formbook | 040ce819e4f59dd7803e3c75da71048dd8fcf3b28f840889562fd55b6e3f74f2

General

Target

INV2021-20800.docx
Size

10KB
MD5

6c1c7232217cf3ac24711d9d5588126d
SHA1

03900482a118b894b2a5154dba552a543ccb7eb3
SHA256

040ce819e4f59dd7803e3c75da71048dd8fcf3b28f840889562fd55b6e3f74f2
SHA512

fb792cb769fb519529fa5029fbef1aef286ce30d9defaf698d4b5450965854b563e36e46b852f4a7df9f0fcc60ed4185b7b23c245dba0e7529ce57cf9dabf8e2

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.rocketschool.net/nf2/

Decoy

avlholisticdentalcare.com

coolermassmedia.com

anythingneverything.net

maimaixiu.club

veyconcorp.com

rplelectro.com

koch-mannes.club

tecknetpro.com

getresurface.net

mertzengin.com

nbppfanzgn.com

508hill.com

ourdailydelights.com

aimeesambayan.com

productstoredt.com

doublelblonghorns.com

lucidcurriculum.com

thegoddessnow.com

qywqmjku.icu

yonibymina.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1336-80-0x000000000041EB30-mapping.dmp	formbook
behavioral1/memory/1336-79-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2004-90-0x00000000000D0000-0x00000000000FE000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

13 1184 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1516 vbc.exe
1336 vbc.exe

flow	pid	process
13	1184	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://itsssl.com/jBbhJ	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1184 EQNEDT32.EXE
1184 EQNEDT32.EXE
1184 EQNEDT32.EXE
1184 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1184	EQNEDT32.EXE
1184	EQNEDT32.EXE
1184	EQNEDT32.EXE
1184	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execmstp.exe

description	pid	process	target process
PID 1516 set thread context of 1336	1516	vbc.exe	vbc.exe
PID 1336 set thread context of 1288	1336	vbc.exe	Explorer.EXE
PID 2004 set thread context of 1288	2004	cmstp.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1184 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1184	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

772 WINWORD.EXE

pid	process
772	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

vbc.exevbc.execmstp.exe

pid	process
1516	vbc.exe
1336	vbc.exe
1336	vbc.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.execmstp.exe

pid process

1336 vbc.exe
1336 vbc.exe
1336 vbc.exe
2004 cmstp.exe
2004 cmstp.exe

pid	process
1288	Explorer.EXE

pid	process
1336	vbc.exe
1336	vbc.exe
1336	vbc.exe
2004	cmstp.exe
2004	cmstp.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

vbc.exevbc.execmstp.exeWINWORD.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1516	vbc.exe
Token: SeDebugPrivilege	1336	vbc.exe
Token: SeDebugPrivilege	2004	cmstp.exe
Token: SeShutdownPrivilege	772	WINWORD.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

772 WINWORD.EXE
772 WINWORD.EXE

pid	process
772	WINWORD.EXE
772	WINWORD.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1184 wrote to memory of 1516	1184	EQNEDT32.EXE	vbc.exe
PID 1184 wrote to memory of 1516	1184	EQNEDT32.EXE	vbc.exe
PID 1184 wrote to memory of 1516	1184	EQNEDT32.EXE	vbc.exe
PID 1184 wrote to memory of 1516	1184	EQNEDT32.EXE	vbc.exe
PID 772 wrote to memory of 1608	772	WINWORD.EXE	splwow64.exe
PID 772 wrote to memory of 1608	772	WINWORD.EXE	splwow64.exe
PID 772 wrote to memory of 1608	772	WINWORD.EXE	splwow64.exe
PID 772 wrote to memory of 1608	772	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1516 wrote to memory of 1336	1516	vbc.exe	vbc.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 1288 wrote to memory of 2004	1288	Explorer.EXE	cmstp.exe
PID 2004 wrote to memory of 548	2004	cmstp.exe	cmd.exe
PID 2004 wrote to memory of 548	2004	cmstp.exe	cmd.exe
PID 2004 wrote to memory of 548	2004	cmstp.exe	cmd.exe
PID 2004 wrote to memory of 548	2004	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INV2021-20800.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1608

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:548

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
C:\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
C:\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
\Users\Public\vbc.exe
MD5
fa0d69a3ff0a272e9e16c1fcac400a6a

SHA1
be235c4800548dddf216d72b5c3e22024f6be642

SHA256
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

SHA512
007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e

Download Submit
memory/548-88-0x0000000000000000-mapping.dmp

Download
memory/772-60-0x0000000072C81000-0x0000000072C84000-memory.dmp

Filesize
12KB

Download
memory/772-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/772-61-0x0000000070701000-0x0000000070703000-memory.dmp

Filesize
8KB

Download
memory/772-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1184-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1288-94-0x00000000064A0000-0x00000000065AB000-memory.dmp

Filesize
1.0MB

Download
memory/1288-85-0x0000000005F60000-0x0000000006088000-memory.dmp

Filesize
1.2MB

Download
memory/1336-84-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1336-83-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/1336-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1336-80-0x000000000041EB30-mapping.dmp

Download
memory/1516-77-0x00000000056C0000-0x0000000005738000-memory.dmp

Filesize
480KB

Download
memory/1516-78-0x00000000008C0000-0x00000000008FD000-memory.dmp

Filesize
244KB

Download
memory/1516-76-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/1516-75-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/1516-71-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1516-68-0x0000000000000000-mapping.dmp

Download
memory/1608-74-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1608-73-0x0000000000000000-mapping.dmp

Download
memory/2004-86-0x0000000000000000-mapping.dmp

Download
memory/2004-90-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/2004-91-0x0000000002220000-0x0000000002523000-memory.dmp

Filesize
3.0MB

Download
memory/2004-89-0x0000000000E00000-0x0000000000E18000-memory.dmp

Filesize
96KB

Download
memory/2004-92-0x0000000000910000-0x00000000009A3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads