formbook | 25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf

General

Target

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Size

460KB
MD5

4bc84a1a436c849698fd54c0f921c2a1
SHA1

c7c7cb7b33da65ffc53ff9351b56802cb1561560
SHA256

25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf
SHA512

c86ec6b9fef554818af6aacdc7df24bb7ad1813390f6e708c7b9cd385a274286419c3f738d55ef411a1be82cbf462e483525ef20e27a4b6b24ceb4fc99001f19

Score

10^/10

formbook cnp0 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cnp0

C2

http://www.ccnsv.net/cnp0/

Decoy

jiarenyuanhunlian.com

xquizitelashesnwaxx.com

rentinerie.com

herbalpedia-id.com

openseagames.com

re-swap.com

william-cook.com

segensv.com

versebay.com

brendanlairdsound.com

bypestor.com

hospitaldelpc.net

wwwroadrunnerfinancial.com

waterhammerstudios.com

hustleandbank.photography

secure01bchslogin.com

rarepeperanking.com

greatland.company

happybirthdayjewel.com

raheok.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1908-64-0x000000000041F0D0-mapping.dmp	formbook
behavioral1/memory/1908-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1872-72-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe

pid	process
1988	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exeINQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exechkdsk.exe

description	pid	process	target process
PID 1764 set thread context of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1908 set thread context of 1264	1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	Explorer.EXE
PID 1872 set thread context of 1264	1872	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exechkdsk.exe

pid	process
1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe
1872	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exechkdsk.exe

pid	process
1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
1872	chkdsk.exe
1872	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1908 INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Token: SeDebugPrivilege 1872 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1908	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Token: SeDebugPrivilege	1872	chkdsk.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1764 wrote to memory of 1908	1764	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 1264 wrote to memory of 1872	1264	Explorer.EXE	chkdsk.exe
PID 1264 wrote to memory of 1872	1264	Explorer.EXE	chkdsk.exe
PID 1264 wrote to memory of 1872	1264	Explorer.EXE	chkdsk.exe
PID 1264 wrote to memory of 1872	1264	Explorer.EXE	chkdsk.exe
PID 1872 wrote to memory of 1988	1872	chkdsk.exe	cmd.exe
PID 1872 wrote to memory of 1988	1872	chkdsk.exe	cmd.exe
PID 1872 wrote to memory of 1988	1872	chkdsk.exe	cmd.exe
PID 1872 wrote to memory of 1988	1872	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
3⤵
- Deletes itself
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-68-0x0000000003B20000-0x0000000003C05000-memory.dmp

Filesize
916KB

Download
memory/1264-75-0x0000000006BD0000-0x0000000006CF5000-memory.dmp

Filesize
1.1MB

Download
memory/1764-57-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1764-58-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/1764-59-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1764-60-0x0000000000C50000-0x0000000000CA0000-memory.dmp

Filesize
320KB

Download
memory/1764-55-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1872-69-0x0000000000000000-mapping.dmp

Download
memory/1872-71-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/1872-72-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1872-73-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/1872-74-0x0000000001E40000-0x0000000001ED3000-memory.dmp

Filesize
588KB

Download
memory/1908-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-66-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1908-67-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1908-64-0x000000000041F0D0-mapping.dmp

Download
memory/1908-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads