formbook | 9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05

General

Target

QUOTATION#1100630004R2.doc
Size

54KB
MD5

a3336f2a85c572aab40243c347ebfe59
SHA1

f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256

9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
SHA512

b4a02c7df3537f861429346bd2813de9f89cdb18fb867b8f9eb140d6e2d190bf1a9ff33302e919c111b1e379ef09840c8c1c8289d7fb20fbe2fff4268ea085cf

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.containerflippers.com/np0c/

Decoy

spartansurebets.com

threelakestradingco.com

metaspace.global

zjenbao.com

directlyincluded.press

peterchadri.com

learnhousebreaking.com

wonobattle.online

leadate.com

shebafarmscali.com

top4thejob.online

awakeyourfaith.com

bedford-st.com

lolwhats.com

cucurumbel.com

lokalbazaar.com

matter.pro

eastcountyanimalrescue.com

musesgirl.com

noordinarydairy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/240-78-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/240-79-0x000000000041EB90-mapping.dmp	formbook
behavioral1/memory/1896-89-0x0000000000090000-0x00000000000BE000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1740 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

princedan85671.exeprincedan85671.exe

pid process

760 princedan85671.exe
240 princedan85671.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXEprincedan85671.exe

pid process

1740 EQNEDT32.EXE
760 princedan85671.exe

flow	pid	process
6	1740	EQNEDT32.EXE

pid	process
1740	EQNEDT32.EXE
760	princedan85671.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

princedan85671.exeprincedan85671.execmstp.exe

description	pid	process	target process
PID 760 set thread context of 240	760	princedan85671.exe	princedan85671.exe
PID 240 set thread context of 1264	240	princedan85671.exe	Explorer.EXE
PID 240 set thread context of 1264	240	princedan85671.exe	Explorer.EXE
PID 1896 set thread context of 1264	1896	cmstp.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1740 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1740	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1084 WINWORD.EXE

pid	process
1084	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

princedan85671.exeprincedan85671.execmstp.exe

pid	process
760	princedan85671.exe
760	princedan85671.exe
240	princedan85671.exe
240	princedan85671.exe
240	princedan85671.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe
1896	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

princedan85671.execmstp.exe

pid process

240 princedan85671.exe
240 princedan85671.exe
240 princedan85671.exe
240 princedan85671.exe
1896 cmstp.exe
1896 cmstp.exe

pid	process
240	princedan85671.exe
240	princedan85671.exe
240	princedan85671.exe
240	princedan85671.exe
1896	cmstp.exe
1896	cmstp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

princedan85671.exeprincedan85671.exeExplorer.EXEcmstp.exe

description	pid	process
Token: SeDebugPrivilege	760	princedan85671.exe
Token: SeDebugPrivilege	240	princedan85671.exe
Token: SeShutdownPrivilege	1264	Explorer.EXE
Token: SeDebugPrivilege	1896	cmstp.exe
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1084 WINWORD.EXE
1084 WINWORD.EXE

pid	process
1084	WINWORD.EXE
1084	WINWORD.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EQNEDT32.EXEprincedan85671.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1740 wrote to memory of 760	1740	EQNEDT32.EXE	princedan85671.exe
PID 1740 wrote to memory of 760	1740	EQNEDT32.EXE	princedan85671.exe
PID 1740 wrote to memory of 760	1740	EQNEDT32.EXE	princedan85671.exe
PID 1740 wrote to memory of 760	1740	EQNEDT32.EXE	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 760 wrote to memory of 240	760	princedan85671.exe	princedan85671.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1264 wrote to memory of 1896	1264	Explorer.EXE	cmstp.exe
PID 1896 wrote to memory of 2004	1896	cmstp.exe	cmd.exe
PID 1896 wrote to memory of 2004	1896	cmstp.exe	cmd.exe
PID 1896 wrote to memory of 2004	1896	cmstp.exe	cmd.exe
PID 1896 wrote to memory of 2004	1896	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QUOTATION#1100630004R2.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1620

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:788

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:632

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1724

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1792

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1736

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1708

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1752

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:792

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1612

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1164

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1408

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\princedan85671.exe"
3⤵
PID:2004

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\princedan85671.exe
"C:\Users\Admin\AppData\Roaming\princedan85671.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
C:\Users\Admin\AppData\Local\Temp\princedan85671.exe vgyjnbhui
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
C:\Users\Admin\AppData\Roaming\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Local\Temp\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
\Users\Admin\AppData\Roaming\princedan85671.exe
MD5
0e715db2198ff670f4bf0e88e0e9b547

SHA1
2de5030a9261655e5879e4faba7b5e79d1dd483e

SHA256
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98

SHA512
8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Download Submit
memory/240-79-0x000000000041EB90-mapping.dmp

Download
memory/240-82-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/240-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/240-84-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/240-81-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/760-68-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/760-70-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/760-71-0x0000000000B90000-0x0000000000BF1000-memory.dmp

Filesize
388KB

Download
memory/760-76-0x0000000005190000-0x0000000005202000-memory.dmp

Filesize
456KB

Download
memory/760-65-0x0000000000000000-mapping.dmp

Download
memory/1084-62-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1084-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1084-59-0x0000000072FC1000-0x0000000072FC4000-memory.dmp

Filesize
12KB

Download
memory/1084-60-0x0000000070A41000-0x0000000070A43000-memory.dmp

Filesize
8KB

Download
memory/1264-83-0x0000000004120000-0x0000000004243000-memory.dmp

Filesize
1.1MB

Download
memory/1264-85-0x00000000072D0000-0x0000000007415000-memory.dmp

Filesize
1.3MB

Download
memory/1896-86-0x0000000000000000-mapping.dmp

Download
memory/1896-88-0x0000000000B70000-0x0000000000B88000-memory.dmp

Filesize
96KB

Download
memory/1896-89-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/1896-92-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/1896-93-0x0000000000930000-0x00000000009C3000-memory.dmp

Filesize
588KB

Download
memory/2004-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads