formbook | 24297af3766db60f58d626d2c31e8647b2c596259a26d067481916c8cd16091d

General

Target

Promar Industrial Chemicals PO.exe
Size

419KB
MD5

c368451b88a7831a71d9f9e9cbdf6ce5
SHA1

dfd8f1ef334550cd94763e0bc60b5b4f243f3ebd
SHA256

2d982a64999857ad75996e06f4a858c43b1bd5e17422195414de62d5e344e413
SHA512

52c9208cad6f6ff477b4013d32e3b5f15a8e71d4b33dcc8825c21d7c5d0ef00dcbd9b805865340d57688fcd51726ddc5b0b74b6167c0586c7e0e7a6192fe1d17

Score

10^/10

formbook n2t4 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n2t4

Decoy

livingthroughthechaos.net

videobuzzmedia.com

felineformulas.com

theorganicbees.com

bizoeflow.com

gtbcked.com

immortalapenft.com

pacherasrl.com

defunddrip.black

fromefarm.com

newmedicalnetwork.com

nikosblue.com

kaecfu.online

arcane-stylish.com

7ox.info

osamaabuzawayed.com

noemielatour.com

baccaratjava.com

latinfoodandwinefestival.com

magiclandstudios.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2080-127-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3592-143-0x0000000000C20000-0x0000000000C4F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Promar Industrial Chemicals PO.exePromar Industrial Chemicals PO.execolorcpl.exe

description	pid	process	target process
PID 2464 set thread context of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 2080 set thread context of 3024	2080	Promar Industrial Chemicals PO.exe	Explorer.EXE
PID 3592 set thread context of 3024	3592	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

856 schtasks.exe

pid	process
856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exePromar Industrial Chemicals PO.execolorcpl.exe

pid	process
4044	powershell.exe
2080	Promar Industrial Chemicals PO.exe
2080	Promar Industrial Chemicals PO.exe
2080	Promar Industrial Chemicals PO.exe
2080	Promar Industrial Chemicals PO.exe
4044	powershell.exe
3592	colorcpl.exe
3592	colorcpl.exe
4044	powershell.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe
3592	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Promar Industrial Chemicals PO.execolorcpl.exe

pid	process
2080	Promar Industrial Chemicals PO.exe
2080	Promar Industrial Chemicals PO.exe
2080	Promar Industrial Chemicals PO.exe
3592	colorcpl.exe
3592	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exePromar Industrial Chemicals PO.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	2080	Promar Industrial Chemicals PO.exe
Token: SeDebugPrivilege	3592	colorcpl.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Promar Industrial Chemicals PO.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 2464 wrote to memory of 4044	2464	Promar Industrial Chemicals PO.exe	powershell.exe
PID 2464 wrote to memory of 4044	2464	Promar Industrial Chemicals PO.exe	powershell.exe
PID 2464 wrote to memory of 4044	2464	Promar Industrial Chemicals PO.exe	powershell.exe
PID 2464 wrote to memory of 856	2464	Promar Industrial Chemicals PO.exe	schtasks.exe
PID 2464 wrote to memory of 856	2464	Promar Industrial Chemicals PO.exe	schtasks.exe
PID 2464 wrote to memory of 856	2464	Promar Industrial Chemicals PO.exe	schtasks.exe
PID 2464 wrote to memory of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 2464 wrote to memory of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 2464 wrote to memory of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 2464 wrote to memory of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 2464 wrote to memory of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 2464 wrote to memory of 2080	2464	Promar Industrial Chemicals PO.exe	Promar Industrial Chemicals PO.exe
PID 3024 wrote to memory of 3592	3024	Explorer.EXE	colorcpl.exe
PID 3024 wrote to memory of 3592	3024	Explorer.EXE	colorcpl.exe
PID 3024 wrote to memory of 3592	3024	Explorer.EXE	colorcpl.exe
PID 3592 wrote to memory of 1452	3592	colorcpl.exe	cmd.exe
PID 3592 wrote to memory of 1452	3592	colorcpl.exe	cmd.exe
PID 3592 wrote to memory of 1452	3592	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Promar Industrial Chemicals PO.exe
"C:\Users\Admin\AppData\Local\Temp\Promar Industrial Chemicals PO.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LOJZtdXKgVLc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LOJZtdXKgVLc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6D6.tmp"
3⤵
- Creates scheduled task(s)
PID:856

C:\Users\Admin\AppData\Local\Temp\Promar Industrial Chemicals PO.exe
"C:\Users\Admin\AppData\Local\Temp\Promar Industrial Chemicals PO.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Promar Industrial Chemicals PO.exe"
3⤵
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC6D6.tmp
MD5
b44d2fa76e53c32785c46f73c7f2243d

SHA1
0cc6d385087bec106270cfcf90d777871dc4ccf3

SHA256
f7900323e3923943172c06955389dba68b2bb3a00799d88a84565c04dc3c9904

SHA512
9a454b8e4c35e8b570b54d1d39b815a152a5e6402a60ec08e834187fa3fb03dcfe27dcdcef393c751c62e98a8d337f18f560419df326325e99b1efd9b9ae319c

Download Submit
memory/2080-136-0x0000000001690000-0x00000000019B0000-memory.dmp

Filesize
3.1MB

Download
memory/2080-137-0x00000000014F0000-0x0000000001681000-memory.dmp

Filesize
1.6MB

Download
memory/2080-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-119-0x00000000057C0000-0x0000000005CBE000-memory.dmp

Filesize
5.0MB

Download
memory/2464-116-0x0000000005CC0000-0x00000000061BE000-memory.dmp

Filesize
5.0MB

Download
memory/2464-121-0x0000000007EE0000-0x0000000007F7C000-memory.dmp

Filesize
624KB

Download
memory/2464-122-0x0000000008170000-0x00000000081DA000-memory.dmp

Filesize
424KB

Download
memory/2464-118-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/2464-115-0x0000000000ED0000-0x0000000000F40000-memory.dmp

Filesize
448KB

Download
memory/2464-117-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/2464-120-0x00000000059A0000-0x00000000059AC000-memory.dmp

Filesize
48KB

Download
memory/3024-239-0x0000000005660000-0x000000000579A000-memory.dmp

Filesize
1.2MB

Download
memory/3024-138-0x0000000006510000-0x000000000666A000-memory.dmp

Filesize
1.4MB

Download
memory/3592-144-0x0000000004B90000-0x0000000004EB0000-memory.dmp

Filesize
3.1MB

Download
memory/3592-143-0x0000000000C20000-0x0000000000C4F000-memory.dmp

Filesize
188KB

Download
memory/3592-142-0x0000000000E30000-0x0000000000E49000-memory.dmp

Filesize
100KB

Download
memory/3592-237-0x00000000049F0000-0x0000000004B89000-memory.dmp

Filesize
1.6MB

Download
memory/4044-126-0x0000000000E00000-0x0000000000E36000-memory.dmp

Filesize
216KB

Download
memory/4044-153-0x0000000008E80000-0x0000000008EB3000-memory.dmp

Filesize
204KB

Download
memory/4044-133-0x0000000006CE0000-0x0000000006D46000-memory.dmp

Filesize
408KB

Download
memory/4044-139-0x0000000006920000-0x000000000693C000-memory.dmp

Filesize
112KB

Download
memory/4044-140-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/4044-141-0x0000000007DD0000-0x0000000007E46000-memory.dmp

Filesize
472KB

Download
memory/4044-129-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/4044-132-0x0000000006C70000-0x0000000006CD6000-memory.dmp

Filesize
408KB

Download
memory/4044-131-0x0000000006772000-0x0000000006773000-memory.dmp

Filesize
4KB

Download
memory/4044-134-0x00000000076C0000-0x0000000007A10000-memory.dmp

Filesize
3.3MB

Download
memory/4044-154-0x0000000008BA0000-0x0000000008BBE000-memory.dmp

Filesize
120KB

Download
memory/4044-159-0x0000000008FB0000-0x0000000009055000-memory.dmp

Filesize
660KB

Download
memory/4044-160-0x0000000009130000-0x00000000091C4000-memory.dmp

Filesize
592KB

Download
memory/4044-230-0x0000000006773000-0x0000000006774000-memory.dmp

Filesize
4KB

Download
memory/4044-229-0x000000007E6A0000-0x000000007E6A1000-memory.dmp

Filesize
4KB

Download
memory/4044-130-0x0000000006AD0000-0x0000000006AF2000-memory.dmp

Filesize
136KB

Download
memory/4044-128-0x0000000006DB0000-0x00000000073D8000-memory.dmp

Filesize
6.2MB

Download
memory/4044-357-0x0000000008B60000-0x0000000008B7A000-memory.dmp

Filesize
104KB

Download
memory/4044-362-0x0000000008B50000-0x0000000008B58000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads