formbook | 1893345e891ce74b4cfd82071d82f7566e3c44d8bf0e7a33f4207aa8d941632c

General

Target

Order Euro 890,000.exe
Size

393KB
MD5

972c8502ec6351a57fa5ae84fd39e185
SHA1

ea02ba185facd60978f365dae414326e920ec5a7
SHA256

1893345e891ce74b4cfd82071d82f7566e3c44d8bf0e7a33f4207aa8d941632c
SHA512

ecde556d4c6e769dcc6b81eddc507f3018387e3d017edf2df26e7432140765e97621e7e297f9a16b4cf921d2a52f44d4c82c7114616f6eb6f86164549929e893

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.owcbangalore.club/nbg/

Decoy

yogabaydioxil.xyz

ngdnwgtse.club

tsusocialisback.com

racialfires.com

sotomatch.com

tourdelacey.com

gracefullygiven.com

hyggespaceco.com

kinohhooite7.site

labellebrune.com

maniupwithapril.com

superstitionintuition.com

cuidao.net

cavitefreewifi.com

cortex-link.com

plantasmarketing.com

greenpower247.com

lemonaster.com

impact-health.com

winyourmillion.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1524-117-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2396-124-0x0000000002D40000-0x0000000002D6E000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Order Euro 890,000.exe

pid process

4060 Order Euro 890,000.exe

pid	process
4060	Order Euro 890,000.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order Euro 890,000.exeOrder Euro 890,000.exerundll32.exe

description	pid	process	target process
PID 4060 set thread context of 1524	4060	Order Euro 890,000.exe	Order Euro 890,000.exe
PID 1524 set thread context of 2460	1524	Order Euro 890,000.exe	Explorer.EXE
PID 2396 set thread context of 2460	2396	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Order Euro 890,000.exerundll32.exe

pid	process
1524	Order Euro 890,000.exe
1524	Order Euro 890,000.exe
1524	Order Euro 890,000.exe
1524	Order Euro 890,000.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2460 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order Euro 890,000.exeOrder Euro 890,000.exerundll32.exe

pid process

4060 Order Euro 890,000.exe
1524 Order Euro 890,000.exe
1524 Order Euro 890,000.exe
1524 Order Euro 890,000.exe
2396 rundll32.exe
2396 rundll32.exe

pid	process
2460	Explorer.EXE

pid	process
4060	Order Euro 890,000.exe
1524	Order Euro 890,000.exe
1524	Order Euro 890,000.exe
1524	Order Euro 890,000.exe
2396	rundll32.exe
2396	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Order Euro 890,000.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	1524	Order Euro 890,000.exe
Token: SeShutdownPrivilege	2460	Explorer.EXE
Token: SeCreatePagefilePrivilege	2460	Explorer.EXE
Token: SeShutdownPrivilege	2460	Explorer.EXE
Token: SeCreatePagefilePrivilege	2460	Explorer.EXE
Token: SeDebugPrivilege	2396	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2460 Explorer.EXE

pid	process
2460	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Order Euro 890,000.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4060 wrote to memory of 1524	4060	Order Euro 890,000.exe	Order Euro 890,000.exe
PID 4060 wrote to memory of 1524	4060	Order Euro 890,000.exe	Order Euro 890,000.exe
PID 4060 wrote to memory of 1524	4060	Order Euro 890,000.exe	Order Euro 890,000.exe
PID 4060 wrote to memory of 1524	4060	Order Euro 890,000.exe	Order Euro 890,000.exe
PID 2460 wrote to memory of 2396	2460	Explorer.EXE	rundll32.exe
PID 2460 wrote to memory of 2396	2460	Explorer.EXE	rundll32.exe
PID 2460 wrote to memory of 2396	2460	Explorer.EXE	rundll32.exe
PID 2396 wrote to memory of 3720	2396	rundll32.exe	cmd.exe
PID 2396 wrote to memory of 3720	2396	rundll32.exe	cmd.exe
PID 2396 wrote to memory of 3720	2396	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\Order Euro 890,000.exe
"C:\Users\Admin\AppData\Local\Temp\Order Euro 890,000.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\Order Euro 890,000.exe
"C:\Users\Admin\AppData\Local\Temp\Order Euro 890,000.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order Euro 890,000.exe"
3⤵
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsxEAC.tmp\dofls4.dll
MD5
5af6fd2c67592b9be8c2ae98cddbc738

SHA1
65b245355f18116d9837217f63f4157fd065ac06

SHA256
b96f6d8fb3daf46f60ef2b284edffdbdbbfcf87ee8631b652993c8afae86b53b

SHA512
599c3770c6fbb63fd0fbecace62187a307c67a0b7924ec1c26f88bf0e33f7f555aa790d9112c7574e6bc98cbc402ec04fab52c5260392ec157e7fdba7fda1aec

Download Submit
memory/1524-115-0x000000000041EB20-mapping.dmp

Download
memory/1524-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1524-119-0x00000000009D0000-0x00000000009E4000-memory.dmp

Filesize
80KB

Download
memory/1524-118-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/2396-124-0x0000000002D40000-0x0000000002D6E000-memory.dmp

Filesize
184KB

Download
memory/2396-126-0x0000000004970000-0x0000000004A03000-memory.dmp

Filesize
588KB

Download
memory/2396-121-0x0000000000000000-mapping.dmp

Download
memory/2396-125-0x0000000004AE0000-0x0000000004E00000-memory.dmp

Filesize
3.1MB

Download
memory/2396-123-0x00000000008D0000-0x00000000008E3000-memory.dmp

Filesize
76KB

Download
memory/2460-120-0x0000000005F50000-0x000000000607A000-memory.dmp

Filesize
1.2MB

Download
memory/2460-127-0x00000000064E0000-0x0000000006666000-memory.dmp

Filesize
1.5MB

Download
memory/3720-122-0x0000000000000000-mapping.dmp

Download
memory/4060-116-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads