formbook | 2ab4dc35e47019378cb6acc7be371790eba069b80e8439df9c292cecf62364f0

General

Target

8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e.rtf
Size

49KB
MD5

1e7bc879d7960afaa08148c635ae534f
SHA1

e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac
SHA256

8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e
SHA512

87305e45665309e3e6de38aae33a61481445257cbef1f4ce268db0223481bb6b0acaed8d81aafee00a43d53b0278fd27a2fcd34ef51b670ca86c34108ea49366

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.containerflippers.com/np0c/

Decoy

spartansurebets.com

threelakestradingco.com

metaspace.global

zjenbao.com

directlyincluded.press

peterchadri.com

learnhousebreaking.com

wonobattle.online

leadate.com

shebafarmscali.com

top4thejob.online

awakeyourfaith.com

bedford-st.com

lolwhats.com

cucurumbel.com

lokalbazaar.com

matter.pro

eastcountyanimalrescue.com

musesgirl.com

noordinarydairy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/732-81-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/732-82-0x000000000041EB90-mapping.dmp	formbook
behavioral1/memory/1540-93-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1976 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

princedan859323.exeprincedan859323.exe

pid process

1796 princedan859323.exe
732 princedan859323.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXEprincedan859323.exe

pid process

1976 EQNEDT32.EXE
1796 princedan859323.exe

flow	pid	process
7	1976	EQNEDT32.EXE

pid	process
1976	EQNEDT32.EXE
1796	princedan859323.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

princedan859323.exeprincedan859323.execmmon32.exe

description	pid	process	target process
PID 1796 set thread context of 732	1796	princedan859323.exe	princedan859323.exe
PID 732 set thread context of 1240	732	princedan859323.exe	Explorer.EXE
PID 732 set thread context of 1240	732	princedan859323.exe	Explorer.EXE
PID 1540 set thread context of 1240	1540	cmmon32.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1976 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1976	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1656 WINWORD.EXE

pid	process
1656	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

princedan859323.exeprincedan859323.execmmon32.exe

pid	process
1796	princedan859323.exe
1796	princedan859323.exe
732	princedan859323.exe
732	princedan859323.exe
732	princedan859323.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe
1540	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

princedan859323.execmmon32.exe

pid process

732 princedan859323.exe
732 princedan859323.exe
732 princedan859323.exe
732 princedan859323.exe
1540 cmmon32.exe
1540 cmmon32.exe

pid	process
732	princedan859323.exe
732	princedan859323.exe
732	princedan859323.exe
732	princedan859323.exe
1540	cmmon32.exe
1540	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

princedan859323.exeprincedan859323.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1796	princedan859323.exe
Token: SeDebugPrivilege	732	princedan859323.exe
Token: SeDebugPrivilege	1540	cmmon32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1656 WINWORD.EXE
1656 WINWORD.EXE

pid	process
1656	WINWORD.EXE
1656	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEprincedan859323.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1976 wrote to memory of 1796	1976	EQNEDT32.EXE	princedan859323.exe
PID 1976 wrote to memory of 1796	1976	EQNEDT32.EXE	princedan859323.exe
PID 1976 wrote to memory of 1796	1976	EQNEDT32.EXE	princedan859323.exe
PID 1976 wrote to memory of 1796	1976	EQNEDT32.EXE	princedan859323.exe
PID 1656 wrote to memory of 1376	1656	WINWORD.EXE	splwow64.exe
PID 1656 wrote to memory of 1376	1656	WINWORD.EXE	splwow64.exe
PID 1656 wrote to memory of 1376	1656	WINWORD.EXE	splwow64.exe
PID 1656 wrote to memory of 1376	1656	WINWORD.EXE	splwow64.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1796 wrote to memory of 732	1796	princedan859323.exe	princedan859323.exe
PID 1240 wrote to memory of 1540	1240	Explorer.EXE	cmmon32.exe
PID 1240 wrote to memory of 1540	1240	Explorer.EXE	cmmon32.exe
PID 1240 wrote to memory of 1540	1240	Explorer.EXE	cmmon32.exe
PID 1240 wrote to memory of 1540	1240	Explorer.EXE	cmmon32.exe
PID 1540 wrote to memory of 2004	1540	cmmon32.exe	cmd.exe
PID 1540 wrote to memory of 2004	1540	cmmon32.exe	cmd.exe
PID 1540 wrote to memory of 2004	1540	cmmon32.exe	cmd.exe
PID 1540 wrote to memory of 2004	1540	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1376

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1704

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1976

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:396

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1332

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2040

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1528

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1120

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\princedan859323.exe"
3⤵
PID:2004

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\princedan859323.exe
"C:\Users\Admin\AppData\Roaming\princedan859323.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
C:\Users\Admin\AppData\Local\Temp\princedan859323.exe vgyjnbhui
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan859323.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan859323.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Local\Temp\princedan859323.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Roaming\princedan859323.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
memory/732-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/732-87-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/732-84-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/732-85-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/732-82-0x000000000041EB90-mapping.dmp

Download
memory/1240-88-0x0000000006970000-0x0000000006ADF000-memory.dmp

Filesize
1.4MB

Download
memory/1240-86-0x0000000004050000-0x00000000041AD000-memory.dmp

Filesize
1.4MB

Download
memory/1376-72-0x0000000000000000-mapping.dmp

Download
memory/1376-73-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/1540-89-0x0000000000000000-mapping.dmp

Download
memory/1540-95-0x0000000001D10000-0x0000000001DA3000-memory.dmp

Filesize
588KB

Download
memory/1540-94-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/1540-93-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1540-92-0x0000000000340000-0x000000000034D000-memory.dmp

Filesize
52KB

Download
memory/1656-61-0x0000000070A81000-0x0000000070A83000-memory.dmp

Filesize
8KB

Download
memory/1656-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1656-60-0x0000000073001000-0x0000000073004000-memory.dmp

Filesize
12KB

Download
memory/1656-63-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1796-74-0x00000000047A0000-0x0000000004801000-memory.dmp

Filesize
388KB

Download
memory/1796-66-0x0000000000000000-mapping.dmp

Download
memory/1796-69-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1796-71-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1796-79-0x0000000005AB0000-0x0000000005B22000-memory.dmp

Filesize
456KB

Download
memory/2004-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads