formbook | bcba0056c80d1a5c320dd74fea9caba51cc2f41c4d05215df1ab825a5ca10de4

General

Target

PAN OCEAN CO LTD-pdf.exe
Size

505KB
MD5

bbe4df3ac05fc6d8da76097b48671892
SHA1

dac9a8db9bc9cb91c0977b4477e62ffa77f3969d
SHA256

bcba0056c80d1a5c320dd74fea9caba51cc2f41c4d05215df1ab825a5ca10de4
SHA512

fd090c93491f62cca7ee47abf92dba5425f9933e6291fbd4b63cbf725671f524f0b3f4c2ad7e0863591bd91eee903168220838d0027ffba3ee0b39ec32c1f648

Score

10^/10

formbook m17y rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17y

Decoy

dental-implants-us-prices.site

eolegends.online

drskinstudio.com

miamivideomapping.com

cqytwater.com

fesfe.net

dlautostore.com

wwwpledge.com

trynutiliti.com

551milesoak.com

jemmetalfab.com

teamtrinitysellsncarolina.com

injurypersonallawyer.com

r3qcf2.xyz

djellaba-boutique.com

t6fwagd.xyz

lm-upto100.com

shyashijz.com

classicbasilicata.com

exactias.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1372-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1372-132-0x0000000001910000-0x0000000001AA1000-memory.dmp	formbook
behavioral2/memory/3220-141-0x0000000002F00000-0x0000000002F2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PAN OCEAN CO LTD-pdf.exePAN OCEAN CO LTD-pdf.exeNETSTAT.EXE

description	pid	process	target process
PID 1552 set thread context of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 1372 set thread context of 2968	1372	PAN OCEAN CO LTD-pdf.exe	Explorer.EXE
PID 3220 set thread context of 2968	3220	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1424 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3220 NETSTAT.EXE

pid	process
1424	schtasks.exe

pid	process
3220	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

PAN OCEAN CO LTD-pdf.exepowershell.exeNETSTAT.EXE

pid	process
1372	PAN OCEAN CO LTD-pdf.exe
1372	PAN OCEAN CO LTD-pdf.exe
1372	PAN OCEAN CO LTD-pdf.exe
1372	PAN OCEAN CO LTD-pdf.exe
3360	powershell.exe
3360	powershell.exe
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3360	powershell.exe
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE
3220	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2968 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PAN OCEAN CO LTD-pdf.exeNETSTAT.EXE

pid process

1372 PAN OCEAN CO LTD-pdf.exe
1372 PAN OCEAN CO LTD-pdf.exe
1372 PAN OCEAN CO LTD-pdf.exe
3220 NETSTAT.EXE
3220 NETSTAT.EXE

pid	process
2968	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exePAN OCEAN CO LTD-pdf.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	1372	PAN OCEAN CO LTD-pdf.exe
Token: SeDebugPrivilege	3220	NETSTAT.EXE
Token: SeShutdownPrivilege	2968	Explorer.EXE
Token: SeCreatePagefilePrivilege	2968	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PAN OCEAN CO LTD-pdf.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1552 wrote to memory of 3360	1552	PAN OCEAN CO LTD-pdf.exe	powershell.exe
PID 1552 wrote to memory of 3360	1552	PAN OCEAN CO LTD-pdf.exe	powershell.exe
PID 1552 wrote to memory of 3360	1552	PAN OCEAN CO LTD-pdf.exe	powershell.exe
PID 1552 wrote to memory of 1424	1552	PAN OCEAN CO LTD-pdf.exe	schtasks.exe
PID 1552 wrote to memory of 1424	1552	PAN OCEAN CO LTD-pdf.exe	schtasks.exe
PID 1552 wrote to memory of 1424	1552	PAN OCEAN CO LTD-pdf.exe	schtasks.exe
PID 1552 wrote to memory of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 1552 wrote to memory of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 1552 wrote to memory of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 1552 wrote to memory of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 1552 wrote to memory of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 1552 wrote to memory of 1372	1552	PAN OCEAN CO LTD-pdf.exe	PAN OCEAN CO LTD-pdf.exe
PID 2968 wrote to memory of 3220	2968	Explorer.EXE	NETSTAT.EXE
PID 2968 wrote to memory of 3220	2968	Explorer.EXE	NETSTAT.EXE
PID 2968 wrote to memory of 3220	2968	Explorer.EXE	NETSTAT.EXE
PID 3220 wrote to memory of 1720	3220	NETSTAT.EXE	cmd.exe
PID 3220 wrote to memory of 1720	3220	NETSTAT.EXE	cmd.exe
PID 3220 wrote to memory of 1720	3220	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\PAN OCEAN CO LTD-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAN OCEAN CO LTD-pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QEDNxgSjLwGfZi.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QEDNxgSjLwGfZi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE805.tmp"
3⤵
- Creates scheduled task(s)
PID:1424

C:\Users\Admin\AppData\Local\Temp\PAN OCEAN CO LTD-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAN OCEAN CO LTD-pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PAN OCEAN CO LTD-pdf.exe"
3⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE805.tmp
MD5
f81ad369fb780f0467f0adefbd0c5d16

SHA1
802268fbb880e1a86b17f5fead35aca3c2999724

SHA256
31a94d35c80512d7bd9b0f3eea872e32aeea0d1ab8414875bc38cc544d63f51d

SHA512
a52fa1db2709810ea0a2fa8cb27314edac070493a9137d327241f83391b9061735df284daf78c3ee08732bebe2832206bf0c26b423cc9971e28ac7fd19e0ed32

Download Submit
memory/1372-131-0x0000000001AB0000-0x0000000001DD0000-memory.dmp

Filesize
3.1MB

Download
memory/1372-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-132-0x0000000001910000-0x0000000001AA1000-memory.dmp

Filesize
1.6MB

Download
memory/1552-116-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1552-117-0x00000000031F0000-0x0000000003204000-memory.dmp

Filesize
80KB

Download
memory/1552-118-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/1552-119-0x0000000001500000-0x000000000159C000-memory.dmp

Filesize
624KB

Download
memory/1552-120-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/1552-121-0x0000000006370000-0x000000000686E000-memory.dmp

Filesize
5.0MB

Download
memory/1552-115-0x0000000000E40000-0x0000000000EC4000-memory.dmp

Filesize
528KB

Download
memory/2968-229-0x0000000007270000-0x000000000738E000-memory.dmp

Filesize
1.1MB

Download
memory/2968-133-0x0000000007140000-0x0000000007266000-memory.dmp

Filesize
1.1MB

Download
memory/3220-141-0x0000000002F00000-0x0000000002F2F000-memory.dmp

Filesize
188KB

Download
memory/3220-143-0x0000000003690000-0x00000000039B0000-memory.dmp

Filesize
3.1MB

Download
memory/3220-164-0x00000000034F0000-0x0000000003683000-memory.dmp

Filesize
1.6MB

Download
memory/3220-140-0x0000000000EF0000-0x0000000000EFB000-memory.dmp

Filesize
44KB

Download
memory/3360-136-0x0000000008080000-0x00000000080E6000-memory.dmp

Filesize
408KB

Download
memory/3360-152-0x00000000096F0000-0x0000000009723000-memory.dmp

Filesize
204KB

Download
memory/3360-137-0x00000000080F0000-0x0000000008440000-memory.dmp

Filesize
3.3MB

Download
memory/3360-138-0x0000000007F20000-0x0000000007F3C000-memory.dmp

Filesize
112KB

Download
memory/3360-139-0x0000000008540000-0x000000000858B000-memory.dmp

Filesize
300KB

Download
memory/3360-134-0x0000000007D80000-0x0000000007DA2000-memory.dmp

Filesize
136KB

Download
memory/3360-130-0x0000000007062000-0x0000000007063000-memory.dmp

Filesize
4KB

Download
memory/3360-142-0x0000000008860000-0x00000000088D6000-memory.dmp

Filesize
472KB

Download
memory/3360-129-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/3360-135-0x0000000007E20000-0x0000000007E86000-memory.dmp

Filesize
408KB

Download
memory/3360-153-0x0000000009570000-0x000000000958E000-memory.dmp

Filesize
120KB

Download
memory/3360-158-0x0000000009820000-0x00000000098C5000-memory.dmp

Filesize
660KB

Download
memory/3360-159-0x000000007E850000-0x000000007E851000-memory.dmp

Filesize
4KB

Download
memory/3360-160-0x0000000007063000-0x0000000007064000-memory.dmp

Filesize
4KB

Download
memory/3360-161-0x0000000009C20000-0x0000000009CB4000-memory.dmp

Filesize
592KB

Download
memory/3360-127-0x0000000007720000-0x0000000007D48000-memory.dmp

Filesize
6.2MB

Download
memory/3360-125-0x00000000070B0000-0x00000000070E6000-memory.dmp

Filesize
216KB

Download
memory/3360-356-0x0000000009AF0000-0x0000000009B0A000-memory.dmp

Filesize
104KB

Download
memory/3360-361-0x0000000009AE0000-0x0000000009AE8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads