formbook | 7604b60990297c5b6f34db41501c0297dbeac0f303377ccc92c4092579b2c846

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7604b60990297c5b6f34db41501c0297dbeac0f303377ccc92c4092579b2c846_JC.rtf
Size

50KB
MD5

50dc985e3749a03e19cad19ecf48888e
SHA1

b800887d75f8cfe2f55541e7d201e94e46ca8ab1
SHA256

7604b60990297c5b6f34db41501c0297dbeac0f303377ccc92c4092579b2c846
SHA512

f71edc4d2f9440c66b9acc0e90e36c65d412f4f8b247f6cca1f20137e3ba320a1493e5cca80e2aaaca2610b35e6c960cb0997066c3c921aea63dc61279bb40e0
SSDEEP

768:zwAbZSibMX9gRWj4rOoE3M04JUNWMgQvWx1BuYUdVJ:zwAlR/23KUNWdjrUdVJ

Score

10^/10

formbook oy30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy

rfc234.top

danielcavalari.com

elperegrinocabo.com

aryor.info

surelistening.com

premium-numero-telf.buzz

orlynyml.click

tennislovers-ro.com

holdmytracker.com

eewapay.com

jaimesinstallglass.com

damactrade.net

swapspecialities.com

perfumesrffd.today

salesfactory.pro

supportive-solutions.com

naiol.com

khoyr.com

kalendeargpt44.com

web-tech-spb.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2368-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2368-93-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2636-99-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2636-101-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1764	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2172	obihgj57848.exe
2368	obihgj57848.exe

Loads dropped DLL 1 IoCs

pid	Process
1764	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2368	2172	obihgj57848.exe	36
PID 2368 set thread context of 1364	2368	obihgj57848.exe	17
PID 2636 set thread context of 1364	2636	cmd.exe	17

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1764	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2204	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2368	obihgj57848.exe
2368	obihgj57848.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe
2636	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2368	obihgj57848.exe
2368	obihgj57848.exe
2368	obihgj57848.exe
2636	cmd.exe
2636	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	obihgj57848.exe
Token: SeDebugPrivilege	2636	cmd.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2172	1764	EQNEDT32.EXE	32
PID 1764 wrote to memory of 2172	1764	EQNEDT32.EXE	32
PID 1764 wrote to memory of 2172	1764	EQNEDT32.EXE	32
PID 1764 wrote to memory of 2172	1764	EQNEDT32.EXE	32
PID 2204 wrote to memory of 2892	2204	WINWORD.EXE	35
PID 2204 wrote to memory of 2892	2204	WINWORD.EXE	35
PID 2204 wrote to memory of 2892	2204	WINWORD.EXE	35
PID 2204 wrote to memory of 2892	2204	WINWORD.EXE	35
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 2172 wrote to memory of 2368	2172	obihgj57848.exe	36
PID 1364 wrote to memory of 2636	1364	Explorer.EXE	37
PID 1364 wrote to memory of 2636	1364	Explorer.EXE	37
PID 1364 wrote to memory of 2636	1364	Explorer.EXE	37
PID 1364 wrote to memory of 2636	1364	Explorer.EXE	37
PID 2636 wrote to memory of 888	2636	cmd.exe	38
PID 2636 wrote to memory of 888	2636	cmd.exe	38
PID 2636 wrote to memory of 888	2636	cmd.exe	38
PID 2636 wrote to memory of 888	2636	cmd.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7604b60990297c5b6f34db41501c0297dbeac0f303377ccc92c4092579b2c846_JC.rtf"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
    3⤵
    PID:888

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\obihgj57848.exe
  "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Roaming\obihgj57848.exe
    "C:\Users\Admin\AppData\Roaming\obihgj57848.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
609b593e227e101e5eee9a8280b139bb

SHA1
b370e5dc50fa5b34310e757a2270220a9ce76c8c

SHA256
0511f5e156c28048da7456bb4a382398cb75c465241940873f96cf0f06b40ba0

SHA512
9c76639b74d2e406291477f2a20b7503eb85f7c95c161b5320192bc9ab57351212997870e9cc570f16e2bbff92d2437e3c5d944bc5d0956c70c7b03b52318caf

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
604KB

MD5
6e7113e47f407f98a8683186130a52f8

SHA1
fa10a9a007e18af75427da0ba68633438a5853ec

SHA256
2e2f7d2ee122957844312161a09f0506d601b0ca7ebb31be40d7057d03627595

SHA512
abce5058b4a277d85e693e75dff86070b7e279a073f1128adec0da9419eba14025c4d7f096b4140fa294d1475ff9e82c5ea5368227e29165cf0d6c18d359460e

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
604KB

MD5
6e7113e47f407f98a8683186130a52f8

SHA1
fa10a9a007e18af75427da0ba68633438a5853ec

SHA256
2e2f7d2ee122957844312161a09f0506d601b0ca7ebb31be40d7057d03627595

SHA512
abce5058b4a277d85e693e75dff86070b7e279a073f1128adec0da9419eba14025c4d7f096b4140fa294d1475ff9e82c5ea5368227e29165cf0d6c18d359460e

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
604KB

MD5
6e7113e47f407f98a8683186130a52f8

SHA1
fa10a9a007e18af75427da0ba68633438a5853ec

SHA256
2e2f7d2ee122957844312161a09f0506d601b0ca7ebb31be40d7057d03627595

SHA512
abce5058b4a277d85e693e75dff86070b7e279a073f1128adec0da9419eba14025c4d7f096b4140fa294d1475ff9e82c5ea5368227e29165cf0d6c18d359460e

Download Submit
C:\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
604KB

MD5
6e7113e47f407f98a8683186130a52f8

SHA1
fa10a9a007e18af75427da0ba68633438a5853ec

SHA256
2e2f7d2ee122957844312161a09f0506d601b0ca7ebb31be40d7057d03627595

SHA512
abce5058b4a277d85e693e75dff86070b7e279a073f1128adec0da9419eba14025c4d7f096b4140fa294d1475ff9e82c5ea5368227e29165cf0d6c18d359460e

Download Submit
\Users\Admin\AppData\Roaming\obihgj57848.exe

Filesize
604KB

MD5
6e7113e47f407f98a8683186130a52f8

SHA1
fa10a9a007e18af75427da0ba68633438a5853ec

SHA256
2e2f7d2ee122957844312161a09f0506d601b0ca7ebb31be40d7057d03627595

SHA512
abce5058b4a277d85e693e75dff86070b7e279a073f1128adec0da9419eba14025c4d7f096b4140fa294d1475ff9e82c5ea5368227e29165cf0d6c18d359460e

Download Submit
memory/1364-132-0x000007FEF6400000-0x000007FEF6543000-memory.dmp

Filesize
1.3MB

Download
memory/1364-133-0x000007FEBCC20000-0x000007FEBCC2A000-memory.dmp

Filesize
40KB

Download
memory/1364-135-0x000007FEF6400000-0x000007FEF6543000-memory.dmp

Filesize
1.3MB

Download
memory/1364-136-0x000007FEBCC20000-0x000007FEBCC2A000-memory.dmp

Filesize
40KB

Download
memory/1364-109-0x0000000006FC0000-0x0000000007118000-memory.dmp

Filesize
1.3MB

Download
memory/1364-107-0x0000000006FC0000-0x0000000007118000-memory.dmp

Filesize
1.3MB

Download
memory/1364-106-0x0000000006FC0000-0x0000000007118000-memory.dmp

Filesize
1.3MB

Download
memory/1364-102-0x00000000063E0000-0x00000000064F2000-memory.dmp

Filesize
1.1MB

Download
memory/1364-96-0x00000000063E0000-0x00000000064F2000-memory.dmp

Filesize
1.1MB

Download
memory/1364-94-0x0000000004CB0000-0x0000000004DB0000-memory.dmp

Filesize
1024KB

Download
memory/2172-90-0x000000006BBE0000-0x000000006C2CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-70-0x000000006BBE0000-0x000000006C2CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-76-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2172-71-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/2172-69-0x0000000000C10000-0x0000000000CAE000-memory.dmp

Filesize
632KB

Download
memory/2172-83-0x0000000005680000-0x00000000056EE000-memory.dmp

Filesize
440KB

Download
memory/2172-80-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/2172-79-0x000000006BBE0000-0x000000006C2CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-82-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2204-129-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-130-0x0000000071A2D000-0x0000000071A38000-memory.dmp

Filesize
44KB

Download
memory/2204-54-0x000000002F4F0000-0x000000002F64D000-memory.dmp

Filesize
1.4MB

Download
memory/2204-56-0x0000000071A2D000-0x0000000071A38000-memory.dmp

Filesize
44KB

Download
memory/2204-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-77-0x000000002F4F0000-0x000000002F64D000-memory.dmp

Filesize
1.4MB

Download
memory/2204-78-0x0000000071A2D000-0x0000000071A38000-memory.dmp

Filesize
44KB

Download
memory/2368-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-95-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/2368-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-91-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/2368-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-101-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2636-104-0x0000000002280000-0x0000000002314000-memory.dmp

Filesize
592KB

Download
memory/2636-100-0x0000000001ED0000-0x00000000021D3000-memory.dmp

Filesize
3.0MB

Download
memory/2636-99-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2636-98-0x000000004A130000-0x000000004A17C000-memory.dmp

Filesize
304KB

Download
memory/2636-97-0x000000004A130000-0x000000004A17C000-memory.dmp

Filesize
304KB

Download