formbook | 0d69c9eb2b2f399ff9df0724e08963a0be9f957013c2f78899d7b7a92930227d

General

Target

Specifiche dell'ordine.com.exe
Size

252KB
MD5

58d5b91e06edbf8ace5b5ebe98cdf558
SHA1

39c4c5887e7f0d0165dfa4ab9d1d48583f33b529
SHA256

0cdc382e574649336b29e110c3d121e8158e895b3d2de22ba5db63fa61cf01c8
SHA512

2071222a8bf6c4e969a2c2a2c987b163cbc7bb0380983ced1bcc7e79aa7ae9fc96479a565c479602b70b7530b6008514786fbdce7e202df38415e6a2d3599e7f

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

C2

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3852-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3852-117-0x000000000041F200-mapping.dmp	formbook
behavioral2/memory/2256-124-0x0000000000E50000-0x0000000000E7F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Specifiche dell'ordine.com.exe

pid process

1844 Specifiche dell'ordine.com.exe

pid	process
1844	Specifiche dell'ordine.com.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Specifiche dell'ordine.com.exeSpecifiche dell'ordine.com.exeNETSTAT.EXE

description	pid	process	target process
PID 1844 set thread context of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 3852 set thread context of 2848	3852	Specifiche dell'ordine.com.exe	Explorer.EXE
PID 2256 set thread context of 2848	2256	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2256 NETSTAT.EXE

pid	process
2256	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Specifiche dell'ordine.com.exeNETSTAT.EXE

pid	process
3852	Specifiche dell'ordine.com.exe
3852	Specifiche dell'ordine.com.exe
3852	Specifiche dell'ordine.com.exe
3852	Specifiche dell'ordine.com.exe
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE
2256	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2848 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Specifiche dell'ordine.com.exeNETSTAT.EXE

pid process

3852 Specifiche dell'ordine.com.exe
3852 Specifiche dell'ordine.com.exe
3852 Specifiche dell'ordine.com.exe
2256 NETSTAT.EXE
2256 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Specifiche dell'ordine.com.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3852 Specifiche dell'ordine.com.exe
Token: SeDebugPrivilege 2256 NETSTAT.EXE

pid	process
2848	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3852	Specifiche dell'ordine.com.exe
Token: SeDebugPrivilege	2256	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Specifiche dell'ordine.com.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1844 wrote to memory of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 1844 wrote to memory of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 1844 wrote to memory of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 1844 wrote to memory of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 1844 wrote to memory of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 1844 wrote to memory of 3852	1844	Specifiche dell'ordine.com.exe	Specifiche dell'ordine.com.exe
PID 2848 wrote to memory of 2256	2848	Explorer.EXE	NETSTAT.EXE
PID 2848 wrote to memory of 2256	2848	Explorer.EXE	NETSTAT.EXE
PID 2848 wrote to memory of 2256	2848	Explorer.EXE	NETSTAT.EXE
PID 2256 wrote to memory of 1764	2256	NETSTAT.EXE	cmd.exe
PID 2256 wrote to memory of 1764	2256	NETSTAT.EXE	cmd.exe
PID 2256 wrote to memory of 1764	2256	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\Specifiche dell'ordine.com.exe
"C:\Users\Admin\AppData\Local\Temp\Specifiche dell'ordine.com.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\Specifiche dell'ordine.com.exe
"C:\Users\Admin\AppData\Local\Temp\Specifiche dell'ordine.com.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Specifiche dell'ordine.com.exe"
3⤵
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nseA72F.tmp\cumngswsx.dll
MD5
4057e57c6e1875d064b9121cb8938305

SHA1
9236cd3432026b30eb775eb150226f7d011ea972

SHA256
535b06a16ef271c819284452045366e46cdbc3c6c8c6ed01b64d46b269e2fff0

SHA512
4b1b5689440c4bd29adfe3daaad6ca0febb0a9b963cd19ba99a7323993221e33e5baf469b652bd8ffc9c46eb6a86a1e8c3c1100fb3d4b664b6c43a4e955cdc78

Download Submit
memory/1764-125-0x0000000000000000-mapping.dmp

Download
memory/2256-122-0x0000000000000000-mapping.dmp

Download
memory/2256-124-0x0000000000E50000-0x0000000000E7F000-memory.dmp

Filesize
188KB

Download
memory/2256-123-0x0000000000F60000-0x0000000000F6B000-memory.dmp

Filesize
44KB

Download
memory/2256-126-0x0000000003590000-0x00000000038B0000-memory.dmp

Filesize
3.1MB

Download
memory/2256-127-0x0000000003450000-0x00000000034E4000-memory.dmp

Filesize
592KB

Download
memory/2848-121-0x0000000005DC0000-0x0000000005F35000-memory.dmp

Filesize
1.5MB

Download
memory/2848-128-0x0000000004FB0000-0x000000000512C000-memory.dmp

Filesize
1.5MB

Download
memory/3852-120-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3852-119-0x0000000000B20000-0x0000000000E40000-memory.dmp

Filesize
3.1MB

Download
memory/3852-117-0x000000000041F200-mapping.dmp

Download
memory/3852-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads