formbook | 3cfbe6d313af628cfb2cf9f50cd12e1da119d8b0059ad812da885f90c58147eb

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEC FORM.docx
Size

11KB
MD5

d544edf8d39f07d5088b21a68c82e4d4
SHA1

5bfe1ce0407cbcd07bb138ef60bc618ab088257e
SHA256

3cfbe6d313af628cfb2cf9f50cd12e1da119d8b0059ad812da885f90c58147eb
SHA512

33b4aa3ae5744f2af646aad5324b6e2f611c9db6c8fb08d7d434279ee8c5f95d5da847843146ea26a237f3fb2bc5808e538888cd20e3c2ae508d9b9d05ec0ce5
SSDEEP

192:kya0N5lclWm4N5eNA2A+EnVs+mg1SoB3cJYkO36PvPKbwPNY9JcWezUlQU:kyX5lclWmu5+A2bkBdBMJYkOqP8wPe9L

Score

10^/10

formbook oy30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy

rfc234.top

danielcavalari.com

elperegrinocabo.com

aryor.info

surelistening.com

premium-numero-telf.buzz

orlynyml.click

tennislovers-ro.com

holdmytracker.com

eewapay.com

jaimesinstallglass.com

damactrade.net

swapspecialities.com

perfumesrffd.today

salesfactory.pro

supportive-solutions.com

naiol.com

khoyr.com

kalendeargpt44.com

web-tech-spb.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2384-179-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2384-184-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2384-188-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2424-194-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/2424-196-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2696	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
692	obioh68951.exe
2384	obioh68951.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	EQNEDT32.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 2384	692	obioh68951.exe	36
PID 2384 set thread context of 1208	2384	obioh68951.exe	14
PID 2384 set thread context of 1208	2384	obioh68951.exe	14
PID 2424 set thread context of 1208	2424	cmmon32.exe	14

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2696	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2384	obioh68951.exe
2384	obioh68951.exe
2384	obioh68951.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe
2424	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2384	obioh68951.exe
2384	obioh68951.exe
2384	obioh68951.exe
2384	obioh68951.exe
2424	cmmon32.exe
2424	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	obioh68951.exe
Token: SeDebugPrivilege	2424	cmmon32.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	2616	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2616	WINWORD.EXE
2616	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 692	2696	EQNEDT32.EXE	29
PID 2696 wrote to memory of 692	2696	EQNEDT32.EXE	29
PID 2696 wrote to memory of 692	2696	EQNEDT32.EXE	29
PID 2696 wrote to memory of 692	2696	EQNEDT32.EXE	29
PID 2616 wrote to memory of 2552	2616	WINWORD.EXE	35
PID 2616 wrote to memory of 2552	2616	WINWORD.EXE	35
PID 2616 wrote to memory of 2552	2616	WINWORD.EXE	35
PID 2616 wrote to memory of 2552	2616	WINWORD.EXE	35
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 692 wrote to memory of 2384	692	obioh68951.exe	36
PID 1208 wrote to memory of 2424	1208	Explorer.EXE	37
PID 1208 wrote to memory of 2424	1208	Explorer.EXE	37
PID 1208 wrote to memory of 2424	1208	Explorer.EXE	37
PID 1208 wrote to memory of 2424	1208	Explorer.EXE	37
PID 2424 wrote to memory of 432	2424	cmmon32.exe	38
PID 2424 wrote to memory of 432	2424	cmmon32.exe	38
PID 2424 wrote to memory of 432	2424	cmmon32.exe	38
PID 2424 wrote to memory of 432	2424	cmmon32.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DEC FORM.docx"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\obioh68951.exe"
    3⤵
    PID:432

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\obioh68951.exe
  "C:\Users\Admin\AppData\Roaming\obioh68951.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Roaming\obioh68951.exe
    "C:\Users\Admin\AppData\Roaming\obioh68951.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{6C662984-5B03-427B-A93F-84668CDD7884}.FSD

Filesize
128KB

MD5
98a57db39b3207c2fe1ffce893f47405

SHA1
e761bfb178ce37f6fcb8c7efd5a810dc53340a59

SHA256
8ca5d3f74320fcd783b56fb1a0e9984d6b155d50c9dd4abff477411bdb84b0c1

SHA512
36ade7dfea919381efe7ecd9705fa56688a1fc4a77bdb4df5c0b24829030cc36af7ba1a51f3ffc96b3105a57fe9f6de1e70983cab6dc6037b94d13bbe2598489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2abead9bcf91ab3b6835175237461e9b

SHA1
79202b8b278550a4b824ae3bac475db64ad7b98e

SHA256
de654d2b5bdb3ef26b77f925735a7db6ce6ad1f9870bef6fef847fa6837e79a5

SHA512
fd86f3920f610e8b1d4be79dd092f598af87411dfb36e51f168d7f080a313190b0c0acc3d736e33d4c6826dfc43b6e79b46264105768275fdacb584290011d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
25f58a688ed807f3ef43a7826515c8ac

SHA1
5798f28be2994953f927bbbaacb75a982625677c

SHA256
5476797f58be4525cf645dba1fe62606c9412d2205d62e0fecb159ee2fcda102

SHA512
e5f152c3d077a290d82a5290a6841bd993bcd1568c57f7120e104fd4f80434f4d196f17fc3c985ae1dbc2a618b5abd7df2716309bac8f8a243a7a9b98d35a955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D204834C-1BCA-4256-98FA-9E44BA87344D}.FSD

Filesize
128KB

MD5
43efe7a02814f20b451cdc4714cb185c

SHA1
9a2e5d477dc0cd27a093202c31832eb673cd188b

SHA256
d32917412a123f6c6381a0245f64e33093b5d72796229f20b711dc13cf52cfbc

SHA512
72306354ced40a9425f816415ec92928041dd955181293c4004a7b22ae3ba6f04665361876410b6ceb5c37b24ab90e040c820c4950a310a1306402fc23d53c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D204834C-1BCA-4256-98FA-9E44BA87344D}.FSD

Filesize
128KB

MD5
96ea3575ac0154e5b2f681ce61657b4d

SHA1
363467cb50d2aaff0f5bec14f1c4d692d1feba9b

SHA256
b2ac3069cf8b5bf072a958a6b0a9d1347ac6f12cb7c61d16bba8fe26e3a3a928

SHA512
c1c56fe28fa39e7b1f9c11926974057929d41cd7e09dfc31665cf9d38db52308c250fbd6f9fd9119f54003578b5a40c485bbd7ec667c5f8fe95a962ad94d8166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9M1KBX1\obizx[1].doc

Filesize
55KB

MD5
3db137b68ac902eaefc048a4d04c89c0

SHA1
c2127b40577e2a59ea0d0dea98f4fa96a77fdd8a

SHA256
ae8912485487bbd99f7defde38ab0da19ed679c5eec9d0272ec8ea69fc7d191d

SHA512
75db6ca8d479e9e1a6fd96730421c3bf271318868f7e1f3c3bc3461af48d681957130305a0a386c4565ee0084732d5fd70b0de8e096a6c8fe1db9b9bf3f42820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{251A4984-E62B-4498-B339-A9E4BF7D2934}

Filesize
128KB

MD5
bc9f35a53a0b261d6dafc912a3e2a60c

SHA1
ff4f35f46334df44366fa36f659f81ab87d82d4e

SHA256
4266ecad7d16e0e1d5deafc848689afad36d62e6382af4f4340bafed7e57a774

SHA512
8b951189c22e6b4c1847681452ee76dc026c83510cd18e4915dba47a218c2fd42039d3a1b4ca2ef77a53b18eeaa55b1d6450b61f5a18a5f80551a64c84a8be32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
69B

MD5
736bd76bb78cdb44d4c993fc4645056c

SHA1
6522775d33b696c48b578a8c20af26158ee3426f

SHA256
d527290f1a4d7c9490de2a4f74d3f0fdb9ed07ea6527a0514e5c6c233c7178a2

SHA512
659a81ea21ab589be23ba68651655d57329e650a00a3e4ed83f54ac94cb1df554e67d078e1c92458c66ce5344d54fcd50fcf38c659edba773bd2d41d2e7864bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
d5970db052cf35537b97df754629c10f

SHA1
c83ae2877d17609cac477db6c3a8e3b86ed7bde5

SHA256
f6a3998942bdf529d51a542e937fc31edb7d1ce3fbcbc13816f859c43df0515b

SHA512
a0aa2fbeda33c603a5a85ebe1d40dfe6692adcd7d88b584daadf4bf4407a00b63d42c18ec2ed93e922697d64d0c6273453357fcc77ece5e6756c01b40764f953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obioh68951.exe

Filesize
574KB

MD5
645369bf20bfde70c6f173a03190b14d

SHA1
306dbbfef97fc4c2ac738a7ef80bc5dbcb7fdbf4

SHA256
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422

SHA512
3d4cd0464619a5f1a8d75408190ee855f58a0384fdb11042a49a21e03f4a6b2ef1181d0e4fb27d1a4977446538f20084247f344a57fcdda888a69f009e36eb4f

Download Submit
C:\Users\Admin\AppData\Roaming\obioh68951.exe

Filesize
574KB

MD5
645369bf20bfde70c6f173a03190b14d

SHA1
306dbbfef97fc4c2ac738a7ef80bc5dbcb7fdbf4

SHA256
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422

SHA512
3d4cd0464619a5f1a8d75408190ee855f58a0384fdb11042a49a21e03f4a6b2ef1181d0e4fb27d1a4977446538f20084247f344a57fcdda888a69f009e36eb4f

Download Submit
C:\Users\Admin\AppData\Roaming\obioh68951.exe

Filesize
574KB

MD5
645369bf20bfde70c6f173a03190b14d

SHA1
306dbbfef97fc4c2ac738a7ef80bc5dbcb7fdbf4

SHA256
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422

SHA512
3d4cd0464619a5f1a8d75408190ee855f58a0384fdb11042a49a21e03f4a6b2ef1181d0e4fb27d1a4977446538f20084247f344a57fcdda888a69f009e36eb4f

Download Submit
C:\Users\Admin\AppData\Roaming\obioh68951.exe

Filesize
574KB

MD5
645369bf20bfde70c6f173a03190b14d

SHA1
306dbbfef97fc4c2ac738a7ef80bc5dbcb7fdbf4

SHA256
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422

SHA512
3d4cd0464619a5f1a8d75408190ee855f58a0384fdb11042a49a21e03f4a6b2ef1181d0e4fb27d1a4977446538f20084247f344a57fcdda888a69f009e36eb4f

Download Submit
\Users\Admin\AppData\Roaming\obioh68951.exe

Filesize
574KB

MD5
645369bf20bfde70c6f173a03190b14d

SHA1
306dbbfef97fc4c2ac738a7ef80bc5dbcb7fdbf4

SHA256
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422

SHA512
3d4cd0464619a5f1a8d75408190ee855f58a0384fdb11042a49a21e03f4a6b2ef1181d0e4fb27d1a4977446538f20084247f344a57fcdda888a69f009e36eb4f

Download Submit
memory/692-172-0x0000000004D10000-0x0000000004D7E000-memory.dmp

Filesize
440KB

Download
memory/692-169-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/692-152-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/692-149-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/692-166-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/692-181-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/692-171-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/692-151-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-201-0x0000000006A30000-0x0000000006B82000-memory.dmp

Filesize
1.3MB

Download
memory/1208-203-0x0000000006A30000-0x0000000006B82000-memory.dmp

Filesize
1.3MB

Download
memory/1208-197-0x0000000004C80000-0x0000000004D91000-memory.dmp

Filesize
1.1MB

Download
memory/1208-191-0x0000000004C80000-0x0000000004D91000-memory.dmp

Filesize
1.1MB

Download
memory/1208-190-0x0000000004E30000-0x0000000004F66000-memory.dmp

Filesize
1.2MB

Download
memory/1208-186-0x0000000004E30000-0x0000000004F66000-memory.dmp

Filesize
1.2MB

Download
memory/1208-204-0x0000000006A30000-0x0000000006B82000-memory.dmp

Filesize
1.3MB

Download
memory/2384-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-182-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/2384-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-185-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/2384-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-177-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2384-189-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2384-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-194-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2424-193-0x00000000007A0000-0x00000000007AD000-memory.dmp

Filesize
52KB

Download
memory/2424-192-0x00000000007A0000-0x00000000007AD000-memory.dmp

Filesize
52KB

Download
memory/2424-195-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/2424-196-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2424-199-0x0000000001DC0000-0x0000000001E54000-memory.dmp

Filesize
592KB

Download
memory/2616-53-0x000000002FA90000-0x000000002FBED000-memory.dmp

Filesize
1.4MB

Download
memory/2616-168-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download
memory/2616-167-0x000000002FA90000-0x000000002FBED000-memory.dmp

Filesize
1.4MB

Download
memory/2616-55-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download
memory/2616-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-230-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-231-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download