formbook | a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399

General

Target

tmp.exe
Size

1.5MB
MD5

a1c4645815d0ab06831f62042cfa0da0
SHA1

e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee
SHA256

a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
SHA512

a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020

Score

10^/10

formbook nff evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1156-62-0x000000000041EAF0-mapping.dmp	formbook
behavioral1/memory/1156-61-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	tmp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1796 set thread context of 1156 1796 tmp.exe tmp.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

472 1156 WerFault.exe tmp.exe

description	pid	process	target process
PID 1796 set thread context of 1156	1796	tmp.exe	tmp.exe

pid	pid_target	process	target process
472	1156	WerFault.exe	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

tmp.exetmp.exe

description	pid	process	target process
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1796 wrote to memory of 1156	1796	tmp.exe	tmp.exe
PID 1156 wrote to memory of 472	1156	tmp.exe	WerFault.exe
PID 1156 wrote to memory of 472	1156	tmp.exe	WerFault.exe
PID 1156 wrote to memory of 472	1156	tmp.exe	WerFault.exe
PID 1156 wrote to memory of 472	1156	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 36
3⤵
- Program crash
PID:472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-63-0x0000000000000000-mapping.dmp

Download
memory/1156-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1156-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1156-62-0x000000000041EAF0-mapping.dmp

Download
memory/1156-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1796-54-0x0000000001010000-0x000000000119A000-memory.dmp

Filesize
1.5MB

Download
memory/1796-55-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/1796-56-0x0000000005510000-0x00000000055B2000-memory.dmp

Filesize
648KB

Download
memory/1796-57-0x0000000000660000-0x0000000000694000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads