formbook | 3cc97e74a5fe7f0cea8e82512a8923a4dc1bb1afe702bb53876136b5362fbfe3

General

Target

llkir43123.exe
Size

306KB
MD5

75f07a08beea06b2f54754860db47a11
SHA1

a2e1b6d45881ba19e977e3f096a9a08a50f1aaf2
SHA256

3cc97e74a5fe7f0cea8e82512a8923a4dc1bb1afe702bb53876136b5362fbfe3
SHA512

9ff7b681212da848b9900f714d88ae02a457bb943637438469c457818aa1da45de91b404d32da0170b77eb5211effb8afdb36815bd500597f5347aace529f641

Score

10^/10

formbook rv9n rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rv9n

C2

http://www.cjspizza.net/rv9n/

Decoy

olivia-grace.show

zhuwww.com

keiretsu.xyz

olidnh.space

searuleansec.com

2fastrepair.com

brooklynmetalroof.com

scodol.com

novaprint.pro

the-loaner.com

nextroundscap.com

zbwlggs.com

internetautodealer.com

xn--tornrealestate-ekb.com

yunjiuhuo.com

skandinaviskakryptobanken.com

coxivarag.rest

ophthalmologylab.com

zzzzgjcdbqnn98.net

doeful.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2028-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2028-117-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/2064-124-0x00000000007D0000-0x00000000007FF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

llkir43123.exe

pid process

1844 llkir43123.exe

pid	process
1844	llkir43123.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

llkir43123.exellkir43123.execmd.exe

description	pid	process	target process
PID 1844 set thread context of 2028	1844	llkir43123.exe	llkir43123.exe
PID 2028 set thread context of 2848	2028	llkir43123.exe	Explorer.EXE
PID 2064 set thread context of 2848	2064	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

llkir43123.execmd.exe

pid	process
2028	llkir43123.exe
2028	llkir43123.exe
2028	llkir43123.exe
2028	llkir43123.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2848 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

llkir43123.execmd.exe

pid process

2028 llkir43123.exe
2028 llkir43123.exe
2028 llkir43123.exe
2064 cmd.exe
2064 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

llkir43123.execmd.exe

description pid process

Token: SeDebugPrivilege 2028 llkir43123.exe
Token: SeDebugPrivilege 2064 cmd.exe

pid	process
2848	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2028	llkir43123.exe
Token: SeDebugPrivilege	2064	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

llkir43123.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1844 wrote to memory of 2028	1844	llkir43123.exe	llkir43123.exe
PID 1844 wrote to memory of 2028	1844	llkir43123.exe	llkir43123.exe
PID 1844 wrote to memory of 2028	1844	llkir43123.exe	llkir43123.exe
PID 1844 wrote to memory of 2028	1844	llkir43123.exe	llkir43123.exe
PID 1844 wrote to memory of 2028	1844	llkir43123.exe	llkir43123.exe
PID 1844 wrote to memory of 2028	1844	llkir43123.exe	llkir43123.exe
PID 2848 wrote to memory of 2064	2848	Explorer.EXE	cmd.exe
PID 2848 wrote to memory of 2064	2848	Explorer.EXE	cmd.exe
PID 2848 wrote to memory of 2064	2848	Explorer.EXE	cmd.exe
PID 2064 wrote to memory of 2372	2064	cmd.exe	cmd.exe
PID 2064 wrote to memory of 2372	2064	cmd.exe	cmd.exe
PID 2064 wrote to memory of 2372	2064	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\llkir43123.exe
"C:\Users\Admin\AppData\Local\Temp\llkir43123.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\llkir43123.exe
"C:\Users\Admin\AppData\Local\Temp\llkir43123.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe"
3⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj9E0C.tmp\mscl.dll
MD5
a927c32ce3cebed43a21984273851147

SHA1
a7b0b2a6d5abfea3d02ca16bbd10ffff77064043

SHA256
6c145dad27e87182daa4f1bfaaf00e51e7f76fc3b797d6760c147ea73476ef58

SHA512
5c79449a0606f5c6148f796f1c6eee22c0fe7cceb8ea366272210b10fc515da2913e41c102379de4df1b18291f1e84f013dbf3356ad3e4282d344fcfbf3fdb75

Download Submit
memory/2028-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-117-0x000000000041F120-mapping.dmp

Download
memory/2028-119-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2028-118-0x0000000000A00000-0x0000000000D20000-memory.dmp

Filesize
3.1MB

Download
memory/2064-121-0x0000000000000000-mapping.dmp

Download
memory/2064-123-0x0000000000920000-0x0000000000979000-memory.dmp

Filesize
356KB

Download
memory/2064-124-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/2064-125-0x0000000003340000-0x0000000003660000-memory.dmp

Filesize
3.1MB

Download
memory/2064-126-0x0000000003100000-0x0000000003193000-memory.dmp

Filesize
588KB

Download
memory/2372-122-0x0000000000000000-mapping.dmp

Download
memory/2848-120-0x0000000004A50000-0x0000000004B6D000-memory.dmp

Filesize
1.1MB

Download
memory/2848-127-0x00000000027D0000-0x00000000028BD000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads