formbook | d2b2d54f03ed22179f9317d2c7bfbcdf669e1378a35727cde4147ac41f669dd1

General

Target

PO4502151388.excel.exe
Size

310KB
MD5

042981e463e96d427fb66d475ff62c17
SHA1

588a8cc23b96a5f0c3744729f114b67da78bf183
SHA256

d2b2d54f03ed22179f9317d2c7bfbcdf669e1378a35727cde4147ac41f669dd1
SHA512

6aded5d389779bafc5dabae3b7d589d67e4a0b7fa3cacccf3191aa518e6c5416ac216c6d24855cc6cdb5c387f25e924acdf02e09831d8e76218b31d5c717ef32

Score

10^/10

formbook ct6s rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct6s

C2

http://www.metalzj.quest/ct6s/

Decoy

liaquatsibtian.com

erisa.cymru

theultimateone.world

petpartner.info

edison-press.com

ryanmurazik.icu

bukasystems.com

kitsusimplex.com

qatarstyleart.com

brkhot.top

paehdfdtrujdfhs.xyz

createdbybonk.com

kuihoon.com

deathtocustomerservice.com

iotimb.com

greendiamond.pw

millionaireproducers.academy

websitemolsa.com

cbshomeimprovement.com

eardunder.quest

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/572-57-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/572-58-0x000000000041F0C0-mapping.dmp	formbook
behavioral1/memory/572-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/536-69-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1952 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

PO4502151388.excel.exe

pid process

1900 PO4502151388.excel.exe

pid	process
1952	cmd.exe

pid	process
1900	PO4502151388.excel.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO4502151388.excel.exePO4502151388.excel.exenetsh.exe

description	pid	process	target process
PID 1900 set thread context of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 572 set thread context of 1212	572	PO4502151388.excel.exe	Explorer.EXE
PID 572 set thread context of 1212	572	PO4502151388.excel.exe	Explorer.EXE
PID 536 set thread context of 1212	536	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

PO4502151388.excel.exenetsh.exe

pid	process
572	PO4502151388.excel.exe
572	PO4502151388.excel.exe
572	PO4502151388.excel.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe
536	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO4502151388.excel.exenetsh.exe

pid process

572 PO4502151388.excel.exe
572 PO4502151388.excel.exe
572 PO4502151388.excel.exe
572 PO4502151388.excel.exe
536 netsh.exe
536 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO4502151388.excel.exenetsh.exe

description pid process

Token: SeDebugPrivilege 572 PO4502151388.excel.exe
Token: SeDebugPrivilege 536 netsh.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	572	PO4502151388.excel.exe
Token: SeDebugPrivilege	536	netsh.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO4502151388.excel.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1900 wrote to memory of 572	1900	PO4502151388.excel.exe	PO4502151388.excel.exe
PID 1212 wrote to memory of 536	1212	Explorer.EXE	netsh.exe
PID 1212 wrote to memory of 536	1212	Explorer.EXE	netsh.exe
PID 1212 wrote to memory of 536	1212	Explorer.EXE	netsh.exe
PID 1212 wrote to memory of 536	1212	Explorer.EXE	netsh.exe
PID 536 wrote to memory of 1952	536	netsh.exe	cmd.exe
PID 536 wrote to memory of 1952	536	netsh.exe	cmd.exe
PID 536 wrote to memory of 1952	536	netsh.exe	cmd.exe
PID 536 wrote to memory of 1952	536	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe
"C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe
"C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
3⤵
- Deletes itself
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyCA33.tmp\bpgoeab.dll
MD5
f2f838f6f712004c0241e7fd01ade606

SHA1
4f7a810c38ca6bfcfaccef702f4fc6e215c03b37

SHA256
3be058bf9a059946f869bc4e791b71dd7aaf7b303e30832696181d0ae3925e2b

SHA512
0e0844d3af3488bd986317df53f11f770bba3e0854a491764e47a49f9d69fe9b4cfbb14a770b12adda9f47200b52de6b2c42d1a2ff9530a0ed38227fd82d1c57

Download Submit
memory/536-66-0x0000000000000000-mapping.dmp

Download
memory/536-71-0x00000000008C0000-0x0000000000953000-memory.dmp

Filesize
588KB

Download
memory/536-68-0x00000000015A0000-0x00000000015BB000-memory.dmp

Filesize
108KB

Download
memory/536-70-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/536-69-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/572-61-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/572-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-64-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/572-60-0x00000000006F0000-0x00000000009F3000-memory.dmp

Filesize
3.0MB

Download
memory/572-58-0x000000000041F0C0-mapping.dmp

Download
memory/572-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-65-0x0000000007500000-0x0000000007612000-memory.dmp

Filesize
1.1MB

Download
memory/1212-62-0x0000000006E90000-0x0000000006FF0000-memory.dmp

Filesize
1.4MB

Download
memory/1212-72-0x0000000007FF0000-0x0000000008105000-memory.dmp

Filesize
1.1MB

Download
memory/1900-55-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1952-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads