formbook | 5b37a66d9c4dce04b671f22c0746f1472e9dc089972e4b0c949d3884bfcb2b66

General

Target

202139769574 Shipping Documents.exe
Size

229KB
MD5

eee5f618718bc8237bb9c7a48154cf1a
SHA1

84dc873f65dc9e86978944d1adddb762efcf2631
SHA256

cc7b066e0fa912d406c27790458ad6feb171b27275b6e3fe46b7a7574da7bfce
SHA512

8f49fab9642c63814bc77ff302d05719d92404fe38bd220060a161c51b3f6f129bd5c4b2a4b3a2e1e239488e31f157f32b772505f8501003682cc9904d205c57

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2480-117-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3936-124-0x0000000000710000-0x000000000073E000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

202139769574 Shipping Documents.exe

pid process

2116 202139769574 Shipping Documents.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

202139769574 Shipping Documents.exe202139769574 Shipping Documents.exeNETSTAT.EXE

description	pid	process	target process
PID 2116 set thread context of 2480	2116	202139769574 Shipping Documents.exe	202139769574 Shipping Documents.exe
PID 2480 set thread context of 3020	2480	202139769574 Shipping Documents.exe	Explorer.EXE
PID 3936 set thread context of 3020	3936	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3936 NETSTAT.EXE

pid	process
3936	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

202139769574 Shipping Documents.exeNETSTAT.EXE

pid	process
2480	202139769574 Shipping Documents.exe
2480	202139769574 Shipping Documents.exe
2480	202139769574 Shipping Documents.exe
2480	202139769574 Shipping Documents.exe
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE
3936	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

202139769574 Shipping Documents.exe202139769574 Shipping Documents.exeNETSTAT.EXE

pid	process
2116	202139769574 Shipping Documents.exe
2480	202139769574 Shipping Documents.exe
2480	202139769574 Shipping Documents.exe
2480	202139769574 Shipping Documents.exe
3936	NETSTAT.EXE
3936	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

202139769574 Shipping Documents.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2480	202139769574 Shipping Documents.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeDebugPrivilege	3936	NETSTAT.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

202139769574 Shipping Documents.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2116 wrote to memory of 2480	2116	202139769574 Shipping Documents.exe	202139769574 Shipping Documents.exe
PID 2116 wrote to memory of 2480	2116	202139769574 Shipping Documents.exe	202139769574 Shipping Documents.exe
PID 2116 wrote to memory of 2480	2116	202139769574 Shipping Documents.exe	202139769574 Shipping Documents.exe
PID 2116 wrote to memory of 2480	2116	202139769574 Shipping Documents.exe	202139769574 Shipping Documents.exe
PID 3020 wrote to memory of 3936	3020	Explorer.EXE	NETSTAT.EXE
PID 3020 wrote to memory of 3936	3020	Explorer.EXE	NETSTAT.EXE
PID 3020 wrote to memory of 3936	3020	Explorer.EXE	NETSTAT.EXE
PID 3936 wrote to memory of 1004	3936	NETSTAT.EXE	cmd.exe
PID 3936 wrote to memory of 1004	3936	NETSTAT.EXE	cmd.exe
PID 3936 wrote to memory of 1004	3936	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\202139769574 Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\202139769574 Shipping Documents.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\202139769574 Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\202139769574 Shipping Documents.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\202139769574 Shipping Documents.exe"
3⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nss336C.tmp\22m80anrrsp.dll
MD5
a91a7f4f897a9e713b5773e389980197

SHA1
7b8bf8b09702848ef1e3fb0cfd8fa94fbf92ffc3

SHA256
e74da3284780511c44e53fc952a7dfe12578ddcb37c3bcff43c1c45d5a427b0a

SHA512
883a8957a712b3a83c90555b19cb71bd49ead9b8b042ff18515007b3a081208f7e1af38d56bdc0610d5a7f8d7758ff1dc3a8264e20dcf2e294cf852bb604b9df

Download Submit
memory/1004-122-0x0000000000000000-mapping.dmp

Download
memory/2116-116-0x0000000002370000-0x0000000002393000-memory.dmp

Filesize
140KB

Download
memory/2480-115-0x000000000041EBA0-mapping.dmp

Download
memory/2480-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-118-0x00000000009D0000-0x0000000000CF0000-memory.dmp

Filesize
3.1MB

Download
memory/2480-119-0x0000000000CF0000-0x0000000000D04000-memory.dmp

Filesize
80KB

Download
memory/3020-120-0x0000000005810000-0x000000000595E000-memory.dmp

Filesize
1.3MB

Download
memory/3020-127-0x0000000003080000-0x0000000003161000-memory.dmp

Filesize
900KB

Download
memory/3936-121-0x0000000000000000-mapping.dmp

Download
memory/3936-123-0x0000000001150000-0x000000000115B000-memory.dmp

Filesize
44KB

Download
memory/3936-124-0x0000000000710000-0x000000000073E000-memory.dmp

Filesize
184KB

Download
memory/3936-125-0x0000000003160000-0x0000000003480000-memory.dmp

Filesize
3.1MB

Download
memory/3936-126-0x0000000000E60000-0x0000000000EF3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads