formbook | 08a0ab3c46df8c30ed29ab0ab4d5cc733c421cbff42490788a34f5aba13bb37b

Analysis

max time kernel
70s
max time network
16s
platform
windows7_x64
resource
win7v20201028
submitted
26-02-2021 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENTADVICE.xlsx
Size

2.3MB
MD5

6a665d2ebffb301cd53b051cf04337b3
SHA1

74b35d94beacfe37f41cc6891e7ddc96a442c0bd
SHA256

08a0ab3c46df8c30ed29ab0ab4d5cc733c421cbff42490788a34f5aba13bb37b
SHA512

8b19d0ffa2315b8ff74eece86ab92bc417523867291589700cf086f6a3aa0199e119fcd55a04d05e007a15bdfaceeeab6a31c1906d7bd8ca37c50fdcaea6ecae

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

http://www.torontotel.com/4qdc/

Decoy

mangpe.asia

mmstruckingllc.com

ascendingworship.com

gfeets.com

smartcbda.com

dreaminggrand.com

dohostar.com

farkindalik365.com

weareexpatwomen.com

gamereruns.com

rosesandframes.com

commagx4.info

tarpleymusic.info

szttskj.com

calatheahomeservices.com

qm7886.com

emunmous.com

deutschclub.com

39palmavenue.com

thepixxelgroup.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1324-20-0x0000000000400000-0x000000000043E000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 2004 EQNEDT32.EXE
8 2004 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

680 vbc.exe
1324 vbc.exe
Loads dropped DLL 9 IoCs

Processes:

EQNEDT32.EXEvbc.exedw20.exe

pid process

2004 EQNEDT32.EXE
2004 EQNEDT32.EXE
2004 EQNEDT32.EXE
2004 EQNEDT32.EXE
680 vbc.exe
680 vbc.exe
2028 dw20.exe
2028 dw20.exe
2028 dw20.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 680 set thread context of 1324 680 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
4	2004	EQNEDT32.EXE
8	2004	EQNEDT32.EXE

pid	process
680	vbc.exe
1324	vbc.exe

pid	process
2004	EQNEDT32.EXE
2004	EQNEDT32.EXE
2004	EQNEDT32.EXE
2004	EQNEDT32.EXE
680	vbc.exe
680	vbc.exe
2028	dw20.exe
2028	dw20.exe
2028	dw20.exe

description	pid	process	target process
PID 680 set thread context of 1324	680	vbc.exe	vbc.exe

NSIS installer 20 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2004 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2004	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

648 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exe

pid process

680 vbc.exe
680 vbc.exe
680 vbc.exe
680 vbc.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vbc.exe

pid process

680 vbc.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

648 EXCEL.EXE
648 EXCEL.EXE
648 EXCEL.EXE
648 EXCEL.EXE
648 EXCEL.EXE

pid	process
648	EXCEL.EXE

pid	process
680	vbc.exe
680	vbc.exe
680	vbc.exe
680	vbc.exe

pid	process
680	vbc.exe

pid	process
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exe

description	pid	process	target process
PID 2004 wrote to memory of 680	2004	EQNEDT32.EXE	vbc.exe
PID 2004 wrote to memory of 680	2004	EQNEDT32.EXE	vbc.exe
PID 2004 wrote to memory of 680	2004	EQNEDT32.EXE	vbc.exe
PID 2004 wrote to memory of 680	2004	EQNEDT32.EXE	vbc.exe
PID 680 wrote to memory of 1324	680	vbc.exe	vbc.exe
PID 680 wrote to memory of 1324	680	vbc.exe	vbc.exe
PID 680 wrote to memory of 1324	680	vbc.exe	vbc.exe
PID 680 wrote to memory of 1324	680	vbc.exe	vbc.exe
PID 680 wrote to memory of 1324	680	vbc.exe	vbc.exe
PID 1324 wrote to memory of 2028	1324	vbc.exe	dw20.exe
PID 1324 wrote to memory of 2028	1324	vbc.exe	dw20.exe
PID 1324 wrote to memory of 2028	1324	vbc.exe	dw20.exe
PID 1324 wrote to memory of 2028	1324	vbc.exe	dw20.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICE.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:648

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 400
4⤵
- Loads dropped DLL
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
C:\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
C:\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9252.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\oaur7ez8.dll
MD5
327cefe445fbf7dacdaf0505f6e580c4

SHA1
772415ad16012ecac845a85cc97b258a7bc40db0

SHA256
724328c68f60b86ff8a7ae132c4a8dde1bcf35bebe2c9c4aada13ebd5e64eef5

SHA512
bfbd73a45602f481768b21a10c35c11bb44627048fa22b902cb93a3b617906e3a7accd2ce711970634708385e748ca59f0b3535e3f023b8febcc9908d8f2605e

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
\Users\Public\vbc.exe
MD5
456dfe1f5220c97f904bd4704ea34956

SHA1
539cade9a33487696ec1b037c9e124af71a353e3

SHA256
9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e

SHA512
817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda

Download Submit
memory/624-6-0x000007FEF7500000-0x000007FEF777A000-memory.dmp

Filesize
2.5MB

Download
memory/648-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/648-2-0x000000002F0C1000-0x000000002F0C4000-memory.dmp

Filesize
12KB

Download
memory/648-3-0x0000000071461000-0x0000000071463000-memory.dmp

Filesize
8KB

Download
memory/680-11-0x0000000000000000-mapping.dmp

Download
memory/1324-17-0x000000000040188B-mapping.dmp

Download
memory/1324-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1324-27-0x0000000000271000-0x0000000000272000-memory.dmp

Filesize
4KB

Download
memory/1324-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-5-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/2028-22-0x0000000001EB0000-0x0000000001EC1000-memory.dmp

Filesize
68KB

Download
memory/2028-21-0x0000000000000000-mapping.dmp

Download
memory/2028-25-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download
memory/2028-31-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download