formbook | 35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d

General

Target

QUOTATION PDF_SCAN_COPY.exe
Size

523KB
MD5

5e9af5b2056e4da639a9459e3b36193c
SHA1

b779402e9a6ecbbef6b68817814991bbcade12df
SHA256

35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d
SHA512

4f293bab428aeead9c4b0a411a9d0674bebd87cf89d92f2aa0b1ffc4d287d96b859365453f21040abc7b5dd4f452f52ed98661b8c16624d9915d4c40ecfe15ea

Score

10^/10

formbook n2t4 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n2t4

Decoy

livingthroughthechaos.net

videobuzzmedia.com

felineformulas.com

theorganicbees.com

bizoeflow.com

gtbcked.com

immortalapenft.com

pacherasrl.com

defunddrip.black

fromefarm.com

newmedicalnetwork.com

nikosblue.com

kaecfu.online

arcane-stylish.com

7ox.info

osamaabuzawayed.com

noemielatour.com

baccaratjava.com

latinfoodandwinefestival.com

magiclandstudios.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/404-127-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/976-240-0x0000000000D60000-0x0000000000D8F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exeQUOTATION PDF_SCAN_COPY.exemsdt.exe

description	pid	process	target process
PID 3664 set thread context of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 404 set thread context of 372	404	QUOTATION PDF_SCAN_COPY.exe	Explorer.EXE
PID 976 set thread context of 372	976	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3252 schtasks.exe

pid	process
3252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exepowershell.exeQUOTATION PDF_SCAN_COPY.exemsdt.exe

pid	process
3664	QUOTATION PDF_SCAN_COPY.exe
3664	QUOTATION PDF_SCAN_COPY.exe
3180	powershell.exe
404	QUOTATION PDF_SCAN_COPY.exe
404	QUOTATION PDF_SCAN_COPY.exe
404	QUOTATION PDF_SCAN_COPY.exe
404	QUOTATION PDF_SCAN_COPY.exe
3180	powershell.exe
3180	powershell.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe
976	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

372 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exemsdt.exe

pid process

404 QUOTATION PDF_SCAN_COPY.exe
404 QUOTATION PDF_SCAN_COPY.exe
404 QUOTATION PDF_SCAN_COPY.exe
976 msdt.exe
976 msdt.exe

pid	process
372	Explorer.EXE

pid	process
404	QUOTATION PDF_SCAN_COPY.exe
404	QUOTATION PDF_SCAN_COPY.exe
404	QUOTATION PDF_SCAN_COPY.exe
976	msdt.exe
976	msdt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exepowershell.exeQUOTATION PDF_SCAN_COPY.exemsdt.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3664	QUOTATION PDF_SCAN_COPY.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	404	QUOTATION PDF_SCAN_COPY.exe
Token: SeDebugPrivilege	976	msdt.exe
Token: SeShutdownPrivilege	372	Explorer.EXE
Token: SeCreatePagefilePrivilege	372	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

QUOTATION PDF_SCAN_COPY.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 3664 wrote to memory of 3180	3664	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 3664 wrote to memory of 3180	3664	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 3664 wrote to memory of 3180	3664	QUOTATION PDF_SCAN_COPY.exe	powershell.exe
PID 3664 wrote to memory of 3252	3664	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 3664 wrote to memory of 3252	3664	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 3664 wrote to memory of 3252	3664	QUOTATION PDF_SCAN_COPY.exe	schtasks.exe
PID 3664 wrote to memory of 4280	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 4280	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 4280	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 3664 wrote to memory of 404	3664	QUOTATION PDF_SCAN_COPY.exe	QUOTATION PDF_SCAN_COPY.exe
PID 372 wrote to memory of 976	372	Explorer.EXE	msdt.exe
PID 372 wrote to memory of 976	372	Explorer.EXE	msdt.exe
PID 372 wrote to memory of 976	372	Explorer.EXE	msdt.exe
PID 976 wrote to memory of 1212	976	msdt.exe	cmd.exe
PID 976 wrote to memory of 1212	976	msdt.exe	cmd.exe
PID 976 wrote to memory of 1212	976	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KHDScDG.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39C9.tmp"
3⤵
- Creates scheduled task(s)
PID:3252

C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
3⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION PDF_SCAN_COPY.exe"
3⤵
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp39C9.tmp
MD5
5c98c202c0f395c0162515b81bb365df

SHA1
3454a347487a1efb08e1a9bce74f6d2e49671be0

SHA256
36c789069731d76811b5f24338999dd8c15ab51b5bb8279d953498a464681a2c

SHA512
c981857772648bc0a8a0d9c841d31e3748979b984837c05299577f18d8ba9a18eae437cc8b91a7c9323090ca6c103d299854d50781abae559118e30c7f9c56a0

Download Submit
memory/372-375-0x0000000006870000-0x00000000069B1000-memory.dmp

Filesize
1.3MB

Download
memory/372-140-0x0000000007190000-0x0000000007291000-memory.dmp

Filesize
1.0MB

Download
memory/404-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-138-0x00000000016C0000-0x00000000019E0000-memory.dmp

Filesize
3.1MB

Download
memory/404-139-0x0000000001260000-0x0000000001275000-memory.dmp

Filesize
84KB

Download
memory/976-374-0x0000000004E50000-0x0000000004FE6000-memory.dmp

Filesize
1.6MB

Download
memory/976-242-0x00000000051D0000-0x00000000054F0000-memory.dmp

Filesize
3.1MB

Download
memory/976-240-0x0000000000D60000-0x0000000000D8F000-memory.dmp

Filesize
188KB

Download
memory/976-238-0x0000000000E40000-0x0000000000FB3000-memory.dmp

Filesize
1.4MB

Download
memory/3180-136-0x0000000007B60000-0x0000000007B7C000-memory.dmp

Filesize
112KB

Download
memory/3180-141-0x0000000008A50000-0x0000000008AC6000-memory.dmp

Filesize
472KB

Download
memory/3180-129-0x0000000007840000-0x0000000007862000-memory.dmp

Filesize
136KB

Download
memory/3180-130-0x00000000079E0000-0x0000000007A46000-memory.dmp

Filesize
408KB

Download
memory/3180-131-0x0000000007AC0000-0x0000000007B26000-memory.dmp

Filesize
408KB

Download
memory/3180-134-0x0000000008330000-0x0000000008680000-memory.dmp

Filesize
3.3MB

Download
memory/3180-133-0x0000000005012000-0x0000000005013000-memory.dmp

Filesize
4KB

Download
memory/3180-132-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3180-360-0x0000000005250000-0x0000000005258000-memory.dmp

Filesize
32KB

Download
memory/3180-137-0x0000000008740000-0x000000000878B000-memory.dmp

Filesize
300KB

Download
memory/3180-126-0x0000000004EF0000-0x0000000004F26000-memory.dmp

Filesize
216KB

Download
memory/3180-355-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/3180-173-0x000000007F520000-0x000000007F521000-memory.dmp

Filesize
4KB

Download
memory/3180-128-0x0000000007C00000-0x0000000008228000-memory.dmp

Filesize
6.2MB

Download
memory/3180-150-0x0000000009AC0000-0x0000000009AF3000-memory.dmp

Filesize
204KB

Download
memory/3180-151-0x0000000009A80000-0x0000000009A9E000-memory.dmp

Filesize
120KB

Download
memory/3180-156-0x0000000009BF0000-0x0000000009C95000-memory.dmp

Filesize
660KB

Download
memory/3180-157-0x0000000009E00000-0x0000000009E94000-memory.dmp

Filesize
592KB

Download
memory/3180-174-0x0000000005013000-0x0000000005014000-memory.dmp

Filesize
4KB

Download
memory/3664-121-0x00000000073B0000-0x000000000744C000-memory.dmp

Filesize
624KB

Download
memory/3664-120-0x0000000006B50000-0x0000000006B64000-memory.dmp

Filesize
80KB

Download
memory/3664-119-0x0000000004F20000-0x000000000541E000-memory.dmp

Filesize
5.0MB

Download
memory/3664-118-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/3664-122-0x0000000007530000-0x0000000007596000-memory.dmp

Filesize
408KB

Download
memory/3664-115-0x0000000000660000-0x00000000006EA000-memory.dmp

Filesize
552KB

Download
memory/3664-117-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/3664-116-0x0000000005420000-0x000000000591E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads