formbook | 780f32cb42bd11ab9ae87d365c55c098051dba2784921ab5f7f7fd7d4ebe0c26

General

Target

QUOTATION.exe
Size

508KB
MD5

54cabe3124bae52f13dd9e772b6361e0
SHA1

8c80ce3af1573e5d48d536e112d5845aeee426f9
SHA256

780f32cb42bd11ab9ae87d365c55c098051dba2784921ab5f7f7fd7d4ebe0c26
SHA512

ac746875c4c919450c1955c8830d79585cd03ae87351064ab3453e549807c4e6abf9d4ae9ae383ed3a4b6062e172bfcf003966734f8c414fb00235e17539f39d

Score

10^/10

formbook n2t4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n2t4

Decoy

livingthroughthechaos.net

videobuzzmedia.com

felineformulas.com

theorganicbees.com

bizoeflow.com

gtbcked.com

immortalapenft.com

pacherasrl.com

defunddrip.black

fromefarm.com

newmedicalnetwork.com

nikosblue.com

kaecfu.online

arcane-stylish.com

7ox.info

osamaabuzawayed.com

noemielatour.com

baccaratjava.com

latinfoodandwinefestival.com

magiclandstudios.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1800-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1824-72-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1148 cmd.exe

pid	process
1148	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

QUOTATION.exeQUOTATION.exehelp.exe

description	pid	process	target process
PID 812 set thread context of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 1800 set thread context of 1436	1800	QUOTATION.exe	Explorer.EXE
PID 1824 set thread context of 1436	1824	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

112 schtasks.exe

pid	process
112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

QUOTATION.exeQUOTATION.exepowershell.exehelp.exe

pid	process
812	QUOTATION.exe
812	QUOTATION.exe
812	QUOTATION.exe
812	QUOTATION.exe
1800	QUOTATION.exe
1800	QUOTATION.exe
1248	powershell.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe
1824	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

QUOTATION.exehelp.exe

pid process

1800 QUOTATION.exe
1800 QUOTATION.exe
1800 QUOTATION.exe
1824 help.exe
1824 help.exe

pid	process
1800	QUOTATION.exe
1800	QUOTATION.exe
1800	QUOTATION.exe
1824	help.exe
1824	help.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

QUOTATION.exeQUOTATION.exepowershell.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	812	QUOTATION.exe
Token: SeDebugPrivilege	1800	QUOTATION.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1824	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1436 Explorer.EXE
1436 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1436 Explorer.EXE
1436 Explorer.EXE

pid	process
1436	Explorer.EXE
1436	Explorer.EXE

pid	process
1436	Explorer.EXE
1436	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

QUOTATION.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 812 wrote to memory of 1248	812	QUOTATION.exe	powershell.exe
PID 812 wrote to memory of 1248	812	QUOTATION.exe	powershell.exe
PID 812 wrote to memory of 1248	812	QUOTATION.exe	powershell.exe
PID 812 wrote to memory of 1248	812	QUOTATION.exe	powershell.exe
PID 812 wrote to memory of 112	812	QUOTATION.exe	schtasks.exe
PID 812 wrote to memory of 112	812	QUOTATION.exe	schtasks.exe
PID 812 wrote to memory of 112	812	QUOTATION.exe	schtasks.exe
PID 812 wrote to memory of 112	812	QUOTATION.exe	schtasks.exe
PID 812 wrote to memory of 864	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 864	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 864	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 864	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 900	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 900	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 900	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 900	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 812 wrote to memory of 1800	812	QUOTATION.exe	QUOTATION.exe
PID 1436 wrote to memory of 1824	1436	Explorer.EXE	help.exe
PID 1436 wrote to memory of 1824	1436	Explorer.EXE	help.exe
PID 1436 wrote to memory of 1824	1436	Explorer.EXE	help.exe
PID 1436 wrote to memory of 1824	1436	Explorer.EXE	help.exe
PID 1824 wrote to memory of 1148	1824	help.exe	cmd.exe
PID 1824 wrote to memory of 1148	1824	help.exe	cmd.exe
PID 1824 wrote to memory of 1148	1824	help.exe	cmd.exe
PID 1824 wrote to memory of 1148	1824	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xTSWHnBWgqC.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xTSWHnBWgqC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp"
3⤵
- Creates scheduled task(s)
PID:112

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
- Deletes itself
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
8fe7bb79adbb0f79688899b70f72fdca

SHA1
49abdeaa547861dfeb1cdd1a3e78e0345de76a67

SHA256
33f1f93194b4d7e9c82efa22b8f960eee4b94b462a2f3a98b916ecd51aa6b771

SHA512
d77b750d5ce539cb158ed66e9eb42f86458056993bd26a1c500a7b531a39fe3929229c2af897a748817210d713d7759b23a67701c135bbf4aa58928bafcc4d69

Download Submit
memory/812-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/812-55-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/812-56-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/812-57-0x0000000004E90000-0x0000000004EF6000-memory.dmp

Filesize
408KB

Download
memory/812-53-0x0000000000290000-0x0000000000316000-memory.dmp

Filesize
536KB

Download
memory/1248-68-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1248-66-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1436-75-0x00000000063E0000-0x00000000064DE000-memory.dmp

Filesize
1016KB

Download
memory/1436-70-0x0000000006C90000-0x0000000006E3F000-memory.dmp

Filesize
1.7MB

Download
memory/1800-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-67-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1800-69-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/1800-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-71-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1824-72-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1824-73-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1824-74-0x0000000000500000-0x00000000008C1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads