formbook | e2a65cc31e28a6510e974316379e8b6eb7c138d1da04cf84d0293fdc55d7d08e

General

Target

VM ASIAN CHAMPION.xlsx
Size

1.8MB
MD5

fc2961be55b07415b4f6a712bd7736e5
SHA1

e1c6c4c78a6deebda2e5444bc84317658a0f5b52
SHA256

e2a65cc31e28a6510e974316379e8b6eb7c138d1da04cf84d0293fdc55d7d08e
SHA512

d8e8a3f15b21ba1824788c774116a83af1d021634a5da09dc7a5a2abba02aabfe8ae3b44f7f53fb62a8c47d6120d1fe28ccbdc6ed99b73cf647b9947bd652c02

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.printmeroyal.com/ndm/

Decoy

gamilashopping.com

thebodyerotique.com

vulcan24on-line.com

nehyam.com

retrofityapi.com

sprayld2u.com

kieronart.com

vinteebee.com

temati.club

drenaz-limfatyczny.com

zrtopway.com

acaciagardens-bh.com

myloudmylarbags.com

fejseshessete.com

total-bar.com

yourmajordomo.com

newsstarbharat.com

vongbi.asia

multipeace.space

thesmellyheifer.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/296-15-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/296-16-0x000000000041EAF0-mapping.dmp	formbook
behavioral1/memory/1932-18-0x0000000000000000-mapping.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1976 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1164 vbc.exe
296 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	1976	EQNEDT32.EXE

pid	process
1164	vbc.exe
296	vbc.exe

pid	process
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exesvchost.exe

description	pid	process	target process
PID 1164 set thread context of 296	1164	vbc.exe	vbc.exe
PID 296 set thread context of 1264	296	vbc.exe	Explorer.EXE
PID 1932 set thread context of 1264	1932	svchost.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1976 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1976	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

644 EXCEL.EXE

pid	process
644	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

vbc.exesvchost.exe

pid	process
296	vbc.exe
296	vbc.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exesvchost.exe

pid process

296 vbc.exe
296 vbc.exe
296 vbc.exe
1932 svchost.exe
1932 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exesvchost.exe

description pid process

Token: SeDebugPrivilege 296 vbc.exe
Token: SeDebugPrivilege 1932 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	296	vbc.exe
Token: SeDebugPrivilege	1932	svchost.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1976 wrote to memory of 1164	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1164	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1164	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1164	1976	EQNEDT32.EXE	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 296	1164	vbc.exe	vbc.exe
PID 1264 wrote to memory of 1932	1264	Explorer.EXE	svchost.exe
PID 1264 wrote to memory of 1932	1264	Explorer.EXE	svchost.exe
PID 1264 wrote to memory of 1932	1264	Explorer.EXE	svchost.exe
PID 1264 wrote to memory of 1932	1264	Explorer.EXE	svchost.exe
PID 1932 wrote to memory of 1316	1932	svchost.exe	cmd.exe
PID 1932 wrote to memory of 1316	1932	svchost.exe	cmd.exe
PID 1932 wrote to memory of 1316	1932	svchost.exe	cmd.exe
PID 1932 wrote to memory of 1316	1932	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\VM ASIAN CHAMPION.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1316

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Public\vbc.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
C:\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
C:\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
\Users\Public\vbc.exe
MD5
026b337a051a03e14690154785c25b76

SHA1
9cedfcf4ef7f1aef400ff9ff39d31e7882757837

SHA256
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

SHA512
4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8

Download Submit
memory/296-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/296-16-0x000000000041EAF0-mapping.dmp

Download
memory/1164-10-0x000000006C630000-0x000000006CD1E000-memory.dmp

Filesize
6.9MB

Download
memory/1164-11-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1164-13-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/1164-14-0x00000000003A0000-0x000000000041D000-memory.dmp

Filesize
500KB

Download
memory/1164-7-0x0000000000000000-mapping.dmp

Download
memory/1316-20-0x0000000000000000-mapping.dmp

Download
memory/1776-2-0x000007FEF7790000-0x000007FEF7A0A000-memory.dmp

Filesize
2.5MB

Download
memory/1932-18-0x0000000000000000-mapping.dmp

Download
memory/1932-19-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1932-21-0x00000000007D0000-0x0000000000953000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads