formbook | baef60b7ed8a0286e276a7b7d76c7a9d52a8a77c2688b0d2b2cc1d886954b1a0

General

Target

ROTONDI-NEW ORDER PT004.exe
Size

250KB
MD5

f536635d5e97e42c2094f8b55a1c6c28
SHA1

931da46b998bb65a6a08a01e90d41689653d4103
SHA256

baef60b7ed8a0286e276a7b7d76c7a9d52a8a77c2688b0d2b2cc1d886954b1a0
SHA512

07eccfbe1c8a9753eeee8e18b6d3f5de2e41f7c2e01f6da9234aba0b63985b20dac15061cda990023d4f905bbefa309edf192d157d1f19193601b9b7946a80a3

Score

10^/10

formbook a0p6 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a0p6

Decoy

taxlaws.info

porn-star-depot.com

cpf-comptes.com

metropark.xyz

transformselfhypnosis.com

wu8g8aerxgjr.xyz

jingzhouhan.net

granicors.com

monografiaonline.com

4972hillcrestdrive.com

gridironagriculturist.com

xtrasomething.com

scbndirects.com

agglutinatesmicromanagers.xyz

butsuyokulog.xyz

parttimejobsinuk.site

kriylzf.xyz

sinashakib.com

hpessoa.website

interscopealbums.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1884-56-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1884-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/860-66-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1204 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

ROTONDI-NEW ORDER PT004.exe

pid process

964 ROTONDI-NEW ORDER PT004.exe

pid	process
1204	cmd.exe

pid	process
964	ROTONDI-NEW ORDER PT004.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ROTONDI-NEW ORDER PT004.exeROTONDI-NEW ORDER PT004.exesvchost.exe

description	pid	process	target process
PID 964 set thread context of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 1884 set thread context of 1360	1884	ROTONDI-NEW ORDER PT004.exe	Explorer.EXE
PID 1884 set thread context of 1360	1884	ROTONDI-NEW ORDER PT004.exe	Explorer.EXE
PID 860 set thread context of 1360	860	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

ROTONDI-NEW ORDER PT004.exesvchost.exe

pid	process
1884	ROTONDI-NEW ORDER PT004.exe
1884	ROTONDI-NEW ORDER PT004.exe
1884	ROTONDI-NEW ORDER PT004.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe
860	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE

pid	process
1360	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ROTONDI-NEW ORDER PT004.exesvchost.exe

pid	process
1884	ROTONDI-NEW ORDER PT004.exe
1884	ROTONDI-NEW ORDER PT004.exe
1884	ROTONDI-NEW ORDER PT004.exe
1884	ROTONDI-NEW ORDER PT004.exe
860	svchost.exe
860	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ROTONDI-NEW ORDER PT004.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1884 ROTONDI-NEW ORDER PT004.exe
Token: SeDebugPrivilege 860 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1884	ROTONDI-NEW ORDER PT004.exe
Token: SeDebugPrivilege	860	svchost.exe

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ROTONDI-NEW ORDER PT004.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 964 wrote to memory of 1884	964	ROTONDI-NEW ORDER PT004.exe	ROTONDI-NEW ORDER PT004.exe
PID 1360 wrote to memory of 860	1360	Explorer.EXE	svchost.exe
PID 1360 wrote to memory of 860	1360	Explorer.EXE	svchost.exe
PID 1360 wrote to memory of 860	1360	Explorer.EXE	svchost.exe
PID 1360 wrote to memory of 860	1360	Explorer.EXE	svchost.exe
PID 860 wrote to memory of 1204	860	svchost.exe	cmd.exe
PID 860 wrote to memory of 1204	860	svchost.exe	cmd.exe
PID 860 wrote to memory of 1204	860	svchost.exe	cmd.exe
PID 860 wrote to memory of 1204	860	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\ROTONDI-NEW ORDER PT004.exe
"C:\Users\Admin\AppData\Local\Temp\ROTONDI-NEW ORDER PT004.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\ROTONDI-NEW ORDER PT004.exe
"C:\Users\Admin\AppData\Local\Temp\ROTONDI-NEW ORDER PT004.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ROTONDI-NEW ORDER PT004.exe"
3⤵
- Deletes itself
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoCB0.tmp\yeqyi.dll
MD5
da0a46c4a9a05d7e1ea5e501acad07ba

SHA1
e0ec05e2784b5865b431220f2f4aa0876c50ff5a

SHA256
1c446424ac31bf1c943882c8a054ce3ecbf018cca2c7c719eebfb4591f78a11f

SHA512
7c17abcca1ae262722abe64cd3b9625264c4585f78667a17fc22f2833bb06d340e93fcd9a9709464a13e53f8ffedede5bdf652771498c955261c975f5a714298

Download Submit
memory/860-68-0x00000000005F0000-0x0000000000683000-memory.dmp

Filesize
588KB

Download
memory/860-67-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/860-66-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/860-65-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/964-57-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/1360-64-0x0000000006DF0000-0x0000000006F42000-memory.dmp

Filesize
1.3MB

Download
memory/1360-61-0x0000000006A10000-0x0000000006B74000-memory.dmp

Filesize
1.4MB

Download
memory/1360-69-0x0000000004D30000-0x0000000004DE5000-memory.dmp

Filesize
724KB

Download
memory/1884-63-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/1884-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-60-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/1884-59-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/1884-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads