Overview

overview

10

Static

static

1

8f6f20b980...86.rtf

windows7-x64

10

8f6f20b980...86.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2023 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f6f20b9800cc3739e08c986979fe886.rtf

  • Size

    27KB

  • MD5

    8f6f20b9800cc3739e08c986979fe886

  • SHA1

    945fc5d51604afd6e92c84fac68e336680d37abc

  • SHA256

    4fe0591d0c5bd1f27e2a384aa171139b371847c545e9eae6e7bc6269a954a58b

  • SHA512

    e5a31cf4eb09b45990de61527c98a3bb5726ce52bd9b103535bb347d18e60943b1d12d73f7aec23a6b214abb0cad952aec560ccb71064b131254018ecf646b71

  • SSDEEP

    768:DHe6wuA/+TFngTG1tl2qGOQP0u2kPdU8S7C5G3fljgBQ/sp:DHOuA/+TFngC1u2kl7wm7p

Score
10/10
formbookxchuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xchu

Decoy

zcartoons.com

castilloshowroom.com

3bmmdtod.life

misaxoxo.com

nadiya.online

sykkbup29.xyz

triciaaprimrosevp.com

newleter.com

ptzslk.xyz

lightbulbfestival.com

texaslandline.com

ideeintemporelle.com

girljustdoitpodcast.com

medimediamarketing.com

bunk7outfitters.com

charlievgrfminnick.click

lifestyleinthehome.com

atfbestsale.online

frontdoorproperties.co.uk

grandpaswag2024.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 12 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8f6f20b9800cc3739e08c986979fe886.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1440
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Public\clean_registry.exe"
          3⤵
            PID:692
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Users\Public\clean_registry.exe
          "C:\Users\Public\clean_registry.exe"
          2⤵
          • Checks QEMU agent file
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Users\Public\clean_registry.exe
            "C:\Users\Public\clean_registry.exe"
            3⤵
            • Checks QEMU agent file
            • Loads dropped DLL
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1140

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        5e0884726fdc8b5cb9dfe2341f76f265

        SHA1

        138ea225f9cdb855fcbcb78cf4b04f8d2e7a4563

        SHA256

        a23eb3890288f6f6d68c23214f2d8221007a4134fc62ba74a7e1ce02581b52e8

        SHA512

        fb07e23ba0976452b6cccbfe3fd0df54e88ca06dc834b85d30be89ec20d9fbde3c21ec52daf92b3363c81a6aada4767042ab7a9868d02e9fc0ce17256c0d551f

        Download Submit
      • C:\Users\Public\clean_registry.exe
        Filesize

        280KB

        MD5

        c6d2ae33edf3d67a0c2abe42836c2874

        SHA1

        c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3

        SHA256

        4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2

        SHA512

        444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

        Download Submit
      • C:\Users\Public\clean_registry.exe
        Filesize

        280KB

        MD5

        c6d2ae33edf3d67a0c2abe42836c2874

        SHA1

        c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3

        SHA256

        4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2

        SHA512

        444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

        Download Submit
      • C:\Users\Public\clean_registry.exe
        Filesize

        280KB

        MD5

        c6d2ae33edf3d67a0c2abe42836c2874

        SHA1

        c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3

        SHA256

        4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2

        SHA512

        444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

        Download Submit
      • C:\Users\Public\clean_registry.exe
        Filesize

        280KB

        MD5

        c6d2ae33edf3d67a0c2abe42836c2874

        SHA1

        c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3

        SHA256

        4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2

        SHA512

        444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

        Download Submit
      • \Users\Admin\AppData\Local\Temp\nsd538E.tmp\System.dll
        Filesize

        11KB

        MD5

        0063d48afe5a0cdc02833145667b6641

        SHA1

        e7eb614805d183ecb1127c62decb1a6be1b4f7a8

        SHA256

        ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

        SHA512

        71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

        Download Submit
      • \Users\Public\clean_registry.exe
        Filesize

        280KB

        MD5

        c6d2ae33edf3d67a0c2abe42836c2874

        SHA1

        c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3

        SHA256

        4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2

        SHA512

        444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

        Download Submit
      • \Users\Public\clean_registry.exe
        Filesize

        280KB

        MD5

        c6d2ae33edf3d67a0c2abe42836c2874

        SHA1

        c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3

        SHA256

        4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2

        SHA512

        444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

        Download Submit
      • memory/884-101-0x00000000009C0000-0x0000000000CC3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/884-95-0x00000000006D0000-0x00000000006D6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/884-122-0x0000000000320000-0x00000000003B3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/884-103-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/884-98-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/884-97-0x00000000006D0000-0x00000000006D6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1140-91-0x0000000036890000-0x00000000368A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1140-93-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1140-84-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1140-89-0x0000000036BE0000-0x0000000036EE3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1140-88-0x0000000001470000-0x00000000068D4000-memory.dmp
        Filesize

        84.4MB

        Download
      • memory/1140-96-0x0000000001470000-0x00000000068D4000-memory.dmp
        Filesize

        84.4MB

        Download
      • memory/1140-87-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1140-83-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1140-85-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1208-124-0x0000000004AB0000-0x0000000004B52000-memory.dmp
        Filesize

        648KB

        Download
      • memory/1208-92-0x0000000003D50000-0x0000000003E14000-memory.dmp
        Filesize

        784KB

        Download
      • memory/1208-127-0x0000000004AB0000-0x0000000004B52000-memory.dmp
        Filesize

        648KB

        Download
      • memory/1208-123-0x0000000004AB0000-0x0000000004B52000-memory.dmp
        Filesize

        648KB

        Download
      • memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2024-121-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download