formbook | 0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27

General

Target

new_order.exe
Size

247KB
MD5

a0e70d1760e60d81e0f4ac2904fa8002
SHA1

0512dcf545274ac6512abf3fb31a6fff41614280
SHA256

0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27
SHA512

59c04bc30b9f279d434428011efe80d41fd5de99c92165c77dc2a097b742c60e676f65d6185c90d9e5ddfd181fd4a32c7d237ca75ed2be978c6b951be6ae8588

Score

10^/10

formbook os16 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

os16

Decoy

nautic-experts-hageboelling.com

fullharvestfundraising.com

xbdsm.club

duocaterers.com

prizebuddy.club

nillprive.com

firebreathingpenguin.com

buxledger.com

annual-journals.com

mydemosite0.com

noaoka.com

eblaghe-iran.xyz

globalyuncang.com

jacqueson-autocars.com

asiafinances.com

howtomakearesume.space

modernwarfaresecrets.com

dualamaquinaria.com

thrili.com

gracing-up.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2684-119-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3540-126-0x0000000002D80000-0x0000000002DAF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

new_order.exe

pid process

712 new_order.exe

pid	process
712	new_order.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

new_order.exenew_order.exemsdt.exe

description	pid	process	target process
PID 712 set thread context of 2684	712	new_order.exe	new_order.exe
PID 2684 set thread context of 3068	2684	new_order.exe	Explorer.EXE
PID 3540 set thread context of 3068	3540	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

new_order.exemsdt.exe

pid	process
2684	new_order.exe
2684	new_order.exe
2684	new_order.exe
2684	new_order.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe
3540	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

new_order.exemsdt.exe

pid process

2684 new_order.exe
2684 new_order.exe
2684 new_order.exe
3540 msdt.exe
3540 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

new_order.exemsdt.exe

description pid process

Token: SeDebugPrivilege 2684 new_order.exe
Token: SeDebugPrivilege 3540 msdt.exe

pid	process
3068	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2684	new_order.exe
Token: SeDebugPrivilege	3540	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

new_order.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 712 wrote to memory of 2684	712	new_order.exe	new_order.exe
PID 712 wrote to memory of 2684	712	new_order.exe	new_order.exe
PID 712 wrote to memory of 2684	712	new_order.exe	new_order.exe
PID 712 wrote to memory of 2684	712	new_order.exe	new_order.exe
PID 712 wrote to memory of 2684	712	new_order.exe	new_order.exe
PID 712 wrote to memory of 2684	712	new_order.exe	new_order.exe
PID 3068 wrote to memory of 3540	3068	Explorer.EXE	msdt.exe
PID 3068 wrote to memory of 3540	3068	Explorer.EXE	msdt.exe
PID 3068 wrote to memory of 3540	3068	Explorer.EXE	msdt.exe
PID 3540 wrote to memory of 1172	3540	msdt.exe	cmd.exe
PID 3540 wrote to memory of 1172	3540	msdt.exe	cmd.exe
PID 3540 wrote to memory of 1172	3540	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\new_order.exe
"C:\Users\Admin\AppData\Local\Temp\new_order.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:712

C:\Users\Admin\AppData\Local\Temp\new_order.exe
"C:\Users\Admin\AppData\Local\Temp\new_order.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\new_order.exe"
3⤵
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd6501.tmp\yvucmw.dll
MD5
86475a0dbd24b01bcd1b264fecfdf1a2

SHA1
745ce764eb6c9bf86e5ae65a5f365e7faf14a394

SHA256
4ce85a4d12aa0d5b072330dbc50393d2d29eba5321beb3b3bfc6c4a8e9306ad7

SHA512
e14dc2f083bd976482554b62b875645815f6f6bcb9b604b366b7f854e2620222de8f038bb8ddbc2026082476246a9cc1855c6aa1b1cc2a1415feb4a75b4eaca1

Download Submit
memory/712-120-0x0000000002350000-0x0000000002354000-memory.dmp

Filesize
16KB

Download
memory/2684-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-122-0x00000000009C0000-0x0000000000CE0000-memory.dmp

Filesize
3.1MB

Download
memory/2684-123-0x0000000000E40000-0x0000000000E54000-memory.dmp

Filesize
80KB

Download
memory/3068-124-0x00000000051B0000-0x00000000052EE000-memory.dmp

Filesize
1.2MB

Download
memory/3068-129-0x0000000006830000-0x0000000006935000-memory.dmp

Filesize
1.0MB

Download
memory/3540-125-0x00000000001E0000-0x0000000000353000-memory.dmp

Filesize
1.4MB

Download
memory/3540-126-0x0000000002D80000-0x0000000002DAF000-memory.dmp

Filesize
188KB

Download
memory/3540-127-0x00000000046E0000-0x0000000004A00000-memory.dmp

Filesize
3.1MB

Download
memory/3540-128-0x0000000004540000-0x00000000046DE000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads