formbook | 90546a3e111449c78cf6bf0d4955235a4e6a1dbbd63d398df5037af4c83512ad

General

Target

Order Confirmation_AW06846590.xlsx
Size

1.9MB
MD5

93b2589a476be0ed105c0522952b7184
SHA1

4d5ac891d6d8277d8babf4b063200386df057008
SHA256

90546a3e111449c78cf6bf0d4955235a4e6a1dbbd63d398df5037af4c83512ad
SHA512

dcfb163f66d635e50949143811cb9f6411440ced9cfeea6083d0ef581df096275aeed41800d3e2b3c22676f06f91c153ac92ba5cf06c1c3da7ef0016de8c0a5d
SSDEEP

24576:oYCz3zxQUcyfUELdvcKdzAxLP4a+3kpUHErAjRrd35ypIhiYxEaQOmMFMf8A55:BCz3a1tovcykxRTAjHs+/QwdA55

Score

10^/10

formbook dh08 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dh08

Decoy

lhmontajes.com

thomasholiday.com

onlinerscor.site

shadowstudiofx.com

velasdemieldeabeja.com

zerotoherobudgeting.com

hw158990.vip

xvzcjp.sbs

polaski-loamaz.info

4zx1le.cfd

bronzemember.club

nevadajacoby.shop

mmmms78.top

toolnetic.shop

sabongcash.asia

espiralconhecimento.com

ftscwj.com

1wpdip.top

scap.site

marineaccidentlawyer.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2308-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2308-78-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2504-87-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2504-89-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2912	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2860	word.exe
2308	word.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	EQNEDT32.EXE
2860	word.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2308	2860	word.exe	30
PID 2308 set thread context of 1352	2308	word.exe	11
PID 2504 set thread context of 1352	2504	ipconfig.exe	11

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2504	ipconfig.exe

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2912	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1800	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2308	word.exe
2308	word.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe
2504	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1352	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2860	word.exe
2308	word.exe
2308	word.exe
2308	word.exe
2504	ipconfig.exe
2504	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	word.exe
Token: SeDebugPrivilege	2504	ipconfig.exe
Token: SeShutdownPrivilege	1352	Explorer.EXE
Token: SeShutdownPrivilege	1352	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2860	2912	EQNEDT32.EXE	29
PID 2912 wrote to memory of 2860	2912	EQNEDT32.EXE	29
PID 2912 wrote to memory of 2860	2912	EQNEDT32.EXE	29
PID 2912 wrote to memory of 2860	2912	EQNEDT32.EXE	29
PID 2860 wrote to memory of 2308	2860	word.exe	30
PID 2860 wrote to memory of 2308	2860	word.exe	30
PID 2860 wrote to memory of 2308	2860	word.exe	30
PID 2860 wrote to memory of 2308	2860	word.exe	30
PID 2860 wrote to memory of 2308	2860	word.exe	30
PID 1352 wrote to memory of 2504	1352	Explorer.EXE	33
PID 1352 wrote to memory of 2504	1352	Explorer.EXE	33
PID 1352 wrote to memory of 2504	1352	Explorer.EXE	33
PID 1352 wrote to memory of 2504	1352	Explorer.EXE	33
PID 2504 wrote to memory of 852	2504	ipconfig.exe	34
PID 2504 wrote to memory of 852	2504	ipconfig.exe	34
PID 2504 wrote to memory of 852	2504	ipconfig.exe	34
PID 2504 wrote to memory of 852	2504	ipconfig.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order Confirmation_AW06846590.xlsx"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\word.exe"
    3⤵
    PID:852

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Roaming\word.exe
    "C:\Users\Admin\AppData\Roaming\word.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd86ED.tmp\fzawrfns.dll

Filesize
68KB

MD5
2c5a961db492972b7cf950fdea40f820

SHA1
9fa3f69ff20ecf2c5ad7b40973e29f36f2ff1ea9

SHA256
de9eeb89373941336f8b935ef49803446a7dd11f2fdfb833b65e16571db1576d

SHA512
d361ad562cd3bb4406cd64e4b90c8a9206a1fbf665c5288ddc0673015e8ee32e06b8c87f8b3854431468401a2c63b084ddd1c3480ecb42c66a1bcb193f8cc02e

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
289KB

MD5
d534b629964d561e1e0deccf08ff6687

SHA1
f8b13d33da7f4c4aef01a63a306e8cda2b3e154e

SHA256
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895

SHA512
54ada4b0990d36a3c9c6b6d5d79c64ee0d6ff55ccafadbbf4d5e03a848379ef4bcca6d9e90793cff85cfc67d0582ff7279a72b9ca71c0b6d0914e9d73a00c47e

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
289KB

MD5
d534b629964d561e1e0deccf08ff6687

SHA1
f8b13d33da7f4c4aef01a63a306e8cda2b3e154e

SHA256
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895

SHA512
54ada4b0990d36a3c9c6b6d5d79c64ee0d6ff55ccafadbbf4d5e03a848379ef4bcca6d9e90793cff85cfc67d0582ff7279a72b9ca71c0b6d0914e9d73a00c47e

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
289KB

MD5
d534b629964d561e1e0deccf08ff6687

SHA1
f8b13d33da7f4c4aef01a63a306e8cda2b3e154e

SHA256
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895

SHA512
54ada4b0990d36a3c9c6b6d5d79c64ee0d6ff55ccafadbbf4d5e03a848379ef4bcca6d9e90793cff85cfc67d0582ff7279a72b9ca71c0b6d0914e9d73a00c47e

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
289KB

MD5
d534b629964d561e1e0deccf08ff6687

SHA1
f8b13d33da7f4c4aef01a63a306e8cda2b3e154e

SHA256
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895

SHA512
54ada4b0990d36a3c9c6b6d5d79c64ee0d6ff55ccafadbbf4d5e03a848379ef4bcca6d9e90793cff85cfc67d0582ff7279a72b9ca71c0b6d0914e9d73a00c47e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd86ED.tmp\fzawrfns.dll

Filesize
68KB

MD5
2c5a961db492972b7cf950fdea40f820

SHA1
9fa3f69ff20ecf2c5ad7b40973e29f36f2ff1ea9

SHA256
de9eeb89373941336f8b935ef49803446a7dd11f2fdfb833b65e16571db1576d

SHA512
d361ad562cd3bb4406cd64e4b90c8a9206a1fbf665c5288ddc0673015e8ee32e06b8c87f8b3854431468401a2c63b084ddd1c3480ecb42c66a1bcb193f8cc02e

Download Submit
\Users\Admin\AppData\Roaming\word.exe

Filesize
289KB

MD5
d534b629964d561e1e0deccf08ff6687

SHA1
f8b13d33da7f4c4aef01a63a306e8cda2b3e154e

SHA256
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895

SHA512
54ada4b0990d36a3c9c6b6d5d79c64ee0d6ff55ccafadbbf4d5e03a848379ef4bcca6d9e90793cff85cfc67d0582ff7279a72b9ca71c0b6d0914e9d73a00c47e

Download Submit
memory/1352-81-0x0000000006B00000-0x0000000006C89000-memory.dmp

Filesize
1.5MB

Download
memory/1352-90-0x0000000006B00000-0x0000000006C89000-memory.dmp

Filesize
1.5MB

Download
memory/1352-99-0x0000000006C90000-0x0000000006E0B000-memory.dmp

Filesize
1.5MB

Download
memory/1352-97-0x0000000006C90000-0x0000000006E0B000-memory.dmp

Filesize
1.5MB

Download
memory/1352-79-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/1352-96-0x0000000006C90000-0x0000000006E0B000-memory.dmp

Filesize
1.5MB

Download
memory/1800-107-0x000000007399D000-0x00000000739A8000-memory.dmp

Filesize
44KB

Download
memory/1800-55-0x000000007399D000-0x00000000739A8000-memory.dmp

Filesize
44KB

Download
memory/1800-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1800-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1800-82-0x000000007399D000-0x00000000739A8000-memory.dmp

Filesize
44KB

Download
memory/2308-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-80-0x0000000000340000-0x0000000000355000-memory.dmp

Filesize
84KB

Download
memory/2308-76-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/2308-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-86-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2504-87-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2504-88-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/2504-89-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2504-83-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2504-92-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/2860-72-0x000000006CA20000-0x000000006CA36000-memory.dmp

Filesize
88KB

Download
memory/2860-75-0x000000006CA20000-0x000000006CA36000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads