formbook | a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399

General

Target

tmp.exe
Size

1.5MB
MD5

a1c4645815d0ab06831f62042cfa0da0
SHA1

e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee
SHA256

a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
SHA512

a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020

Score

10^/10

formbook nff evasion rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3160-137-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3160-139-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4388-145-0x00000000008F0000-0x000000000091E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	tmp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.exeNETSTAT.EXE

description	pid	process	target process
PID 4268 set thread context of 3160	4268	tmp.exe	tmp.exe
PID 3160 set thread context of 1552	3160	tmp.exe	Explorer.EXE
PID 4388 set thread context of 1552	4388	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4388 NETSTAT.EXE

pid	process
4388	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

tmp.exetmp.exeNETSTAT.EXE

pid	process
4268	tmp.exe
3160	tmp.exe
3160	tmp.exe
3160	tmp.exe
3160	tmp.exe
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE
4388	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1552 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tmp.exeNETSTAT.EXE

pid process

3160 tmp.exe
3160 tmp.exe
3160 tmp.exe
4388 NETSTAT.EXE
4388 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exetmp.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4268 tmp.exe
Token: SeDebugPrivilege 3160 tmp.exe
Token: SeDebugPrivilege 4388 NETSTAT.EXE

pid	process
1552	Explorer.EXE

pid	process
3160	tmp.exe
3160	tmp.exe
3160	tmp.exe
4388	NETSTAT.EXE
4388	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4268	tmp.exe
Token: SeDebugPrivilege	3160	tmp.exe
Token: SeDebugPrivilege	4388	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4268 wrote to memory of 3160	4268	tmp.exe	tmp.exe
PID 4268 wrote to memory of 3160	4268	tmp.exe	tmp.exe
PID 4268 wrote to memory of 3160	4268	tmp.exe	tmp.exe
PID 4268 wrote to memory of 3160	4268	tmp.exe	tmp.exe
PID 4268 wrote to memory of 3160	4268	tmp.exe	tmp.exe
PID 4268 wrote to memory of 3160	4268	tmp.exe	tmp.exe
PID 1552 wrote to memory of 4388	1552	Explorer.EXE	NETSTAT.EXE
PID 1552 wrote to memory of 4388	1552	Explorer.EXE	NETSTAT.EXE
PID 1552 wrote to memory of 4388	1552	Explorer.EXE	NETSTAT.EXE
PID 4388 wrote to memory of 3128	4388	NETSTAT.EXE	cmd.exe
PID 4388 wrote to memory of 3128	4388	NETSTAT.EXE	cmd.exe
PID 4388 wrote to memory of 3128	4388	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-149-0x00000000026C0000-0x0000000002758000-memory.dmp

Filesize
608KB

Download
memory/1552-142-0x0000000007B20000-0x0000000007C32000-memory.dmp

Filesize
1.1MB

Download
memory/3128-146-0x0000000000000000-mapping.dmp

Download
memory/3160-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3160-141-0x0000000001500000-0x0000000001514000-memory.dmp

Filesize
80KB

Download
memory/3160-140-0x00000000011B0000-0x00000000014FA000-memory.dmp

Filesize
3.3MB

Download
memory/3160-136-0x0000000000000000-mapping.dmp

Download
memory/3160-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4268-134-0x0000000007900000-0x000000000799C000-memory.dmp

Filesize
624KB

Download
memory/4268-135-0x000000000D490000-0x000000000D4F6000-memory.dmp

Filesize
408KB

Download
memory/4268-130-0x0000000000850000-0x00000000009DA000-memory.dmp

Filesize
1.5MB

Download
memory/4268-133-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/4268-132-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/4268-131-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4388-143-0x0000000000000000-mapping.dmp

Download
memory/4388-144-0x0000000000870000-0x000000000087B000-memory.dmp

Filesize
44KB

Download
memory/4388-145-0x00000000008F0000-0x000000000091E000-memory.dmp

Filesize
184KB

Download
memory/4388-147-0x0000000001080000-0x00000000013CA000-memory.dmp

Filesize
3.3MB

Download
memory/4388-148-0x00000000013D0000-0x0000000001463000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads