formbook | 9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05

General

Target

QUOTATION1100630004R2.doc
Size

54KB
MD5

a3336f2a85c572aab40243c347ebfe59
SHA1

f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256

9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
SHA512

b4a02c7df3537f861429346bd2813de9f89cdb18fb867b8f9eb140d6e2d190bf1a9ff33302e919c111b1e379ef09840c8c1c8289d7fb20fbe2fff4268ea085cf

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.containerflippers.com/np0c/

Decoy

spartansurebets.com

threelakestradingco.com

metaspace.global

zjenbao.com

directlyincluded.press

peterchadri.com

learnhousebreaking.com

wonobattle.online

leadate.com

shebafarmscali.com

top4thejob.online

awakeyourfaith.com

bedford-st.com

lolwhats.com

cucurumbel.com

lokalbazaar.com

matter.pro

eastcountyanimalrescue.com

musesgirl.com

noordinarydairy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/728-81-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/728-82-0x000000000041EB90-mapping.dmp	formbook
behavioral1/memory/944-91-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1796 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

princedan85671.exeprincedan85671.exe

pid process

812 princedan85671.exe
728 princedan85671.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXEprincedan85671.exe

pid process

1796 EQNEDT32.EXE
812 princedan85671.exe

flow	pid	process
7	1796	EQNEDT32.EXE

pid	process
1796	EQNEDT32.EXE
812	princedan85671.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

princedan85671.exeprincedan85671.exesystray.exe

description	pid	process	target process
PID 812 set thread context of 728	812	princedan85671.exe	princedan85671.exe
PID 728 set thread context of 1256	728	princedan85671.exe	Explorer.EXE
PID 944 set thread context of 1256	944	systray.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1796 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1796	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1208 WINWORD.EXE

pid	process
1208	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

princedan85671.exeprincedan85671.exesystray.exe

pid	process
812	princedan85671.exe
812	princedan85671.exe
728	princedan85671.exe
728	princedan85671.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe
944	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

princedan85671.exesystray.exe

pid process

728 princedan85671.exe
728 princedan85671.exe
728 princedan85671.exe
944 systray.exe
944 systray.exe

pid	process
1256	Explorer.EXE

pid	process
728	princedan85671.exe
728	princedan85671.exe
728	princedan85671.exe
944	systray.exe
944	systray.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

princedan85671.exeprincedan85671.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	812	princedan85671.exe
Token: SeDebugPrivilege	728	princedan85671.exe
Token: SeDebugPrivilege	944	systray.exe
Token: SeShutdownPrivilege	1256	Explorer.EXE
Token: SeShutdownPrivilege	1256	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1208 WINWORD.EXE
1208 WINWORD.EXE

pid	process
1208	WINWORD.EXE
1208	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEprincedan85671.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1796 wrote to memory of 812	1796	EQNEDT32.EXE	princedan85671.exe
PID 1796 wrote to memory of 812	1796	EQNEDT32.EXE	princedan85671.exe
PID 1796 wrote to memory of 812	1796	EQNEDT32.EXE	princedan85671.exe
PID 1796 wrote to memory of 812	1796	EQNEDT32.EXE	princedan85671.exe
PID 1208 wrote to memory of 1756	1208	WINWORD.EXE	splwow64.exe
PID 1208 wrote to memory of 1756	1208	WINWORD.EXE	splwow64.exe
PID 1208 wrote to memory of 1756	1208	WINWORD.EXE	splwow64.exe
PID 1208 wrote to memory of 1756	1208	WINWORD.EXE	splwow64.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 812 wrote to memory of 728	812	princedan85671.exe	princedan85671.exe
PID 1256 wrote to memory of 944	1256	Explorer.EXE	systray.exe
PID 1256 wrote to memory of 944	1256	Explorer.EXE	systray.exe
PID 1256 wrote to memory of 944	1256	Explorer.EXE	systray.exe
PID 1256 wrote to memory of 944	1256	Explorer.EXE	systray.exe
PID 944 wrote to memory of 1484	944	systray.exe	cmd.exe
PID 944 wrote to memory of 1484	944	systray.exe	cmd.exe
PID 944 wrote to memory of 1484	944	systray.exe	cmd.exe
PID 944 wrote to memory of 1484	944	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QUOTATION1100630004R2.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1756

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\princedan85671.exe"
3⤵
PID:1484

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Roaming\princedan85671.exe
"C:\Users\Admin\AppData\Roaming\princedan85671.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
C:\Users\Admin\AppData\Local\Temp\princedan85671.exe vgyjnbhui
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Local\Temp\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Roaming\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
memory/728-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/728-84-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/728-85-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/728-82-0x000000000041EB90-mapping.dmp

Download
memory/812-69-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-71-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/812-66-0x0000000000000000-mapping.dmp

Download
memory/812-74-0x0000000001FA0000-0x0000000002001000-memory.dmp

Filesize
388KB

Download
memory/812-79-0x0000000005AC0000-0x0000000005B32000-memory.dmp

Filesize
456KB

Download
memory/944-93-0x0000000001EE0000-0x0000000001F73000-memory.dmp

Filesize
588KB

Download
memory/944-90-0x0000000000140000-0x0000000000145000-memory.dmp

Filesize
20KB

Download
memory/944-87-0x0000000000000000-mapping.dmp

Download
memory/944-91-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/944-92-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/1208-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1208-61-0x000000006FE01000-0x000000006FE03000-memory.dmp

Filesize
8KB

Download
memory/1208-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1208-60-0x0000000072381000-0x0000000072384000-memory.dmp

Filesize
12KB

Download
memory/1208-63-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1256-86-0x0000000006150000-0x00000000062D0000-memory.dmp

Filesize
1.5MB

Download
memory/1256-94-0x0000000006AD0000-0x0000000006C29000-memory.dmp

Filesize
1.3MB

Download
memory/1484-89-0x0000000000000000-mapping.dmp

Download
memory/1756-73-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1756-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads