formbook | e6aaec2b958d4b734ff02c7c63b7e24a619eef826efb16b955ebe5306b9953aa

General

Target

orde443123.exe
Size

250KB
MD5

bfb2b5d00165cb4984c29c172e0dad8d
SHA1

e5baa4cfe4b0ec678910e94fc8785fd28605bb6b
SHA256

e6aaec2b958d4b734ff02c7c63b7e24a619eef826efb16b955ebe5306b9953aa
SHA512

d0d20eda540283ead0b873c27f047c7f433c4f85e1a8b890c8c4ef7daeebc91c691c2aad59de1eccca26cc8748ba123f55200a183dd7a1421f98dbd264e96815

Score

10^/10

formbook rv9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rv9n

C2

http://www.cjspizza.net/rv9n/

Decoy

olivia-grace.show

zhuwww.com

keiretsu.xyz

olidnh.space

searuleansec.com

2fastrepair.com

brooklynmetalroof.com

scodol.com

novaprint.pro

the-loaner.com

nextroundscap.com

zbwlggs.com

internetautodealer.com

xn--tornrealestate-ekb.com

yunjiuhuo.com

skandinaviskakryptobanken.com

coxivarag.rest

ophthalmologylab.com

zzzzgjcdbqnn98.net

doeful.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/744-116-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/744-115-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3032-123-0x0000000000420000-0x000000000044F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

orde443123.exe

pid process

4648 orde443123.exe

pid	process
4648	orde443123.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

orde443123.exeorde443123.exeNETSTAT.EXE

description	pid	process	target process
PID 4648 set thread context of 744	4648	orde443123.exe	orde443123.exe
PID 744 set thread context of 3048	744	orde443123.exe	Explorer.EXE
PID 3032 set thread context of 3048	3032	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3032 NETSTAT.EXE

pid	process
3032	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

orde443123.exeNETSTAT.EXE

pid	process
744	orde443123.exe
744	orde443123.exe
744	orde443123.exe
744	orde443123.exe
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE
3032	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

orde443123.exeNETSTAT.EXE

pid process

744 orde443123.exe
744 orde443123.exe
744 orde443123.exe
3032 NETSTAT.EXE
3032 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

orde443123.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 744 orde443123.exe
Token: SeDebugPrivilege 3032 NETSTAT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE

pid	process
3048	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	744	orde443123.exe
Token: SeDebugPrivilege	3032	NETSTAT.EXE

pid	process
3048	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

orde443123.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4648 wrote to memory of 744	4648	orde443123.exe	orde443123.exe
PID 4648 wrote to memory of 744	4648	orde443123.exe	orde443123.exe
PID 4648 wrote to memory of 744	4648	orde443123.exe	orde443123.exe
PID 4648 wrote to memory of 744	4648	orde443123.exe	orde443123.exe
PID 4648 wrote to memory of 744	4648	orde443123.exe	orde443123.exe
PID 4648 wrote to memory of 744	4648	orde443123.exe	orde443123.exe
PID 3048 wrote to memory of 3032	3048	Explorer.EXE	NETSTAT.EXE
PID 3048 wrote to memory of 3032	3048	Explorer.EXE	NETSTAT.EXE
PID 3048 wrote to memory of 3032	3048	Explorer.EXE	NETSTAT.EXE
PID 3032 wrote to memory of 4184	3032	NETSTAT.EXE	cmd.exe
PID 3032 wrote to memory of 4184	3032	NETSTAT.EXE	cmd.exe
PID 3032 wrote to memory of 4184	3032	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\orde443123.exe
"C:\Users\Admin\AppData\Local\Temp\orde443123.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\orde443123.exe
"C:\Users\Admin\AppData\Local\Temp\orde443123.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\orde443123.exe"
3⤵
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nspAC44.tmp\irjzbmbgo.dll
MD5
3525f0279729cb34e886c8a83b5ce9c8

SHA1
b6edfeff839616e0155026cabed1e48de96a9063

SHA256
082c9b72407d063bb96c2830bcaf5f285d2d616e8a8d729a52b39ccbd30b8211

SHA512
2c74fc1a977204adb58a1af19850fa705716ca5c9b1d42f2b0d84dfe14a2e5c6af5f9e158b4cc132c1874de3b67cdd422cfc00e0dad63982718d5d0ce5f31f55

Download Submit
memory/744-116-0x000000000041F120-mapping.dmp

Download
memory/744-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-119-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/744-118-0x0000000000980000-0x0000000000CA0000-memory.dmp

Filesize
3.1MB

Download
memory/3032-121-0x0000000000000000-mapping.dmp

Download
memory/3032-123-0x0000000000420000-0x000000000044F000-memory.dmp

Filesize
188KB

Download
memory/3032-122-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/3032-125-0x0000000000B00000-0x0000000000E20000-memory.dmp

Filesize
3.1MB

Download
memory/3032-126-0x0000000000960000-0x00000000009F3000-memory.dmp

Filesize
588KB

Download
memory/3048-120-0x00000000051C0000-0x00000000052E1000-memory.dmp

Filesize
1.1MB

Download
memory/3048-127-0x00000000029B0000-0x0000000002A4D000-memory.dmp

Filesize
628KB

Download
memory/4184-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads