formbook | 80db1952d4072b26cd44506d916c33b020a7cd8f85150d59725e2a4602a21a60

General

Target

20211015168444093723.exe
Size

261KB
MD5

4452b76f214c4a5f5e520e579da088d8
SHA1

fcad7662120fe40c1a7dc052e40be8e67dfd7a93
SHA256

51f987ef74839fa7ba0b2c959aee7ad244c30231259bc22b4b778a71760e7262
SHA512

32ed1bcd1385d105bcb2d0eba49e85fc71f15687bc42ce9eb80d9351d1e363c93c35f7589a0b013cb03f352dc4d50fc32c6c347f1cd6fa528e9b73e5d34d7482

Score

10^/10

formbook nd1w rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nd1w

C2

http://www.ahlongpteltd.com/nd1w/

Decoy

cartographieinterieure.store

de-tanautorisierung-6439.xyz

maxisezon.com

spottsalodio.xyz

thesocialguild.net

petemergencydoctor.com

czhtfmgj.com

incontrilocalimilano.com

132kingrd.com

clearviewsatellitesolutions.com

shopingmanplus.com

compuserviciosway.com

millportservicesltd.com

ticketinsurey.club

metro-club.com

aboutpoliticsofatom.com

brebawake.com

yurteam.com

dropadoo.com

wcsaroma2012.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/964-56-0x000000000041F170-mapping.dmp	formbook
behavioral1/memory/964-55-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/964-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/860-67-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

556 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

20211015168444093723.exe

pid process

1116 20211015168444093723.exe

pid	process
556	cmd.exe

pid	process
1116	20211015168444093723.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

20211015168444093723.exe20211015168444093723.exemsiexec.exe

description	pid	process	target process
PID 1116 set thread context of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 964 set thread context of 1420	964	20211015168444093723.exe	Explorer.EXE
PID 964 set thread context of 1420	964	20211015168444093723.exe	Explorer.EXE
PID 860 set thread context of 1420	860	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

20211015168444093723.exemsiexec.exe

pid	process
964	20211015168444093723.exe
964	20211015168444093723.exe
964	20211015168444093723.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

20211015168444093723.exemsiexec.exe

pid process

964 20211015168444093723.exe
964 20211015168444093723.exe
964 20211015168444093723.exe
964 20211015168444093723.exe
860 msiexec.exe
860 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20211015168444093723.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 964 20211015168444093723.exe
Token: SeDebugPrivilege 860 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE

pid	process
1420	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	964	20211015168444093723.exe
Token: SeDebugPrivilege	860	msiexec.exe

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

20211015168444093723.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1116 wrote to memory of 964	1116	20211015168444093723.exe	20211015168444093723.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 1420 wrote to memory of 860	1420	Explorer.EXE	msiexec.exe
PID 860 wrote to memory of 556	860	msiexec.exe	cmd.exe
PID 860 wrote to memory of 556	860	msiexec.exe	cmd.exe
PID 860 wrote to memory of 556	860	msiexec.exe	cmd.exe
PID 860 wrote to memory of 556	860	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe
"C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe
"C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"
3⤵
- Deletes itself
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdC5C0.tmp\jwwctlitql.dll
MD5
d0409fa7c39791daf02a4d27e6f2d83b

SHA1
17b8ac16f25a38f7db67b8b4a3027d3202d146e0

SHA256
2fae3b8fd55f815004c35af241c39035de10328fed85172886d343e8c895b78e

SHA512
41950d21941b4905f665ea20d9ef4807b54a1c6cf05fb1a339bdf99455d42058cfad6bf6679c536c1c6d4c35639468d4f49bd8e9537fb19f8a8d3cd87c79a37c

Download Submit
memory/556-68-0x0000000000000000-mapping.dmp

Download
memory/860-64-0x0000000000000000-mapping.dmp

Download
memory/860-70-0x0000000002060000-0x00000000020F3000-memory.dmp

Filesize
588KB

Download
memory/860-69-0x0000000002200000-0x0000000002503000-memory.dmp

Filesize
3.0MB

Download
memory/860-67-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/860-66-0x0000000000960000-0x0000000000974000-memory.dmp

Filesize
80KB

Download
memory/964-58-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/964-62-0x00000000006C0000-0x00000000006D4000-memory.dmp

Filesize
80KB

Download
memory/964-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/964-59-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/964-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/964-56-0x000000000041F170-mapping.dmp

Download
memory/1116-53-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1420-63-0x0000000007250000-0x0000000007324000-memory.dmp

Filesize
848KB

Download
memory/1420-60-0x0000000007030000-0x000000000711D000-memory.dmp

Filesize
948KB

Download
memory/1420-71-0x0000000007E00000-0x0000000007F5E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads