30:80 | CN: US | Reputation: malicious
URL: http://www.desasuli.com/tgdh/?vRpxV=68RpmOkHv7uhAsIY1sBzGqnRYjL6aD7AyQIKboRgiHNpYMXwQdCyrw+1KwZ6lrcb3/P7Kw==&5j=W4NhrnChIPJhlxeP
PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 301 | IP: 45.126.182.163:80 | CN: HK | Type: html | Size: 178 b | Reputation: malicious
URL: http://www.uhfkt.xyz/tgdh/?vRpxV=gZsPL74qy8OSzNpxbQbNLQkdQWzxjWV9z4YIE4EPwHu5fHt9bKS6kJwtbDGNKC1i/jB7mA==&5j=W4NhrnChIPJhlxeP
PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 302 | IP: 93.179.125.22:80 | CN: RU | Type: html | Size: 145 b | Reputation: malicious
URL: http://www.qw8932.com/tgdh/?vRpxV=qCV3iQ0ueCToWtUI4EnPsvCf0UQaQuK51EGTEDWEFSV6jG3FPv9fiuc98DjnhAClGNAqNw==&5j=W4NhrnChIPJhlxeP
PID: 1376 | Process: Explorer.EXE | Method: GET | HTTP Code: 301 | IP: 35.234.94.17:80 | CN: US | Type: text | Size: 52 b | Reputation: malicious
URL: http://www.stillmilkymerch.com/tgdh/?vRpxV=Q9GxysnPPPuw8URpOurY0859FvCi+wseROY+TVt0drM2x4amPt0EleBSOcV/csvJbWSmqQ==&5j=W4NhrnChIPJhlxeP

Connections

PID: 1376 | Process: Explorer.EXE | IP: 199.59.243.200:80 | Domain: www.nicheperfumeonline.com | CN: US | Reputation: malicious
PID: 1376 | Process: Explorer.EXE | IP: 108.167.140.178:80 | Domain: www.43mediahub.com | ASN: CyrusOne LLC | CN: US | Reputation: malicious
PID: 3772 | Process: EQNEDT32.EXE | IP: 107.172.76.143:80 | ASN: ColoCrossing | CN: US | Reputation: suspicious
PID: 1376 | Process: Explorer.EXE | IP: 104.21.27.132:80 | Domain: www.pinup-casinolar.com | ASN: Cloudflare Inc | CN: US | Reputation: malicious
PID: 1376 | Process: Explorer.EXE | IP: 104.223.211.55:80 | Domain: www.socialmediacowgirl.com | ASN: Global Frag Networks | CN: US | Reputation: malicious
PID: 1376 | Process: Explorer.EXE | IP: 93.179.125.22:80 | Domain: www.qw8932.com | CN: RU | Reputation: malicious
PID: 1376 | Process: Explorer.EXE | IP: 91.189.114.8:80 | Domain: www.gavrishev.com | ASN: Hosting Center LLC | CN: RU | Reputation: malicious
PID: 1376 | Process: Explorer.EXE | IP: 45.126.182.163:80 | Domain: www.uhfkt.xyz | ASN: Dimension Network & Communication Limited | CN: HK | Reputation: malicious
PID: 1376 | Process: Explorer.EXE | IP: 34.102.136.180:80 | Domain: www.mahetsijewels.com | CN: US | Reputation: whitelisted
PID: 1376 | Process: Explorer.EXE | IP: 170.178.187.5:80 | Domain: www.51jrw.com | ASN: Sharktech | CN: US | Reputation: malicious

DNS requests

Domain
IP
Reputation
www.43mediahub.com
  • 108.167.140.178
malicious
www.nicheperfumeonline.com
  • 199.59.243.200
malicious
www.pinup-casinolar.com
  • 104.21.27.132
  • 172.67.142.158
malicious
www.qw8932.com
  • 93.179.125.22
malicious
www.asklmhob.club
unknown
www.socialmediacowgirl.com
  • 104.223.211.55
malicious
www.gavrishev.com
  • 91.189.114.8
malicious
www.uhfkt.xyz
  • 45.126.182.163
  • 67.211.66.229
malicious
www.51jrw.com
  • 170.178.187.5
malicious
www.desasuli.com
  • 172.67.150.30
  • 104.21.96.8
malicious

Threats

PID: 3772 | Process: EQNEDT32.EXE | Class: A Network Trojan was detected | Message: ET INFO Executable Download from dotted-quad Host
PID: 3772 | Process: EQNEDT32.EXE | Class: A Network Trojan was detected | Message: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
PID: 3772 | Process: EQNEDT32.EXE | Class: Potential Corporate Privacy Violation | Message: ET POLICY PE EXE or DLL Windows file download HTTP
PID: 3772 | Process: EQNEDT32.EXE | Class: A Network Trojan was detected | Message: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
PID: 3772 | Process: EQNEDT32.EXE | Class: Potentially Bad Traffic | Message: ET INFO SUSPICIOUS Dotted Quad Host MZ Response
PID: 1376 | Process: Explorer.EXE | Class: Generic Protocol Command Decode | Message: SURICATA HTTP Unexpected Request body
PID: 1376 | Process: Explorer.EXE | Class: A Network Trojan was detected | Message: ET TROJAN FormBook CnC Checkin (GET)
PID: 1376 | Process: Explorer.EXE | Class: A Network Trojan was detected | Message: ET TROJAN FormBook CnC Checkin (GET)
PID: 1376 | Process: Explorer.EXE | Class: A Network Trojan was detected | Message: ET TROJAN FormBook CnC Checkin (GET)
PID: 1376 | Process: Explorer.EXE | Class: Generic Protocol Command Decode | Message: SURICATA HTTP Unexpected Request body
No debug info