formbook | b77167ef1dbe1ee6dcf7aef23a4b47087bf229237612ed5ca6f01c2cb2a28b3e

General

Target

BG032442552676.exe
Size

1.1MB
MD5

69d7fd7b1cc3a2517941731fb9c3aa2c
SHA1

70e96be6d19db9218684b29882e424e877071db4
SHA256

b8866409889805cd3132c7f3db0d02294eb25e747e0e095e913e2d75d437df59
SHA512

72ec387553a61718d8105b7ea9141c38edca49364616c9d0ce86b366c19ef75a4112be7d292dc7193077432cc353612a0539fcc349164efeec423d2e4c4a1d19

Score

10^/10

formbook modiloader 3nop persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1788-92-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral1/memory/568-95-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/568-120-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral1/memory/680-126-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

ModiLoader Second Stage 38 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1788-65-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-66-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-68-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-67-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-71-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-72-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-70-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-69-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-76-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-75-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-74-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-73-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-80-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-81-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-79-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-78-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-77-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-84-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-83-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-82-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-87-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-86-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-85-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-90-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-89-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-88-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-96-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-98-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-99-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-100-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-102-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-112-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-111-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-113-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-115-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-116-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-117-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-118-0x0000000004A80000-0x0000000004ADA000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BG032442552676.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xhsqehk = "C:\\Users\\Public\\Libraries\\kheqshX.url"	BG032442552676.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DpiScaling.exenetsh.exe

description	pid	process	target process
PID 568 set thread context of 1256	568	DpiScaling.exe	Explorer.EXE
PID 568 set thread context of 1256	568	DpiScaling.exe	Explorer.EXE
PID 680 set thread context of 1256	680	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

DpiScaling.exenetsh.exe

pid	process
568	DpiScaling.exe
568	DpiScaling.exe
568	DpiScaling.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe
680	netsh.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

DpiScaling.exenetsh.exe

pid process

568 DpiScaling.exe
568 DpiScaling.exe
568 DpiScaling.exe
568 DpiScaling.exe
680 netsh.exe
680 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DpiScaling.exenetsh.exe

description pid process

Token: SeDebugPrivilege 568 DpiScaling.exe
Token: SeDebugPrivilege 680 netsh.exe

description	pid	process
Token: SeDebugPrivilege	568	DpiScaling.exe
Token: SeDebugPrivilege	680	netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

BG032442552676.exeDpiScaling.exenetsh.exe

description	pid	process	target process
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 1788 wrote to memory of 568	1788	BG032442552676.exe	DpiScaling.exe
PID 568 wrote to memory of 680	568	DpiScaling.exe	netsh.exe
PID 568 wrote to memory of 680	568	DpiScaling.exe	netsh.exe
PID 568 wrote to memory of 680	568	DpiScaling.exe	netsh.exe
PID 568 wrote to memory of 680	568	DpiScaling.exe	netsh.exe
PID 680 wrote to memory of 1752	680	netsh.exe	cmd.exe
PID 680 wrote to memory of 1752	680	netsh.exe	cmd.exe
PID 680 wrote to memory of 1752	680	netsh.exe	cmd.exe
PID 680 wrote to memory of 1752	680	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\BG032442552676.exe
"C:\Users\Admin\AppData\Local\Temp\BG032442552676.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
5⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-93-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/568-95-0x0000000000000000-mapping.dmp

Download
memory/568-103-0x0000000002180000-0x0000000002483000-memory.dmp

Filesize
3.0MB

Download
memory/568-105-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/568-120-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/568-121-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/680-128-0x0000000000A80000-0x0000000000B13000-memory.dmp

Filesize
588KB

Download
memory/680-126-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/680-127-0x0000000000C10000-0x0000000000F13000-memory.dmp

Filesize
3.0MB

Download
memory/680-125-0x0000000001740000-0x000000000175B000-memory.dmp

Filesize
108KB

Download
memory/680-123-0x0000000000000000-mapping.dmp

Download
memory/1256-122-0x0000000004E00000-0x0000000004EEB000-memory.dmp

Filesize
940KB

Download
memory/1256-129-0x0000000004F30000-0x000000000503B000-memory.dmp

Filesize
1.0MB

Download
memory/1256-119-0x0000000004D10000-0x0000000004DF1000-memory.dmp

Filesize
900KB

Download
memory/1752-124-0x0000000000000000-mapping.dmp

Download
memory/1788-87-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-98-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-73-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-80-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-81-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-79-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-78-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-77-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-84-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-83-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-82-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-75-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-86-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-85-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-90-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-89-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-88-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-92-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/1788-96-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-74-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-99-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-100-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-102-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-112-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-111-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-113-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-115-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-116-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-117-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-76-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-69-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-70-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-72-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-71-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-67-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-68-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-66-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-65-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download
memory/1788-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1788-118-0x0000000004A80000-0x0000000004ADA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads