formbook | 35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d

General

Target

QUOTATION PDF_SCAN_COPY.exe
Size

523KB
MD5

5e9af5b2056e4da639a9459e3b36193c
SHA1

b779402e9a6ecbbef6b68817814991bbcade12df
SHA256

35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d
SHA512

4f293bab428aeead9c4b0a411a9d0674bebd87cf89d92f2aa0b1ffc4d287d96b859365453f21040abc7b5dd4f452f52ed98661b8c16624d9915d4c40ecfe15ea

Score

10^/10

formbook n2t4 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n2t4

Decoy

livingthroughthechaos.net

videobuzzmedia.com

felineformulas.com

theorganicbees.com

bizoeflow.com

gtbcked.com

immortalapenft.com

pacherasrl.com

defunddrip.black

fromefarm.com

newmedicalnetwork.com

nikosblue.com

kaecfu.online

arcane-stylish.com

7ox.info

osamaabuzawayed.com

noemielatour.com

baccaratjava.com

latinfoodandwinefestival.com

magiclandstudios.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1768-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1928-73-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1052 cmd.exe

pid	process
1052	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exeQUOTATION PDF_SCAN_COPY.exemsiexec.exe

description	pid	process	target process
PID 1592 set thread context of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1768 set thread context of 1396	1768	QUOTATION PDF_SCAN_COPY.exe	Explorer.EXE
PID 1928 set thread context of 1396	1928	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1424 schtasks.exe

pid	process
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exepowershell.exemsiexec.exe

pid	process
1768	QUOTATION PDF_SCAN_COPY.exe
680	powershell.exe
1768	QUOTATION PDF_SCAN_COPY.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exemsiexec.exe

pid process

1768 QUOTATION PDF_SCAN_COPY.exe
1768 QUOTATION PDF_SCAN_COPY.exe
1768 QUOTATION PDF_SCAN_COPY.exe
1928 msiexec.exe
1928 msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeQUOTATION PDF_SCAN_COPY.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1768	QUOTATION PDF_SCAN_COPY.exe
Token: SeDebugPrivilege	1928	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1592 wrote to memory of 680	1592	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 1592 wrote to memory of 680	1592	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 1592 wrote to memory of 680	1592	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 1592 wrote to memory of 680	1592	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 1592 wrote to memory of 1424	1592	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 1592 wrote to memory of 1424	1592	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 1592 wrote to memory of 1424	1592	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 1592 wrote to memory of 1424	1592	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1592 wrote to memory of 1768	1592	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1396 wrote to memory of 1928	1396	Explorer.EXE	msiexec.exe
PID 1928 wrote to memory of 1052	1928	msiexec.exe	cmd.exe
PID 1928 wrote to memory of 1052	1928	msiexec.exe	cmd.exe
PID 1928 wrote to memory of 1052	1928	msiexec.exe	cmd.exe
PID 1928 wrote to memory of 1052	1928	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KHDScDG.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp"
3⤵
- Creates scheduled task(s)
PID:1424

C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
3⤵
- Deletes itself
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp
MD5
3276c466b3c54652ea41cfb7464f620b

SHA1
af330d6e123105f10a9fd5817dff772e3aa558da

SHA256
b6e3299046672210f0c3a4d82be7bc5a10370d6ded52cbcc6e8ffde4cbf449d3

SHA512
3ac5a5977c5981f978c583412cfea031021d2f3f6fa1dd7e0223e96de9d8741ec41c193bd464cba0bc7faf8ace1ca5da7f8ded195e77b4b47f24cf94e5e64329

Download Submit
memory/680-65-0x0000000002720000-0x000000000336A000-memory.dmp

Filesize
12.3MB

Download
memory/680-68-0x0000000002720000-0x000000000336A000-memory.dmp

Filesize
12.3MB

Download
memory/680-69-0x0000000002720000-0x000000000336A000-memory.dmp

Filesize
12.3MB

Download
memory/1396-67-0x0000000006CC0000-0x0000000006E6B000-memory.dmp

Filesize
1.7MB

Download
memory/1396-76-0x0000000007E60000-0x0000000007FC9000-memory.dmp

Filesize
1.4MB

Download
memory/1592-54-0x0000000000B40000-0x0000000000BCA000-memory.dmp

Filesize
552KB

Download
memory/1592-58-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/1592-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1592-56-0x00000000005A0000-0x0000000000700000-memory.dmp

Filesize
1.4MB

Download
memory/1592-57-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/1768-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-70-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/1768-66-0x0000000000210000-0x0000000000225000-memory.dmp

Filesize
84KB

Download
memory/1928-72-0x0000000000770000-0x0000000000784000-memory.dmp

Filesize
80KB

Download
memory/1928-73-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1928-74-0x00000000021C0000-0x00000000024C3000-memory.dmp

Filesize
3.0MB

Download
memory/1928-75-0x0000000002030000-0x00000000020C4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads