formbook | 2187745dcc704a8e203aa138a9a6f63f1ffe5ebb08129899cdec638ab48b7e41

General

Target

fdd8c54cb9c4249532e2e00910c8ff36.rtf
Size

43KB
MD5

fdd8c54cb9c4249532e2e00910c8ff36
SHA1

a63ab26f4adde349872fd4785449b76d74f8592c
SHA256

2187745dcc704a8e203aa138a9a6f63f1ffe5ebb08129899cdec638ab48b7e41
SHA512

62266f92bd5bb49545b6db4a5e4ae357e564762c89757580b7e0ea9b63bf6800e17df5a2ef503ed11b43ec49feede9ac51def550d141deb3b8467012445152bd
SSDEEP

768:EFx0XaIsnPRIa4fwJMrwEm2eY+UIAntUvQTd9zS4VDPThO0af7oK:Ef0Xvx3EMcEBeynxHzS49PVO0ajoK

Score

10^/10

formbook mf6w rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mf6w

Decoy

shiftfailure.com

wjfglobal.com

gongfuteahouse.com

kocaalivilla.com

atlheadshotphoto.com

dppop.com

padokhep.com

localventuremarketing.com

5zh3ang.com

okminisip.com

houseofmanus.com

6339777.com

fabitgood.com

yaboleyuvip9.com

abbia-group.com

tearsofthekingdomrecipes.com

ukpornagency.com

hangar18lab.com

diamond-manpower.com

yourfrancoach.com

Extracted

Family

formbook

Campaign

mf6w

Decoy

shiftfailure.com

wjfglobal.com

gongfuteahouse.com

kocaalivilla.com

atlheadshotphoto.com

dppop.com

padokhep.com

localventuremarketing.com

5zh3ang.com

okminisip.com

houseofmanus.com

6339777.com

fabitgood.com

yaboleyuvip9.com

abbia-group.com

tearsofthekingdomrecipes.com

ukpornagency.com

hangar18lab.com

diamond-manpower.com

yourfrancoach.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2912-81-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2644-86-0x00000000027F0000-0x0000000002830000-memory.dmp	formbook
behavioral1/memory/2912-91-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2912-95-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2604-97-0x0000000000110000-0x000000000013F000-memory.dmp	formbook
behavioral1/memory/2604-99-0x0000000000110000-0x000000000013F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1140	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2000	maxdn5871.exe
2912	maxdn5871.exe

Loads dropped DLL 1 IoCs

pid	Process
1140	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2912	2000	maxdn5871.exe	36
PID 2912 set thread context of 1248	2912	maxdn5871.exe	20
PID 2912 set thread context of 1248	2912	maxdn5871.exe	20
PID 2604 set thread context of 1248	2604	svchost.exe	20

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1140	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
852	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2644	powershell.exe
2912	maxdn5871.exe
2912	maxdn5871.exe
2912	maxdn5871.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2912	maxdn5871.exe
2912	maxdn5871.exe
2912	maxdn5871.exe
2912	maxdn5871.exe
2604	svchost.exe
2604	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2912	maxdn5871.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
852	WINWORD.EXE
852	WINWORD.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2000	1140	EQNEDT32.EXE	30
PID 1140 wrote to memory of 2000	1140	EQNEDT32.EXE	30
PID 1140 wrote to memory of 2000	1140	EQNEDT32.EXE	30
PID 1140 wrote to memory of 2000	1140	EQNEDT32.EXE	30
PID 852 wrote to memory of 1680	852	WINWORD.EXE	33
PID 852 wrote to memory of 1680	852	WINWORD.EXE	33
PID 852 wrote to memory of 1680	852	WINWORD.EXE	33
PID 852 wrote to memory of 1680	852	WINWORD.EXE	33
PID 2000 wrote to memory of 2644	2000	maxdn5871.exe	34
PID 2000 wrote to memory of 2644	2000	maxdn5871.exe	34
PID 2000 wrote to memory of 2644	2000	maxdn5871.exe	34
PID 2000 wrote to memory of 2644	2000	maxdn5871.exe	34
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 2000 wrote to memory of 2912	2000	maxdn5871.exe	36
PID 1248 wrote to memory of 2604	1248	Explorer.EXE	37
PID 1248 wrote to memory of 2604	1248	Explorer.EXE	37
PID 1248 wrote to memory of 2604	1248	Explorer.EXE	37
PID 1248 wrote to memory of 2604	1248	Explorer.EXE	37
PID 2604 wrote to memory of 2504	2604	svchost.exe	38
PID 2604 wrote to memory of 2504	2604	svchost.exe	38
PID 2604 wrote to memory of 2504	2604	svchost.exe	38
PID 2604 wrote to memory of 2504	2604	svchost.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fdd8c54cb9c4249532e2e00910c8ff36.rtf"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1680
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\maxdn5871.exe"
    3⤵
    PID:2504

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Roaming\maxdn5871.exe
  "C:\Users\Admin\AppData\Roaming\maxdn5871.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\maxdn5871.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Users\Admin\AppData\Roaming\maxdn5871.exe
    "C:\Users\Admin\AppData\Roaming\maxdn5871.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
662618042be95150af1d413d50ad52cf

SHA1
8b1c12f4abfb39c9fa73e61bb8fa009e777e8631

SHA256
ac0ecdfe3dd5b563235db8cfd087034b8d638a730f34a42a2067cea217b59f6c

SHA512
e9e566dc31f287b7038b0d0f9244193a158e32ea8496f9f75f6d1dd42dfc843234426ec0a33898cdef3e65ce09936e31d03687d87ed166edc2b9651e762d7b7c

Download Submit
C:\Users\Admin\AppData\Roaming\maxdn5871.exe

Filesize
659KB

MD5
2a86cd3c0f52f11b0f3f89a6c9ee472a

SHA1
674357cff08015d1afa76df35bb3c816a63ddf23

SHA256
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e

SHA512
3a59d607f0ea8560543dbaae46ccc9acb7037cd76773ba09ebf9ade48518e9b5c39221850383331c5af73a3849aff7bec2ce267d62f899201b9dc8dc1c3c6010

Download Submit
C:\Users\Admin\AppData\Roaming\maxdn5871.exe

Filesize
659KB

MD5
2a86cd3c0f52f11b0f3f89a6c9ee472a

SHA1
674357cff08015d1afa76df35bb3c816a63ddf23

SHA256
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e

SHA512
3a59d607f0ea8560543dbaae46ccc9acb7037cd76773ba09ebf9ade48518e9b5c39221850383331c5af73a3849aff7bec2ce267d62f899201b9dc8dc1c3c6010

Download Submit
C:\Users\Admin\AppData\Roaming\maxdn5871.exe

Filesize
659KB

MD5
2a86cd3c0f52f11b0f3f89a6c9ee472a

SHA1
674357cff08015d1afa76df35bb3c816a63ddf23

SHA256
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e

SHA512
3a59d607f0ea8560543dbaae46ccc9acb7037cd76773ba09ebf9ade48518e9b5c39221850383331c5af73a3849aff7bec2ce267d62f899201b9dc8dc1c3c6010

Download Submit
C:\Users\Admin\AppData\Roaming\maxdn5871.exe

Filesize
659KB

MD5
2a86cd3c0f52f11b0f3f89a6c9ee472a

SHA1
674357cff08015d1afa76df35bb3c816a63ddf23

SHA256
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e

SHA512
3a59d607f0ea8560543dbaae46ccc9acb7037cd76773ba09ebf9ade48518e9b5c39221850383331c5af73a3849aff7bec2ce267d62f899201b9dc8dc1c3c6010

Download Submit
\Users\Admin\AppData\Roaming\maxdn5871.exe

Filesize
659KB

MD5
2a86cd3c0f52f11b0f3f89a6c9ee472a

SHA1
674357cff08015d1afa76df35bb3c816a63ddf23

SHA256
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e

SHA512
3a59d607f0ea8560543dbaae46ccc9acb7037cd76773ba09ebf9ade48518e9b5c39221850383331c5af73a3849aff7bec2ce267d62f899201b9dc8dc1c3c6010

Download Submit
memory/852-126-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/852-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1248-127-0x0000000004CD0000-0x0000000004D87000-memory.dmp

Filesize
732KB

Download
memory/1248-129-0x0000000004CD0000-0x0000000004D87000-memory.dmp

Filesize
732KB

Download
memory/1248-90-0x00000000071D0000-0x00000000072B7000-memory.dmp

Filesize
924KB

Download
memory/1248-125-0x0000000004CD0000-0x0000000004D87000-memory.dmp

Filesize
732KB

Download
memory/1248-93-0x00000000088E0000-0x00000000089E3000-memory.dmp

Filesize
1.0MB

Download
memory/2000-76-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2000-77-0x00000000057A0000-0x0000000005818000-memory.dmp

Filesize
480KB

Download
memory/2000-74-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2000-69-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2000-68-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2000-66-0x0000000000A40000-0x0000000000AEA000-memory.dmp

Filesize
680KB

Download
memory/2604-97-0x0000000000110000-0x000000000013F000-memory.dmp

Filesize
188KB

Download
memory/2604-101-0x00000000005A0000-0x0000000000634000-memory.dmp

Filesize
592KB

Download
memory/2604-99-0x0000000000110000-0x000000000013F000-memory.dmp

Filesize
188KB

Download
memory/2604-98-0x00000000006C0000-0x00000000009C3000-memory.dmp

Filesize
3.0MB

Download
memory/2604-96-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2604-94-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2644-87-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2644-86-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2912-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-89-0x00000000001A0000-0x00000000001B5000-memory.dmp

Filesize
84KB

Download
memory/2912-88-0x0000000000AF0000-0x0000000000DF3000-memory.dmp

Filesize
3.0MB

Download
memory/2912-92-0x00000000001E0000-0x00000000001F5000-memory.dmp

Filesize
84KB

Download
memory/2912-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads