formbook | 2cf1aa6e42a4116110b4b054b7e44b889a5cec40916393883c6bec4388e5599f

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03/08/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf1aa6e42a4116110b4b054b7e44b889a5cec40916393883c6bec4388e5599fdoc_JC.docx
Size

11KB
MD5

57e9d1f10761c88a94a5c67152c0116f
SHA1

0f5348591d5609f69fa322c2a25c997fbd401185
SHA256

2cf1aa6e42a4116110b4b054b7e44b889a5cec40916393883c6bec4388e5599f
SHA512

59336427b1da3f5b37083fcfc41da6faf7d51ca7799ec121dbb96749a4ffb0976b236531c24567932c6b6d31f083e1da63e769f682479674a0a7dce4b8e6f837
SSDEEP

192:qya0Ne0vGWo4N5eNA2A+EnVs+mg1SoBaJYKO36PvXKuhHY9zcWeseqn:qyXe0vGWou5+A2bkBdBaJYKOqP9h49zn

Score

10^/10

formbook oy30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy

rfc234.top

danielcavalari.com

elperegrinocabo.com

aryor.info

surelistening.com

premium-numero-telf.buzz

orlynyml.click

tennislovers-ro.com

holdmytracker.com

eewapay.com

jaimesinstallglass.com

damactrade.net

swapspecialities.com

perfumesrffd.today

salesfactory.pro

supportive-solutions.com

naiol.com

khoyr.com

kalendeargpt44.com

web-tech-spb.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2496-180-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2496-185-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2496-189-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2092-197-0x0000000000120000-0x000000000014F000-memory.dmp	formbook
behavioral1/memory/2092-199-0x0000000000120000-0x000000000014F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2756	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
572	obihgj57848.exe
1348	obihgj57848.exe
2496	obihgj57848.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	EQNEDT32.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 572 set thread context of 2496	572	obihgj57848.exe	37
PID 2496 set thread context of 1228	2496	obihgj57848.exe	21
PID 2496 set thread context of 1228	2496	obihgj57848.exe	21
PID 2092 set thread context of 1228	2092	msiexec.exe	21

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2756	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2192	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
572	obihgj57848.exe
572	obihgj57848.exe
2496	obihgj57848.exe
2496	obihgj57848.exe
2496	obihgj57848.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2496	obihgj57848.exe
2496	obihgj57848.exe
2496	obihgj57848.exe
2496	obihgj57848.exe
2092	msiexec.exe
2092	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	obihgj57848.exe
Token: SeDebugPrivilege	2496	obihgj57848.exe
Token: SeDebugPrivilege	2092	msiexec.exe
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeShutdownPrivilege	2192	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2192	WINWORD.EXE
2192	WINWORD.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 572	2756	EQNEDT32.EXE	29
PID 2756 wrote to memory of 572	2756	EQNEDT32.EXE	29
PID 2756 wrote to memory of 572	2756	EQNEDT32.EXE	29
PID 2756 wrote to memory of 572	2756	EQNEDT32.EXE	29
PID 2192 wrote to memory of 532	2192	WINWORD.EXE	35
PID 2192 wrote to memory of 532	2192	WINWORD.EXE	35
PID 2192 wrote to memory of 532	2192	WINWORD.EXE	35
PID 2192 wrote to memory of 532	2192	WINWORD.EXE	35
PID 572 wrote to memory of 1348	572	obihgj57848.exe	36
PID 572 wrote to memory of 1348	572	obihgj57848.exe	36
PID 572 wrote to memory of 1348	572	obihgj57848.exe	36
PID 572 wrote to memory of 1348	572	obihgj57848.exe	36
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 572 wrote to memory of 2496	572	obihgj57848.exe	37
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 1228 wrote to memory of 2092	1228	Explorer.EXE	38
PID 2092 wrote to memory of 1660	2092	msiexec.exe	39
PID 2092 wrote to memory of 1660	2092	msiexec.exe	39
PID 2092 wrote to memory of 1660	2092	msiexec.exe	39
PID 2092 wrote to memory of 1660	2092	msiexec.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2cf1aa6e42a4116110b4b054b7e44b889a5cec40916393883c6bec4388e5599fdoc_JC.docx"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:532
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
    3⤵
    PID:1660

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Roaming\obihgj57848.exe
  "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Roaming\obihgj57848.exe
    "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
    3⤵
    - Executes dropped EXE
    PID:1348
- - C:\Users\Admin\AppData\Roaming\obihgj57848.exe
    "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A1079F38-BEE5-48A6-A9E4-66D08C20C12E}.FSD

Filesize
128KB

MD5
425fc1dd5b2aba98db62b82c30eba9ef

SHA1
a92ef95a905f3160751bc1a94a084582b0f9d9af

SHA256
27ad3148c590c69c9e35e07a961e6e6c1c9e3a4799a2173086832396e6837c52

SHA512
0f9ab5081c809c5ee32e2f8194b3546036284c671dc8104794843005fb788aaaa2e662ba9660392571dbd3b36626cd86b02ff9912cb74c434aa8cddec9c9e58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
cc79f271d8a54142fa334a0eb1c9ab45

SHA1
a545d10880ba035a6c227d8aaf18f708abca3639

SHA256
b8be296108731043ffb9a716790e2378a84c4343d1d2015dffe3adcb4f7834e1

SHA512
494daf684815f640fddd32991ca9d9e4c592b0151a2f41e6608448edd86c6ed5b552d7fa50260f17b32820294947a7ccf3a74185137966c53ad9cf83d7d65453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
0a832821a6463efb8cdb7654b4a74bd9

SHA1
1caea7a1269f29f9103adf830e96c54219d7c1ea

SHA256
0f7bc20948ce374ba62f2e4e671af5027999bd8498957d6ad1ac471c9019adef

SHA512
6fcd81c6e2a879bfe9502af1fd9ba65c7a7ce8e8ad759c90c633cb9fd075677e161a1e3fc594f2ab4baa8494ff60a402d7f28864b39106c7ca384ad7b3d32412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\obizx[1].doc

Filesize
50KB

MD5
50dc985e3749a03e19cad19ecf48888e

SHA1
b800887d75f8cfe2f55541e7d201e94e46ca8ab1

SHA256
7604b60990297c5b6f34db41501c0297dbeac0f303377ccc92c4092579b2c846

SHA512
f71edc4d2f9440c66b9acc0e90e36c65d412f4f8b247f6cca1f20137e3ba320a1493e5cca80e2aaaca2610b35e6c960cb0997066c3c921aea63dc61279bb40e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{20B572AE-B35D-48AD-8763-5EA0A2ECCCAB}

Filesize
128KB

MD5
1e5cb6c664a554441cfbecb50984f195

SHA1
53b61f5bb45a208c181cdc35a66e06a3291ff678

SHA256
c8eef6699da8d70a39ead8507cd4c0b3cfff2bd7fa480459526c7c7940b10291

SHA512
6dd132c25a6df969171784d4130c48546013c836f9c92f20eb99f45825143a6fa64144717b3d2689b0e6daacb87e88f3c053a3505fb828b9313ce50f0d362e43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
603e21a1e4fdff679d7951272132dbde

SHA1
62b495b8e6ed1c7e8fdc8c5c4a08a271b831d226

SHA256
d21577610e2b4d2e17f0df8741b66d95f6bb3ca5e30e45d6ee336c1f907bc8cd

SHA512
0c2c5155c21d68e7f4d285ac9660be98903bfc3bc7b26157a111d24a833bdded6c7c8495dc86e7cc12bc928570a71a3633d8bf4895c9fbfd714b3996be7c6433

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
545KB

MD5
b661633cfae6e392a3994073f6efc706

SHA1
a81a13005df44e605ef3e17c05adb77b009cf774

SHA256
fbfd173952479920e0f3a8aa41bdd2faea86d2de9a7080a023831e4769c94468

SHA512
3c50916a58985027771660e104812cea7920ba374d00f70b92ba788ada61187ed0c7e8f307ad194bbd82564b01cd31dc11af2dbab82bde3701f2e5f6795112d5

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
545KB

MD5
b661633cfae6e392a3994073f6efc706

SHA1
a81a13005df44e605ef3e17c05adb77b009cf774

SHA256
fbfd173952479920e0f3a8aa41bdd2faea86d2de9a7080a023831e4769c94468

SHA512
3c50916a58985027771660e104812cea7920ba374d00f70b92ba788ada61187ed0c7e8f307ad194bbd82564b01cd31dc11af2dbab82bde3701f2e5f6795112d5

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
545KB

MD5
b661633cfae6e392a3994073f6efc706

SHA1
a81a13005df44e605ef3e17c05adb77b009cf774

SHA256
fbfd173952479920e0f3a8aa41bdd2faea86d2de9a7080a023831e4769c94468

SHA512
3c50916a58985027771660e104812cea7920ba374d00f70b92ba788ada61187ed0c7e8f307ad194bbd82564b01cd31dc11af2dbab82bde3701f2e5f6795112d5

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
545KB

MD5
b661633cfae6e392a3994073f6efc706

SHA1
a81a13005df44e605ef3e17c05adb77b009cf774

SHA256
fbfd173952479920e0f3a8aa41bdd2faea86d2de9a7080a023831e4769c94468

SHA512
3c50916a58985027771660e104812cea7920ba374d00f70b92ba788ada61187ed0c7e8f307ad194bbd82564b01cd31dc11af2dbab82bde3701f2e5f6795112d5

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
545KB

MD5
b661633cfae6e392a3994073f6efc706

SHA1
a81a13005df44e605ef3e17c05adb77b009cf774

SHA256
fbfd173952479920e0f3a8aa41bdd2faea86d2de9a7080a023831e4769c94468

SHA512
3c50916a58985027771660e104812cea7920ba374d00f70b92ba788ada61187ed0c7e8f307ad194bbd82564b01cd31dc11af2dbab82bde3701f2e5f6795112d5

Download Submit
\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
545KB

MD5
b661633cfae6e392a3994073f6efc706

SHA1
a81a13005df44e605ef3e17c05adb77b009cf774

SHA256
fbfd173952479920e0f3a8aa41bdd2faea86d2de9a7080a023831e4769c94468

SHA512
3c50916a58985027771660e104812cea7920ba374d00f70b92ba788ada61187ed0c7e8f307ad194bbd82564b01cd31dc11af2dbab82bde3701f2e5f6795112d5

Download Submit
memory/572-151-0x000000006AC80000-0x000000006B36E000-memory.dmp

Filesize
6.9MB

Download
memory/572-156-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/572-172-0x00000000057A0000-0x000000000580E000-memory.dmp

Filesize
440KB

Download
memory/572-166-0x0000000001E10000-0x0000000001E24000-memory.dmp

Filesize
80KB

Download
memory/572-182-0x000000006AC80000-0x000000006B36E000-memory.dmp

Filesize
6.9MB

Download
memory/572-150-0x00000000002C0000-0x000000000034E000-memory.dmp

Filesize
568KB

Download
memory/572-169-0x000000006AC80000-0x000000006B36E000-memory.dmp

Filesize
6.9MB

Download
memory/572-171-0x0000000001E90000-0x0000000001E9A000-memory.dmp

Filesize
40KB

Download
memory/1228-192-0x00000000071F0000-0x00000000072FA000-memory.dmp

Filesize
1.0MB

Download
memory/1228-187-0x0000000006360000-0x0000000006476000-memory.dmp

Filesize
1.1MB

Download
memory/1228-208-0x00000000073A0000-0x0000000007502000-memory.dmp

Filesize
1.4MB

Download
memory/1228-206-0x00000000073A0000-0x0000000007502000-memory.dmp

Filesize
1.4MB

Download
memory/1228-205-0x00000000073A0000-0x0000000007502000-memory.dmp

Filesize
1.4MB

Download
memory/1228-191-0x0000000006360000-0x0000000006476000-memory.dmp

Filesize
1.1MB

Download
memory/1228-200-0x00000000071F0000-0x00000000072FA000-memory.dmp

Filesize
1.0MB

Download
memory/2092-199-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2092-198-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/2092-197-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2092-202-0x0000000001FC0000-0x0000000002054000-memory.dmp

Filesize
592KB

Download
memory/2092-196-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2092-194-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2092-193-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2192-54-0x000000002F310000-0x000000002F46D000-memory.dmp

Filesize
1.4MB

Download
memory/2192-56-0x00000000713AD000-0x00000000713B8000-memory.dmp

Filesize
44KB

Download
memory/2192-232-0x00000000713AD000-0x00000000713B8000-memory.dmp

Filesize
44KB

Download
memory/2192-231-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2192-168-0x00000000713AD000-0x00000000713B8000-memory.dmp

Filesize
44KB

Download
memory/2192-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2192-167-0x000000002F310000-0x000000002F46D000-memory.dmp

Filesize
1.4MB

Download
memory/2496-186-0x0000000000350000-0x0000000000365000-memory.dmp

Filesize
84KB

Download
memory/2496-183-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/2496-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-178-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-190-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download