formbook | 8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c

General

Target

Quotation.exe
Size

222KB
MD5

1f86caaa19912ceb55c9f6121eb692bb
SHA1

2d4dd95fdb17937b22a3d6a41862704ed80acf70
SHA256

8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
SHA512

720c68b543c3d5eb2d026feb0ae46d0c77aa0eb71cd3302c520384cbff27e28fed1f9f0b3c761aed7bdea054fd2d3829f294f3250175d6d159d1167122f67a72

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.riceandginger.com/fcn/

Decoy

bellee-select.com

unlock-motorola.com

courtneyrunyon.com

hnzywjz.com

retrievingbest.net

ayescarrental.com

beyoutifulblessings.com

heritagediscovery.net

fasoum.com

wbz.xyz

lownak.com

alinkarmay.com

coffeyquiltco.com

validdreamers.com

yuksukcu.club

buildnextfrc.com

avantfarme.com

xyfs360.com

holisticpacific.com

banejia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3160-5-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2440-12-0x0000000002940000-0x000000000296E000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Quotation.exe

pid process

644 Quotation.exe

pid	process
644	Quotation.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quotation.exeQuotation.execolorcpl.exe

description	pid	process	target process
PID 644 set thread context of 3160	644	Quotation.exe	Quotation.exe
PID 3160 set thread context of 3052	3160	Quotation.exe	Explorer.EXE
PID 2440 set thread context of 3052	2440	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Quotation.execolorcpl.exe

pid	process
3160	Quotation.exe
3160	Quotation.exe
3160	Quotation.exe
3160	Quotation.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe
2440	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Quotation.exeQuotation.execolorcpl.exe

pid process

644 Quotation.exe
3160 Quotation.exe
3160 Quotation.exe
3160 Quotation.exe
2440 colorcpl.exe
2440 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quotation.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 3160 Quotation.exe
Token: SeDebugPrivilege 2440 colorcpl.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

pid	process
644	Quotation.exe
3160	Quotation.exe
3160	Quotation.exe
3160	Quotation.exe
2440	colorcpl.exe
2440	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	3160	Quotation.exe
Token: SeDebugPrivilege	2440	colorcpl.exe

pid	process
3052	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Quotation.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 644 wrote to memory of 3160	644	Quotation.exe	Quotation.exe
PID 644 wrote to memory of 3160	644	Quotation.exe	Quotation.exe
PID 644 wrote to memory of 3160	644	Quotation.exe	Quotation.exe
PID 644 wrote to memory of 3160	644	Quotation.exe	Quotation.exe
PID 3052 wrote to memory of 2440	3052	Explorer.EXE	colorcpl.exe
PID 3052 wrote to memory of 2440	3052	Explorer.EXE	colorcpl.exe
PID 3052 wrote to memory of 2440	3052	Explorer.EXE	colorcpl.exe
PID 2440 wrote to memory of 756	2440	colorcpl.exe	cmd.exe
PID 2440 wrote to memory of 756	2440	colorcpl.exe	cmd.exe
PID 2440 wrote to memory of 756	2440	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
3⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsh5858.tmp\laegtoh4.dll
MD5
f68cd7ef81a40b6dc714658aef692640

SHA1
377095c12352bea1ce2aa195f4354270f8571767

SHA256
b0511bd682e5d539f05be2c97d5e8e23dddc48cc32aaa6c25b6a6ecea4dee475

SHA512
4c412eb6c9b01ffe57b582373703864448db10b86d69a8b5ab9f2933917e6fd9fcd6124ff17a6a605a1c6d6569ea22df1b80877bef61b43f8d59b248d8791083

Download Submit
memory/644-4-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/756-14-0x0000000000000000-mapping.dmp

Download
memory/2440-12-0x0000000002940000-0x000000000296E000-memory.dmp

Filesize
184KB

Download
memory/2440-10-0x0000000000000000-mapping.dmp

Download
memory/2440-11-0x0000000000150000-0x0000000000169000-memory.dmp

Filesize
100KB

Download
memory/2440-13-0x00000000043C0000-0x00000000046E0000-memory.dmp

Filesize
3.1MB

Download
memory/2440-16-0x0000000004220000-0x00000000042B3000-memory.dmp

Filesize
588KB

Download
memory/3052-9-0x0000000002A30000-0x0000000002AF9000-memory.dmp

Filesize
804KB

Download
memory/3052-17-0x0000000004F60000-0x0000000005029000-memory.dmp

Filesize
804KB

Download
memory/3160-6-0x0000000000B40000-0x0000000000E60000-memory.dmp

Filesize
3.1MB

Download
memory/3160-8-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/3160-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3160-3-0x000000000041EAA0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads