formbook | 1a65d32d353149d5b310fc0ea603268baf85a66733870cc890d6558ac44a1107

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
19-03-2021 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.jpg.exe
Size

764KB
MD5

980a55049ad78b00f7a9cd35feccef70
SHA1

c550a9b12b02882ac068fce2f65f4e827c9ba1b8
SHA256

1a65d32d353149d5b310fc0ea603268baf85a66733870cc890d6558ac44a1107
SHA512

d3794e0d3108eba464236b5e9b19b3c0c472751c51ce7385425a888b00681788e85af2952190ac94e3bce80dd7f073f5d5eedc1db66683e72a4856ee8db13b98

Score

10^/10

formbook modiloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/528-16-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/528-18-0x0000000010410000-0x000000001043D000-memory.dmp	formbook
behavioral1/memory/1036-24-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chkdsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JHL0HZEHUBJ = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	chkdsk.exe

Executes dropped EXE 1 IoCs

Processes:

order.exe

pid process

1292 order.exe
Loads dropped DLL 3 IoCs

Processes:

test.jpg.exe

pid process

1656 test.jpg.exe
1656 test.jpg.exe
1656 test.jpg.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chkdsk.exe

description ioc process

Key created \Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run chkdsk.exe

pid	process
1292	order.exe

pid	process
1656	test.jpg.exe
1656	test.jpg.exe
1656	test.jpg.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	chkdsk.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ieinstal.exechkdsk.exe

description	pid	process	target process
PID 528 set thread context of 1272	528	ieinstal.exe	Explorer.EXE
PID 1036 set thread context of 1272	1036	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

ieinstal.exechkdsk.exe

pid	process
528	ieinstal.exe
528	ieinstal.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe
1036	chkdsk.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ieinstal.exechkdsk.exe

pid process

528 ieinstal.exe
528 ieinstal.exe
528 ieinstal.exe
1036 chkdsk.exe
1036 chkdsk.exe
1036 chkdsk.exe
1036 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ieinstal.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 528 ieinstal.exe
Token: SeDebugPrivilege 1036 chkdsk.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

DllHost.exeExplorer.EXE

pid process

2044 DllHost.exe
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	528	ieinstal.exe
Token: SeDebugPrivilege	1036	chkdsk.exe

pid	process
2044	DllHost.exe
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

test.jpg.exeorder.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1656 wrote to memory of 1292	1656	test.jpg.exe	order.exe
PID 1656 wrote to memory of 1292	1656	test.jpg.exe	order.exe
PID 1656 wrote to memory of 1292	1656	test.jpg.exe	order.exe
PID 1656 wrote to memory of 1292	1656	test.jpg.exe	order.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1292 wrote to memory of 528	1292	order.exe	ieinstal.exe
PID 1272 wrote to memory of 1036	1272	Explorer.EXE	chkdsk.exe
PID 1272 wrote to memory of 1036	1272	Explorer.EXE	chkdsk.exe
PID 1272 wrote to memory of 1036	1272	Explorer.EXE	chkdsk.exe
PID 1272 wrote to memory of 1036	1272	Explorer.EXE	chkdsk.exe
PID 1036 wrote to memory of 1984	1036	chkdsk.exe	Firefox.exe
PID 1036 wrote to memory of 1984	1036	chkdsk.exe	Firefox.exe
PID 1036 wrote to memory of 1984	1036	chkdsk.exe	Firefox.exe
PID 1036 wrote to memory of 1984	1036	chkdsk.exe	Firefox.exe
PID 1036 wrote to memory of 1984	1036	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\test.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\test.jpg.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1696

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe
MD5
a9b4ac2880dbc00edc0b62fb63b1e447

SHA1
062ef6e5beac11ae5d408646a02d04e5e6e7cd8b

SHA256
2b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a

SHA512
88d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe
MD5
a9b4ac2880dbc00edc0b62fb63b1e447

SHA1
062ef6e5beac11ae5d408646a02d04e5e6e7cd8b

SHA256
2b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a

SHA512
88d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.jpg
MD5
0879e3401ab547891747edc709ecbbec

SHA1
91e27a26d6c7f9738ae73643cc5dbd5c5ebc8576

SHA256
8774d498e85555448fda230243d8afa9cbf60dd70b847411b60967e2a1dac9c7

SHA512
f02bd578ad77e2c113fb18f89a06c7ea2c1935e6056541f6c182335506fd27041ea64f3050f4a4262838351cc0e7a486dd809d3404d8afda6deb04429aa8c5bc

Download Submit
C:\Users\Admin\AppData\Roaming\-65A6372\-65logim.jpeg
MD5
e9e5a59b622d08f7b2dedd7fb2bfd006

SHA1
8a669ab6f4e76aa1130b52c27a821cb0d7dddcd1

SHA256
8c88884af3bd2b464b2e748472fc8a1dc92578ab6f5f40c52be22413ad869ff6

SHA512
470ac98a8db479ce06be50a09199f23fad29001bc434ac7b1e31b6609e5b80d8b1d4e311d7f7a43c14ef2fa2e75f5de42c4988ef67b76bd75f132b7909d73278

Download Submit
C:\Users\Admin\AppData\Roaming\-65A6372\-65logrf.ini
MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\-65A6372\-65logri.ini
MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\-65A6372\-65logrv.ini
MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe
MD5
a9b4ac2880dbc00edc0b62fb63b1e447

SHA1
062ef6e5beac11ae5d408646a02d04e5e6e7cd8b

SHA256
2b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a

SHA512
88d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe
MD5
a9b4ac2880dbc00edc0b62fb63b1e447

SHA1
062ef6e5beac11ae5d408646a02d04e5e6e7cd8b

SHA256
2b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a

SHA512
88d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe
MD5
a9b4ac2880dbc00edc0b62fb63b1e447

SHA1
062ef6e5beac11ae5d408646a02d04e5e6e7cd8b

SHA256
2b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a

SHA512
88d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9

Download Submit
memory/528-20-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/528-15-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/528-16-0x0000000000000000-mapping.dmp

Download
memory/528-18-0x0000000010410000-0x000000001043D000-memory.dmp

Filesize
180KB

Download
memory/528-19-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/828-27-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1036-22-0x0000000000000000-mapping.dmp

Download
memory/1036-23-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/1036-24-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1036-25-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/1036-28-0x0000000001DE0000-0x0000000001E73000-memory.dmp

Filesize
588KB

Download
memory/1272-21-0x0000000003F30000-0x0000000003FE3000-memory.dmp

Filesize
716KB

Download
memory/1272-32-0x0000000006920000-0x0000000006A7A000-memory.dmp

Filesize
1.4MB

Download
memory/1292-12-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1292-9-0x0000000000000000-mapping.dmp

Download
memory/1656-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1656-4-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/1984-29-0x0000000000000000-mapping.dmp

Download
memory/1984-31-0x0000000001260000-0x00000000013DA000-memory.dmp

Filesize
1.5MB

Download
memory/1984-30-0x000000013F7E0000-0x000000013F873000-memory.dmp

Filesize
588KB

Download
memory/2044-11-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2044-5-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download