formbook | 8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e

General

Target

PO4018308875.doc
Size

49KB
MD5

1e7bc879d7960afaa08148c635ae534f
SHA1

e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac
SHA256

8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e
SHA512

87305e45665309e3e6de38aae33a61481445257cbef1f4ce268db0223481bb6b0acaed8d81aafee00a43d53b0278fd27a2fcd34ef51b670ca86c34108ea49366

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.containerflippers.com/np0c/

Decoy

spartansurebets.com

threelakestradingco.com

metaspace.global

zjenbao.com

directlyincluded.press

peterchadri.com

learnhousebreaking.com

wonobattle.online

leadate.com

shebafarmscali.com

top4thejob.online

awakeyourfaith.com

bedford-st.com

lolwhats.com

cucurumbel.com

lokalbazaar.com

matter.pro

eastcountyanimalrescue.com

musesgirl.com

noordinarydairy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1484-81-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1484-82-0x000000000041EB90-mapping.dmp	formbook
behavioral1/memory/564-91-0x00000000000C0000-0x00000000000EE000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 676 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

princedan859323.exeprincedan859323.exe

pid process

844 princedan859323.exe
1484 princedan859323.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXEprincedan859323.exe

pid process

676 EQNEDT32.EXE
844 princedan859323.exe

flow	pid	process
6	676	EQNEDT32.EXE

pid	process
676	EQNEDT32.EXE
844	princedan859323.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

princedan859323.exeprincedan859323.exewininit.exe

description	pid	process	target process
PID 844 set thread context of 1484	844	princedan859323.exe	princedan859323.exe
PID 1484 set thread context of 1200	1484	princedan859323.exe	Explorer.EXE
PID 564 set thread context of 1200	564	wininit.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

676 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
676	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

940 WINWORD.EXE

pid	process
940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

princedan859323.exeprincedan859323.exewininit.exe

pid	process
844	princedan859323.exe
844	princedan859323.exe
1484	princedan859323.exe
1484	princedan859323.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe
564	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

princedan859323.exewininit.exe

pid process

1484 princedan859323.exe
1484 princedan859323.exe
1484 princedan859323.exe
564 wininit.exe
564 wininit.exe

pid	process
1484	princedan859323.exe
1484	princedan859323.exe
1484	princedan859323.exe
564	wininit.exe
564	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

princedan859323.exeprincedan859323.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	844	princedan859323.exe
Token: SeDebugPrivilege	1484	princedan859323.exe
Token: SeDebugPrivilege	564	wininit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

940 WINWORD.EXE
940 WINWORD.EXE

pid	process
940	WINWORD.EXE
940	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEprincedan859323.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 676 wrote to memory of 844	676	EQNEDT32.EXE	princedan859323.exe
PID 676 wrote to memory of 844	676	EQNEDT32.EXE	princedan859323.exe
PID 676 wrote to memory of 844	676	EQNEDT32.EXE	princedan859323.exe
PID 676 wrote to memory of 844	676	EQNEDT32.EXE	princedan859323.exe
PID 940 wrote to memory of 1544	940	WINWORD.EXE	splwow64.exe
PID 940 wrote to memory of 1544	940	WINWORD.EXE	splwow64.exe
PID 940 wrote to memory of 1544	940	WINWORD.EXE	splwow64.exe
PID 940 wrote to memory of 1544	940	WINWORD.EXE	splwow64.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 844 wrote to memory of 1484	844	princedan859323.exe	princedan859323.exe
PID 1200 wrote to memory of 564	1200	Explorer.EXE	wininit.exe
PID 1200 wrote to memory of 564	1200	Explorer.EXE	wininit.exe
PID 1200 wrote to memory of 564	1200	Explorer.EXE	wininit.exe
PID 1200 wrote to memory of 564	1200	Explorer.EXE	wininit.exe
PID 564 wrote to memory of 1016	564	wininit.exe	cmd.exe
PID 564 wrote to memory of 1016	564	wininit.exe	cmd.exe
PID 564 wrote to memory of 1016	564	wininit.exe	cmd.exe
PID 564 wrote to memory of 1016	564	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO4018308875.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1544
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\princedan859323.exe"
    3⤵
    PID:1016

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Roaming\princedan859323.exe
  "C:\Users\Admin\AppData\Roaming\princedan859323.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
    C:\Users\Admin\AppData\Local\Temp\princedan859323.exe vgyjnbhui
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\princedan859323.exe

MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\princedan859323.exe

MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan859323.exe

MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan859323.exe

MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Local\Temp\princedan859323.exe

MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Roaming\princedan859323.exe

MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
memory/564-90-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/564-87-0x0000000000000000-mapping.dmp

Download
memory/564-91-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/564-92-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/564-93-0x0000000001DE0000-0x0000000001E73000-memory.dmp

Filesize
588KB

Download
memory/844-79-0x0000000005C80000-0x0000000005CF2000-memory.dmp

Filesize
456KB

Download
memory/844-74-0x0000000004C40000-0x0000000004CA1000-memory.dmp

Filesize
388KB

Download
memory/844-66-0x0000000000000000-mapping.dmp

Download
memory/844-71-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/844-69-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/940-61-0x000000006FAC1000-0x000000006FAC3000-memory.dmp

Filesize
8KB

Download
memory/940-60-0x0000000072041000-0x0000000072044000-memory.dmp

Filesize
12KB

Download
memory/940-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/940-63-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1016-89-0x0000000000000000-mapping.dmp

Download
memory/1200-86-0x0000000004ED0000-0x0000000004FCC000-memory.dmp

Filesize
1008KB

Download
memory/1484-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1484-85-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1484-84-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

Filesize
3.0MB

Download
memory/1484-82-0x000000000041EB90-mapping.dmp

Download
memory/1544-73-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1544-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads