formbook | 0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93

General

Target

Purchase Inquiry.Pdf.exe
Size

1.2MB
MD5

d6a51d185e394a8e26bd1a29406d283a
SHA1

26128b0684a819e3488158d040c4d1b906ff473d
SHA256

0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93
SHA512

3150c5cc23ca3b4b8ce3bbf9bf7097029e3cb3e5eebef590ca942c1c9424a178b890c39191815149752ef84c06ef2c98576590b2a7404e3d767feb5138d19ac8

Score

10^/10

formbook rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.papablogzzi.com/obow/

Decoy

hinetin.net

narrativebusters.com

jesusmusicatl.com

mywellnessbooking.com

830272.com

mainrein.com

kajeoneworld.com

directaccesss.com

igsecretos.com

campbone.com

socialvidiots.com

abditrade.com

purisopropyl.com

opticalapparatus.com

staveoffboredom.com

evinja.com

onlinebusinesstoolselector.com

todayonly2.info

elitedesign-dz.com

zgszgw.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/652-122-0x0000000000ED0000-0x0000000000EDB000-memory.dmp	CustAttr

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3764-138-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3764-139-0x000000000041EAC0-mapping.dmp	formbook
behavioral2/memory/3844-195-0x0000000000E10000-0x0000000000E3E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Inquiry.Pdf.exePurchase Inquiry.Pdf.exemsdt.exe

description	pid	process	target process
PID 652 set thread context of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 3764 set thread context of 2724	3764	Purchase Inquiry.Pdf.exe	Explorer.EXE
PID 3844 set thread context of 2724	3844	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

692 schtasks.exe

pid	process
692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Purchase Inquiry.Pdf.exepowershell.exepowershell.exepowershell.exePurchase Inquiry.Pdf.exemsdt.exe

pid	process
652	Purchase Inquiry.Pdf.exe
3880	powershell.exe
2128	powershell.exe
3796	powershell.exe
3764	Purchase Inquiry.Pdf.exe
3764	Purchase Inquiry.Pdf.exe
3764	Purchase Inquiry.Pdf.exe
3764	Purchase Inquiry.Pdf.exe
3796	powershell.exe
3880	powershell.exe
2128	powershell.exe
3880	powershell.exe
2128	powershell.exe
3796	powershell.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe
3844	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2724 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Purchase Inquiry.Pdf.exemsdt.exe

pid process

3764 Purchase Inquiry.Pdf.exe
3764 Purchase Inquiry.Pdf.exe
3764 Purchase Inquiry.Pdf.exe
3844 msdt.exe
3844 msdt.exe

pid	process
2724	Explorer.EXE

pid	process
3764	Purchase Inquiry.Pdf.exe
3764	Purchase Inquiry.Pdf.exe
3764	Purchase Inquiry.Pdf.exe
3844	msdt.exe
3844	msdt.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Purchase Inquiry.Pdf.exepowershell.exepowershell.exepowershell.exePurchase Inquiry.Pdf.exemsdt.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	652	Purchase Inquiry.Pdf.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3764	Purchase Inquiry.Pdf.exe
Token: SeDebugPrivilege	3844	msdt.exe
Token: SeShutdownPrivilege	2724	Explorer.EXE
Token: SeCreatePagefilePrivilege	2724	Explorer.EXE
Token: SeShutdownPrivilege	2724	Explorer.EXE
Token: SeCreatePagefilePrivilege	2724	Explorer.EXE
Token: SeShutdownPrivilege	2724	Explorer.EXE
Token: SeCreatePagefilePrivilege	2724	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2724 Explorer.EXE

pid	process
2724	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Purchase Inquiry.Pdf.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 652 wrote to memory of 2128	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 2128	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 2128	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 3880	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 3880	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 3880	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 692	652	Purchase Inquiry.Pdf.exe	schtasks.exe
PID 652 wrote to memory of 692	652	Purchase Inquiry.Pdf.exe	schtasks.exe
PID 652 wrote to memory of 692	652	Purchase Inquiry.Pdf.exe	schtasks.exe
PID 652 wrote to memory of 3796	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 3796	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 3796	652	Purchase Inquiry.Pdf.exe	powershell.exe
PID 652 wrote to memory of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 652 wrote to memory of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 652 wrote to memory of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 652 wrote to memory of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 652 wrote to memory of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 652 wrote to memory of 3764	652	Purchase Inquiry.Pdf.exe	Purchase Inquiry.Pdf.exe
PID 2724 wrote to memory of 3844	2724	Explorer.EXE	msdt.exe
PID 2724 wrote to memory of 3844	2724	Explorer.EXE	msdt.exe
PID 2724 wrote to memory of 3844	2724	Explorer.EXE	msdt.exe
PID 3844 wrote to memory of 3752	3844	msdt.exe	cmd.exe
PID 3844 wrote to memory of 3752	3844	msdt.exe	cmd.exe
PID 3844 wrote to memory of 3752	3844	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.Pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.Pdf.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PnjbjcWjC.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PnjbjcWjC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD20.tmp"
3⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PnjbjcWjC.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.Pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.Pdf.exe"
3⤵
PID:3752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f25325848cbc7d38a3e6f33a250e58c5

SHA1
44a56ce58ba2e51163760a33e6b63e91750a3cb5

SHA256
2ddb3ffd0a256f0d764f35ee6f96ed80fee41aac828410cee8ba5f3d70bf6511

SHA512
cd7fe1180bcdb3171e65d4532be5301678aa96eb0fa5ba046d134847e9f8421945d5108d27e9ad7e67bd0e00e7e9fc4a5bb3ad3c5e10e29f960dce188cb4bfad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4550ccf03abc66ba692dcfae572510a9

SHA1
39a5e24c5427c6eaa88586f52273efa24c3fc47c

SHA256
42360e22eb57968b9b6accf2813b250f895f7cc53f251229e6a5e3b8dba05d9e

SHA512
408cd6f0398a12491058705876f6aa7c9a31bc514ba0ddc96d8d7ca8bcb7e9e3e7930bd9f619747bc8e246b917dc548ca4e168010f124a6a736c4f57352d03b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD20.tmp
MD5
ed2702771453f026247c5d7e4f23f965

SHA1
527718bfc334d2c64dd1db3d067b85b772d91746

SHA256
7830a2778a49d47b99a77fa51183beb902f2febd70fdaed0f949f47409acb5b9

SHA512
8658df7e89ce45d8de1c6f3f8af7d4039cc055990fde9d05d04e2e9abf35aa2600482f7b9490819c2bab22ea1026b0a07d5ec0fa5e0534e298f9fb01798ffa50

Download Submit
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x0000000004F20000-0x000000000541E000-memory.dmp

Filesize
5.0MB

Download
memory/652-124-0x0000000005D20000-0x0000000005D54000-memory.dmp

Filesize
208KB

Download
memory/652-116-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

Filesize
44KB

Download
memory/652-117-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/652-118-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/652-121-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/652-120-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/652-123-0x0000000005CA0000-0x0000000005D18000-memory.dmp

Filesize
480KB

Download
memory/692-130-0x0000000000000000-mapping.dmp

Download
memory/2128-148-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2128-125-0x0000000000000000-mapping.dmp

Download
memory/2128-146-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/2128-149-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/2128-237-0x000000007E250000-0x000000007E251000-memory.dmp

Filesize
4KB

Download
memory/2128-253-0x00000000042D3000-0x00000000042D4000-memory.dmp

Filesize
4KB

Download
memory/2128-152-0x00000000042D2000-0x00000000042D3000-memory.dmp

Filesize
4KB

Download
memory/2128-154-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2128-131-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/2128-221-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/2128-129-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/2128-168-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/2128-165-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/2724-159-0x0000000006A70000-0x0000000006B96000-memory.dmp

Filesize
1.1MB

Download
memory/2724-516-0x0000000002CA0000-0x0000000002D49000-memory.dmp

Filesize
676KB

Download
memory/3752-187-0x0000000000000000-mapping.dmp

Download
memory/3764-139-0x000000000041EAC0-mapping.dmp

Download
memory/3764-158-0x0000000001400000-0x0000000001414000-memory.dmp

Filesize
80KB

Download
memory/3764-151-0x0000000001430000-0x0000000001750000-memory.dmp

Filesize
3.1MB

Download
memory/3764-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3796-157-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3796-252-0x00000000070B3000-0x00000000070B4000-memory.dmp

Filesize
4KB

Download
memory/3796-200-0x00000000096D0000-0x0000000009703000-memory.dmp

Filesize
204KB

Download
memory/3796-137-0x0000000000000000-mapping.dmp

Download
memory/3796-160-0x00000000070B2000-0x00000000070B3000-memory.dmp

Filesize
4KB

Download
memory/3796-234-0x000000007F860000-0x000000007F861000-memory.dmp

Filesize
4KB

Download
memory/3796-171-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/3844-180-0x0000000000000000-mapping.dmp

Download
memory/3844-196-0x0000000005010000-0x0000000005330000-memory.dmp

Filesize
3.1MB

Download
memory/3844-512-0x0000000004F10000-0x0000000004FA3000-memory.dmp

Filesize
588KB

Download
memory/3844-194-0x0000000001390000-0x0000000001503000-memory.dmp

Filesize
1.4MB

Download
memory/3844-195-0x0000000000E10000-0x0000000000E3E000-memory.dmp

Filesize
184KB

Download
memory/3880-251-0x0000000004E63000-0x0000000004E64000-memory.dmp

Filesize
4KB

Download
memory/3880-231-0x000000007F830000-0x000000007F831000-memory.dmp

Filesize
4KB

Download
memory/3880-156-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/3880-153-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3880-144-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3880-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads