formbook | 9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
08-04-2021 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sales_Order description.exe
Size

476KB
MD5

9cf418b47ac9b4039e9d2f3073b525f0
SHA1

1cbd1fe3fcba287ccc7b1518e6da52918a1edda0
SHA256

9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445
SHA512

c5c5c0d190db2437039681746ce3d9e84666d6d660d86ec7e8ad3d8676e6b4bc32405b7fc6fadb025b3ed0a6555536be10a7015fcd3838226099e5b2da6df928

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

http://www.discorddeno.land/suod/

Decoy

casirivimab.info

johnvogia.com

lzdafang.com

tarihmarketi.com

singalongpress.com

three60farms.com

websky.pro

jacketsmecca.com

magentos6.com

brooksideseniorapts.com

onewhistleandflags.com

naturopathe-valdoise-france.com

reflexmem.com

kurumsalpanel.com

bhuwarecruitment.com

exponentialhealth.online

posttensionrepairs.com

prbrokerllc.com

aashealthcarestaffing.com

pubgeventcenter.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1940-29-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1940-30-0x000000000041ED90-mapping.dmp	formbook
behavioral1/memory/304-39-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Nirsoft 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

1980 AdvancedRun.exe
1764 AdvancedRun.exe
1776 AdvancedRun.exe
1364 AdvancedRun.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

988 cmd.exe

pid	process
988	cmd.exe

Loads dropped DLL 8 IoCs

Processes:

Sales_Order description.exeAdvancedRun.exeAdvancedRun.exe

pid	process
1108	Sales_Order description.exe
1108	Sales_Order description.exe
1980	AdvancedRun.exe
1980	AdvancedRun.exe
1108	Sales_Order description.exe
1108	Sales_Order description.exe
1776	AdvancedRun.exe
1776	AdvancedRun.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Sales_Order description.exeSales_Order description.exeexplorer.exe

description	pid	process	target process
PID 1108 set thread context of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1940 set thread context of 1264	1940	Sales_Order description.exe	Explorer.EXE
PID 304 set thread context of 1264	304	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeSales_Order description.exeSales_Order description.exeexplorer.exe

pid	process
1980	AdvancedRun.exe
1980	AdvancedRun.exe
1764	AdvancedRun.exe
1764	AdvancedRun.exe
1776	AdvancedRun.exe
1776	AdvancedRun.exe
1364	AdvancedRun.exe
1364	AdvancedRun.exe
1108	Sales_Order description.exe
1108	Sales_Order description.exe
1940	Sales_Order description.exe
1940	Sales_Order description.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Sales_Order description.exeexplorer.exe

pid process

1940 Sales_Order description.exe
1940 Sales_Order description.exe
1940 Sales_Order description.exe
304 explorer.exe
304 explorer.exe

pid	process
1940	Sales_Order description.exe
1940	Sales_Order description.exe
1940	Sales_Order description.exe
304	explorer.exe
304	explorer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeSales_Order description.exeSales_Order description.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1980	AdvancedRun.exe
Token: SeImpersonatePrivilege	1980	AdvancedRun.exe
Token: SeDebugPrivilege	1764	AdvancedRun.exe
Token: SeImpersonatePrivilege	1764	AdvancedRun.exe
Token: SeDebugPrivilege	1776	AdvancedRun.exe
Token: SeImpersonatePrivilege	1776	AdvancedRun.exe
Token: SeDebugPrivilege	1364	AdvancedRun.exe
Token: SeImpersonatePrivilege	1364	AdvancedRun.exe
Token: SeDebugPrivilege	1108	Sales_Order description.exe
Token: SeDebugPrivilege	1940	Sales_Order description.exe
Token: SeDebugPrivilege	304	explorer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Sales_Order description.exeAdvancedRun.exeAdvancedRun.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1108 wrote to memory of 1980	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1980	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1980	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1980	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1980 wrote to memory of 1764	1980	AdvancedRun.exe	AdvancedRun.exe
PID 1980 wrote to memory of 1764	1980	AdvancedRun.exe	AdvancedRun.exe
PID 1980 wrote to memory of 1764	1980	AdvancedRun.exe	AdvancedRun.exe
PID 1980 wrote to memory of 1764	1980	AdvancedRun.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1776	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1776	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1776	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1776	1108	Sales_Order description.exe	AdvancedRun.exe
PID 1776 wrote to memory of 1364	1776	AdvancedRun.exe	AdvancedRun.exe
PID 1776 wrote to memory of 1364	1776	AdvancedRun.exe	AdvancedRun.exe
PID 1776 wrote to memory of 1364	1776	AdvancedRun.exe	AdvancedRun.exe
PID 1776 wrote to memory of 1364	1776	AdvancedRun.exe	AdvancedRun.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1108 wrote to memory of 1940	1108	Sales_Order description.exe	Sales_Order description.exe
PID 1264 wrote to memory of 304	1264	Explorer.EXE	explorer.exe
PID 1264 wrote to memory of 304	1264	Explorer.EXE	explorer.exe
PID 1264 wrote to memory of 304	1264	Explorer.EXE	explorer.exe
PID 1264 wrote to memory of 304	1264	Explorer.EXE	explorer.exe
PID 304 wrote to memory of 988	304	explorer.exe	cmd.exe
PID 304 wrote to memory of 988	304	explorer.exe	cmd.exe
PID 304 wrote to memory of 988	304	explorer.exe	cmd.exe
PID 304 wrote to memory of 988	304	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe
"C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1980
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1776
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe
"C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe"
3⤵
- Deletes itself
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/304-41-0x0000000002370000-0x0000000002673000-memory.dmp

Filesize
3.0MB

Download
memory/304-37-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/304-39-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/304-42-0x0000000002140000-0x00000000021D3000-memory.dmp

Filesize
588KB

Download
memory/304-35-0x0000000000000000-mapping.dmp

Download
memory/304-38-0x0000000000780000-0x0000000000A01000-memory.dmp

Filesize
2.5MB

Download
memory/988-40-0x0000000000000000-mapping.dmp

Download
memory/1108-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1108-5-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1108-3-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1108-6-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/1108-7-0x00000000020A0000-0x00000000020F3000-memory.dmp

Filesize
332KB

Download
memory/1264-43-0x0000000006880000-0x0000000006975000-memory.dmp

Filesize
980KB

Download
memory/1264-32-0x0000000006560000-0x000000000661A000-memory.dmp

Filesize
744KB

Download
memory/1364-26-0x0000000000000000-mapping.dmp

Download
memory/1764-16-0x0000000000000000-mapping.dmp

Download
memory/1776-21-0x0000000000000000-mapping.dmp

Download
memory/1940-34-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/1940-33-0x0000000000B10000-0x0000000000E13000-memory.dmp

Filesize
3.0MB

Download
memory/1940-30-0x000000000041ED90-mapping.dmp

Download
memory/1940-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1980-12-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1980-10-0x0000000000000000-mapping.dmp

Download