formbook | 3614d38f71c129eda85ef01488a00a61661e3bb0c7963b15fb6a3cbffdc54ba4

General

Target

nuovo ordine.exe
Size

391KB
MD5

7d7e555fa23b77a241816576939337e7
SHA1

e7360c15d4cc0dc0fa3ff747b64d6c0a52e41861
SHA256

c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03
SHA512

9a00f518afee39dd06ecd31f2dd7f91962570d8cb786096328478032c36df3300aa4eeff71d746bf521c6fe291144b48d005b808a44ede7beb0cadac4c138977

Score

10^/10

formbook kvsz rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2032-63-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2032-64-0x000000000041ECA0-mapping.dmp	formbook
behavioral1/memory/2032-66-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/676-73-0x0000000000070000-0x000000000009E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

nuovo ordine.exeRegSvcs.exewscript.exe

description	pid	process	target process
PID 1208 set thread context of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 2032 set thread context of 1284	2032	RegSvcs.exe	Explorer.EXE
PID 676 set thread context of 1284	676	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1328 schtasks.exe

pid	process
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

nuovo ordine.exeRegSvcs.exewscript.exe

pid	process
1208	nuovo ordine.exe
1208	nuovo ordine.exe
1208	nuovo ordine.exe
1208	nuovo ordine.exe
1208	nuovo ordine.exe
2032	RegSvcs.exe
2032	RegSvcs.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe
676	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewscript.exe

pid process

2032 RegSvcs.exe
2032 RegSvcs.exe
2032 RegSvcs.exe
676 wscript.exe
676 wscript.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

nuovo ordine.exeRegSvcs.exewscript.exe

description pid process

Token: SeDebugPrivilege 1208 nuovo ordine.exe
Token: SeDebugPrivilege 2032 RegSvcs.exe
Token: SeDebugPrivilege 676 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
2032	RegSvcs.exe
2032	RegSvcs.exe
2032	RegSvcs.exe
676	wscript.exe
676	wscript.exe

description	pid	process
Token: SeDebugPrivilege	1208	nuovo ordine.exe
Token: SeDebugPrivilege	2032	RegSvcs.exe
Token: SeDebugPrivilege	676	wscript.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

nuovo ordine.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1208 wrote to memory of 1328	1208	nuovo ordine.exe	schtasks.exe
PID 1208 wrote to memory of 1328	1208	nuovo ordine.exe	schtasks.exe
PID 1208 wrote to memory of 1328	1208	nuovo ordine.exe	schtasks.exe
PID 1208 wrote to memory of 1328	1208	nuovo ordine.exe	schtasks.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1208 wrote to memory of 2032	1208	nuovo ordine.exe	RegSvcs.exe
PID 1284 wrote to memory of 676	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 676	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 676	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 676	1284	Explorer.EXE	wscript.exe
PID 676 wrote to memory of 1912	676	wscript.exe	cmd.exe
PID 676 wrote to memory of 1912	676	wscript.exe	cmd.exe
PID 676 wrote to memory of 1912	676	wscript.exe	cmd.exe
PID 676 wrote to memory of 1912	676	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\nuovo ordine.exe
"C:\Users\Admin\AppData\Local\Temp\nuovo ordine.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iaSzQzjCf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA70A.tmp"
3⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA70A.tmp
Filesize
1KB

MD5
3a32647562d7e4e78b7f7f8b398fce55

SHA1
10990f34303928790d040704f3d4530db293cd68

SHA256
087f4c564d06dd9af188089b575cb26c6a9dcb9b1ddd91132cebfb8f95178623

SHA512
4f8b447e010a3191cb42acdbbf1e390148d64321882ee17898c2694826f8b505426dfd3f6a7a2e6629b0d75d90dbbbac005d42fa227685984aa779a2d1502fa7

Download Submit
memory/676-75-0x00000000004E0000-0x0000000000573000-memory.dmp

Filesize
588KB

Download
memory/676-70-0x0000000000000000-mapping.dmp

Download
memory/676-72-0x0000000000D90000-0x0000000000DB6000-memory.dmp

Filesize
152KB

Download
memory/676-73-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/676-74-0x0000000002350000-0x0000000002653000-memory.dmp

Filesize
3.0MB

Download
memory/1208-57-0x0000000000530000-0x0000000000564000-memory.dmp

Filesize
208KB

Download
memory/1208-56-0x00000000008F0000-0x000000000094A000-memory.dmp

Filesize
360KB

Download
memory/1208-54-0x00000000009C0000-0x0000000000A28000-memory.dmp

Filesize
416KB

Download
memory/1208-55-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1284-76-0x0000000006B20000-0x0000000006C47000-memory.dmp

Filesize
1.2MB

Download
memory/1284-69-0x00000000049F0000-0x0000000004B7C000-memory.dmp

Filesize
1.5MB

Download
memory/1328-58-0x0000000000000000-mapping.dmp

Download
memory/1912-71-0x0000000000000000-mapping.dmp

Download
memory/2032-68-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/2032-67-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/2032-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2032-64-0x000000000041ECA0-mapping.dmp

Download
memory/2032-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2032-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2032-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads