formbook | 87946dcd976eb13af37e24ff68e36a03d2f46a9ae474f336207cf03cbbb0b508

General

Target

Yeni siparis ekteki listede.exe
Size

962KB
MD5

a7ab9ba241d1caa4b43ee261be601d2f
SHA1

ffb7515430b7f27b50e70a4f14f86e18f12f1983
SHA256

87946dcd976eb13af37e24ff68e36a03d2f46a9ae474f336207cf03cbbb0b508
SHA512

5f31695db32997f00c9a0740e139df94ab66db10f00f6231e3518f667285bb06072ce6fbcb5d4d1c6d448c56b4bec0409c91ac970c63244d81c7c860448e8fd0

Score

10^/10

formbook 3nop rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

C2

http://www.jakesplacebarbers.com/3nop/

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3948-128-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3948-129-0x000000000041ED20-mapping.dmp	formbook
behavioral2/memory/684-138-0x0000000000120000-0x000000000014E000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Yeni siparis ekteki listede.exeYeni siparis ekteki listede.execontrol.exe

description	pid	process	target process
PID 3556 set thread context of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3948 set thread context of 3008	3948	Yeni siparis ekteki listede.exe	Explorer.EXE
PID 3948 set thread context of 3008	3948	Yeni siparis ekteki listede.exe	Explorer.EXE
PID 684 set thread context of 3008	684	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1324 schtasks.exe

pid	process
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

Yeni siparis ekteki listede.exeYeni siparis ekteki listede.execontrol.exe

pid	process
3556	Yeni siparis ekteki listede.exe
3556	Yeni siparis ekteki listede.exe
3556	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe
684	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
3008	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Yeni siparis ekteki listede.execontrol.exe

pid	process
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
3948	Yeni siparis ekteki listede.exe
684	control.exe
684	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Yeni siparis ekteki listede.exeYeni siparis ekteki listede.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	3556	Yeni siparis ekteki listede.exe
Token: SeDebugPrivilege	3948	Yeni siparis ekteki listede.exe
Token: SeDebugPrivilege	684	control.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
3008	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Yeni siparis ekteki listede.exeYeni siparis ekteki listede.execontrol.exe

description	pid	process	target process
PID 3556 wrote to memory of 1324	3556	Yeni siparis ekteki listede.exe	schtasks.exe
PID 3556 wrote to memory of 1324	3556	Yeni siparis ekteki listede.exe	schtasks.exe
PID 3556 wrote to memory of 1324	3556	Yeni siparis ekteki listede.exe	schtasks.exe
PID 3556 wrote to memory of 2108	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 2108	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 2108	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3556 wrote to memory of 3948	3556	Yeni siparis ekteki listede.exe	Yeni siparis ekteki listede.exe
PID 3948 wrote to memory of 684	3948	Yeni siparis ekteki listede.exe	control.exe
PID 3948 wrote to memory of 684	3948	Yeni siparis ekteki listede.exe	control.exe
PID 3948 wrote to memory of 684	3948	Yeni siparis ekteki listede.exe	control.exe
PID 684 wrote to memory of 3796	684	control.exe	cmd.exe
PID 684 wrote to memory of 3796	684	control.exe	cmd.exe
PID 684 wrote to memory of 3796	684	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3008

C:\Users\Admin\AppData\Local\Temp\Yeni siparis ekteki listede.exe
"C:\Users\Admin\AppData\Local\Temp\Yeni siparis ekteki listede.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EbwSfSItxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6547.tmp"
3⤵
- Creates scheduled task(s)
PID:1324

C:\Users\Admin\AppData\Local\Temp\Yeni siparis ekteki listede.exe
"{path}"
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\Yeni siparis ekteki listede.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Yeni siparis ekteki listede.exe"
5⤵
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6547.tmp
MD5
08463178366a86ee199d649cf00a7475

SHA1
c904c84924e241b754728ce7fb75cbd277f7e6c2

SHA256
92ed9d1e715126ab62bf46bb9abeecdb546b2a661a560af8085a6c4ff75bff1a

SHA512
4a8282d6561ffb1cdd73e46725949ed33dc3cdfbc71d4cdc3175bc292ac11bbc78d47ce5095debef84b4df2261eaec5a6bddd9bc378db88841c5574550300597

Download Submit
memory/684-139-0x0000000000D70000-0x0000000001090000-memory.dmp

Filesize
3.1MB

Download
memory/684-135-0x0000000000000000-mapping.dmp

Download
memory/684-138-0x0000000000120000-0x000000000014E000-memory.dmp

Filesize
184KB

Download
memory/684-137-0x00000000010E0000-0x0000000001100000-memory.dmp

Filesize
128KB

Download
memory/684-140-0x0000000004500000-0x0000000004593000-memory.dmp

Filesize
588KB

Download
memory/1324-126-0x0000000000000000-mapping.dmp

Download
memory/3008-132-0x0000000004B90000-0x0000000004C81000-memory.dmp

Filesize
964KB

Download
memory/3008-141-0x0000000005AF0000-0x0000000005C4C000-memory.dmp

Filesize
1.4MB

Download
memory/3008-134-0x0000000004C90000-0x0000000004DE9000-memory.dmp

Filesize
1.3MB

Download
memory/3556-121-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3556-120-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3556-115-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/3556-124-0x0000000006750000-0x00000000067EB000-memory.dmp

Filesize
620KB

Download
memory/3556-122-0x0000000004990000-0x0000000004A2C000-memory.dmp

Filesize
624KB

Download
memory/3556-125-0x00000000064D0000-0x0000000006519000-memory.dmp

Filesize
292KB

Download
memory/3556-123-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/3556-119-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3556-118-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3556-117-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/3796-136-0x0000000000000000-mapping.dmp

Download
memory/3948-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3948-133-0x0000000001BC0000-0x0000000001BD4000-memory.dmp

Filesize
80KB

Download
memory/3948-131-0x0000000001B80000-0x0000000001B94000-memory.dmp

Filesize
80KB

Download
memory/3948-130-0x0000000001820000-0x0000000001B40000-memory.dmp

Filesize
3.1MB

Download
memory/3948-129-0x000000000041ED20-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads