formbook | 50dba2f344aa086c034ce37a3aea4e70629a0eeaa8c59b2b6f6395b4969b7dc1

General

Target

Siparis onayi eklendi.exe
Size

816KB
MD5

a6d1e703b380b1e716889f07cc087760
SHA1

f8abf6e3ecb0c332ace24b7ccdfcdfa50b0e968e
SHA256

50dba2f344aa086c034ce37a3aea4e70629a0eeaa8c59b2b6f6395b4969b7dc1
SHA512

658e5b8f08b3a0d4b0ef999386a4a7258d5630d3995049dd8cdd48c7992d9c201f38fc1b915817708a654a3c600dd38b602292dd4b58a51e49093f9ee3800f72

Score

10^/10

formbook 3nop persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2248-137-0x0000000072480000-0x00000000724AE000-memory.dmp	formbook
behavioral2/memory/3360-145-0x00000000025A0000-0x00000000025CE000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Siparis onayi eklendi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Itvjech = "C:\\Users\\Public\\hcejvtI.url"	Siparis onayi eklendi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exemsdt.exe

description	pid	process	target process
PID 2248 set thread context of 2436	2248	logagent.exe	Explorer.EXE
PID 3360 set thread context of 2436	3360	msdt.exe	Explorer.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

logagent.exemsdt.exepowershell.exe

pid	process
2248	logagent.exe
2248	logagent.exe
2248	logagent.exe
2248	logagent.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
2944	powershell.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
2944	powershell.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe
3360	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2436 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exemsdt.exe

pid process

2248 logagent.exe
2248 logagent.exe
2248 logagent.exe
3360 msdt.exe
3360 msdt.exe

pid	process
2436	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

logagent.exeExplorer.EXEmsdt.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2248	logagent.exe
Token: SeShutdownPrivilege	2436	Explorer.EXE
Token: SeCreatePagefilePrivilege	2436	Explorer.EXE
Token: SeDebugPrivilege	3360	msdt.exe
Token: SeShutdownPrivilege	2436	Explorer.EXE
Token: SeCreatePagefilePrivilege	2436	Explorer.EXE
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeShutdownPrivilege	2436	Explorer.EXE
Token: SeCreatePagefilePrivilege	2436	Explorer.EXE
Token: SeShutdownPrivilege	2436	Explorer.EXE
Token: SeCreatePagefilePrivilege	2436	Explorer.EXE
Token: SeShutdownPrivilege	2436	Explorer.EXE
Token: SeCreatePagefilePrivilege	2436	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Siparis onayi eklendi.execmd.execmd.exenet.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1144 wrote to memory of 2248	1144	Siparis onayi eklendi.exe	logagent.exe
PID 1144 wrote to memory of 2248	1144	Siparis onayi eklendi.exe	logagent.exe
PID 1144 wrote to memory of 2248	1144	Siparis onayi eklendi.exe	logagent.exe
PID 1144 wrote to memory of 2248	1144	Siparis onayi eklendi.exe	logagent.exe
PID 1144 wrote to memory of 2248	1144	Siparis onayi eklendi.exe	logagent.exe
PID 1144 wrote to memory of 2248	1144	Siparis onayi eklendi.exe	logagent.exe
PID 1144 wrote to memory of 3016	1144	Siparis onayi eklendi.exe	cmd.exe
PID 1144 wrote to memory of 3016	1144	Siparis onayi eklendi.exe	cmd.exe
PID 1144 wrote to memory of 3016	1144	Siparis onayi eklendi.exe	cmd.exe
PID 3016 wrote to memory of 452	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 452	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 452	3016	cmd.exe	cmd.exe
PID 452 wrote to memory of 2864	452	cmd.exe	net.exe
PID 452 wrote to memory of 2864	452	cmd.exe	net.exe
PID 452 wrote to memory of 2864	452	cmd.exe	net.exe
PID 2864 wrote to memory of 3888	2864	net.exe	net1.exe
PID 2864 wrote to memory of 3888	2864	net.exe	net1.exe
PID 2864 wrote to memory of 3888	2864	net.exe	net1.exe
PID 2436 wrote to memory of 3360	2436	Explorer.EXE	msdt.exe
PID 2436 wrote to memory of 3360	2436	Explorer.EXE	msdt.exe
PID 2436 wrote to memory of 3360	2436	Explorer.EXE	msdt.exe
PID 452 wrote to memory of 2944	452	cmd.exe	powershell.exe
PID 452 wrote to memory of 2944	452	cmd.exe	powershell.exe
PID 452 wrote to memory of 2944	452	cmd.exe	powershell.exe
PID 3360 wrote to memory of 376	3360	msdt.exe	cmd.exe
PID 3360 wrote to memory of 376	3360	msdt.exe	cmd.exe
PID 3360 wrote to memory of 376	3360	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\Siparis onayi eklendi.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis onayi eklendi.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Itvjecht.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\ItvjechO.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\net.exe
net session
5⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
6⤵
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Cdex.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\ItvjechO.bat
MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Itvjecht.bat
MD5
0a5c3b74c05c78f53183728ca1806768

SHA1
793e6a7f3ea1aa0583111244c106e321cc0870e2

SHA256
134d7af0771052e1c15f60b5bb32660709a56767037811f12703ca5cad1c40b1

SHA512
9538698e0501c4e9e790e0da00cd6020ac1e776ebe12ef1c7c7478cf7e69a1477f31c61a03003d1d6fb7e7aa144d285fa5cbc8d41547cef490ce7925b230c114

Download Submit
memory/1144-133-0x0000000003F16000-0x0000000003F17000-memory.dmp

Filesize
4KB

Download
memory/1144-130-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2248-136-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2248-137-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/2248-138-0x0000000004440000-0x000000000478A000-memory.dmp

Filesize
3.3MB

Download
memory/2248-141-0x000000007249E000-0x000000007249F000-memory.dmp

Filesize
4KB

Download
memory/2248-142-0x00000000027F0000-0x0000000002804000-memory.dmp

Filesize
80KB

Download
memory/2436-151-0x0000000008C70000-0x0000000008DDB000-memory.dmp

Filesize
1.4MB

Download
memory/2436-143-0x00000000073D0000-0x000000000750F000-memory.dmp

Filesize
1.2MB

Download
memory/2944-153-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2944-160-0x00000000053D5000-0x00000000053D7000-memory.dmp

Filesize
8KB

Download
memory/2944-149-0x00000000727C0000-0x0000000072F70000-memory.dmp

Filesize
7.7MB

Download
memory/2944-171-0x0000000009F40000-0x0000000009F48000-memory.dmp

Filesize
32KB

Download
memory/2944-170-0x0000000009F60000-0x0000000009F7A000-memory.dmp

Filesize
104KB

Download
memory/2944-152-0x0000000005420000-0x0000000005456000-memory.dmp

Filesize
216KB

Download
memory/2944-169-0x0000000009E50000-0x0000000009E5E000-memory.dmp

Filesize
56KB

Download
memory/2944-154-0x00000000053D2000-0x00000000053D3000-memory.dmp

Filesize
4KB

Download
memory/2944-155-0x0000000007B50000-0x0000000008178000-memory.dmp

Filesize
6.2MB

Download
memory/2944-156-0x0000000007970000-0x0000000007992000-memory.dmp

Filesize
136KB

Download
memory/2944-157-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/2944-158-0x00000000082F0000-0x0000000008356000-memory.dmp

Filesize
408KB

Download
memory/2944-159-0x00000000088B0000-0x00000000088CE000-memory.dmp

Filesize
120KB

Download
memory/2944-168-0x0000000009EA0000-0x0000000009F36000-memory.dmp

Filesize
600KB

Download
memory/2944-161-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/2944-162-0x0000000009A80000-0x0000000009AB2000-memory.dmp

Filesize
200KB

Download
memory/2944-163-0x0000000074B30000-0x0000000074B7C000-memory.dmp

Filesize
304KB

Download
memory/2944-164-0x0000000009AC0000-0x0000000009ADE000-memory.dmp

Filesize
120KB

Download
memory/2944-165-0x000000000A260000-0x000000000A8DA000-memory.dmp

Filesize
6.5MB

Download
memory/2944-166-0x0000000009C20000-0x0000000009C3A000-memory.dmp

Filesize
104KB

Download
memory/2944-167-0x0000000009CA0000-0x0000000009CAA000-memory.dmp

Filesize
40KB

Download
memory/3360-146-0x00000000048E0000-0x0000000004C2A000-memory.dmp

Filesize
3.3MB

Download
memory/3360-144-0x00000000001D0000-0x0000000000227000-memory.dmp

Filesize
348KB

Download
memory/3360-145-0x00000000025A0000-0x00000000025CE000-memory.dmp

Filesize
184KB

Download
memory/3360-150-0x00000000044A0000-0x0000000004533000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads