formbook | 5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9

General

Target

dhlexcel9078.excel.exe
Size

462KB
MD5

f70df4cd6c3bb5f98021586d550d47d7
SHA1

297d8d7a7c8524914d78892e51fe92b034c47bc1
SHA256

5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9
SHA512

5eb7a7a7b8866d2a7f5b95cf51aa33b118f602d67fb99401bb56f025a6e5fb06c9e16022f6e8e42f2f64d0f857a7d5fe8a7d100de0ea40661cc37cefdff23488

Score

10^/10

formbook ct6s rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct6s

C2

http://www.metalzj.quest/ct6s/

Decoy

liaquatsibtian.com

erisa.cymru

theultimateone.world

petpartner.info

edison-press.com

ryanmurazik.icu

bukasystems.com

kitsusimplex.com

qatarstyleart.com

brkhot.top

paehdfdtrujdfhs.xyz

createdbybonk.com

kuihoon.com

deathtocustomerservice.com

iotimb.com

greendiamond.pw

millionaireproducers.academy

websitemolsa.com

cbshomeimprovement.com

eardunder.quest

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1156-56-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1156-57-0x000000000041F0C0-mapping.dmp	formbook
behavioral1/memory/540-66-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

816 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

dhlexcel9078.excel.exe

pid process

1776 dhlexcel9078.excel.exe

pid	process
816	cmd.exe

pid	process
1776	dhlexcel9078.excel.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dhlexcel9078.excel.exedhlexcel9078.excel.execmstp.exe

description	pid	process	target process
PID 1776 set thread context of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1156 set thread context of 1204	1156	dhlexcel9078.excel.exe	Explorer.EXE
PID 540 set thread context of 1204	540	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

dhlexcel9078.excel.execmstp.exe

pid	process
1156	dhlexcel9078.excel.exe
1156	dhlexcel9078.excel.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe
540	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dhlexcel9078.excel.execmstp.exe

pid process

1156 dhlexcel9078.excel.exe
1156 dhlexcel9078.excel.exe
1156 dhlexcel9078.excel.exe
540 cmstp.exe
540 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dhlexcel9078.excel.execmstp.exe

description pid process

Token: SeDebugPrivilege 1156 dhlexcel9078.excel.exe
Token: SeDebugPrivilege 540 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1156	dhlexcel9078.excel.exe
Token: SeDebugPrivilege	540	cmstp.exe

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dhlexcel9078.excel.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1776 wrote to memory of 1156	1776	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	cmstp.exe
PID 540 wrote to memory of 816	540	cmstp.exe	cmd.exe
PID 540 wrote to memory of 816	540	cmstp.exe	cmd.exe
PID 540 wrote to memory of 816	540	cmstp.exe	cmd.exe
PID 540 wrote to memory of 816	540	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe
"C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe
"C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
3⤵
- Deletes itself
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdBC4E.tmp\czzinqps.dll
MD5
f0527931a6c735a6a86502f782c87fa3

SHA1
a36b487436cdca6bc61939fb0593c76ac4cdc75d

SHA256
0e678111629aa0995633ce91152e618c13abfa6235f86011cc5274fe19712313

SHA512
c3e0a2c61f2979936f0fa545c5f4520041b0e9c11f0b836062dbc272e126bf155e541553e8fca9652fe2ace2de409733583ca74a0378fe7bc6b085a48f851623

Download Submit
memory/540-62-0x0000000000000000-mapping.dmp

Download
memory/540-68-0x0000000001C90000-0x0000000001D23000-memory.dmp

Filesize
588KB

Download
memory/540-66-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/540-67-0x0000000001EC0000-0x00000000021C3000-memory.dmp

Filesize
3.0MB

Download
memory/540-65-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/816-64-0x0000000000000000-mapping.dmp

Download
memory/1156-57-0x000000000041F0C0-mapping.dmp

Download
memory/1156-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1156-60-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1156-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-61-0x0000000003F00000-0x000000000402A000-memory.dmp

Filesize
1.2MB

Download
memory/1204-69-0x0000000005F90000-0x0000000006080000-memory.dmp

Filesize
960KB

Download
memory/1776-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads