formbook | 4f227641cdcdea06d222012087bfc21a3eb4bf62ffaac2990e2f01bf0ec62809

General

Target

Epludok.exe
Size

760KB
MD5

44d3e3a2192ac3389703aa8dd76cc2a4
SHA1

c804473e0d109785e6684190406657322e14b79b
SHA256

4f227641cdcdea06d222012087bfc21a3eb4bf62ffaac2990e2f01bf0ec62809
SHA512

ba31417ea20644ab29a62723db058ef2a3f3f2ddc340b69505e73beed1b2c26234ffd3175f1b70882e95b072523747ffad0daeb4c34eb3400df99e09d8910f3f

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2992-139-0x0000000072480000-0x00000000724AE000-memory.dmp	formbook
behavioral2/memory/4404-159-0x0000000000F10000-0x0000000000F3E000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Epludok.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epludok = "C:\\Users\\Public\\kodulpE.url"	Epludok.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exeNETSTAT.EXE

description	pid	process	target process
PID 2992 set thread context of 2488	2992	logagent.exe	Explorer.EXE
PID 4404 set thread context of 2488	4404	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4404 NETSTAT.EXE
Runs net.exe

pid	process
4404	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

logagent.exepowershell.exeNETSTAT.EXE

pid	process
2992	logagent.exe
2992	logagent.exe
2992	logagent.exe
2992	logagent.exe
3644	powershell.exe
3644	powershell.exe
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE
4404	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2488 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exeNETSTAT.EXE

pid process

2992 logagent.exe
2992 logagent.exe
2992 logagent.exe
4404 NETSTAT.EXE
4404 NETSTAT.EXE

pid	process
2488	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

logagent.exepowershell.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2992	logagent.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	2488	Explorer.EXE
Token: SeCreatePagefilePrivilege	2488	Explorer.EXE
Token: SeDebugPrivilege	4404	NETSTAT.EXE
Token: SeShutdownPrivilege	2488	Explorer.EXE
Token: SeCreatePagefilePrivilege	2488	Explorer.EXE
Token: SeShutdownPrivilege	2488	Explorer.EXE
Token: SeCreatePagefilePrivilege	2488	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Epludok.execmd.execmd.exenet.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3816 wrote to memory of 2992	3816	Epludok.exe	logagent.exe
PID 3816 wrote to memory of 2992	3816	Epludok.exe	logagent.exe
PID 3816 wrote to memory of 2992	3816	Epludok.exe	logagent.exe
PID 3816 wrote to memory of 2992	3816	Epludok.exe	logagent.exe
PID 3816 wrote to memory of 2992	3816	Epludok.exe	logagent.exe
PID 3816 wrote to memory of 2992	3816	Epludok.exe	logagent.exe
PID 3816 wrote to memory of 2132	3816	Epludok.exe	cmd.exe
PID 3816 wrote to memory of 2132	3816	Epludok.exe	cmd.exe
PID 3816 wrote to memory of 2132	3816	Epludok.exe	cmd.exe
PID 2132 wrote to memory of 3016	2132	cmd.exe	cmd.exe
PID 2132 wrote to memory of 3016	2132	cmd.exe	cmd.exe
PID 2132 wrote to memory of 3016	2132	cmd.exe	cmd.exe
PID 3016 wrote to memory of 3364	3016	cmd.exe	net.exe
PID 3016 wrote to memory of 3364	3016	cmd.exe	net.exe
PID 3016 wrote to memory of 3364	3016	cmd.exe	net.exe
PID 3364 wrote to memory of 3584	3364	net.exe	net1.exe
PID 3364 wrote to memory of 3584	3364	net.exe	net1.exe
PID 3364 wrote to memory of 3584	3364	net.exe	net1.exe
PID 3016 wrote to memory of 3644	3016	cmd.exe	powershell.exe
PID 3016 wrote to memory of 3644	3016	cmd.exe	powershell.exe
PID 3016 wrote to memory of 3644	3016	cmd.exe	powershell.exe
PID 2488 wrote to memory of 4404	2488	Explorer.EXE	NETSTAT.EXE
PID 2488 wrote to memory of 4404	2488	Explorer.EXE	NETSTAT.EXE
PID 2488 wrote to memory of 4404	2488	Explorer.EXE	NETSTAT.EXE
PID 4404 wrote to memory of 4756	4404	NETSTAT.EXE	cmd.exe
PID 4404 wrote to memory of 4756	4404	NETSTAT.EXE	cmd.exe
PID 4404 wrote to memory of 4756	4404	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\Epludok.exe
"C:\Users\Admin\AppData\Local\Temp\Epludok.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Epludokt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\EpludokO.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\net.exe
net session
5⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
6⤵
PID:3584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Cdex.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\EpludokO.bat
MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Epludokt.bat
MD5
f229d960a7904ac2ec6065f25ca9333b

SHA1
7702e067ec3edc567bb29f8da56723d2740f9939

SHA256
75bc1cd2ea27a701ff672aa9d3f28630bc079c8df41ba17ea9331c55261b3c25

SHA512
3d980b3d7153385acda0732e9eda29f34aeb4105415d8effb3f4fbd5309828d511bb22d8c406a3375586391cf6a4bfd0d25964f755918c1bf91959c03ec38b84

Download Submit
memory/2488-170-0x0000000008CB0000-0x0000000008E24000-memory.dmp

Filesize
1.5MB

Download
memory/2488-152-0x00000000089F0000-0x0000000008AFC000-memory.dmp

Filesize
1.0MB

Download
memory/2992-147-0x00000000031F0000-0x000000000353A000-memory.dmp

Filesize
3.3MB

Download
memory/2992-139-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/2992-138-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2992-151-0x0000000001820000-0x0000000001834000-memory.dmp

Filesize
80KB

Download
memory/2992-150-0x000000007249E000-0x000000007249F000-memory.dmp

Filesize
4KB

Download
memory/3644-141-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/3644-162-0x00000000077A0000-0x0000000007E1A000-memory.dmp

Filesize
6.5MB

Download
memory/3644-144-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/3644-143-0x0000000004F30000-0x0000000004F52000-memory.dmp

Filesize
136KB

Download
memory/3644-146-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3644-148-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/3644-149-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/3644-168-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/3644-140-0x0000000004950000-0x0000000004986000-memory.dmp

Filesize
216KB

Download
memory/3644-167-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/3644-153-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/3644-154-0x0000000006390000-0x00000000063C2000-memory.dmp

Filesize
200KB

Download
memory/3644-155-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/3644-156-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/3644-166-0x0000000007310000-0x000000000731E000-memory.dmp

Filesize
56KB

Download
memory/3644-165-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/3644-160-0x000000007F420000-0x000000007F421000-memory.dmp

Filesize
4KB

Download
memory/3644-157-0x0000000004A25000-0x0000000004A27000-memory.dmp

Filesize
8KB

Download
memory/3644-164-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/3644-145-0x0000000072AA0000-0x0000000073250000-memory.dmp

Filesize
7.7MB

Download
memory/3644-163-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/3816-137-0x0000000003926000-0x0000000003927000-memory.dmp

Filesize
4KB

Download
memory/3816-131-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3816-132-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4404-161-0x0000000001930000-0x0000000001C7A000-memory.dmp

Filesize
3.3MB

Download
memory/4404-159-0x0000000000F10000-0x0000000000F3E000-memory.dmp

Filesize
184KB

Download
memory/4404-158-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/4404-169-0x00000000016A0000-0x0000000001733000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads