formbook | 478d38451c9a4af35bb5de2ada58dfe7495a224d122d9639c6d68fc55c4bf411

General

Target

Nueva orden de compra.Pdf.exe
Size

365KB
MD5

59fc1e1a88d9c4968b50d8c07711da9b
SHA1

4f5ed7418b6af7e875608604efe3c7aec58fba92
SHA256

478d38451c9a4af35bb5de2ada58dfe7495a224d122d9639c6d68fc55c4bf411
SHA512

edc96bbfa0e1fb9a3711d3d59349ed281674f21a0da3474c1179ea075171d55f0d37363a028e4266c3d87fe166dd15186f11d11c0c97f3a1a893e9c44342d3a8

Score

10^/10

formbook dv9n rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv9n

C2

http://www.elianedefalco.com/dv9n/

Decoy

nblvqing.com

delmegebuildingproducts.com

xiongba8.com

latuawebreputation.online

nowcloud.tech

cckghs.com

tradeoo.ltd

ppapo.com

tphoaphuongdo.club

whitefoxy.site

bottle-sentences.net

computersewa.com

lushberryholidays.com

motobotz.com

shadurj.com

amazonlexdeveloper.com

shunli178.xyz

sjzzlmh.com

6eu09rp.xyz

novinmes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2504-125-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2504-126-0x000000000041F190-mapping.dmp	formbook
behavioral2/memory/680-134-0x00000000001B0000-0x00000000001DF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Nueva orden de compra.Pdf.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 1524 set thread context of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 2504 set thread context of 3064	2504	RegSvcs.exe	Explorer.EXE
PID 680 set thread context of 3064	680	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2088 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

680 NETSTAT.EXE

pid	process
2088	schtasks.exe

pid	process
680	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

Nueva orden de compra.Pdf.exeRegSvcs.exeNETSTAT.EXE

pid	process
1524	Nueva orden de compra.Pdf.exe
1524	Nueva orden de compra.Pdf.exe
1524	Nueva orden de compra.Pdf.exe
1524	Nueva orden de compra.Pdf.exe
2504	RegSvcs.exe
2504	RegSvcs.exe
2504	RegSvcs.exe
2504	RegSvcs.exe
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE
680	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

2504 RegSvcs.exe
2504 RegSvcs.exe
2504 RegSvcs.exe
680 NETSTAT.EXE
680 NETSTAT.EXE

pid	process
3064	Explorer.EXE

pid	process
2504	RegSvcs.exe
2504	RegSvcs.exe
2504	RegSvcs.exe
680	NETSTAT.EXE
680	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Nueva orden de compra.Pdf.exeRegSvcs.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1524	Nueva orden de compra.Pdf.exe
Token: SeDebugPrivilege	2504	RegSvcs.exe
Token: SeDebugPrivilege	680	NETSTAT.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Nueva orden de compra.Pdf.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1524 wrote to memory of 2088	1524	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 1524 wrote to memory of 2088	1524	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 1524 wrote to memory of 2088	1524	Nueva orden de compra.Pdf.exe	schtasks.exe
PID 1524 wrote to memory of 2852	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2852	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2852	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 1524 wrote to memory of 2504	1524	Nueva orden de compra.Pdf.exe	RegSvcs.exe
PID 3064 wrote to memory of 680	3064	Explorer.EXE	NETSTAT.EXE
PID 3064 wrote to memory of 680	3064	Explorer.EXE	NETSTAT.EXE
PID 3064 wrote to memory of 680	3064	Explorer.EXE	NETSTAT.EXE
PID 680 wrote to memory of 704	680	NETSTAT.EXE	cmd.exe
PID 680 wrote to memory of 704	680	NETSTAT.EXE	cmd.exe
PID 680 wrote to memory of 704	680	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\Nueva orden de compra.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Nueva orden de compra.Pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QvxslQsYkA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86DF.tmp"
3⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-131-0x0000000000000000-mapping.dmp

Download
memory/680-136-0x00000000009B0000-0x0000000000A43000-memory.dmp

Filesize
588KB

Download
memory/680-135-0x0000000002CC0000-0x0000000002FE0000-memory.dmp

Filesize
3.1MB

Download
memory/680-133-0x0000000000CB0000-0x0000000000CBB000-memory.dmp

Filesize
44KB

Download
memory/680-134-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/704-132-0x0000000000000000-mapping.dmp

Download
memory/1524-121-0x0000000004EE0000-0x0000000004EE7000-memory.dmp

Filesize
28KB

Download
memory/1524-115-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1524-117-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1524-123-0x0000000005920000-0x0000000005970000-memory.dmp

Filesize
320KB

Download
memory/1524-118-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1524-119-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/1524-120-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/1524-122-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/2088-124-0x0000000000000000-mapping.dmp

Download
memory/2504-126-0x000000000041F190-mapping.dmp

Download
memory/2504-128-0x0000000000F70000-0x0000000001290000-memory.dmp

Filesize
3.1MB

Download
memory/2504-129-0x0000000000F50000-0x0000000000F64000-memory.dmp

Filesize
80KB

Download
memory/2504-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-130-0x0000000006010000-0x00000000061BB000-memory.dmp

Filesize
1.7MB

Download
memory/3064-137-0x00000000027C0000-0x000000000285E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads