formbook | 4fcbb9ac5129df9ecf9aac331df477a647d2a8c7081b73f2d27aef62d1a6cbaa

General

Target

Order form.exe
Size

504KB
MD5

d4d2f0959d0b9197e2bc86880c543a92
SHA1

73823ab2066e8b461ad5b20575b64e6ca0b04640
SHA256

4fcbb9ac5129df9ecf9aac331df477a647d2a8c7081b73f2d27aef62d1a6cbaa
SHA512

fe5e2466b81462ef1df7ac62383f62e55675364d29ecd6f1db93def8bf1b6e21fdcf9adc45c2c134e1443314ad81c54941bfaf7d4167ce431bd2960da38c7ba9

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

C2

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1588-119-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1588-120-0x000000000041F200-mapping.dmp	formbook
behavioral2/memory/1460-128-0x0000000002BB0000-0x0000000002BDF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Order form.exe

pid process

2724 Order form.exe

pid	process
2724	Order form.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order form.exeOrder form.exewscript.exe

description	pid	process	target process
PID 2724 set thread context of 1588	2724	Order form.exe	Order form.exe
PID 1588 set thread context of 1920	1588	Order form.exe	Explorer.EXE
PID 1460 set thread context of 1920	1460	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Order form.exewscript.exe

pid	process
1588	Order form.exe
1588	Order form.exe
1588	Order form.exe
1588	Order form.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1920 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Order form.exewscript.exe

pid process

1588 Order form.exe
1588 Order form.exe
1588 Order form.exe
1460 wscript.exe
1460 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order form.exewscript.exe

description pid process

Token: SeDebugPrivilege 1588 Order form.exe
Token: SeDebugPrivilege 1460 wscript.exe

pid	process
1920	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1588	Order form.exe
Token: SeDebugPrivilege	1460	wscript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Order form.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2724 wrote to memory of 1588	2724	Order form.exe	Order form.exe
PID 2724 wrote to memory of 1588	2724	Order form.exe	Order form.exe
PID 2724 wrote to memory of 1588	2724	Order form.exe	Order form.exe
PID 2724 wrote to memory of 1588	2724	Order form.exe	Order form.exe
PID 2724 wrote to memory of 1588	2724	Order form.exe	Order form.exe
PID 2724 wrote to memory of 1588	2724	Order form.exe	Order form.exe
PID 1920 wrote to memory of 1460	1920	Explorer.EXE	wscript.exe
PID 1920 wrote to memory of 1460	1920	Explorer.EXE	wscript.exe
PID 1920 wrote to memory of 1460	1920	Explorer.EXE	wscript.exe
PID 1460 wrote to memory of 3260	1460	wscript.exe	cmd.exe
PID 1460 wrote to memory of 3260	1460	wscript.exe	cmd.exe
PID 1460 wrote to memory of 3260	1460	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\Order form.exe
"C:\Users\Admin\AppData\Local\Temp\Order form.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\Order form.exe
"C:\Users\Admin\AppData\Local\Temp\Order form.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order form.exe"
3⤵
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nss9695.tmp\kmuasy.dll
MD5
42a7fa285b5c17f492bb125b8b3d47ba

SHA1
744f37cecdaf575d948b67077d24315461bb0835

SHA256
de9642df7f7270d0a399a1d046a060eba02d63e189cdb037d2d3c36cb5e66781

SHA512
e3d57d2f86b0fe86ba06ebdf01e71cc4702dcfe3f843b58690620a00fa73b28c31787de6e239d4a9d63e74d6ab17afb071397548d9744da5e34f9076e165b133

Download Submit
memory/1460-128-0x0000000002BB0000-0x0000000002BDF000-memory.dmp

Filesize
188KB

Download
memory/1460-125-0x0000000000000000-mapping.dmp

Download
memory/1460-127-0x00000000048C0000-0x0000000004BE0000-memory.dmp

Filesize
3.1MB

Download
memory/1460-126-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1460-130-0x0000000004620000-0x00000000046B4000-memory.dmp

Filesize
592KB

Download
memory/1588-120-0x000000000041F200-mapping.dmp

Download
memory/1588-122-0x0000000000990000-0x0000000000CB0000-memory.dmp

Filesize
3.1MB

Download
memory/1588-123-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1588-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-124-0x0000000002AA0000-0x0000000002B72000-memory.dmp

Filesize
840KB

Download
memory/1920-131-0x0000000002C20000-0x0000000002CE8000-memory.dmp

Filesize
800KB

Download
memory/3260-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads