formbook | 4f6a9d2f8c26c5106123e3684d72d2624e58226f0c845a265cadf80e67b49842

General

Target

Order Inquiry1.exe
Size

293KB
MD5

929d566cc846ea33935f22f0adc594ff
SHA1

0dfbe5f5805416cf65dba819b70a0f31717f7f18
SHA256

4f6a9d2f8c26c5106123e3684d72d2624e58226f0c845a265cadf80e67b49842
SHA512

ca0ce216ad180ccefb50339257514ebeb1b3b771331f4ff25288697faa68cc83d50e603932830317bf193f54e06b5ae96e46f3d9fc2b21b391b590bd6bb03e3f

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

C2

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/768-57-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/768-58-0x000000000041F200-mapping.dmp	formbook
behavioral1/memory/768-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/464-70-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1188 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

Order Inquiry1.exe

pid process

1684 Order Inquiry1.exe

pid	process
1188	cmd.exe

pid	process
1684	Order Inquiry1.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Order Inquiry1.exeOrder Inquiry1.exeraserver.exe

description	pid	process	target process
PID 1684 set thread context of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 768 set thread context of 1412	768	Order Inquiry1.exe	Explorer.EXE
PID 768 set thread context of 1412	768	Order Inquiry1.exe	Explorer.EXE
PID 464 set thread context of 1412	464	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Order Inquiry1.exeraserver.exe

pid	process
768	Order Inquiry1.exe
768	Order Inquiry1.exe
768	Order Inquiry1.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe
464	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order Inquiry1.exeraserver.exe

pid process

768 Order Inquiry1.exe
768 Order Inquiry1.exe
768 Order Inquiry1.exe
768 Order Inquiry1.exe
464 raserver.exe
464 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order Inquiry1.exeraserver.exe

description pid process

Token: SeDebugPrivilege 768 Order Inquiry1.exe
Token: SeDebugPrivilege 464 raserver.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

pid	process
1412	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	768	Order Inquiry1.exe
Token: SeDebugPrivilege	464	raserver.exe

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Order Inquiry1.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1684 wrote to memory of 768	1684	Order Inquiry1.exe	Order Inquiry1.exe
PID 1412 wrote to memory of 464	1412	Explorer.EXE	raserver.exe
PID 1412 wrote to memory of 464	1412	Explorer.EXE	raserver.exe
PID 1412 wrote to memory of 464	1412	Explorer.EXE	raserver.exe
PID 1412 wrote to memory of 464	1412	Explorer.EXE	raserver.exe
PID 464 wrote to memory of 1188	464	raserver.exe	cmd.exe
PID 464 wrote to memory of 1188	464	raserver.exe	cmd.exe
PID 464 wrote to memory of 1188	464	raserver.exe	cmd.exe
PID 464 wrote to memory of 1188	464	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
3⤵
- Deletes itself
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstEAAE.tmp\uezelwxcsbm.dll
MD5
bfb8387dedc90fc0e6173e46b1dd9654

SHA1
79a1f4aee0a3ceb09ecfd38f80d08402584a76fd

SHA256
47e05ff045771b182dab82d2dda462e216d309b327db88c28156a3d4c0acfa06

SHA512
87783fb1a4b09816b678afab97a8d604b05f768381897f2c3b7d2c2f14a668b07577995b22da94b1a906f04524f37196ca23aaddba8f0813a51b26d8938b345f

Download Submit
memory/464-66-0x0000000000000000-mapping.dmp

Download
memory/464-72-0x0000000001CD0000-0x0000000001D64000-memory.dmp

Filesize
592KB

Download
memory/464-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/464-69-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/464-68-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/768-61-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/768-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-64-0x00000000003A0000-0x00000000003B5000-memory.dmp

Filesize
84KB

Download
memory/768-60-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/768-58-0x000000000041F200-mapping.dmp

Download
memory/768-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-71-0x0000000000000000-mapping.dmp

Download
memory/1412-65-0x0000000005160000-0x0000000005214000-memory.dmp

Filesize
720KB

Download
memory/1412-62-0x0000000006D10000-0x0000000006E9C000-memory.dmp

Filesize
1.5MB

Download
memory/1412-73-0x0000000007CE0000-0x0000000007E48000-memory.dmp

Filesize
1.4MB

Download
memory/1684-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads