File name: | DHL Original Document01082019.xlsx |
Full analysis: | https://app.any.run/tasks/9e807eb1-4ddb-4a1c-9a9c-9aff93d6bb78 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | January 10, 2019, 16:26:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 3F1902C84FFFE0F913B01CCE836BFF93 |
SHA1: | E34F9D2DF5F7C026B7A32CCDDA48768AEF5D5F1F |
SHA256: | F788429FD21392D855B7FBE4DFB1EEF7F18CCE63C7552149DD79FBF8BDD4CC09 |
SSDEEP: | 192:8MBA+OBWtV0zO6efvx2btz/gtT3U+aX1rGrByob8u4DlVL1NB:DBA+OBGShefvx2blA3oGrktDZ3 |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1633 |
ZipCompressedSize: | 401 |
ZipCRC: | 0xcf0be3bd |
ZipModifyDate: | 2019:01:09 02:24:20 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2820 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3240 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3920 | C:\Users\admin\AppData\Roaming\tmp_Qs.exe | C:\Users\admin\AppData\Roaming\tmp_Qs.exe | — | EQNEDT32.EXE |
User: admin Company: Scientific-Atlanta Inc Integrity Level: MEDIUM Description: Optimizes and tweaks your Windows Exit code: 0 Version: 18.5.31.2 | ||||
3576 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | tmp_Qs.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
2692 | "C:\Windows\System32\NAPSTAT.EXE" | C:\Windows\System32\NAPSTAT.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Access Protection Client UI Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3644 | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\System32\cmd.exe | — | NAPSTAT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3740 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | NAPSTAT.EXE | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2820 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9291.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2820 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$DHL Original Document01082019.xlsx | — | |
MD5:— | SHA256:— | |||
2820 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoAF33.tmp | — | |
MD5:— | SHA256:— | |||
2692 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\70LA3082\70Llogrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
3240 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\tmp_Qs.exe | executable | |
MD5:DBBB46AB9FAD99B2D89D984B40C5F348 | SHA256:6A4B86C19EEAA0BA8F7092486A5982AF1A36A99F648DCFFAB9222A95B077F847 | |||
3240 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\tmp[1].exe | executable | |
MD5:DBBB46AB9FAD99B2D89D984B40C5F348 | SHA256:6A4B86C19EEAA0BA8F7092486A5982AF1A36A99F648DCFFAB9222A95B077F847 | |||
2820 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\error028200_01.xml | xml | |
MD5:7D2AD8DE0D4A507E74E9CAD58BB322F3 | SHA256:B28F1C2B2074BD5E0D0D5C878654D50C7ED5412C343270265F0E38A0A797020B | |||
2692 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\70LA3082\70Llogim.jpeg | image | |
MD5:3845E2330F4643A78CE8A985AAB5DE5A | SHA256:FFDF058B3AF4DE26F4AA246A9DF33072E114F3C6E1C114B172F57E0CCDCE233C | |||
3740 | Firefox.exe | C:\Users\admin\AppData\Roaming\70LA3082\70Llogrf.ini | binary | |
MD5:53028481B5B5795F1501241CCC7ABFF6 | SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A | |||
2692 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\70LA3082\70Llogri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3240 | EQNEDT32.EXE | GET | 200 | 198.54.114.227:80 | http://interraniternational.com/docfle/tmp.exe | US | executable | 397 Kb | malicious |
116 | explorer.exe | GET | 400 | 198.49.23.144:80 | http://adamhipps.com/private/?ETQl=+ZAkYif+OBJ3/DL2eIsy2tFYHWzJJhO0aTVgkJ6V6jipQzqNffD2lflImWF1Ok5ujRbexw==&VR0dn=lhnxV4Axx0zxQH | US | html | 378 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 198.49.23.144:80 | adamhipps.com | Squarespace, Inc. | US | malicious |
3240 | EQNEDT32.EXE | 198.54.114.227:80 | interraniternational.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
interraniternational.com |
| malicious |
adamhipps.com |
| malicious |
rghuckins.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3240 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3240 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |