formbook | 3aaa02e43bf91f8ba1f1f9811dcb52c5cadaa356b70514a5bb639d7247fc73db

General

Target

order draft.com.exe
Size

471KB
MD5

f010aecf40c6d5a592dc55c4f95d15aa
SHA1

4e202b8ccf0841562a9aa9fa5bef3333f25ba57f
SHA256

79b16be36de1dfa5a48d965e4a4c19c7c481b6972392e6d0e6edd00447297b96
SHA512

e10b463221730ee2362ded75711d3eb636c13f087fea2e01761706bc6382fe2fb51f34f7c5fae1b7250ed0de11ea8e1753b6807ec8ec5e25d2429d731e1e4367

Score

10^/10

formbook dn7r rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

C2

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3016-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3016-117-0x000000000041F200-mapping.dmp	formbook
behavioral2/memory/3016-122-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4188-130-0x0000000002E50000-0x0000000002E7F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

order draft.com.exe

pid process

3560 order draft.com.exe

pid	process
3560	order draft.com.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

order draft.com.exeorder draft.com.exemsiexec.exe

description	pid	process	target process
PID 3560 set thread context of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3016 set thread context of 3028	3016	order draft.com.exe	Explorer.EXE
PID 3016 set thread context of 3028	3016	order draft.com.exe	Explorer.EXE
PID 4188 set thread context of 3028	4188	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

order draft.com.exemsiexec.exe

pid	process
3016	order draft.com.exe
3016	order draft.com.exe
3016	order draft.com.exe
3016	order draft.com.exe
3016	order draft.com.exe
3016	order draft.com.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe
4188	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

order draft.com.exemsiexec.exe

pid process

3016 order draft.com.exe
3016 order draft.com.exe
3016 order draft.com.exe
3016 order draft.com.exe
4188 msiexec.exe
4188 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

order draft.com.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3016 order draft.com.exe
Token: SeDebugPrivilege 4188 msiexec.exe

pid	process
3028	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3016	order draft.com.exe
Token: SeDebugPrivilege	4188	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

order draft.com.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 3560 wrote to memory of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3560 wrote to memory of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3560 wrote to memory of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3560 wrote to memory of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3560 wrote to memory of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3560 wrote to memory of 3016	3560	order draft.com.exe	order draft.com.exe
PID 3028 wrote to memory of 4188	3028	Explorer.EXE	msiexec.exe
PID 3028 wrote to memory of 4188	3028	Explorer.EXE	msiexec.exe
PID 3028 wrote to memory of 4188	3028	Explorer.EXE	msiexec.exe
PID 4188 wrote to memory of 4364	4188	msiexec.exe	cmd.exe
PID 4188 wrote to memory of 4364	4188	msiexec.exe	cmd.exe
PID 4188 wrote to memory of 4364	4188	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\order draft.com.exe
"C:\Users\Admin\AppData\Local\Temp\order draft.com.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\order draft.com.exe
"C:\Users\Admin\AppData\Local\Temp\order draft.com.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\order draft.com.exe"
3⤵
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsqDFB3.tmp\ywnsrue.dll
MD5
e6d448f7689e4145e5ef68292eb7145a

SHA1
18d8cfa86b7d5463e888d48194a42584fc297959

SHA256
1c432a5e6d687dc495ccab5e2b532730219eb95bace8ab65ba50e26405b6b212

SHA512
b88698eebbd292f4cd1c6be0b707d1a14a797cf679bd719036b2b6b0448cd757156d8a77e0c23d09907efc4366fad5abcc1669bac1ba9e5a25a89ca92a2eabb7

Download Submit
memory/3016-123-0x0000000000A40000-0x0000000000A55000-memory.dmp

Filesize
84KB

Download
memory/3016-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-117-0x000000000041F200-mapping.dmp

Download
memory/3016-119-0x0000000000AC0000-0x0000000000DE0000-memory.dmp

Filesize
3.1MB

Download
memory/3016-121-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/3016-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-124-0x0000000004FA0000-0x0000000005109000-memory.dmp

Filesize
1.4MB

Download
memory/3028-120-0x0000000004E10000-0x0000000004F97000-memory.dmp

Filesize
1.5MB

Download
memory/3028-133-0x00000000026B0000-0x0000000002774000-memory.dmp

Filesize
784KB

Download
memory/4188-125-0x0000000000000000-mapping.dmp

Download
memory/4188-126-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4188-127-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4188-130-0x0000000002E50000-0x0000000002E7F000-memory.dmp

Filesize
188KB

Download
memory/4188-129-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/4188-131-0x0000000004CA0000-0x0000000004FC0000-memory.dmp

Filesize
3.1MB

Download
memory/4188-132-0x0000000004B00000-0x0000000004B94000-memory.dmp

Filesize
592KB

Download
memory/4364-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads