Overview

overview

10

Static

static

1

6b9167056a...f1.rtf

windows7-x64

10

6b9167056a...f1.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-06-2024 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b9167056af49bf702c833ae4f581ef1.rtf

  • Size

    561KB

  • MD5

    6b9167056af49bf702c833ae4f581ef1

  • SHA1

    ed4886d86b8ad96a0a252190705d70e0fac9289b

  • SHA256

    13bc94a2f39a03f509036ff58462b974c401cac0df52cce22223114f909b2f72

  • SHA512

    4ba4fc52c2add76cb58cec62f9ae608108aa77374c63c4416f4e5c2ac0fc4bf3569f3520e1ac77994842789015c767d3bb2dd1d384221d5fa865ab54bfc51a07

  • SSDEEP

    6144:dwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAuB+2:dB

Score
10/10
formbookbtrdratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6b9167056af49bf702c833ae4f581ef1.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:712
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\nelb82019.scr"
          3⤵
            PID:1908
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Users\Admin\AppData\Roaming\nelb82019.scr
          "C:\Users\Admin\AppData\Roaming\nelb82019.scr"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Users\Admin\AppData\Roaming\nelb82019.scr
            "C:\Users\Admin\AppData\Roaming\nelb82019.scr"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2676

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        02a1163743a3eb0de371aa1362c74b70

        SHA1

        f54b78842ba5a29cb00d91e23ddf62a2ccb2af0c

        SHA256

        5759d10defc495405962df79b39f4f8e655762c6379910402c6bd8ee20697c41

        SHA512

        513c2bdd5590f6032c177972ba219e903b0e8825fc5269566d0a71d39a766d6f8c847feccb586644c3af146654b7de1527540b1d7b0ea856cbc281e5254ba004

        Download Submit
      • \Users\Admin\AppData\Roaming\nelb82019.scr
        Filesize

        614KB

        MD5

        607868824f841ff4b6e24e997228d10d

        SHA1

        76a91ee65551d7babf8799bbecd9e78c44f47787

        SHA256

        7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b

        SHA512

        99f856165bcdfeaf6ef3e9f34c9d88cb30e3467f238eef4489ade96024d57d50dd002da63e77dfeb82458b084a1535a7392ac159711337b8694e75822033ebc8

        Download Submit
      • memory/1136-48-0x0000000005030000-0x0000000005128000-memory.dmp
        Filesize

        992KB

        Download
      • memory/1136-56-0x0000000006CB0000-0x0000000006E34000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1136-46-0x00000000001E0000-0x00000000002E0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1724-2-0x000000007130D000-0x0000000071318000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1724-84-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1724-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1724-0-0x000000002FE51000-0x000000002FE52000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1724-54-0x000000007130D000-0x0000000071318000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2588-29-0x000000006AD9E000-0x000000006AD9F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2588-31-0x0000000001140000-0x00000000011E0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/2588-32-0x0000000000390000-0x00000000003F2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/2588-37-0x00000000006A0000-0x00000000006A8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2676-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2676-47-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2676-38-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2676-43-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2676-40-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2832-50-0x0000000000400000-0x0000000000408000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2832-51-0x00000000000C0000-0x00000000000EF000-memory.dmp
        Filesize

        188KB

        Download