formbook | df417213b446bedf049255ef08d9deca75544ec1f6931633b7d58c31ea167f13

General

Target

1TOFpZKvqyRVuuy.exe
Size

302KB
MD5

4a15e3620504681438565df947f5a702
SHA1

750e4c022b615a9cc9ff4a8ebb3091e66244815f
SHA256

b43bca6dcc03b6c289b15fd6dde4bde2dee13d024f08b0ca47efefc9d9aa3d8c
SHA512

60d107c9a2d75c899919a69f55020ca60053ce164a8a796af78202fa1b56127c595d7b846da36c22da16390e1f0d51fdfca7902e8d7e25b3735115c16f4472e4

Score

10^/10

formbook duj evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

duj

Decoy

deapink.pink

tkmdz.com

nytzshicai.com

photos-identite-dijon.com

ekanun.net

xn--fiqy4bxl57l9sag6f6wb.ink

slivercat5.com

ai-ethics.net

510ns.com

inotherways.com

ridesharesettelment.com

zjxiangnong.com

aoraessentials.com

sheap-list.com

heshengqy.com

experts-comptables-paris-17.com

parissummerolympics2024.info

gtyx88.com

devopsonjob.com

vodacred.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1848-61-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1848-62-0x000000000041E2E0-mapping.dmp	formbook
behavioral1/memory/1848-64-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/984-70-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1TOFpZKvqyRVuuy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1TOFpZKvqyRVuuy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1TOFpZKvqyRVuuy.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1TOFpZKvqyRVuuy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1TOFpZKvqyRVuuy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	1TOFpZKvqyRVuuy.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1TOFpZKvqyRVuuy.exeMSBuild.exeNETSTAT.EXE

description	pid	process	target process
PID 1084 set thread context of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1848 set thread context of 1272	1848	MSBuild.exe	Explorer.EXE
PID 984 set thread context of 1272	984	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1932 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

984 NETSTAT.EXE

pid	process
1932	schtasks.exe

pid	process
984	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

1TOFpZKvqyRVuuy.exeMSBuild.exeNETSTAT.EXE

pid	process
1084	1TOFpZKvqyRVuuy.exe
1084	1TOFpZKvqyRVuuy.exe
1084	1TOFpZKvqyRVuuy.exe
1848	MSBuild.exe
1848	MSBuild.exe
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.exeNETSTAT.EXE

pid process

1848 MSBuild.exe
1848 MSBuild.exe
1848 MSBuild.exe
984 NETSTAT.EXE
984 NETSTAT.EXE

pid	process
1848	MSBuild.exe
1848	MSBuild.exe
1848	MSBuild.exe
984	NETSTAT.EXE
984	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1TOFpZKvqyRVuuy.exeMSBuild.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1084	1TOFpZKvqyRVuuy.exe
Token: SeDebugPrivilege	1848	MSBuild.exe
Token: SeDebugPrivilege	984	NETSTAT.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

1TOFpZKvqyRVuuy.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1084 wrote to memory of 1932	1084	1TOFpZKvqyRVuuy.exe	schtasks.exe
PID 1084 wrote to memory of 1932	1084	1TOFpZKvqyRVuuy.exe	schtasks.exe
PID 1084 wrote to memory of 1932	1084	1TOFpZKvqyRVuuy.exe	schtasks.exe
PID 1084 wrote to memory of 1932	1084	1TOFpZKvqyRVuuy.exe	schtasks.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1084 wrote to memory of 1848	1084	1TOFpZKvqyRVuuy.exe	MSBuild.exe
PID 1272 wrote to memory of 984	1272	Explorer.EXE	NETSTAT.EXE
PID 1272 wrote to memory of 984	1272	Explorer.EXE	NETSTAT.EXE
PID 1272 wrote to memory of 984	1272	Explorer.EXE	NETSTAT.EXE
PID 1272 wrote to memory of 984	1272	Explorer.EXE	NETSTAT.EXE
PID 984 wrote to memory of 1696	984	NETSTAT.EXE	cmd.exe
PID 984 wrote to memory of 1696	984	NETSTAT.EXE	cmd.exe
PID 984 wrote to memory of 1696	984	NETSTAT.EXE	cmd.exe
PID 984 wrote to memory of 1696	984	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\1TOFpZKvqyRVuuy.exe
"C:\Users\Admin\AppData\Local\Temp\1TOFpZKvqyRVuuy.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NgLQLPa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D2.tmp"
3⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D2.tmp

Filesize
1KB

MD5
5e4b306d693f56b5c6e52a1e66bf9f51

SHA1
52597a5f4f767226b9fdcc04ecd34dfc359297ef

SHA256
f2ad873c0327da78e8af14a053722db74b46671b033906d6d24bb0e3e948c170

SHA512
32b1ff2fa3e4457d43eb6dcbfd6aaa2876f54b584c9002a568861be73a15c89bd4c905cac1b3fefa3201ade13a3bc4fc47fe825573f51df09a81aa46f96de469

Download Submit
memory/984-73-0x0000000001E00000-0x0000000001E93000-memory.dmp

Filesize
588KB

Download
memory/984-71-0x00000000021C0000-0x00000000024C3000-memory.dmp

Filesize
3.0MB

Download
memory/984-70-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/984-69-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/984-68-0x0000000000000000-mapping.dmp

Download
memory/1084-55-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-54-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1272-67-0x00000000074C0000-0x000000000762C000-memory.dmp

Filesize
1.4MB

Download
memory/1272-74-0x00000000046C0000-0x00000000047A8000-memory.dmp

Filesize
928KB

Download
memory/1696-72-0x0000000000000000-mapping.dmp

Download
memory/1848-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1848-66-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1848-65-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download
memory/1848-64-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1848-62-0x000000000041E2E0-mapping.dmp

Download
memory/1848-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1848-58-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads