=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

New order.xlsx

Status: finished
Submission Time: 2022-05-13 16:54:14 +02:00
Malicious
Trojan
Exploiter
Evader
FormBook

Comments

Tags

  • Formbook
  • VelvetSweatshop
  • xlsx

Details

  • Analysis ID:
    626188
  • API (Web) ID:
    993671
  • Analysis Started:
    2022-05-13 17:19:45 +02:00
  • Analysis Finished:
    2022-05-13 17:31:57 +02:00
  • MD5:
    70583aa55602c8ba0a7f85d815cb5806
  • SHA1:
    7123adf1a048a8168457dcb5aaa9fead90e40218
  • SHA256:
    4da5cb33b2f19fc2d80cafe3e9e9f1a7071d65724ea9316c86c1a635105bab44
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
100/100

malicious
24/60

malicious
15/41

malicious

IPs

IP Country Detection
104.168.33.25
United States
154.222.70.249
Seychelles

Domains

Name IP Detection
www.xinli-ac.com
154.222.70.249
www.insurancecentral.info
0.0.0.0

URLs

Name Detection
www.worklifefirewalls.com/m9y5/
http://104.168.33.25/gtb/vbc.exe
http://104.168.33.25/gtb/vbc.exehhC:
Click to see the 27 hidden entries
http://104.168.33.25/gtb/vbc.exej
http://www.windows.com/pctv.
http://investor.msn.com
http://www.msnbc.com/news/ticker.txt
http://wellformedweb.org/CommentAPI/
http://www.iis.fhg.de/audioPA
http://www.piriform.com/ccleanerq
http://www.mozilla.com0
http://www.piriform.com/ccleaner1SPS0
http://www.xinli-ac.com/m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr
http://nsis.sf.net/NSIS_ErrorError
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://www.hotmail.com/oe
http://treyresearch.net
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://java.sun.com
http://www.icra.org/vocabulary/.
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
http://investor.msn.com/
http://www.piriform.com/ccleaner
http://computername/printers/printername/.printer
http://www.%s.comPA
http://www.autoitscript.com/autoit3
https://support.mozilla.org
http://www.piriform.com/ccleanerv
http://servername/isapibackend.dll

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Users\user\AppData\Local\Temp\fdvucso.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\Desktop\~$New order.xlsx
data
#
Click to see the 13 hidden entries
C:\Users\Public\vbc.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B8C79A7.wmf
ms-windows metafont .wmf
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C67416EA.wmf
ms-windows metafont .wmf
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D915B94D.wmf
ms-windows metafont .wmf
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F22AACBE.emf
Windows Enhanced Metafile (EMF) image data version 0x10000
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE9B77C.wmf
ms-windows metafont .wmf
#
C:\Users\user\AppData\Local\Temp\kk2f9zwlwvo3ghi9f9
data
#
C:\Users\user\AppData\Local\Temp\nsbF6CE.tmp
data
#
C:\Users\user\AppData\Local\Temp\wqqynoeqp
data
#
C:\Users\user\AppData\Local\Temp\~DF43C5C58FDDE0F3A8.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFA5230667FEC71F99.TMP
CDFV2 Encrypted
#
C:\Users\user\AppData\Local\Temp\~DFDC892710C54AAC44.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFFA1DA6C3CBA16E75.TMP
data
#