formbook | 5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9

General

Target

dhlexcel9078.excel.exe
Size

462KB
MD5

f70df4cd6c3bb5f98021586d550d47d7
SHA1

297d8d7a7c8524914d78892e51fe92b034c47bc1
SHA256

5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9
SHA512

5eb7a7a7b8866d2a7f5b95cf51aa33b118f602d67fb99401bb56f025a6e5fb06c9e16022f6e8e42f2f64d0f857a7d5fe8a7d100de0ea40661cc37cefdff23488

Score

10^/10

formbook ct6s rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct6s

C2

http://www.metalzj.quest/ct6s/

Decoy

liaquatsibtian.com

erisa.cymru

theultimateone.world

petpartner.info

edison-press.com

ryanmurazik.icu

bukasystems.com

kitsusimplex.com

qatarstyleart.com

brkhot.top

paehdfdtrujdfhs.xyz

createdbybonk.com

kuihoon.com

deathtocustomerservice.com

iotimb.com

greendiamond.pw

millionaireproducers.academy

websitemolsa.com

cbshomeimprovement.com

eardunder.quest

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2324-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2324-117-0x000000000041F0C0-mapping.dmp	formbook
behavioral2/memory/684-125-0x0000000002F90000-0x0000000002FBF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

dhlexcel9078.excel.exe

pid process

2668 dhlexcel9078.excel.exe

pid	process
2668	dhlexcel9078.excel.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dhlexcel9078.excel.exedhlexcel9078.excel.execmmon32.exe

description	pid	process	target process
PID 2668 set thread context of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 2324 set thread context of 3020	2324	dhlexcel9078.excel.exe	Explorer.EXE
PID 684 set thread context of 3020	684	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

dhlexcel9078.excel.execmmon32.exe

pid	process
2324	dhlexcel9078.excel.exe
2324	dhlexcel9078.excel.exe
2324	dhlexcel9078.excel.exe
2324	dhlexcel9078.excel.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe
684	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dhlexcel9078.excel.execmmon32.exe

pid process

2324 dhlexcel9078.excel.exe
2324 dhlexcel9078.excel.exe
2324 dhlexcel9078.excel.exe
684 cmmon32.exe
684 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dhlexcel9078.excel.execmmon32.exe

description pid process

Token: SeDebugPrivilege 2324 dhlexcel9078.excel.exe
Token: SeDebugPrivilege 684 cmmon32.exe

pid	process
3020	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2324	dhlexcel9078.excel.exe
Token: SeDebugPrivilege	684	cmmon32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dhlexcel9078.excel.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2668 wrote to memory of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 2668 wrote to memory of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 2668 wrote to memory of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 2668 wrote to memory of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 2668 wrote to memory of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 2668 wrote to memory of 2324	2668	dhlexcel9078.excel.exe	dhlexcel9078.excel.exe
PID 3020 wrote to memory of 684	3020	Explorer.EXE	cmmon32.exe
PID 3020 wrote to memory of 684	3020	Explorer.EXE	cmmon32.exe
PID 3020 wrote to memory of 684	3020	Explorer.EXE	cmmon32.exe
PID 684 wrote to memory of 1060	684	cmmon32.exe	cmd.exe
PID 684 wrote to memory of 1060	684	cmmon32.exe	cmd.exe
PID 684 wrote to memory of 1060	684	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe
"C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe
"C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
3⤵
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nszDBAC.tmp\czzinqps.dll
MD5
f0527931a6c735a6a86502f782c87fa3

SHA1
a36b487436cdca6bc61939fb0593c76ac4cdc75d

SHA256
0e678111629aa0995633ce91152e618c13abfa6235f86011cc5274fe19712313

SHA512
c3e0a2c61f2979936f0fa545c5f4520041b0e9c11f0b836062dbc272e126bf155e541553e8fca9652fe2ace2de409733583ca74a0378fe7bc6b085a48f851623

Download Submit
memory/684-125-0x0000000002F90000-0x0000000002FBF000-memory.dmp

Filesize
188KB

Download
memory/684-122-0x0000000000000000-mapping.dmp

Download
memory/684-124-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/684-126-0x00000000046C0000-0x00000000049E0000-memory.dmp

Filesize
3.1MB

Download
memory/684-127-0x0000000004A80000-0x0000000004B13000-memory.dmp

Filesize
588KB

Download
memory/1060-123-0x0000000000000000-mapping.dmp

Download
memory/2324-117-0x000000000041F0C0-mapping.dmp

Download
memory/2324-120-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/2324-119-0x0000000000B50000-0x0000000000E70000-memory.dmp

Filesize
3.1MB

Download
memory/2324-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-121-0x0000000005480000-0x000000000561C000-memory.dmp

Filesize
1.6MB

Download
memory/3020-128-0x0000000006550000-0x00000000066CA000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads