formbook | 9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445

General

Target

Sales_Order description.exe
Size

476KB
MD5

9cf418b47ac9b4039e9d2f3073b525f0
SHA1

1cbd1fe3fcba287ccc7b1518e6da52918a1edda0
SHA256

9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445
SHA512

c5c5c0d190db2437039681746ce3d9e84666d6d660d86ec7e8ad3d8676e6b4bc32405b7fc6fadb025b3ed0a6555536be10a7015fcd3838226099e5b2da6df928

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.discorddeno.land/suod/

Decoy

casirivimab.info

johnvogia.com

lzdafang.com

tarihmarketi.com

singalongpress.com

three60farms.com

websky.pro

jacketsmecca.com

magentos6.com

brooksideseniorapts.com

onewhistleandflags.com

naturopathe-valdoise-france.com

reflexmem.com

kurumsalpanel.com

bhuwarecruitment.com

exponentialhealth.online

posttensionrepairs.com

prbrokerllc.com

aashealthcarestaffing.com

pubgeventcenter.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2092-19-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2092-20-0x000000000041ED90-mapping.dmp	formbook
behavioral2/memory/3996-28-0x0000000003000000-0x000000000302E000-memory.dmp	formbook

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

3172 AdvancedRun.exe
980 AdvancedRun.exe
3776 AdvancedRun.exe
1048 AdvancedRun.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Sales_Order description.exeSales_Order description.exesvchost.exe

description	pid	process	target process
PID 580 set thread context of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 2092 set thread context of 3008	2092	Sales_Order description.exe	Explorer.EXE
PID 3996 set thread context of 3008	3996	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeSales_Order description.exeSales_Order description.exesvchost.exe

pid	process
3172	AdvancedRun.exe
3172	AdvancedRun.exe
3172	AdvancedRun.exe
3172	AdvancedRun.exe
980	AdvancedRun.exe
980	AdvancedRun.exe
980	AdvancedRun.exe
980	AdvancedRun.exe
3776	AdvancedRun.exe
3776	AdvancedRun.exe
3776	AdvancedRun.exe
3776	AdvancedRun.exe
1048	AdvancedRun.exe
1048	AdvancedRun.exe
1048	AdvancedRun.exe
1048	AdvancedRun.exe
580	Sales_Order description.exe
580	Sales_Order description.exe
2092	Sales_Order description.exe
2092	Sales_Order description.exe
2092	Sales_Order description.exe
2092	Sales_Order description.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe
3996	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Sales_Order description.exesvchost.exe

pid process

2092 Sales_Order description.exe
2092 Sales_Order description.exe
2092 Sales_Order description.exe
3996 svchost.exe
3996 svchost.exe

pid	process
2092	Sales_Order description.exe
2092	Sales_Order description.exe
2092	Sales_Order description.exe
3996	svchost.exe
3996	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeSales_Order description.exeSales_Order description.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3172	AdvancedRun.exe
Token: SeImpersonatePrivilege	3172	AdvancedRun.exe
Token: SeDebugPrivilege	980	AdvancedRun.exe
Token: SeImpersonatePrivilege	980	AdvancedRun.exe
Token: SeDebugPrivilege	3776	AdvancedRun.exe
Token: SeImpersonatePrivilege	3776	AdvancedRun.exe
Token: SeDebugPrivilege	1048	AdvancedRun.exe
Token: SeImpersonatePrivilege	1048	AdvancedRun.exe
Token: SeDebugPrivilege	580	Sales_Order description.exe
Token: SeDebugPrivilege	2092	Sales_Order description.exe
Token: SeDebugPrivilege	3996	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
3008	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Sales_Order description.exeAdvancedRun.exeAdvancedRun.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 580 wrote to memory of 3172	580	Sales_Order description.exe	AdvancedRun.exe
PID 580 wrote to memory of 3172	580	Sales_Order description.exe	AdvancedRun.exe
PID 580 wrote to memory of 3172	580	Sales_Order description.exe	AdvancedRun.exe
PID 3172 wrote to memory of 980	3172	AdvancedRun.exe	AdvancedRun.exe
PID 3172 wrote to memory of 980	3172	AdvancedRun.exe	AdvancedRun.exe
PID 3172 wrote to memory of 980	3172	AdvancedRun.exe	AdvancedRun.exe
PID 580 wrote to memory of 3776	580	Sales_Order description.exe	AdvancedRun.exe
PID 580 wrote to memory of 3776	580	Sales_Order description.exe	AdvancedRun.exe
PID 580 wrote to memory of 3776	580	Sales_Order description.exe	AdvancedRun.exe
PID 3776 wrote to memory of 1048	3776	AdvancedRun.exe	AdvancedRun.exe
PID 3776 wrote to memory of 1048	3776	AdvancedRun.exe	AdvancedRun.exe
PID 3776 wrote to memory of 1048	3776	AdvancedRun.exe	AdvancedRun.exe
PID 580 wrote to memory of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 580 wrote to memory of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 580 wrote to memory of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 580 wrote to memory of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 580 wrote to memory of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 580 wrote to memory of 2092	580	Sales_Order description.exe	Sales_Order description.exe
PID 3008 wrote to memory of 3996	3008	Explorer.EXE	svchost.exe
PID 3008 wrote to memory of 3996	3008	Explorer.EXE	svchost.exe
PID 3008 wrote to memory of 3996	3008	Explorer.EXE	svchost.exe
PID 3996 wrote to memory of 3828	3996	svchost.exe	cmd.exe
PID 3996 wrote to memory of 3828	3996	svchost.exe	cmd.exe
PID 3996 wrote to memory of 3828	3996	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe
"C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3172
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3776
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe
"C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Sales_Order description.exe"
3⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/580-8-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/580-3-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/580-9-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x0000000005170000-0x00000000051C3000-memory.dmp

Filesize
332KB

Download
memory/580-5-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/580-6-0x0000000005150000-0x0000000005152000-memory.dmp

Filesize
8KB

Download
memory/980-13-0x0000000000000000-mapping.dmp

Download
memory/1048-17-0x0000000000000000-mapping.dmp

Download
memory/2092-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2092-20-0x000000000041ED90-mapping.dmp

Download
memory/2092-22-0x00000000010D0000-0x00000000013F0000-memory.dmp

Filesize
3.1MB

Download
memory/2092-23-0x0000000000B70000-0x0000000000B84000-memory.dmp

Filesize
80KB

Download
memory/3008-31-0x0000000006860000-0x0000000006983000-memory.dmp

Filesize
1.1MB

Download
memory/3008-24-0x00000000055C0000-0x000000000573F000-memory.dmp

Filesize
1.5MB

Download
memory/3172-10-0x0000000000000000-mapping.dmp

Download
memory/3776-15-0x0000000000000000-mapping.dmp

Download
memory/3828-29-0x0000000000000000-mapping.dmp

Download
memory/3996-25-0x0000000000000000-mapping.dmp

Download
memory/3996-27-0x0000000003130000-0x0000000003450000-memory.dmp

Filesize
3.1MB

Download
memory/3996-26-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3996-28-0x0000000003000000-0x000000000302E000-memory.dmp

Filesize
184KB

Download
memory/3996-30-0x00000000034F0000-0x0000000003583000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads