Overview

overview

10

Static

static

1

3122e46802...6.xlsx

windows7-x64

10

3122e46802...6.xlsx

windows10-2004-x64

1

Analysis

  • max time kernel
    57s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3122e46802fdd1d353960c89b9d2679e5c818d5cf027dff747acd0d0c2aea7b6.xlsx

  • Size

    1.4MB

  • MD5

    88f068751d671c40053bdf391c237bd5

  • SHA1

    0885f4d1befb6c12afa526769d6c25ae398412ab

  • SHA256

    3122e46802fdd1d353960c89b9d2679e5c818d5cf027dff747acd0d0c2aea7b6

  • SHA512

    4a9d265e88c98ecee75e8ff01904a618a86c5a315a6095899efa1e98e541a97a54c1097da9243a7b5b0fab13d640d356c8b42c8ff8a6fe0a609ee13558c85253

  • SSDEEP

    24576:JutNHbejV7LluSPKUn+Yw7P20aJRhq+0WBSxJ8sUJjlHcs+0ZlX81kt2i1Pe7Kj:UfHbGRPV67ujzBInUvHwB+Iixy2

Score
10/10
formbookhwu6discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy

lf758.vip

locerin-hair.shop

vytech.net

pet-insurance-intl-7990489.live

thepolithat.buzz

d66dr114gl.bond

suv-deals-49508.bond

job-offer-53922.bond

drstone1.click

lebahsemesta57.click

olmanihousel.shop

piedmontcsb.info

trisula888x.top

66sodovna.net

dental-implants-83810.bond

imxtld.club

frozenpines.net

ffgzgbl.xyz

tlc7z.rest

alexismuller.design

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3122e46802fdd1d353960c89b9d2679e5c818d5cf027dff747acd0d0c2aea7b6.xlsx
        2⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2480
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Roaming\word.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\svchost.exe
          C:\Users\Admin\AppData\Roaming\word.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2416

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\word.exe
      Filesize

      1.6MB

      MD5

      df85a6fea907176063e6dc8ad2888bfb

      SHA1

      450837ad62e143afee717c52264e21d253bd2a74

      SHA256

      28818006253d45c3dd643095a63892bf730611b9347b8f3b930be3efffa908d8

      SHA512

      c25297581c5e420ac0f092b481c8a54454addc461b97171a69c81a0dfbeec632323e9f8b7d73ee4097078c3bef3ce766f9dcb2df6c898e44b64b064850300c58

      Download Submit

    • memory/2416-14-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2480-1-0x000000007296D000-0x0000000072978000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2480-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2480-2-0x000000007296D000-0x0000000072978000-memory.dmp

      Filesize

      44KB

      Download