formbook | b3a1efab40ba72a79ed8b8cc89b738bbdb356940074aee6983a1b21059baa516

General

Target

Quotation-pdf.exe
Size

573KB
MD5

43be7a6cfb1c2fae6ad5c9e0440be4f8
SHA1

af4be0100e8c2b00ec1d821d72d15174ab2197e4
SHA256

0337d7784d4021b8467b2652f8c6ca9703732a0f132a1aebcafae37673db026d
SHA512

18a88af955dda3fbfc44a44ee72f8dcd32aefcc1d998316980bb235b485de6b6fee09b1322a5bd863cab5036c6b9b16c6a8aaf30c918ba5862c5b83b29406643

Score

10^/10

formbook m17y rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17y

Decoy

dental-implants-us-prices.site

eolegends.online

drskinstudio.com

miamivideomapping.com

cqytwater.com

fesfe.net

dlautostore.com

wwwpledge.com

trynutiliti.com

551milesoak.com

jemmetalfab.com

teamtrinitysellsncarolina.com

injurypersonallawyer.com

r3qcf2.xyz

djellaba-boutique.com

t6fwagd.xyz

lm-upto100.com

shyashijz.com

classicbasilicata.com

exactias.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1128-127-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/912-148-0x0000000000FD0000-0x0000000000FFF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quotation-pdf.exeQuotation-pdf.exesvchost.exe

description	pid	process	target process
PID 2580 set thread context of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 1128 set thread context of 3040	1128	Quotation-pdf.exe	Explorer.EXE
PID 912 set thread context of 3040	912	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1952 schtasks.exe

pid	process
1952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

Quotation-pdf.exepowershell.exeQuotation-pdf.exesvchost.exe

pid	process
2580	Quotation-pdf.exe
2580	Quotation-pdf.exe
2580	Quotation-pdf.exe
2580	Quotation-pdf.exe
1508	powershell.exe
1128	Quotation-pdf.exe
1128	Quotation-pdf.exe
1128	Quotation-pdf.exe
1128	Quotation-pdf.exe
1508	powershell.exe
1508	powershell.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Quotation-pdf.exesvchost.exe

pid process

1128 Quotation-pdf.exe
1128 Quotation-pdf.exe
1128 Quotation-pdf.exe
912 svchost.exe
912 svchost.exe

pid	process
3040	Explorer.EXE

pid	process
1128	Quotation-pdf.exe
1128	Quotation-pdf.exe
1128	Quotation-pdf.exe
912	svchost.exe
912	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Quotation-pdf.exepowershell.exeQuotation-pdf.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2580	Quotation-pdf.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1128	Quotation-pdf.exe
Token: SeDebugPrivilege	912	svchost.exe
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Quotation-pdf.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 2580 wrote to memory of 1508	2580	Quotation-pdf.exe	powershell.exe
PID 2580 wrote to memory of 1508	2580	Quotation-pdf.exe	powershell.exe
PID 2580 wrote to memory of 1508	2580	Quotation-pdf.exe	powershell.exe
PID 2580 wrote to memory of 1952	2580	Quotation-pdf.exe	schtasks.exe
PID 2580 wrote to memory of 1952	2580	Quotation-pdf.exe	schtasks.exe
PID 2580 wrote to memory of 1952	2580	Quotation-pdf.exe	schtasks.exe
PID 2580 wrote to memory of 3268	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 3268	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 3268	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1348	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1348	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1348	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 2580 wrote to memory of 1128	2580	Quotation-pdf.exe	Quotation-pdf.exe
PID 3040 wrote to memory of 912	3040	Explorer.EXE	svchost.exe
PID 3040 wrote to memory of 912	3040	Explorer.EXE	svchost.exe
PID 3040 wrote to memory of 912	3040	Explorer.EXE	svchost.exe
PID 912 wrote to memory of 2972	912	svchost.exe	cmd.exe
PID 912 wrote to memory of 2972	912	svchost.exe	cmd.exe
PID 912 wrote to memory of 2972	912	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IfvVzYPE.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IfvVzYPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4003.tmp"
3⤵
- Creates scheduled task(s)
PID:1952

C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
3⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
3⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
3⤵
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4003.tmp
MD5
ab029c5bffd0705519c6a2ff1db6069e

SHA1
b67716c948d7b871a5fe4cb14dd089a4bfe593a1

SHA256
e9003bd46a9fcbf66ba9a566796b3261a19969cdd9ab8f2ffb31e435b1412542

SHA512
e747d64872beb9c85226e402420078950f130fc459cb8556e963379418b20909b6cf20fcffcaa2af3d454372f729fc56f1ece82c7251faf39a9e739bc29cdc82

Download Submit
memory/912-369-0x0000000003990000-0x0000000003B20000-memory.dmp

Filesize
1.6MB

Download
memory/912-148-0x0000000000FD0000-0x0000000000FFF000-memory.dmp

Filesize
188KB

Download
memory/912-147-0x0000000003B20000-0x0000000003E40000-memory.dmp

Filesize
3.1MB

Download
memory/912-146-0x0000000001150000-0x000000000115C000-memory.dmp

Filesize
48KB

Download
memory/1128-137-0x0000000001300000-0x00000000013AE000-memory.dmp

Filesize
696KB

Download
memory/1128-136-0x0000000001590000-0x0000000001CE0000-memory.dmp

Filesize
7.3MB

Download
memory/1128-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-126-0x00000000069E0000-0x0000000006A16000-memory.dmp

Filesize
216KB

Download
memory/1508-141-0x0000000008180000-0x00000000081F6000-memory.dmp

Filesize
472KB

Download
memory/1508-360-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/1508-128-0x0000000007120000-0x0000000007748000-memory.dmp

Filesize
6.2MB

Download
memory/1508-129-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1508-130-0x0000000006AE2000-0x0000000006AE3000-memory.dmp

Filesize
4KB

Download
memory/1508-131-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

Filesize
136KB

Download
memory/1508-132-0x0000000006F70000-0x0000000006FD6000-memory.dmp

Filesize
408KB

Download
memory/1508-133-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/1508-134-0x0000000007A00000-0x0000000007D50000-memory.dmp

Filesize
3.3MB

Download
memory/1508-355-0x0000000008270000-0x000000000828A000-memory.dmp

Filesize
104KB

Download
memory/1508-162-0x0000000009560000-0x00000000095F4000-memory.dmp

Filesize
592KB

Download
memory/1508-161-0x0000000006AE3000-0x0000000006AE4000-memory.dmp

Filesize
4KB

Download
memory/1508-139-0x0000000006D20000-0x0000000006D3C000-memory.dmp

Filesize
112KB

Download
memory/1508-140-0x0000000008470000-0x00000000084BB000-memory.dmp

Filesize
300KB

Download
memory/1508-160-0x000000007F510000-0x000000007F511000-memory.dmp

Filesize
4KB

Download
memory/1508-159-0x0000000009190000-0x0000000009235000-memory.dmp

Filesize
660KB

Download
memory/1508-154-0x0000000009030000-0x000000000904E000-memory.dmp

Filesize
120KB

Download
memory/1508-153-0x0000000009050000-0x0000000009083000-memory.dmp

Filesize
204KB

Download
memory/2580-117-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/2580-118-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/2580-119-0x0000000005A30000-0x0000000005F2E000-memory.dmp

Filesize
5.0MB

Download
memory/2580-115-0x0000000000FD0000-0x0000000001066000-memory.dmp

Filesize
600KB

Download
memory/2580-120-0x0000000005DA0000-0x0000000005DAC000-memory.dmp

Filesize
48KB

Download
memory/2580-121-0x0000000008150000-0x00000000081EC000-memory.dmp

Filesize
624KB

Download
memory/2580-122-0x0000000008410000-0x000000000847A000-memory.dmp

Filesize
424KB

Download
memory/2580-116-0x0000000005F30000-0x000000000642E000-memory.dmp

Filesize
5.0MB

Download
memory/3040-138-0x00000000020E0000-0x00000000021C0000-memory.dmp

Filesize
896KB

Download
memory/3040-375-0x0000000005F10000-0x0000000006086000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads