formbook | 90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715

General

Target

rocviud123.exe
Size

254KB
MD5

9bb0511e947ca2a8ce34153f1b76400a
SHA1

311b128e5ef3995c04a754679237b778e85e7203
SHA256

90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715
SHA512

9741900e30ae1afee32dad16aceb55a98826be07d946a2d5a8dde8baeb5ad5a91ae9303b51f2a17d334c9335c63932f323f08102f9dbf287145f81c13f8a2bbf

Score

10^/10

formbook rv9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rv9n

C2

http://www.cjspizza.net/rv9n/

Decoy

olivia-grace.show

zhuwww.com

keiretsu.xyz

olidnh.space

searuleansec.com

2fastrepair.com

brooklynmetalroof.com

scodol.com

novaprint.pro

the-loaner.com

nextroundscap.com

zbwlggs.com

internetautodealer.com

xn--tornrealestate-ekb.com

yunjiuhuo.com

skandinaviskakryptobanken.com

coxivarag.rest

ophthalmologylab.com

zzzzgjcdbqnn98.net

doeful.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3564-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3564-117-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/4164-125-0x0000000002E60000-0x0000000002E8F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

rocviud123.exe

pid process

3580 rocviud123.exe

pid	process
3580	rocviud123.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

rocviud123.exerocviud123.exeNETSTAT.EXE

description	pid	process	target process
PID 3580 set thread context of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3564 set thread context of 3060	3564	rocviud123.exe	Explorer.EXE
PID 3564 set thread context of 3060	3564	rocviud123.exe	Explorer.EXE
PID 4164 set thread context of 3060	4164	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4164 NETSTAT.EXE

pid	process
4164	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

rocviud123.exeNETSTAT.EXE

pid	process
3564	rocviud123.exe
3564	rocviud123.exe
3564	rocviud123.exe
3564	rocviud123.exe
3564	rocviud123.exe
3564	rocviud123.exe
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE
4164	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rocviud123.exeNETSTAT.EXE

pid process

3564 rocviud123.exe
3564 rocviud123.exe
3564 rocviud123.exe
3564 rocviud123.exe
4164 NETSTAT.EXE
4164 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rocviud123.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3564 rocviud123.exe
Token: SeDebugPrivilege 4164 NETSTAT.EXE

pid	process
3060	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3564	rocviud123.exe
Token: SeDebugPrivilege	4164	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rocviud123.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3580 wrote to memory of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3580 wrote to memory of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3580 wrote to memory of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3580 wrote to memory of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3580 wrote to memory of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3580 wrote to memory of 3564	3580	rocviud123.exe	rocviud123.exe
PID 3060 wrote to memory of 4164	3060	Explorer.EXE	NETSTAT.EXE
PID 3060 wrote to memory of 4164	3060	Explorer.EXE	NETSTAT.EXE
PID 3060 wrote to memory of 4164	3060	Explorer.EXE	NETSTAT.EXE
PID 4164 wrote to memory of 3052	4164	NETSTAT.EXE	cmd.exe
PID 4164 wrote to memory of 3052	4164	NETSTAT.EXE	cmd.exe
PID 4164 wrote to memory of 3052	4164	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\rocviud123.exe
"C:\Users\Admin\AppData\Local\Temp\rocviud123.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\AppData\Local\Temp\rocviud123.exe
"C:\Users\Admin\AppData\Local\Temp\rocviud123.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rocviud123.exe"
3⤵
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsz85F0.tmp\sapoqnmyo.dll
MD5
877d8bff6420ad9e9a3c2f8b443e78bc

SHA1
2b30780849a48aeb353d02eaa3e2a53492c5035f

SHA256
5c6ed2bf2593fe951107cb6eb64eb8064b768194c3ff32ef02a76c43810ae5e8

SHA512
35091c2b43094df03c33e3b6eb87f2817dffab50dd0aa0259b722509ec54e7bc3c9c60379082e880c32d199c3fc6afe142684845479c18483c4ac2e12a9de0ee

Download Submit
memory/3052-127-0x0000000000000000-mapping.dmp

Download
memory/3060-120-0x0000000002790000-0x0000000002871000-memory.dmp

Filesize
900KB

Download
memory/3060-129-0x0000000004E80000-0x000000000500F000-memory.dmp

Filesize
1.6MB

Download
memory/3060-122-0x0000000004D30000-0x0000000004E79000-memory.dmp

Filesize
1.3MB

Download
memory/3564-121-0x0000000000720000-0x0000000000734000-memory.dmp

Filesize
80KB

Download
memory/3564-119-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/3564-118-0x00000000009F0000-0x0000000000D10000-memory.dmp

Filesize
3.1MB

Download
memory/3564-117-0x000000000041F120-mapping.dmp

Download
memory/3564-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-123-0x0000000000000000-mapping.dmp

Download
memory/4164-125-0x0000000002E60000-0x0000000002E8F000-memory.dmp

Filesize
188KB

Download
memory/4164-124-0x0000000000B70000-0x0000000000B7B000-memory.dmp

Filesize
44KB

Download
memory/4164-126-0x0000000002F40000-0x000000000308A000-memory.dmp

Filesize
1.3MB

Download
memory/4164-128-0x0000000003430000-0x00000000034C3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads