formbook | 5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f

General

Target

Quote 2405987021.docx
Size

10KB
MD5

992acd038fd49f200bd5510c029e74b1
SHA1

f1a0abb5f96c21f8a799e4f65c4216bd968c29b7
SHA256

5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f
SHA512

e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.mpaiji.com/c244/

Decoy

ssgasija.com

procyoon.com

mood-street-food.com

yeglifeview.com

baoyai.com

sundarsheni.com

notoli.photography

sweetape.com

ergas.group

asyrill.com

jin188v.com

stlazarushospitalnola.com

dohertyfamily5.com

duniaclubs.club

ngobryles.com

scottsavocasalon.com

unifiui.com

baileyfred.com

nabiagency.com

alyssaternanphotography.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1796-71-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1796-72-0x000000000041EB20-mapping.dmp	formbook
behavioral1/memory/112-83-0x0000000000070000-0x000000000009E000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 1660 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1964 vbc.exe
1796 vbc.exe

flow	pid	process
8	1660	EQNEDT32.EXE

pid	process
1964	vbc.exe
1796	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://198.46.132.185/..-.-.-......................................................-...-/..................................................wbk	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1660 EQNEDT32.EXE
1660 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1660	EQNEDT32.EXE
1660	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exewscript.exe

description	pid	process	target process
PID 1964 set thread context of 1796	1964	vbc.exe	vbc.exe
PID 1796 set thread context of 1272	1796	vbc.exe	Explorer.EXE
PID 112 set thread context of 1272	112	wscript.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1660 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1660	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2020 WINWORD.EXE

pid	process
2020	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exewscript.exe

pid	process
1796	vbc.exe
1796	vbc.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe
112	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exewscript.exe

pid process

1796 vbc.exe
1796 vbc.exe
1796 vbc.exe
112 wscript.exe
112 wscript.exe

pid	process
1272	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

vbc.exeExplorer.EXEwscript.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1796	vbc.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeDebugPrivilege	112	wscript.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	2020	WINWORD.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEvbc.exe

pid process

2020 WINWORD.EXE
2020 WINWORD.EXE
1964 vbc.exe

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
2020	WINWORD.EXE
2020	WINWORD.EXE
1964	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exeWINWORD.EXEExplorer.EXEwscript.exe

description	pid	process	target process
PID 1660 wrote to memory of 1964	1660	EQNEDT32.EXE	vbc.exe
PID 1660 wrote to memory of 1964	1660	EQNEDT32.EXE	vbc.exe
PID 1660 wrote to memory of 1964	1660	EQNEDT32.EXE	vbc.exe
PID 1660 wrote to memory of 1964	1660	EQNEDT32.EXE	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 1964 wrote to memory of 1796	1964	vbc.exe	vbc.exe
PID 2020 wrote to memory of 1784	2020	WINWORD.EXE	splwow64.exe
PID 2020 wrote to memory of 1784	2020	WINWORD.EXE	splwow64.exe
PID 2020 wrote to memory of 1784	2020	WINWORD.EXE	splwow64.exe
PID 2020 wrote to memory of 1784	2020	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 112	1272	Explorer.EXE	wscript.exe
PID 1272 wrote to memory of 112	1272	Explorer.EXE	wscript.exe
PID 1272 wrote to memory of 112	1272	Explorer.EXE	wscript.exe
PID 1272 wrote to memory of 112	1272	Explorer.EXE	wscript.exe
PID 112 wrote to memory of 1668	112	wscript.exe	cmd.exe
PID 112 wrote to memory of 1668	112	wscript.exe	cmd.exe
PID 112 wrote to memory of 1668	112	wscript.exe	cmd.exe
PID 112 wrote to memory of 1668	112	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quote 2405987021.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1784

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1668

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
9c0ab971e60116467107fe8dd787e5cf

SHA1
08aefe2b9ab89d7522a93e8a6e442ee3ceb85eee

SHA256
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15

SHA512
0d18dd253bd46ec632da4388545fb8b2cfa958488c34a7416f674969a06c023828dc299046438981d54985bf0d8e9d675abb38e3f2905b48e73e4f0d6e131c63

Download Submit
C:\Users\Public\vbc.exe
MD5
9c0ab971e60116467107fe8dd787e5cf

SHA1
08aefe2b9ab89d7522a93e8a6e442ee3ceb85eee

SHA256
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15

SHA512
0d18dd253bd46ec632da4388545fb8b2cfa958488c34a7416f674969a06c023828dc299046438981d54985bf0d8e9d675abb38e3f2905b48e73e4f0d6e131c63

Download Submit
C:\Users\Public\vbc.exe
MD5
9c0ab971e60116467107fe8dd787e5cf

SHA1
08aefe2b9ab89d7522a93e8a6e442ee3ceb85eee

SHA256
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15

SHA512
0d18dd253bd46ec632da4388545fb8b2cfa958488c34a7416f674969a06c023828dc299046438981d54985bf0d8e9d675abb38e3f2905b48e73e4f0d6e131c63

Download Submit
\Users\Public\vbc.exe
MD5
9c0ab971e60116467107fe8dd787e5cf

SHA1
08aefe2b9ab89d7522a93e8a6e442ee3ceb85eee

SHA256
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15

SHA512
0d18dd253bd46ec632da4388545fb8b2cfa958488c34a7416f674969a06c023828dc299046438981d54985bf0d8e9d675abb38e3f2905b48e73e4f0d6e131c63

Download Submit
\Users\Public\vbc.exe
MD5
9c0ab971e60116467107fe8dd787e5cf

SHA1
08aefe2b9ab89d7522a93e8a6e442ee3ceb85eee

SHA256
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15

SHA512
0d18dd253bd46ec632da4388545fb8b2cfa958488c34a7416f674969a06c023828dc299046438981d54985bf0d8e9d675abb38e3f2905b48e73e4f0d6e131c63

Download Submit
memory/112-83-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/112-84-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/112-85-0x0000000001E30000-0x0000000001EC3000-memory.dmp

Filesize
588KB

Download
memory/112-82-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/112-80-0x0000000000000000-mapping.dmp

Download
memory/1272-79-0x0000000004A10000-0x0000000004B93000-memory.dmp

Filesize
1.5MB

Download
memory/1272-86-0x00000000062E0000-0x00000000063DC000-memory.dmp

Filesize
1008KB

Download
memory/1660-63-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1668-81-0x0000000000000000-mapping.dmp

Download
memory/1784-76-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1784-74-0x0000000000000000-mapping.dmp

Download
memory/1796-77-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1796-78-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1796-72-0x000000000041EB20-mapping.dmp

Download
memory/1796-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-66-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000072C41000-0x0000000072C44000-memory.dmp

Filesize
12KB

Download
memory/2020-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-61-0x00000000706C1000-0x00000000706C3000-memory.dmp

Filesize
8KB

Download
memory/2020-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads