formbook | ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163

General

Target

Order Inquiry.exe
Size

222KB
MD5

6664568334aabc380dda1821fdd379d9
SHA1

8b847d59b54068e0cb5316c1e4f6e5db286d98d9
SHA256

ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163
SHA512

cb391712b7c9138cb12bc5f0176ddb7739f25db7e1c4da03b02ba0b68ba0cce00650341230f189fff1f398eab7ac0ac2584d4d171a5f6430c78130dbd6e431fa

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.c-voyageinc.com/r4ei/

Decoy

8clintonstreet.com

sherylhotpepperblends.com

eucham.asia

earnestqueen.com

vstexchange.com

theoutofbounds.com

allincursive.com

getgenevieved.com

commonlawpeoplesassembly.net

brideclubstorerastreamento.com

cngelectricaldesign.com

mizmaleather.com

nicolabenge.com

babyboxbuy.com

xaydungquan9.com

hclifechurch.com

cwyxonlp.icu

inocentkidd.com

worldhw.com

soul.exchange

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3028-6-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3576-12-0x0000000000E60000-0x0000000000E8E000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Order Inquiry.exe

pid process

580 Order Inquiry.exe

pid	process
580	Order Inquiry.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order Inquiry.exeOrder Inquiry.execontrol.exe

description	pid	process	target process
PID 580 set thread context of 3028	580	Order Inquiry.exe	Order Inquiry.exe
PID 3028 set thread context of 3032	3028	Order Inquiry.exe	Explorer.EXE
PID 3576 set thread context of 3032	3576	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Order Inquiry.execontrol.exe

pid	process
3028	Order Inquiry.exe
3028	Order Inquiry.exe
3028	Order Inquiry.exe
3028	Order Inquiry.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe
3576	control.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order Inquiry.exeOrder Inquiry.execontrol.exe

pid process

580 Order Inquiry.exe
3028 Order Inquiry.exe
3028 Order Inquiry.exe
3028 Order Inquiry.exe
3576 control.exe
3576 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order Inquiry.execontrol.exe

description pid process

Token: SeDebugPrivilege 3028 Order Inquiry.exe
Token: SeDebugPrivilege 3576 control.exe

pid	process
580	Order Inquiry.exe
3028	Order Inquiry.exe
3028	Order Inquiry.exe
3028	Order Inquiry.exe
3576	control.exe
3576	control.exe

description	pid	process
Token: SeDebugPrivilege	3028	Order Inquiry.exe
Token: SeDebugPrivilege	3576	control.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Order Inquiry.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 580 wrote to memory of 3028	580	Order Inquiry.exe	Order Inquiry.exe
PID 580 wrote to memory of 3028	580	Order Inquiry.exe	Order Inquiry.exe
PID 580 wrote to memory of 3028	580	Order Inquiry.exe	Order Inquiry.exe
PID 580 wrote to memory of 3028	580	Order Inquiry.exe	Order Inquiry.exe
PID 3032 wrote to memory of 3576	3032	Explorer.EXE	control.exe
PID 3032 wrote to memory of 3576	3032	Explorer.EXE	control.exe
PID 3032 wrote to memory of 3576	3032	Explorer.EXE	control.exe
PID 3576 wrote to memory of 208	3576	control.exe	cmd.exe
PID 3576 wrote to memory of 208	3576	control.exe	cmd.exe
PID 3576 wrote to memory of 208	3576	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
3⤵
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsf53C4.tmp\u50p.dll
MD5
8339650c424842bdf21c460c26a92a92

SHA1
d3f9cb60ec1b8ca634bc4d24bb4a9579fdf10b96

SHA256
14ca3ecc145171f8fbd847a696c2a1f1d3c804fcfe6cec1a7f02f9c20285066d

SHA512
7e6b39a87c7cf81228e15bf3e916f785725e77544e6795dd9945cc53f1d5b10a46b0d6b1b8e47f68a0ef8e87bc18e4a314ffcfabe65ddbbe7d67d32cec44afca

Download Submit
memory/208-14-0x0000000000000000-mapping.dmp

Download
memory/580-3-0x0000000002620000-0x0000000002622000-memory.dmp

Filesize
8KB

Download
memory/3028-7-0x0000000000AF0000-0x0000000000E10000-memory.dmp

Filesize
3.1MB

Download
memory/3028-8-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/3028-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3028-4-0x000000000041ED40-mapping.dmp

Download
memory/3032-9-0x0000000005050000-0x00000000051A8000-memory.dmp

Filesize
1.3MB

Download
memory/3032-16-0x0000000002A00000-0x0000000002AC7000-memory.dmp

Filesize
796KB

Download
memory/3576-10-0x0000000000000000-mapping.dmp

Download
memory/3576-11-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

Filesize
128KB

Download
memory/3576-13-0x0000000004F60000-0x0000000005280000-memory.dmp

Filesize
3.1MB

Download
memory/3576-12-0x0000000000E60000-0x0000000000E8E000-memory.dmp

Filesize
184KB

Download
memory/3576-15-0x0000000004DC0000-0x0000000004E53000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads