formbook | bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819

General

Target

shipping documents, INV+BL.exe
Size

430KB
MD5

528803eb79a155fc433c390a194ae344
SHA1

3e85abf112dbe5d5cb3b36f82cb5e5aba4f54757
SHA256

5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1
SHA512

b3a29219e6287103d6443ef39891d29b9f95cb72c6b39537c576d7f47fcb53a910fc6d9524a8f90fe26fc42674dedf59b3d39859f0636ed578f16f4fc5a3140d

Score

10^/10

formbook otn persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

otn

Decoy

thewoodwideweb.net

broadconnectionpm.com

tuzlametro.net

vjpqdk.info

vietnamtimetravel.com

notice-close-n217.online

verif22-mail999-pymts76.com

bestgreenhouseplan.com

brangain.top

cukaapelbragg.com

stileincucina.com

veloflambe.com

virtualsupportservicesllc.com

smpl.site

mezo.ltd

incidenciasarty.com

everglamp.com

theflowerfarmplanner.com

oasis-base.net

jnrhsh.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2016-64-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2016-65-0x000000000041E2D0-mapping.dmp	formbook
behavioral1/memory/2016-67-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1292-74-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wlanext.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XXSDJX6XXZCL = "C:\\Program Files (x86)\\Ppdr\\helpolrx.exe"	wlanext.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1892 cmd.exe

pid	process
1892	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

shipping documents, INV+BL.exeshipping documents, INV+BL.exewlanext.exe

description	pid	process	target process
PID 852 set thread context of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 2016 set thread context of 1428	2016	shipping documents, INV+BL.exe	Explorer.EXE
PID 1292 set thread context of 1428	1292	wlanext.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wlanext.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ppdr\helpolrx.exe wlanext.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ppdr\helpolrx.exe	wlanext.exe

pid	process
1076	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

shipping documents, INV+BL.exeshipping documents, INV+BL.exewlanext.exe

pid	process
852	shipping documents, INV+BL.exe
852	shipping documents, INV+BL.exe
2016	shipping documents, INV+BL.exe
2016	shipping documents, INV+BL.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

shipping documents, INV+BL.exewlanext.exe

pid	process
2016	shipping documents, INV+BL.exe
2016	shipping documents, INV+BL.exe
2016	shipping documents, INV+BL.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe
1292	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shipping documents, INV+BL.exeshipping documents, INV+BL.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	852	shipping documents, INV+BL.exe
Token: SeDebugPrivilege	2016	shipping documents, INV+BL.exe
Token: SeDebugPrivilege	1292	wlanext.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

shipping documents, INV+BL.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 852 wrote to memory of 1076	852	shipping documents, INV+BL.exe	schtasks.exe
PID 852 wrote to memory of 1076	852	shipping documents, INV+BL.exe	schtasks.exe
PID 852 wrote to memory of 1076	852	shipping documents, INV+BL.exe	schtasks.exe
PID 852 wrote to memory of 1076	852	shipping documents, INV+BL.exe	schtasks.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 852 wrote to memory of 2016	852	shipping documents, INV+BL.exe	shipping documents, INV+BL.exe
PID 1428 wrote to memory of 1292	1428	Explorer.EXE	wlanext.exe
PID 1428 wrote to memory of 1292	1428	Explorer.EXE	wlanext.exe
PID 1428 wrote to memory of 1292	1428	Explorer.EXE	wlanext.exe
PID 1428 wrote to memory of 1292	1428	Explorer.EXE	wlanext.exe
PID 1292 wrote to memory of 1892	1292	wlanext.exe	cmd.exe
PID 1292 wrote to memory of 1892	1292	wlanext.exe	cmd.exe
PID 1292 wrote to memory of 1892	1292	wlanext.exe	cmd.exe
PID 1292 wrote to memory of 1892	1292	wlanext.exe	cmd.exe
PID 1292 wrote to memory of 1500	1292	wlanext.exe	Firefox.exe
PID 1292 wrote to memory of 1500	1292	wlanext.exe	Firefox.exe
PID 1292 wrote to memory of 1500	1292	wlanext.exe	Firefox.exe
PID 1292 wrote to memory of 1500	1292	wlanext.exe	Firefox.exe
PID 1292 wrote to memory of 1500	1292	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BD.tmp"
3⤵
- Creates scheduled task(s)
PID:1076

C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe"
3⤵
- Deletes itself
PID:1892

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB2BD.tmp
Filesize
1KB

MD5
d2aa72e1e0a9b7dcb81af5082540153a

SHA1
69f84c985fea812daa2fcfd1941a7d60facb4a7e

SHA256
c7a368be198491672c06e17b5626878b39a06de3bb28c0f028cc3aff46e43d3d

SHA512
541bbb3c838c14bfc2c91d1394a99a72f76ad8c3534da1215336ffdc3d63922d456af573ced60d5dff7f9e70fc1f7c8f3cd8ad997374356ecb784695ea312692

Download Submit
C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logim.jpeg
Filesize
66KB

MD5
f8ae50510bfc62ce3154f53d4befd195

SHA1
e150b1d481591d91991174bdb03576b80e8328fc

SHA256
557dc42941c3d3b53acb5db7327f17dd6dcbd9358be66c1faf7f680846144ac3

SHA512
71279a037f9234044cde6ec8a330f719da31f57bf8c59511d09dd73644d86247348c663ae0368091e3ece2adb058e32f73c193c8f46d4667db95d0e05bc54d16

Download Submit
C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logrf.ini
Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/852-54-0x0000000000960000-0x00000000009D2000-memory.dmp

Filesize
456KB

Download
memory/852-55-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/852-56-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/852-57-0x0000000004280000-0x00000000042E4000-memory.dmp

Filesize
400KB

Download
memory/852-58-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/1076-59-0x0000000000000000-mapping.dmp

Download
memory/1292-73-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/1292-74-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1292-76-0x00000000006F0000-0x0000000000783000-memory.dmp

Filesize
588KB

Download
memory/1292-75-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/1292-71-0x0000000000000000-mapping.dmp

Download
memory/1428-77-0x0000000007CD0000-0x0000000007E4A000-memory.dmp

Filesize
1.5MB

Download
memory/1428-68-0x00000000068C0000-0x0000000006A07000-memory.dmp

Filesize
1.3MB

Download
memory/1892-72-0x0000000000000000-mapping.dmp

Download
memory/2016-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2016-70-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/2016-69-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2016-65-0x000000000041E2D0-mapping.dmp

Download
memory/2016-64-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2016-62-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2016-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads