Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
[x] close video | All SANSFIRE Videos

Latest Diaries

Excel spreasheet macro kicks off Formbook infection

Published: 2020-07-10
Last Updated: 2020-07-10 00:03:22 UTC
by Brad Duncan (Version: 1)
0 comment(s)


Formbook has been around for years.  According to FireEye, Formbook has been "..advertised in various hacking forums since early 2016."  My previous diary about Formbook was back in November 2019, and not much has changed since then.  It still bears documentation, though, if only to show this malware is still active and remains part of our threat landscape.

Today's diary covers a Formbook infection from Thursday, June 9th 2020.

Shown above:  Flow chart for the Formbook infection covered in today's diary.

The lure

The lure for this particular infection was a malicious Excel spreadsheet.  Searching through VirusTotal, I found a malware sample that I tested in my lab.  The submission name was /tmp/eml_attach_for_scan/2433e76542036ab53b138a98eeda548a.file, so I don't know what the original file name was.

Shown above: Malicious Excel spreadsheet I found in VirusTotal.

Shown above: The malicious spreadsheet opened on a vulnerable Windows 10 host, ready for me to enable macros.

Initial infection

The initial infection happened immediately after I enabled macros, when my lab host retireved a Windows executable (EXE) for Formbook from hxxp://sagc[.]be/svc.exe and executed the file.  See the images below for details.

Shown above:  My lab host retrieving the Formbook EXE from sagc[.]be after enabling macros.

Shown above: Initial location where the Formbook EXE was saved to my lab host.

Shown above:  Formbook EXE's final location on my infected lab host with a Windows registry update to keep it persistent.

Data exfiltration

Post-infection traffic was sent to several different domains using URL patterns shown in the next image.

Shown above: Traffic from an infection filtered in Wireshark.

Data stolen by Formbook included a screenshot of my infected lab host, along with keystroke logs, application passwords, sensitive data from the browser chache, and information contained in the clipboard.  This data is temporarily stored in a randomly-named folder under the infected user's AppData\Roaming directory.  These artifacts are deleted after the data is exfiltrated through Formbook command and control (C2) traffic.

Shown above: Stolen data from the infected Windows host, waiting for Formbook to exfiltrate it over C2 traffic.

Indicators of Compromise (IoCs)

SHA256 hash: 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc

  • File size: 94,829 bytes
  • File name: unknown
  • File type: Microsoft Excel 2007+
  • File description: Excel spreadsheet with macro for Formbook malware

SHA256 hash: 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef

  • File size: 481,792 bytes
  • File location: hxxp://sagc[.]be/svc.exe
  • File location: C:\Users\[username]\AppData\Local\Temp\putty.exe
  • File location: C:\Program Files (x86)\Bwls\userwzqlrdw.exe
  • File description: Windows executable (EXE) file for Formbook malware

Traffic from an infected Windows host:

Excel macro retrieves Formbook EXE:

  • 92.48.206[.]34 port 80 - sagc[.]be - GET /svc.exe

Formbook post-infection traffic:

  • 157.7.107[.]81 port 80 - www.lovelydays[.]info - GET /ns424/?[long string]
  • 23.235.199[.]50 port 80 - www.rightwebmarketing[.]com - GET /ns424/?[long string]
  • 23.235.199[.]50 port 80 - www.rightwebmarketing[.]com - POST /ns424/
  • 63.250.34[.]167 port 80 - www.mansiobok2[.]info - GET /ns424/?[long string]
  • 63.250.34[.]167 port 80 - www.mansiobok2[.]info - POST /ns424/
  • 34.102.136[.]180 port 80 - www.confidentbeauty[.]tips - GET /ns424/?[long string]
  • 34.102.136[.]180 port 80 - www.confidentbeauty[.]tips - POST /ns424/
  • 198.54.117[.]217 port 80 - www.donateoneeight[.]net - GET /ns424/?[long string]
  • 198.54.117[.]217 port 80 - www.donateoneeight[.]net - POST /ns424/

Unresolved DNS queries from the infected Windows host caused by Formbook:

  • DNS query for www.bakingandcookingandmore[.]com - response: No such name
  • DNS query for www.systemscan12[.]top - response: No such name
  • DNS query for www.lux-dl[.]com - response: No such name
  • DNS query for www.duongtinhot24h[.]com - response: No such name
  • DNS query for www.kcsmqd[.]com - response: No such name
  • DNS query for www.pksbarandgrill[.]net - response: No such name
  • DNS query for www.lx-w[.]com - response: No such name
  • DNS query for www.costcocanadaliguor[.]com - response: No such name
  • DNS query for www.autohaker[.]com - response: No such name
  • DNS query for www.e-golden-boy[.]com - response: No such name
  • DNS query for www.angelalevelsup[.]com - response: No such name

Final words

Formbook infections work nearly the same as they did when I wrote my first diary about Formbook in October 2017.  I'm surprised that I still occasionally run across a sample during my day-to-day research.  An up-to-date Windows 10 with default security settings should prevent these sorts of infection from happening.  I guess it's still somehow profitable for criminals behind Formbook to continue developing this malware.  Apparently, there's no shortage of vulnerable Windows hosts for potential targets.

A pcap of the infection traffic and malware samples for today's diary can be found here.

Brad Duncan
brad [at]

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688
Jul 9th 2020
12 hours ago by Johannes (0 comments)

If You Want Something Done Right, You Have To Do It Yourself... Malware Too!
Jul 8th 2020
1 day ago by Xme (0 comments)

F5 BigIP vulnerability exploitation followed by a backdoor implant attempt
Jul 7th 2020
2 days ago by Renato (0 comments)

Happy Birthday DShield: was registered 20 years ago.
Jul 7th 2020
2 days ago by Johannes (0 comments)

Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits
Jul 7th 2020
2 days ago by Johannes (0 comments)

CVE-2020-5902: F5 BIG-IP RCE Vulnerability
Jul 6th 2020
3 days ago by DidierStevens (0 comments)

CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Jul 5th 2020
4 days ago by DidierStevens (0 comments)

Wireshark 3.2.5 Released
Jul 5th 2020
4 days ago by DidierStevens (0 comments)

Happy FouRth of July from the Internet Storm Center
Jul 4th 2020
5 days ago by Russ McRee (0 comments)

View All Diaries →

Latest Discussions

Security Policies
created Jun 30th 2020
1 week ago by Anonymous (1 reply)

IP Address from Hex
created Apr 15th 2020
2 months ago by Anonymous (0 replies)

Best Laptop for Wireshark 3.2
created Apr 14th 2020
2 months ago by ismicok (0 replies)
created Mar 10th 2020
3 months ago by Bill (9 replies)

DShield analysis
created Mar 1st 2020
4 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
1 year ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
3 years ago by Brad (0 comments)

Keep an Eye on Disposable Email Addresses
Mar 7th 2019
1 year ago by Xme (0 comments)