formbook | db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca

General

Target

Refno.191938.xlsx
Size

319KB
MD5

a6ea0794f2791f9f2bdfcdb467122e6b
SHA1

83815a1977485c3fabdd49c91926d0482e3b78e1
SHA256

db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
SHA512

8e9d56848c8e9dc03676348ebc0b57b650cfe4a8c61d1d8825b68e7989f29eb83509e9a1d5d35fcdf9e81e1ddcd8ed6a80d7a947e5906965f9d42f89f7d6fc6d

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.mvcsecrets.com/op9s/

Decoy

uscoser.club

gustrad.com

sowftwer.com

psychicpatrol.com

lmouowgoaa.com

riandmoara.com

sushigardentogo.com

cannabimall.com

ecolodgesworld.com

mysandboxcsp.com

coxsmobility.com

sfs-distribution.info

tymict.com

u-bahn.online

chrisjohnsondrums.com

comfyscoffee.com

eastwoodlearningcenter.com

a-authenticate.com

greatroyalspices.com

legalparaprofessionalonline.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1816-80-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1816-81-0x000000000041ED40-mapping.dmp	formbook
behavioral1/memory/968-90-0x0000000000070000-0x000000000009E000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1844 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1184 vbc.exe
1816 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1844 EQNEDT32.EXE
1844 EQNEDT32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	1844	EQNEDT32.EXE

pid	process
1184	vbc.exe
1816	vbc.exe

pid	process
1844	EQNEDT32.EXE
1844	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execscript.exe

description	pid	process	target process
PID 1184 set thread context of 1816	1184	vbc.exe	vbc.exe
PID 1816 set thread context of 1288	1816	vbc.exe	Explorer.EXE
PID 968 set thread context of 1288	968	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1764 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1844 EQNEDT32.EXE

pid	process
1764	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1844	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEcscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1084 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

vbc.execscript.exe

pid process

1816 vbc.exe
1816 vbc.exe
968 cscript.exe
968 cscript.exe
968 cscript.exe
968 cscript.exe
968 cscript.exe
968 cscript.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.execscript.exe

pid process

1816 vbc.exe
1816 vbc.exe
1816 vbc.exe
968 cscript.exe
968 cscript.exe
968 cscript.exe
968 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.execscript.exe

description pid process

Token: SeDebugPrivilege 1816 vbc.exe
Token: SeDebugPrivilege 968 cscript.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEvbc.exe

pid process

1084 EXCEL.EXE
1084 EXCEL.EXE
1084 EXCEL.EXE
1184 vbc.exe
1184 vbc.exe

pid	process
1084	EXCEL.EXE

pid	process
1816	vbc.exe
1816	vbc.exe
968	cscript.exe
968	cscript.exe
968	cscript.exe
968	cscript.exe
968	cscript.exe
968	cscript.exe

pid	process
1288	Explorer.EXE

pid	process
1816	vbc.exe
1816	vbc.exe
1816	vbc.exe
968	cscript.exe
968	cscript.exe
968	cscript.exe
968	cscript.exe

description	pid	process
Token: SeDebugPrivilege	1816	vbc.exe
Token: SeDebugPrivilege	968	cscript.exe

pid	process
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1184	vbc.exe
1184	vbc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1844 wrote to memory of 1184	1844	EQNEDT32.EXE	vbc.exe
PID 1844 wrote to memory of 1184	1844	EQNEDT32.EXE	vbc.exe
PID 1844 wrote to memory of 1184	1844	EQNEDT32.EXE	vbc.exe
PID 1844 wrote to memory of 1184	1844	EQNEDT32.EXE	vbc.exe
PID 1184 wrote to memory of 1764	1184	vbc.exe	schtasks.exe
PID 1184 wrote to memory of 1764	1184	vbc.exe	schtasks.exe
PID 1184 wrote to memory of 1764	1184	vbc.exe	schtasks.exe
PID 1184 wrote to memory of 1764	1184	vbc.exe	schtasks.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1184 wrote to memory of 1816	1184	vbc.exe	vbc.exe
PID 1288 wrote to memory of 968	1288	Explorer.EXE	cscript.exe
PID 1288 wrote to memory of 968	1288	Explorer.EXE	cscript.exe
PID 1288 wrote to memory of 968	1288	Explorer.EXE	cscript.exe
PID 1288 wrote to memory of 968	1288	Explorer.EXE	cscript.exe
PID 968 wrote to memory of 1516	968	cscript.exe	Firefox.exe
PID 968 wrote to memory of 1516	968	cscript.exe	Firefox.exe
PID 968 wrote to memory of 1516	968	cscript.exe	Firefox.exe
PID 968 wrote to memory of 1516	968	cscript.exe	Firefox.exe
PID 968 wrote to memory of 1516	968	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Refno.191938.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1516

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fendlKCsOIoiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp"
3⤵
- Creates scheduled task(s)
PID:1764

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp
MD5
c075e6f1cbf46155b4e600e10c332a41

SHA1
7f62b2a1f8e9a6a443f959ca412e890693a0b2e9

SHA256
f279f2322ed8baea8f698151105c2ce310b151c57a447941b716ee1f7e9474e5

SHA512
272126a2b0f54d72410aa25f99ba5b4bb2bf91a3f298de9361ab9018c3e53f93d14c2afe471a05f95f24033bebf80ff323b3239892c0202e913d6fd62fdd1095

Download Submit
C:\Users\Public\vbc.exe
MD5
106ada585df884b13cd6a8a71e404c78

SHA1
470e8dd108972fe65c027b9d4856aa365b69fd9e

SHA256
612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572

SHA512
aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2

Download Submit
C:\Users\Public\vbc.exe
MD5
106ada585df884b13cd6a8a71e404c78

SHA1
470e8dd108972fe65c027b9d4856aa365b69fd9e

SHA256
612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572

SHA512
aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2

Download Submit
C:\Users\Public\vbc.exe
MD5
106ada585df884b13cd6a8a71e404c78

SHA1
470e8dd108972fe65c027b9d4856aa365b69fd9e

SHA256
612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572

SHA512
aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2

Download Submit
\Users\Public\vbc.exe
MD5
106ada585df884b13cd6a8a71e404c78

SHA1
470e8dd108972fe65c027b9d4856aa365b69fd9e

SHA256
612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572

SHA512
aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2

Download Submit
\Users\Public\vbc.exe
MD5
106ada585df884b13cd6a8a71e404c78

SHA1
470e8dd108972fe65c027b9d4856aa365b69fd9e

SHA256
612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572

SHA512
aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2

Download Submit
memory/968-91-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/968-92-0x0000000001ED0000-0x0000000001F63000-memory.dmp

Filesize
588KB

Download
memory/968-89-0x0000000000280000-0x00000000002A2000-memory.dmp

Filesize
136KB

Download
memory/968-90-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/968-87-0x0000000000000000-mapping.dmp

Download
memory/1084-60-0x000000002F781000-0x000000002F784000-memory.dmp

Filesize
12KB

Download
memory/1084-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1084-61-0x00000000715A1000-0x00000000715A3000-memory.dmp

Filesize
8KB

Download
memory/1084-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1184-77-0x0000000004EC0000-0x0000000004EF5000-memory.dmp

Filesize
212KB

Download
memory/1184-76-0x00000000052F0000-0x000000000536F000-memory.dmp

Filesize
508KB

Download
memory/1184-66-0x0000000000000000-mapping.dmp

Download
memory/1184-73-0x00000000048F1000-0x00000000048F2000-memory.dmp

Filesize
4KB

Download
memory/1184-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1184-71-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1184-74-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/1184-72-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/1288-86-0x0000000006F50000-0x000000000707F000-memory.dmp

Filesize
1.2MB

Download
memory/1288-93-0x00000000049A0000-0x0000000004A62000-memory.dmp

Filesize
776KB

Download
memory/1516-94-0x0000000000000000-mapping.dmp

Download
memory/1516-95-0x000000013F9E0000-0x000000013FA73000-memory.dmp

Filesize
588KB

Download
memory/1516-96-0x0000000000060000-0x000000000015B000-memory.dmp

Filesize
1004KB

Download
memory/1764-78-0x0000000000000000-mapping.dmp

Download
memory/1816-85-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1816-84-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1816-81-0x000000000041ED40-mapping.dmp

Download
memory/1816-80-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1844-63-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads