formbook | f5b24f949895b74aa3b6bbb47e215f55f1846bf82bf462db83eff295e72fb5f7

General

Target

nova narudžba.exe
Size

613KB
MD5

e3d04586f820d0b32ac72b9447890181
SHA1

8e34dafea4406548b0af762e6ecbd42d156a1b58
SHA256

f5b24f949895b74aa3b6bbb47e215f55f1846bf82bf462db83eff295e72fb5f7
SHA512

aceccdf0246730f9775855f2359f54b11e33d9d1aa8c71053f1894feaf0d0d6491f04bd019ead6173cc2f3d05b34ed4b3f0a9bd536cce2a8260ce8d0df86f475

Score

10^/10

formbook evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.quetech.info/ykl/

Decoy

856380056.xyz

collegesx.com

glenoindustrysupply.com

latingames.net

ykdxlfd.icu

donnapharris.com

thememoryofmiracles.com

youngbrotherhawaii.com

loolake.info

e-scrutiny.com

bebeautybehappy.com

ankhopxa.store

315520.com

octamira.com

dggy100.com

gkjpondokgede.com

yoursnips.com

analog-capture.com

wnetn.com

blmisajoke.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2940-151-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2940-152-0x000000000041EB20-mapping.dmp	formbook
behavioral2/memory/3348-200-0x0000000003080000-0x00000000030AE000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nova narudžba.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nova narudžba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nova narudžba.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nova narudžba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nova narudžba.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	nova narudžba.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nova narudžba.exeRegSvcs.exesystray.exe

description	pid	process	target process
PID 752 set thread context of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 2940 set thread context of 3060	2940	RegSvcs.exe	Explorer.EXE
PID 3348 set thread context of 3060	3348	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2196 schtasks.exe

pid	process
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

nova narudžba.exepowershell.exepowershell.exepowershell.exeRegSvcs.exesystray.exe

pid	process
752	nova narudžba.exe
752	nova narudžba.exe
752	nova narudžba.exe
3168	powershell.exe
2272	powershell.exe
3168	powershell.exe
752	nova narudžba.exe
2272	powershell.exe
1452	powershell.exe
2940	RegSvcs.exe
2940	RegSvcs.exe
2940	RegSvcs.exe
2940	RegSvcs.exe
3168	powershell.exe
2272	powershell.exe
1452	powershell.exe
1452	powershell.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe
3348	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exesystray.exe

pid process

2940 RegSvcs.exe
2940 RegSvcs.exe
2940 RegSvcs.exe
3348 systray.exe
3348 systray.exe

pid	process
2940	RegSvcs.exe
2940	RegSvcs.exe
2940	RegSvcs.exe
3348	systray.exe
3348	systray.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

nova narudžba.exepowershell.exepowershell.exepowershell.exeRegSvcs.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	752	nova narudžba.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2940	RegSvcs.exe
Token: SeDebugPrivilege	3348	systray.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

nova narudžba.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 752 wrote to memory of 3168	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 3168	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 3168	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 2272	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 2272	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 2272	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 2196	752	nova narudžba.exe	schtasks.exe
PID 752 wrote to memory of 2196	752	nova narudžba.exe	schtasks.exe
PID 752 wrote to memory of 2196	752	nova narudžba.exe	schtasks.exe
PID 752 wrote to memory of 1452	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 1452	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 1452	752	nova narudžba.exe	powershell.exe
PID 752 wrote to memory of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 752 wrote to memory of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 752 wrote to memory of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 752 wrote to memory of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 752 wrote to memory of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 752 wrote to memory of 2940	752	nova narudžba.exe	RegSvcs.exe
PID 3060 wrote to memory of 3348	3060	Explorer.EXE	systray.exe
PID 3060 wrote to memory of 3348	3060	Explorer.EXE	systray.exe
PID 3060 wrote to memory of 3348	3060	Explorer.EXE	systray.exe
PID 3348 wrote to memory of 2440	3348	systray.exe	cmd.exe
PID 3348 wrote to memory of 2440	3348	systray.exe	cmd.exe
PID 3348 wrote to memory of 2440	3348	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\nova narudžba.exe
"C:\Users\Admin\AppData\Local\Temp\nova narudžba.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nova narudžba.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iCYGjjbzgNn.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iCYGjjbzgNn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2EBD.tmp"
3⤵
- Creates scheduled task(s)
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iCYGjjbzgNn.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2440

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cc148890b88bf1e66a483f37d73d214e

SHA1
e432581b3507161440b05150024229eb0d138319

SHA256
aa14174259560bbfc5ae4fa1b8b91235d933e1ef12b1be4a787cf42fc71345e3

SHA512
e25b99347be7691bc1dfd857a8cdce6f066c54f8c3c44c0ec6d734ba72e9643e79bf995dee1bc09252b1e0e34d182b8555b6be4ef0dfc364f5e89fb5dae7d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EBD.tmp
MD5
998cbb85bde8d1531502f1690cf42a5e

SHA1
b88d38d05b03490aac3ba754d1d667624cef093f

SHA256
d00e87a3e2a1254528f8e5a401d2154eb7a54741f2fe2820b88e8a09b5a5f24d

SHA512
2888a5e98de6a56521329ce0c8737de1ecf3d892826d8cb721955c7ea9a32d7f6bf80a4de20193a7f0b25f8928e5d21ac5d261018f9995a63da495eef712f489

Download Submit
memory/752-121-0x0000000005BE0000-0x0000000005BE9000-memory.dmp

Filesize
36KB

Download
memory/752-119-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/752-120-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/752-118-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/752-122-0x000000007F110000-0x000000007F111000-memory.dmp

Filesize
4KB

Download
memory/752-123-0x0000000001530000-0x00000000015A8000-memory.dmp

Filesize
480KB

Download
memory/752-124-0x00000000015F0000-0x0000000001623000-memory.dmp

Filesize
204KB

Download
memory/752-117-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/752-126-0x000000000BCD0000-0x000000000BCD1000-memory.dmp

Filesize
4KB

Download
memory/752-114-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/752-116-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/1452-150-0x0000000000000000-mapping.dmp

Download
memory/1452-160-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/1452-206-0x000000007EFE0000-0x000000007EFE1000-memory.dmp

Filesize
4KB

Download
memory/1452-161-0x0000000006AC2000-0x0000000006AC3000-memory.dmp

Filesize
4KB

Download
memory/1452-203-0x0000000006AC3000-0x0000000006AC4000-memory.dmp

Filesize
4KB

Download
memory/2196-133-0x0000000000000000-mapping.dmp

Download
memory/2272-145-0x0000000006F12000-0x0000000006F13000-memory.dmp

Filesize
4KB

Download
memory/2272-144-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2272-132-0x0000000000000000-mapping.dmp

Download
memory/2272-195-0x000000007F5E0000-0x000000007F5E1000-memory.dmp

Filesize
4KB

Download
memory/2272-204-0x0000000006F13000-0x0000000006F14000-memory.dmp

Filesize
4KB

Download
memory/2440-201-0x0000000000000000-mapping.dmp

Download
memory/2940-171-0x0000000001210000-0x0000000001224000-memory.dmp

Filesize
80KB

Download
memory/2940-151-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2940-152-0x000000000041EB20-mapping.dmp

Download
memory/2940-162-0x0000000001670000-0x0000000001990000-memory.dmp

Filesize
3.1MB

Download
memory/3060-172-0x0000000005AD0000-0x0000000005C1C000-memory.dmp

Filesize
1.3MB

Download
memory/3060-210-0x0000000006950000-0x0000000006A74000-memory.dmp

Filesize
1.1MB

Download
memory/3168-129-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/3168-142-0x00000000069A2000-0x00000000069A3000-memory.dmp

Filesize
4KB

Download
memory/3168-158-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3168-125-0x0000000000000000-mapping.dmp

Download
memory/3168-191-0x000000007F510000-0x000000007F511000-memory.dmp

Filesize
4KB

Download
memory/3168-156-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3168-193-0x00000000090B0000-0x00000000090E3000-memory.dmp

Filesize
204KB

Download
memory/3168-130-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/3168-131-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3168-163-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/3168-134-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/3168-141-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/3168-135-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/3168-205-0x00000000069A3000-0x00000000069A4000-memory.dmp

Filesize
4KB

Download
memory/3348-202-0x00000000045B0000-0x00000000048D0000-memory.dmp

Filesize
3.1MB

Download
memory/3348-200-0x0000000003080000-0x00000000030AE000-memory.dmp

Filesize
184KB

Download
memory/3348-198-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/3348-209-0x0000000004970000-0x0000000004A03000-memory.dmp

Filesize
588KB

Download
memory/3348-188-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads