formbook | bc1e7e59c022c6a18268526652635867ae48ca1463c0084bc59781976b794f58

General

Target

Payment_Advice.exe
Size

347KB
MD5

7743639ddcae00f91ce46f21bf73a9a8
SHA1

1daa2f866b0abf7cd48d43011562938ae6543b95
SHA256

b011f06c7ab6d49b0dd9285e1e2d9dee21efae17f6be4281ec7a6a26e2bed812
SHA512

8651283009598240de0e870e7d22ad0e9cec2f64a57b04ff094dece68a8cda917289c5985011c26ae91450a7e4e585989420d661f96f8a13105e3c95c2f93714

Score

10^/10

formbook oh75 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4668-134-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5064-144-0x0000000000F20000-0x0000000000F4F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ndwtcegu.exendwtcegu.exe

pid process

3716 ndwtcegu.exe
4668 ndwtcegu.exe

pid	process
3716	ndwtcegu.exe
4668	ndwtcegu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ndwtcegu.exendwtcegu.exeraserver.exe

description	pid	process	target process
PID 3716 set thread context of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 4668 set thread context of 2920	4668	ndwtcegu.exe	Explorer.EXE
PID 5064 set thread context of 2920	5064	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

ndwtcegu.exeraserver.exe

pid	process
4668	ndwtcegu.exe
4668	ndwtcegu.exe
4668	ndwtcegu.exe
4668	ndwtcegu.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe
5064	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2920 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ndwtcegu.exeraserver.exe

pid process

4668 ndwtcegu.exe
4668 ndwtcegu.exe
4668 ndwtcegu.exe
5064 raserver.exe
5064 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ndwtcegu.exeraserver.exe

description pid process

Token: SeDebugPrivilege 4668 ndwtcegu.exe
Token: SeDebugPrivilege 5064 raserver.exe

pid	process
2920	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4668	ndwtcegu.exe
Token: SeDebugPrivilege	5064	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment_Advice.exendwtcegu.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2792 wrote to memory of 3716	2792	Payment_Advice.exe	ndwtcegu.exe
PID 2792 wrote to memory of 3716	2792	Payment_Advice.exe	ndwtcegu.exe
PID 2792 wrote to memory of 3716	2792	Payment_Advice.exe	ndwtcegu.exe
PID 3716 wrote to memory of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 3716 wrote to memory of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 3716 wrote to memory of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 3716 wrote to memory of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 3716 wrote to memory of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 3716 wrote to memory of 4668	3716	ndwtcegu.exe	ndwtcegu.exe
PID 2920 wrote to memory of 5064	2920	Explorer.EXE	raserver.exe
PID 2920 wrote to memory of 5064	2920	Explorer.EXE	raserver.exe
PID 2920 wrote to memory of 5064	2920	Explorer.EXE	raserver.exe
PID 5064 wrote to memory of 552	5064	raserver.exe	cmd.exe
PID 5064 wrote to memory of 552	5064	raserver.exe	cmd.exe
PID 5064 wrote to memory of 552	5064	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe C:\Users\Admin\AppData\Local\Temp\jmwabcbx
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe C:\Users\Admin\AppData\Local\Temp\jmwabcbx
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe"
3⤵
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6veiai77a5
MD5
c9037e076486dd830a5991b26e863a6c

SHA1
614addbb9e6080ff98ffa4cf044817ff4efe1c55

SHA256
90a660a915fc7fdc772206d8e5a6ff2837cd58923497f2314826f1fdf1ee7b93

SHA512
fcecfc62bb5e7939f87febf08196cce1edf2ec18986263f2290f2acfdd1f9dddaf682c35eb6735ab9af961832964a3231fb3bf357f7bf05a4589be75dad4c8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmwabcbx
MD5
4ed244db6765b1087ab8418518adfa5f

SHA1
0096a7e1107ed124324e36752403c63ce9d79c0b

SHA256
05504ec086be56151f3808e61c5845c8f28b031c9a992772842ea6fb62fb13e9

SHA512
95568124d08cec2601fdee1b343e351ad07721f9626c426cc67060559db6959fb2afe158bf28b874b8605f457a65c0c29a339cd77b901820008e62a37701eb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
MD5
c25603e52a6dbefa8f29394cdcfe8f0c

SHA1
64561c78eded3f3ef183b36b966fdaefc02d81a0

SHA256
656e1e9f05e4642314277019eb68dc3be47fb02d6017673537b7067623315202

SHA512
dcc0668345d9eba1d8a699c7c3e26e2487bf0658e92968d8fafcdadfcd17e893fc51cb3586e9f061c70260d30fe293b8bcc4ac2d27a755bbd052faf9134585ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
MD5
c25603e52a6dbefa8f29394cdcfe8f0c

SHA1
64561c78eded3f3ef183b36b966fdaefc02d81a0

SHA256
656e1e9f05e4642314277019eb68dc3be47fb02d6017673537b7067623315202

SHA512
dcc0668345d9eba1d8a699c7c3e26e2487bf0658e92968d8fafcdadfcd17e893fc51cb3586e9f061c70260d30fe293b8bcc4ac2d27a755bbd052faf9134585ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
MD5
c25603e52a6dbefa8f29394cdcfe8f0c

SHA1
64561c78eded3f3ef183b36b966fdaefc02d81a0

SHA256
656e1e9f05e4642314277019eb68dc3be47fb02d6017673537b7067623315202

SHA512
dcc0668345d9eba1d8a699c7c3e26e2487bf0658e92968d8fafcdadfcd17e893fc51cb3586e9f061c70260d30fe293b8bcc4ac2d27a755bbd052faf9134585ac

Download Submit
memory/2920-146-0x00000000078F0000-0x00000000079C1000-memory.dmp

Filesize
836KB

Download
memory/2920-141-0x0000000007F30000-0x000000000807C000-memory.dmp

Filesize
1.3MB

Download
memory/3716-136-0x0000000000810000-0x0000000000814000-memory.dmp

Filesize
16KB

Download
memory/4668-138-0x0000000001820000-0x0000000001B6A000-memory.dmp

Filesize
3.3MB

Download
memory/4668-140-0x00000000014B0000-0x00000000014C4000-memory.dmp

Filesize
80KB

Download
memory/4668-139-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/4668-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-142-0x0000000000560000-0x000000000057F000-memory.dmp

Filesize
124KB

Download
memory/5064-143-0x0000000002FC0000-0x000000000330A000-memory.dmp

Filesize
3.3MB

Download
memory/5064-144-0x0000000000F20000-0x0000000000F4F000-memory.dmp

Filesize
188KB

Download
memory/5064-145-0x0000000002E30000-0x0000000002EC3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads