formbook | ea8f1768c5f29a532d0c2a0d94991a4bf6d49fba87806efc4f333354fe1627f0

General

Target

RFQ_Cicor_012.exe
Size

968KB
MD5

27b5fcbd6865ea65fe7840f2557ae1de
SHA1

42ded4a3e5e2e21b1f596aae2174389ea29d255c
SHA256

36533f5c6cd7b6cf7e1c4cdfce1b185a9059a7fb0cc98ad1fdcbf11b54bb9fda
SHA512

a573affcbfbd1e82f106f0f6b36fa4dd7d27f29a513f5476ef1c9d44fb27b577203e29142dde17d4843a5fc4417d4c47b855f0a60f73d37b0ec5f44c920c3ebf

Score

10^/10

formbook rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.radissonhotelsusa.com/cp5/

Decoy

glcpunix.com

marabierta-coaching.com

osrs-remastered.com

lineagehealthxwellness.com

dunyadagezilecekyerler.com

negociosyfinanzasfaciles.com

bifa510.com

houseofutamasa.com

dopeneeds.com

sailacc.com

thewindgallery.com

elvinrisky.com

flowersassistedliving.com

lzbnwy.com

mrpentester.com

joinmytradingteam.com

jasabuatvisa.com

meherunnessa-foundation.com

notyourtypicaljocks.com

lobo-sports.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1252-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1252-68-0x000000000041EBF0-mapping.dmp	formbook
behavioral1/memory/1124-74-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1924 cmd.exe

pid	process
1924	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ_Cicor_012.exeRFQ_Cicor_012.execmmon32.exe

description	pid	process	target process
PID 1996 set thread context of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1252 set thread context of 1288	1252	RFQ_Cicor_012.exe	Explorer.EXE
PID 1124 set thread context of 1288	1124	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

524 schtasks.exe

pid	process
524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

RFQ_Cicor_012.exeRFQ_Cicor_012.execmmon32.exe

pid	process
1996	RFQ_Cicor_012.exe
1252	RFQ_Cicor_012.exe
1252	RFQ_Cicor_012.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe
1124	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ_Cicor_012.execmmon32.exe

pid process

1252 RFQ_Cicor_012.exe
1252 RFQ_Cicor_012.exe
1252 RFQ_Cicor_012.exe
1124 cmmon32.exe
1124 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ_Cicor_012.exeRFQ_Cicor_012.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1996 RFQ_Cicor_012.exe
Token: SeDebugPrivilege 1252 RFQ_Cicor_012.exe
Token: SeDebugPrivilege 1124 cmmon32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE

pid	process
1252	RFQ_Cicor_012.exe
1252	RFQ_Cicor_012.exe
1252	RFQ_Cicor_012.exe
1124	cmmon32.exe
1124	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1996	RFQ_Cicor_012.exe
Token: SeDebugPrivilege	1252	RFQ_Cicor_012.exe
Token: SeDebugPrivilege	1124	cmmon32.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RFQ_Cicor_012.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1996 wrote to memory of 524	1996	RFQ_Cicor_012.exe	schtasks.exe
PID 1996 wrote to memory of 524	1996	RFQ_Cicor_012.exe	schtasks.exe
PID 1996 wrote to memory of 524	1996	RFQ_Cicor_012.exe	schtasks.exe
PID 1996 wrote to memory of 524	1996	RFQ_Cicor_012.exe	schtasks.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1996 wrote to memory of 1252	1996	RFQ_Cicor_012.exe	RFQ_Cicor_012.exe
PID 1288 wrote to memory of 1124	1288	Explorer.EXE	cmmon32.exe
PID 1288 wrote to memory of 1124	1288	Explorer.EXE	cmmon32.exe
PID 1288 wrote to memory of 1124	1288	Explorer.EXE	cmmon32.exe
PID 1288 wrote to memory of 1124	1288	Explorer.EXE	cmmon32.exe
PID 1124 wrote to memory of 1924	1124	cmmon32.exe	cmd.exe
PID 1124 wrote to memory of 1924	1124	cmmon32.exe	cmd.exe
PID 1124 wrote to memory of 1924	1124	cmmon32.exe	cmd.exe
PID 1124 wrote to memory of 1924	1124	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\RFQ_Cicor_012.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_Cicor_012.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\okSIfG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8556.tmp"
3⤵
- Creates scheduled task(s)
PID:524

C:\Users\Admin\AppData\Local\Temp\RFQ_Cicor_012.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_Cicor_012.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ_Cicor_012.exe"
3⤵
- Deletes itself
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8556.tmp
MD5
17d9ace5fa4b427c3aa3e9942ed97044

SHA1
ec536aacfd46bd23a8709799bad913c607d1b28b

SHA256
a79d1e3bc9fd7b3a9a1e0dc6f042ccc98561b9130d92de83b8b4019a7cf6bb9d

SHA512
0127ad7f5bcf2194e7c9876e6d8a5d8c84d6b0ada83c1a52aea4ef8cc26b6135400c64ba0ff493522c1a807b75641e8e4bc3ef2a1890ba76454cb66dd38a2e59

Download Submit
memory/524-65-0x0000000000000000-mapping.dmp

Download
memory/1124-73-0x0000000000810000-0x000000000081D000-memory.dmp

Filesize
52KB

Download
memory/1124-72-0x0000000000000000-mapping.dmp

Download
memory/1124-77-0x0000000001E50000-0x0000000001EE3000-memory.dmp

Filesize
588KB

Download
memory/1124-76-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/1124-74-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1252-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1252-68-0x000000000041EBF0-mapping.dmp

Download
memory/1252-69-0x0000000000D80000-0x0000000001083000-memory.dmp

Filesize
3.0MB

Download
memory/1252-70-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1288-71-0x0000000007350000-0x00000000074C7000-memory.dmp

Filesize
1.5MB

Download
memory/1288-78-0x0000000006A20000-0x0000000006B27000-memory.dmp

Filesize
1.0MB

Download
memory/1924-75-0x0000000000000000-mapping.dmp

Download
memory/1996-60-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1996-64-0x0000000005120000-0x000000000518D000-memory.dmp

Filesize
436KB

Download
memory/1996-62-0x0000000000A60000-0x0000000000A83000-memory.dmp

Filesize
140KB

Download
memory/1996-63-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads