formbook | 0daa09469850448a4e784e04448e25ebd6e7bdc26d61e0017a3ae602025da1bb

General

Target

new_po_098847excel.exe
Size

608KB
MD5

941bf5aee26ff5069ee30be727d3371b
SHA1

1fd3ef2cd0294bd0c9d00d6221da50e3015111c3
SHA256

0daa09469850448a4e784e04448e25ebd6e7bdc26d61e0017a3ae602025da1bb
SHA512

01d47239d868d7075235fc6d91e2e987dc476b32923f729f74891ab219767a6eda5d2253e33be2e846f7f19ad42c495077d7641bd19652fffb081b73fc2a7a2d

Score

10^/10

formbook sc21 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sc21

Decoy

fan-y-guff.net

blockraptor.com

in-value.com

mobilehomeflorida.com

supreme-ink-namibia.com

fitseek.website

thermalchar.com

arbsevices.com

jacksongary.com

ukoproducciones.com

inginnoedutxt.com

xeentours.com

kokinet.xyz

mojatrznica.online

hdjag.com

jjsjoint.com

xggzgjmy.com

truvshop.com

partyvulcan.com

angrymongol.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/668-57-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/668-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/920-66-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1380 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

new_po_098847excel.exe

pid process

1100 new_po_098847excel.exe

pid	process
1380	cmd.exe

pid	process
1100	new_po_098847excel.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

new_po_098847excel.exenew_po_098847excel.exewuapp.exe

description	pid	process	target process
PID 1100 set thread context of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 668 set thread context of 1420	668	new_po_098847excel.exe	Explorer.EXE
PID 668 set thread context of 1420	668	new_po_098847excel.exe	Explorer.EXE
PID 920 set thread context of 1420	920	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

new_po_098847excel.exewuapp.exe

pid	process
668	new_po_098847excel.exe
668	new_po_098847excel.exe
668	new_po_098847excel.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe
920	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

new_po_098847excel.exewuapp.exe

pid process

668 new_po_098847excel.exe
668 new_po_098847excel.exe
668 new_po_098847excel.exe
668 new_po_098847excel.exe
920 wuapp.exe
920 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

new_po_098847excel.exewuapp.exe

description pid process

Token: SeDebugPrivilege 668 new_po_098847excel.exe
Token: SeDebugPrivilege 920 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE

pid	process
1420	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	668	new_po_098847excel.exe
Token: SeDebugPrivilege	920	wuapp.exe

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

new_po_098847excel.exenew_po_098847excel.exewuapp.exe

description	pid	process	target process
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 1100 wrote to memory of 668	1100	new_po_098847excel.exe	new_po_098847excel.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 668 wrote to memory of 920	668	new_po_098847excel.exe	wuapp.exe
PID 920 wrote to memory of 1380	920	wuapp.exe	cmd.exe
PID 920 wrote to memory of 1380	920	wuapp.exe	cmd.exe
PID 920 wrote to memory of 1380	920	wuapp.exe	cmd.exe
PID 920 wrote to memory of 1380	920	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1420

C:\Users\Admin\AppData\Local\Temp\new_po_098847excel.exe
"C:\Users\Admin\AppData\Local\Temp\new_po_098847excel.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\new_po_098847excel.exe
"C:\Users\Admin\AppData\Local\Temp\new_po_098847excel.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\new_po_098847excel.exe"
5⤵
- Deletes itself
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyC998.tmp\utfnocnmrel.dll
MD5
736fc3b69e117dd2cfd7858606362059

SHA1
201e31025f33a5cafe699b53234268a2144782fb

SHA256
76b9ab99218c413a774620ff0dded40a227f0aaadc7a3831464b22e346054533

SHA512
1d07b2b06bfe06bb446160d03d97d4383bba583c3eec86ebbad87d3913b22168af495763d750e677612ec20803dacb3bd609c143b00ab54aafdf0f38c82928ca

Download Submit
memory/668-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-59-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/668-60-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/668-63-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download
memory/920-65-0x00000000013C0000-0x00000000013CB000-memory.dmp

Filesize
44KB

Download
memory/920-66-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/920-67-0x0000000000AB0000-0x0000000000DB3000-memory.dmp

Filesize
3.0MB

Download
memory/920-68-0x0000000000920000-0x00000000009B3000-memory.dmp

Filesize
588KB

Download
memory/1100-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/1420-61-0x0000000007040000-0x0000000007194000-memory.dmp

Filesize
1.3MB

Download
memory/1420-64-0x0000000004930000-0x00000000049E5000-memory.dmp

Filesize
724KB

Download
memory/1420-69-0x00000000071A0000-0x000000000730A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads