formbook | e0586f6e028448a0dafda2bf958fd9d1d9b63636b29c8a8847e481a3122e71a2

General

Target

DHL_AWB_NO#907853880911.exe
Size

213KB
MD5

fb67faae4d6130eb562c38fc510dfeae
SHA1

1dde4f5576327e33d629a7ef382c149613f188b2
SHA256

e0586f6e028448a0dafda2bf958fd9d1d9b63636b29c8a8847e481a3122e71a2
SHA512

0aa32ce0ea540febe6bc3387235ec52fd5c7a8b4850f831aae0069acc9ea81455dfc422f61faba693782e6e5c899c0386aba0918f2c435fb43a0ef178c022502

Score

10^/10

formbook fw02 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2072-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2072-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3160-145-0x0000000000B70000-0x0000000000B9F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

nceystz.exenceystz.exe

pid process

5084 nceystz.exe
2072 nceystz.exe

pid	process
5084	nceystz.exe
2072	nceystz.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nceystz.exenceystz.exewscript.exe

description	pid	process	target process
PID 5084 set thread context of 2072	5084	nceystz.exe	nceystz.exe
PID 2072 set thread context of 1880	2072	nceystz.exe	Explorer.EXE
PID 3160 set thread context of 1880	3160	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

nceystz.exewscript.exe

pid	process
2072	nceystz.exe
2072	nceystz.exe
2072	nceystz.exe
2072	nceystz.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe
3160	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1880 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

nceystz.exewscript.exe

pid process

2072 nceystz.exe
2072 nceystz.exe
2072 nceystz.exe
3160 wscript.exe
3160 wscript.exe

pid	process
1880	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

nceystz.exewscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2072	nceystz.exe
Token: SeDebugPrivilege	3160	wscript.exe
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1880 Explorer.EXE
1880 Explorer.EXE

pid	process
1880	Explorer.EXE
1880	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DHL_AWB_NO#907853880911.exenceystz.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 4392 wrote to memory of 5084	4392	DHL_AWB_NO#907853880911.exe	nceystz.exe
PID 4392 wrote to memory of 5084	4392	DHL_AWB_NO#907853880911.exe	nceystz.exe
PID 4392 wrote to memory of 5084	4392	DHL_AWB_NO#907853880911.exe	nceystz.exe
PID 5084 wrote to memory of 2072	5084	nceystz.exe	nceystz.exe
PID 5084 wrote to memory of 2072	5084	nceystz.exe	nceystz.exe
PID 5084 wrote to memory of 2072	5084	nceystz.exe	nceystz.exe
PID 5084 wrote to memory of 2072	5084	nceystz.exe	nceystz.exe
PID 5084 wrote to memory of 2072	5084	nceystz.exe	nceystz.exe
PID 5084 wrote to memory of 2072	5084	nceystz.exe	nceystz.exe
PID 1880 wrote to memory of 3160	1880	Explorer.EXE	wscript.exe
PID 1880 wrote to memory of 3160	1880	Explorer.EXE	wscript.exe
PID 1880 wrote to memory of 3160	1880	Explorer.EXE	wscript.exe
PID 3160 wrote to memory of 2480	3160	wscript.exe	cmd.exe
PID 3160 wrote to memory of 2480	3160	wscript.exe	cmd.exe
PID 3160 wrote to memory of 2480	3160	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\nceystz.exe
C:\Users\Admin\AppData\Local\Temp\nceystz.exe C:\Users\Admin\AppData\Local\Temp\oqkvcyrte
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\nceystz.exe
C:\Users\Admin\AppData\Local\Temp\nceystz.exe C:\Users\Admin\AppData\Local\Temp\oqkvcyrte
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\nceystz.exe"
3⤵
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jc417bh38wtxp
Filesize
184KB

MD5
f099fbc4726b5a8ec66677fbd4d84c97

SHA1
8f4cff97664bce30e19596e8a0ab3dd51e84ad12

SHA256
d01d597fc03bb0e441c5d83bd0298c2ba37185dfbcab182f378ceacbd5f874eb

SHA512
7d9b734b9df0e53e26059dc37f0738a5e62e1eef427575796e4f7c71f24b7800abc2c9890fb8a3bde76cc6abf0cdd270312afe3541611a0c31b6f3f669231fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nceystz.exe
Filesize
3KB

MD5
8a6050af69a12ca8a3b820ec718fd7d8

SHA1
14270710f3a3c98f5ec41fc3a3b77851114881f0

SHA256
86474c7d4e6c80d28cbe983b9a305b4d1c7911a3af84975b1757cc104d0f35f5

SHA512
5c7cccc5389983d4aae25d6ee1bcd7d45c34e96818eede4876f5ca1ac2a4c38391ffdff5932670ea800bb023347d9f83b08c6877491348aa6c28f26837f25000

Download Submit
C:\Users\Admin\AppData\Local\Temp\nceystz.exe
Filesize
3KB

MD5
8a6050af69a12ca8a3b820ec718fd7d8

SHA1
14270710f3a3c98f5ec41fc3a3b77851114881f0

SHA256
86474c7d4e6c80d28cbe983b9a305b4d1c7911a3af84975b1757cc104d0f35f5

SHA512
5c7cccc5389983d4aae25d6ee1bcd7d45c34e96818eede4876f5ca1ac2a4c38391ffdff5932670ea800bb023347d9f83b08c6877491348aa6c28f26837f25000

Download Submit
C:\Users\Admin\AppData\Local\Temp\nceystz.exe
Filesize
3KB

MD5
8a6050af69a12ca8a3b820ec718fd7d8

SHA1
14270710f3a3c98f5ec41fc3a3b77851114881f0

SHA256
86474c7d4e6c80d28cbe983b9a305b4d1c7911a3af84975b1757cc104d0f35f5

SHA512
5c7cccc5389983d4aae25d6ee1bcd7d45c34e96818eede4876f5ca1ac2a4c38391ffdff5932670ea800bb023347d9f83b08c6877491348aa6c28f26837f25000

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqkvcyrte
Filesize
5KB

MD5
944b9f8116d9b2688b69a8f4a8ec6df6

SHA1
b7aa154fe6c87852123f760e00b1906ea6b9c39e

SHA256
370a10405e857c3f44059dd6cbd0e9ebb17302c3c2081fc6de73974ebcecc489

SHA512
a8c975df92fa0731a2729c9401cd967efc47cf3dec1e050fc117ecd8a310e05737408bd1f135e16f06016488bc4e97653c348b8b03afb22f0e4828f84b9cb0b6

Download Submit
memory/1880-141-0x0000000002F30000-0x000000000302B000-memory.dmp

Filesize
1004KB

Download
memory/1880-149-0x00000000086A0000-0x00000000087BB000-memory.dmp

Filesize
1.1MB

Download
memory/2072-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-140-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/2072-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-142-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2072-135-0x0000000000000000-mapping.dmp

Download
memory/2480-146-0x0000000000000000-mapping.dmp

Download
memory/3160-143-0x0000000000000000-mapping.dmp

Download
memory/3160-144-0x00000000005A0000-0x00000000005C7000-memory.dmp

Filesize
156KB

Download
memory/3160-145-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/3160-147-0x0000000002F20000-0x000000000326A000-memory.dmp

Filesize
3.3MB

Download
memory/3160-148-0x0000000002D50000-0x0000000002DE3000-memory.dmp

Filesize
588KB

Download
memory/5084-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads