formbook | 478d38451c9a4af35bb5de2ada58dfe7495a224d122d9639c6d68fc55c4bf411

General

Target

Nueva orden de compra.Pdf.exe
Size

365KB
MD5

59fc1e1a88d9c4968b50d8c07711da9b
SHA1

4f5ed7418b6af7e875608604efe3c7aec58fba92
SHA256

478d38451c9a4af35bb5de2ada58dfe7495a224d122d9639c6d68fc55c4bf411
SHA512

edc96bbfa0e1fb9a3711d3d59349ed281674f21a0da3474c1179ea075171d55f0d37363a028e4266c3d87fe166dd15186f11d11c0c97f3a1a893e9c44342d3a8

Score

10^/10

formbook dv9n rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv9n

C2

http://www.elianedefalco.com/dv9n/

Decoy

nblvqing.com

delmegebuildingproducts.com

xiongba8.com

latuawebreputation.online

nowcloud.tech

cckghs.com

tradeoo.ltd

ppapo.com

tphoaphuongdo.club

whitefoxy.site

bottle-sentences.net

computersewa.com

lushberryholidays.com

motobotz.com

shadurj.com

amazonlexdeveloper.com

shunli178.xyz

sjzzlmh.com

6eu09rp.xyz

novinmes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1216-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1216-63-0x000000000041F190-mapping.dmp	formbook
behavioral1/memory/1064-72-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Nueva orden de compra.Pdf.exeRegSvcs.exemsiexec.exe

description	pid	process	target process
PID 740 set thread context of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1216 set thread context of 1404	1216	RegSvcs.exe	Explorer.EXE
PID 1064 set thread context of 1404	1064	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1804 schtasks.exe

pid	process
1804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Nueva orden de compra.Pdf.exeRegSvcs.exemsiexec.exe

pid	process
740	Nueva orden de compra.Pdf.exe
740	Nueva orden de compra.Pdf.exe
1216	RegSvcs.exe
1216	RegSvcs.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe
1064	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exemsiexec.exe

pid process

1216 RegSvcs.exe
1216 RegSvcs.exe
1216 RegSvcs.exe
1064 msiexec.exe
1064 msiexec.exe

pid	process
1216	RegSvcs.exe
1216	RegSvcs.exe
1216	RegSvcs.exe
1064	msiexec.exe
1064	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Nueva orden de compra.Pdf.exeRegSvcs.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	740	Nueva orden de compra.Pdf.exe
Token: SeDebugPrivilege	1216	RegSvcs.exe
Token: SeDebugPrivilege	1064	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Nueva orden de compra.Pdf.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 740 wrote to memory of 1804	740	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 740 wrote to memory of 1804	740	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 740 wrote to memory of 1804	740	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 740 wrote to memory of 1804	740	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 740 wrote to memory of 1216	740	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1404 wrote to memory of 1064	1404	Explorer.EXE	msiexec.exe
PID 1064 wrote to memory of 1516	1064	msiexec.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	msiexec.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	msiexec.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\Nueva orden de compra.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Nueva orden de compra.Pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QvxslQsYkA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AB5.tmp"
3⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1936

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1628

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1672

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-56-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/740-57-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/740-58-0x0000000000F00000-0x0000000000F50000-memory.dmp

Filesize
320KB

Download
memory/740-54-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1064-68-0x0000000000000000-mapping.dmp

Download
memory/1064-74-0x0000000000B70000-0x0000000000C03000-memory.dmp

Filesize
588KB

Download
memory/1064-73-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/1064-72-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1064-71-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1064-69-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1216-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-65-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download
memory/1216-66-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/1216-63-0x000000000041F190-mapping.dmp

Download
memory/1216-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-67-0x0000000006A60000-0x0000000006BA9000-memory.dmp

Filesize
1.3MB

Download
memory/1404-75-0x00000000065C0000-0x0000000006674000-memory.dmp

Filesize
720KB

Download
memory/1516-70-0x0000000000000000-mapping.dmp

Download
memory/1804-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads