formbook | e68ea041c96b370e4d00b77da341aef26e7e25403198f5a49e9f9e310f66dc90

General

Target

order703233.xls
Size

1.1MB
MD5

8cc4e73f5ceb73680f5f59b09997d8a3
SHA1

263fb5f059b972f779b4f5d14fb8e674a5b6c799
SHA256

e68ea041c96b370e4d00b77da341aef26e7e25403198f5a49e9f9e310f66dc90
SHA512

6dc39b4d0065b9bddd34ee65bd2369fd61d6b14fe4e2dd69aefca48ace7b6b974fb8c151b85d7bc50ceebe44b935b15358126cf876e95720da975e76fb792613
SSDEEP

24576:Ez0w6sYz+o0xfsjcUos+xKXw6s5zDo0xfsjcUos+xKN3tYjYqJP46w7B:ET6sYOxfsjdos+xKA6s5Txfsjdos+xKp

Score

10^/10

formbook m42i persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m42i

Decoy

kosporttraining.com

z19zgcn.site

kaka225.click

85471xii.net

iuplqle.xyz

bengtsberg.net

bk2y0rmx.site

hotspudqec.space

dreamshospital.com

studio-glinka.com

garotosdatv1.online

au-t-global.com

0kxm.com

medsuppanam.com

sameypaige.com

osstshirts.com

xkrujqqo.shop

hk2r.top

rakebacksites.com

ledxiu.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/3036-78-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3036-83-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1328-91-0x00000000001C0000-0x00000000001EF000-memory.dmp	formbook
behavioral1/memory/1328-93-0x00000000001C0000-0x00000000001EF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2236	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2008	RegEdits.exe
3036	RegEdits.exe

Loads dropped DLL 3 IoCs

pid	Process
2236	EQNEDT32.EXE
2008	RegEdits.exe
2008	RegEdits.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\Run\yyienjsscxxhqq = "C:\\Users\\Admin\\AppData\\Roaming\\iiqaavf\\fbkktp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RegEdits.exe\" "	RegEdits.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 3036	2008	RegEdits.exe	32
PID 3036 set thread context of 1248	3036	RegEdits.exe	12
PID 1328 set thread context of 1248	1328	cscript.exe	12

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2236	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
612	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3036	RegEdits.exe
3036	RegEdits.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe
1328	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2008	RegEdits.exe
3036	RegEdits.exe
3036	RegEdits.exe
3036	RegEdits.exe
1328	cscript.exe
1328	cscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	RegEdits.exe
Token: SeDebugPrivilege	1328	cscript.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
612	EXCEL.EXE
612	EXCEL.EXE
612	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2008	2236	EQNEDT32.EXE	31
PID 2236 wrote to memory of 2008	2236	EQNEDT32.EXE	31
PID 2236 wrote to memory of 2008	2236	EQNEDT32.EXE	31
PID 2236 wrote to memory of 2008	2236	EQNEDT32.EXE	31
PID 2008 wrote to memory of 3036	2008	RegEdits.exe	32
PID 2008 wrote to memory of 3036	2008	RegEdits.exe	32
PID 2008 wrote to memory of 3036	2008	RegEdits.exe	32
PID 2008 wrote to memory of 3036	2008	RegEdits.exe	32
PID 2008 wrote to memory of 3036	2008	RegEdits.exe	32
PID 1248 wrote to memory of 1328	1248	Explorer.EXE	33
PID 1248 wrote to memory of 1328	1248	Explorer.EXE	33
PID 1248 wrote to memory of 1328	1248	Explorer.EXE	33
PID 1248 wrote to memory of 1328	1248	Explorer.EXE	33
PID 1328 wrote to memory of 768	1328	cscript.exe	35
PID 1328 wrote to memory of 768	1328	cscript.exe	35
PID 1328 wrote to memory of 768	1328	cscript.exe	35
PID 1328 wrote to memory of 768	1328	cscript.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\order703233.xls
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:612
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RegEdits.exe"
    3⤵
    PID:768

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\RegEdits.exe
  "C:\Users\Admin\AppData\Local\Temp\RegEdits.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\RegEdits.exe
    "C:\Users\Admin\AppData\Local\Temp\RegEdits.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B2CDEF6.emf

Filesize
1.4MB

MD5
476c7c2f309c957f6428d04e94c4f64a

SHA1
f1b0fa252babfb7002dc87069a436ad71bda532f

SHA256
c0da66b866cc999aee20456c2eee3eefc05046b8f5df3755f95fecb85f9f8be5

SHA512
c941fbacc6c98b556ea742538b2f2c61a66be677aa5f97457dfe07ea9652e17fe545ac05740f8ed20b1449fdcf38e97c49fe73ff8d53220a4e8d3e6e3615854e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegEdits.exe

Filesize
352KB

MD5
923b2cf57335ee5730c03f793b9b465a

SHA1
a27545f9f552769d83c2aa846d79cd1252ed7ca3

SHA256
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

SHA512
b4dd59cd556535fed05ad51ad75472fa69cd03964a897bcc3179901dd5d452057b092d190292f3e4d7b5294a8b97ae42ecadc7ee4d26537fdc81b6dd5be1ba96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegEdits.exe

Filesize
352KB

MD5
923b2cf57335ee5730c03f793b9b465a

SHA1
a27545f9f552769d83c2aa846d79cd1252ed7ca3

SHA256
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

SHA512
b4dd59cd556535fed05ad51ad75472fa69cd03964a897bcc3179901dd5d452057b092d190292f3e4d7b5294a8b97ae42ecadc7ee4d26537fdc81b6dd5be1ba96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegEdits.exe

Filesize
352KB

MD5
923b2cf57335ee5730c03f793b9b465a

SHA1
a27545f9f552769d83c2aa846d79cd1252ed7ca3

SHA256
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

SHA512
b4dd59cd556535fed05ad51ad75472fa69cd03964a897bcc3179901dd5d452057b092d190292f3e4d7b5294a8b97ae42ecadc7ee4d26537fdc81b6dd5be1ba96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegEdits.exe

Filesize
352KB

MD5
923b2cf57335ee5730c03f793b9b465a

SHA1
a27545f9f552769d83c2aa846d79cd1252ed7ca3

SHA256
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

SHA512
b4dd59cd556535fed05ad51ad75472fa69cd03964a897bcc3179901dd5d452057b092d190292f3e4d7b5294a8b97ae42ecadc7ee4d26537fdc81b6dd5be1ba96

Download Submit
\Users\Admin\AppData\Local\Temp\RegEdits.exe

Filesize
352KB

MD5
923b2cf57335ee5730c03f793b9b465a

SHA1
a27545f9f552769d83c2aa846d79cd1252ed7ca3

SHA256
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

SHA512
b4dd59cd556535fed05ad51ad75472fa69cd03964a897bcc3179901dd5d452057b092d190292f3e4d7b5294a8b97ae42ecadc7ee4d26537fdc81b6dd5be1ba96

Download Submit
\Users\Admin\AppData\Local\Temp\RegEdits.exe

Filesize
352KB

MD5
923b2cf57335ee5730c03f793b9b465a

SHA1
a27545f9f552769d83c2aa846d79cd1252ed7ca3

SHA256
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

SHA512
b4dd59cd556535fed05ad51ad75472fa69cd03964a897bcc3179901dd5d452057b092d190292f3e4d7b5294a8b97ae42ecadc7ee4d26537fdc81b6dd5be1ba96

Download Submit
\Users\Admin\AppData\Local\Temp\nso4434.tmp\heqtnvfb.dll

Filesize
277KB

MD5
742832ba3c099d07751e6405cac76dd4

SHA1
42eb205c6f3a3b11bb1df8b2e1e8ae1e1505770d

SHA256
307825cea8af6c41025578bbc6272e561579c38c2caad845453cfc9008c04932

SHA512
3f98b2532ba399cba00132a4d7bca493ec6b0d1627c5d2b0b977ba4c7c0a8fc6ca43bf994f0fcee35655219a80bd77844b3c65c8d2e8d351edae7308d2c3b0ff

Download Submit
memory/612-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/612-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1248-81-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/1248-101-0x00000000072C0000-0x00000000073E2000-memory.dmp

Filesize
1.1MB

Download
memory/1248-98-0x00000000072C0000-0x00000000073E2000-memory.dmp

Filesize
1.1MB

Download
memory/1248-86-0x0000000007060000-0x0000000007203000-memory.dmp

Filesize
1.6MB

Download
memory/1248-97-0x00000000072C0000-0x00000000073E2000-memory.dmp

Filesize
1.1MB

Download
memory/1328-93-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1328-91-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1328-92-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/1328-90-0x0000000000470000-0x0000000000492000-memory.dmp

Filesize
136KB

Download
memory/1328-95-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/1328-88-0x0000000000470000-0x0000000000492000-memory.dmp

Filesize
136KB

Download
memory/3036-85-0x0000000000340000-0x0000000000355000-memory.dmp

Filesize
84KB

Download
memory/3036-84-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/3036-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing