formbook | ca4c055b60e84b73461e21062fc06924897c501944ec0f2a467fc4c21f13b342

General

Target

MT OCEAN STAR ISO 8217 2005.xlsx
Size

2.1MB
MD5

3ba4a9ceac60a4e52398ac6fbd0ebc5b
SHA1

19b79bcd8982634747f1dfc6804687d60baf73b0
SHA256

ca4c055b60e84b73461e21062fc06924897c501944ec0f2a467fc4c21f13b342
SHA512

ff14cc9946821af0891fb2b8ae10006ea9902f31c6cfcc5bc6739270080a3862db34e718cf82838585662a3dbad74892db78e891092a9cd0e137e86684440686

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aone223.com/67d/

Decoy

initiationportal.com

priority1fleet.com

xn--c1abvlc0ba.xn--p1acf

foto-golyh-devushek.com

losangeles-nightlife.com

mynewbandname.com

iaiibhzsbw.net

allwest-originals.com

peakofgoodlife.com

traeespana.com

prizotinstagram.online

powerd.net

rutharroyo.com

spreadtheaimee.com

tomleefamily.com

workingcompass.net

quallateematerial.com

davizion.com

ashleeramdanfit.com

gamers-evolution.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1960-20-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1960-21-0x000000000041EB60-mapping.dmp	formbook
behavioral1/memory/1152-30-0x0000000000070000-0x000000000009E000-memory.dmp	formbook

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1776 EQNEDT32.EXE
8 1776 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1912 vbc.exe
1960 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1776 EQNEDT32.EXE
1776 EQNEDT32.EXE
1776 EQNEDT32.EXE
1776 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	1776	EQNEDT32.EXE
8	1776	EQNEDT32.EXE

pid	process
1912	vbc.exe
1960	vbc.exe

pid	process
1776	EQNEDT32.EXE
1776	EQNEDT32.EXE
1776	EQNEDT32.EXE
1776	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execscript.exe

description	pid	process	target process
PID 1912 set thread context of 1960	1912	vbc.exe	vbc.exe
PID 1960 set thread context of 1276	1960	vbc.exe	Explorer.EXE
PID 1152 set thread context of 1276	1152	cscript.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1776 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1776	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1684 EXCEL.EXE

pid	process
1684	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

vbc.execscript.exe

pid	process
1960	vbc.exe
1960	vbc.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.execscript.exe

pid process

1960 vbc.exe
1960 vbc.exe
1960 vbc.exe
1152 cscript.exe
1152 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.execscript.exe

description pid process

Token: SeDebugPrivilege 1960 vbc.exe
Token: SeDebugPrivilege 1152 cscript.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1684 EXCEL.EXE
1684 EXCEL.EXE
1684 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1960	vbc.exe
Token: SeDebugPrivilege	1152	cscript.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1684	EXCEL.EXE
1684	EXCEL.EXE
1684	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1776 wrote to memory of 1912	1776	EQNEDT32.EXE	vbc.exe
PID 1776 wrote to memory of 1912	1776	EQNEDT32.EXE	vbc.exe
PID 1776 wrote to memory of 1912	1776	EQNEDT32.EXE	vbc.exe
PID 1776 wrote to memory of 1912	1776	EQNEDT32.EXE	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1960	1912	vbc.exe	vbc.exe
PID 1276 wrote to memory of 1152	1276	Explorer.EXE	cscript.exe
PID 1276 wrote to memory of 1152	1276	Explorer.EXE	cscript.exe
PID 1276 wrote to memory of 1152	1276	Explorer.EXE	cscript.exe
PID 1276 wrote to memory of 1152	1276	Explorer.EXE	cscript.exe
PID 1152 wrote to memory of 368	1152	cscript.exe	cmd.exe
PID 1152 wrote to memory of 368	1152	cscript.exe	cmd.exe
PID 1152 wrote to memory of 368	1152	cscript.exe	cmd.exe
PID 1152 wrote to memory of 368	1152	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\MT OCEAN STAR ISO 8217 2005.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:112

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:576

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:560

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1124

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1792

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1804

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1716

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2036

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1940

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:628

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1812

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:912

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1364

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:540

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:552

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:368

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Public\vbc.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
C:\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
C:\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
\Users\Public\vbc.exe
MD5
2201881c6cc2de12c71f906e43178ef9

SHA1
2b494db5e52b74df25ff068d0d2a3295aae4f658

SHA256
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SHA512
4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

Download Submit
memory/368-28-0x0000000000000000-mapping.dmp

Download
memory/1152-29-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/1152-30-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/1152-31-0x0000000001EC0000-0x00000000021C3000-memory.dmp

Filesize
3.0MB

Download
memory/1152-32-0x0000000002270000-0x0000000002303000-memory.dmp

Filesize
588KB

Download
memory/1152-27-0x0000000000000000-mapping.dmp

Download
memory/1276-26-0x0000000006BC0000-0x0000000006D06000-memory.dmp

Filesize
1.3MB

Download
memory/1276-33-0x0000000004F10000-0x0000000005003000-memory.dmp

Filesize
972KB

Download
memory/1684-2-0x000000002F751000-0x000000002F754000-memory.dmp

Filesize
12KB

Download
memory/1684-3-0x0000000071AC1000-0x0000000071AC3000-memory.dmp

Filesize
8KB

Download
memory/1684-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1688-6-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download
memory/1776-5-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1912-15-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1912-14-0x000000006CC20000-0x000000006D30E000-memory.dmp

Filesize
6.9MB

Download
memory/1912-11-0x0000000000000000-mapping.dmp

Download
memory/1912-17-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1912-19-0x0000000004470000-0x00000000044CB000-memory.dmp

Filesize
364KB

Download
memory/1912-18-0x00000000004D0000-0x00000000004DB000-memory.dmp

Filesize
44KB

Download
memory/1960-24-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/1960-25-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1960-21-0x000000000041EB60-mapping.dmp

Download
memory/1960-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads