formbook | ff07908a590dec7673c510ec4d0043d8825a54039e35b7c28c299f95c55336c3

General

Target

RFQ # PC25-1301_1.xlsx
Size

1.8MB
MD5

d3f593571da9b55237a49f9c23a12d9a
SHA1

b3c9a6ca51802326e7de5a6854199fc369bc3b08
SHA256

ff07908a590dec7673c510ec4d0043d8825a54039e35b7c28c299f95c55336c3
SHA512

114950c12cc9fd0aa50544caed8fa0f710cc596c67ec90d3b5d2e1a72c18b5706b25ef3030949805be0e90bab31d6010fe6b0d1ab090e0651b0254482e113df8
SSDEEP

49152:OwVliPFnflCwADoUpbmepmSTKrks1l4FWQCMsx7/:Ow4dflKxpaepmS2rksiWQJsx7/

Score

10^/10

formbook hwu6 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy

lf758.vip

locerin-hair.shop

vytech.net

pet-insurance-intl-7990489.live

thepolithat.buzz

d66dr114gl.bond

suv-deals-49508.bond

job-offer-53922.bond

drstone1.click

lebahsemesta57.click

olmanihousel.shop

piedmontcsb.info

trisula888x.top

66sodovna.net

dental-implants-83810.bond

imxtld.club

frozenpines.net

ffgzgbl.xyz

tlc7z.rest

alexismuller.design

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2740-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2740-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2652-21-0x00000000000B0000-0x00000000000DF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2836	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2704	word.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	EQNEDT32.EXE

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000016db3-6.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 2740	2704	word.exe	32
PID 2740 set thread context of 1232	2740	svchost.exe	21
PID 2740 set thread context of 1232	2740	svchost.exe	21
PID 2652 set thread context of 1232	2652	msiexec.exe	21

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2836	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3020	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2704	word.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2652	msiexec.exe
2652	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	svchost.exe
Token: SeDebugPrivilege	2652	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2704	word.exe
2704	word.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2704	word.exe
2704	word.exe
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3020	EXCEL.EXE
3020	EXCEL.EXE
3020	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2704	2836	EQNEDT32.EXE	31
PID 2836 wrote to memory of 2704	2836	EQNEDT32.EXE	31
PID 2836 wrote to memory of 2704	2836	EQNEDT32.EXE	31
PID 2836 wrote to memory of 2704	2836	EQNEDT32.EXE	31
PID 2704 wrote to memory of 2740	2704	word.exe	32
PID 2704 wrote to memory of 2740	2704	word.exe	32
PID 2704 wrote to memory of 2740	2704	word.exe	32
PID 2704 wrote to memory of 2740	2704	word.exe	32
PID 2704 wrote to memory of 2740	2704	word.exe	32
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2740 wrote to memory of 2652	2740	svchost.exe	33
PID 2652 wrote to memory of 2556	2652	msiexec.exe	34
PID 2652 wrote to memory of 2556	2652	msiexec.exe	34
PID 2652 wrote to memory of 2556	2652	msiexec.exe	34
PID 2652 wrote to memory of 2556	2652	msiexec.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ # PC25-1301_1.xlsx"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\svchost.exe
    C:\Users\Admin\AppData\Roaming\word.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\SysWOW64\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\word.exe

Filesize
1.7MB

MD5
a4c3a8129428b0447fbe11d005d1e04b

SHA1
003981a4a1fae8444bf94214045da837e9b545ad

SHA256
daab245fae21bc5fe9a8ea52e9770b22d12e66a4fbfc1bc1ca027f200da20f2f

SHA512
2c5d40db81eeab537eb1ab0ec8dbc1fd78f15969fbf4ec0d5ad2ae24f55aa2948f0bbd3dfbf7ef6444a7da5b1aa7b2584a4c86bc5322d3d647ca3da9ffe0003a

Download Submit
memory/1232-25-0x0000000004FD0000-0x0000000005075000-memory.dmp

Filesize
660KB

Download
memory/2652-18-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2652-20-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2652-21-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/2740-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-1-0x00000000724BD000-0x00000000724C8000-memory.dmp

Filesize
44KB

Download
memory/3020-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3020-17-0x00000000724BD000-0x00000000724C8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing