formbook | b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4

General

Target

TT copy 2094782.exe
Size

358KB
MD5

9d4da0e623bb9bb818be455b4c5e97d8
SHA1

9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
SHA256

091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
SHA512

6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37

Score

10^/10

formbook app evasion persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

app

Decoy

niresandcard.com

bonusscommesseonline.com

mezhyhirya.com

paklfz.com

bespokewomensuits.com

smarteralarm.info

munespansiyon.com

pmtradehouse.com

hotmobile-uk.com

ntdao.com

zohariaz.com

www145123.com

oceanstateofstyle.com

palermofelicissima.info

yourkinas.com

pthwheel.net

vfmagent.com

xn--3v0bw66b.com

comsystematrisk.win

on9.party

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1724-61-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1724-62-0x000000000041E270-mapping.dmp	formbook
behavioral1/memory/1072-71-0x00000000000C0000-0x00000000000ED000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRMXEFPPWFM = "C:\\Program Files (x86)\\Nuxl\\audiodgpdm.exe"	ipconfig.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TT copy 2094782.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TT copy 2094782.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TT copy 2094782.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

828 cmd.exe

pid	process
828	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

TT copy 2094782.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	TT copy 2094782.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	TT copy 2094782.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

TT copy 2094782.exeTT copy 2094782.exeipconfig.exe

description	pid	process	target process
PID 1280 set thread context of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1724 set thread context of 1212	1724	TT copy 2094782.exe	Explorer.EXE
PID 1072 set thread context of 1212	1072	ipconfig.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

ipconfig.exe

description ioc process

File opened for modification C:\Program Files (x86)\Nuxl\audiodgpdm.exe ipconfig.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1072 ipconfig.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Nuxl\audiodgpdm.exe	ipconfig.exe

pid	process
1292	schtasks.exe

pid	process
1072	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

TT copy 2094782.exeipconfig.exe

pid	process
1724	TT copy 2094782.exe
1724	TT copy 2094782.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe
1072	ipconfig.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

TT copy 2094782.exeipconfig.exe

pid process

1724 TT copy 2094782.exe
1724 TT copy 2094782.exe
1724 TT copy 2094782.exe
1072 ipconfig.exe
1072 ipconfig.exe
1072 ipconfig.exe
1072 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TT copy 2094782.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1724 TT copy 2094782.exe
Token: SeDebugPrivilege 1072 ipconfig.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1724	TT copy 2094782.exe
Token: SeDebugPrivilege	1072	ipconfig.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

TT copy 2094782.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1280 wrote to memory of 1292	1280	TT copy 2094782.exe	schtasks.exe
PID 1280 wrote to memory of 1292	1280	TT copy 2094782.exe	schtasks.exe
PID 1280 wrote to memory of 1292	1280	TT copy 2094782.exe	schtasks.exe
PID 1280 wrote to memory of 1292	1280	TT copy 2094782.exe	schtasks.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1280 wrote to memory of 1724	1280	TT copy 2094782.exe	TT copy 2094782.exe
PID 1212 wrote to memory of 1072	1212	Explorer.EXE	ipconfig.exe
PID 1212 wrote to memory of 1072	1212	Explorer.EXE	ipconfig.exe
PID 1212 wrote to memory of 1072	1212	Explorer.EXE	ipconfig.exe
PID 1212 wrote to memory of 1072	1212	Explorer.EXE	ipconfig.exe
PID 1072 wrote to memory of 828	1072	ipconfig.exe	cmd.exe
PID 1072 wrote to memory of 828	1072	ipconfig.exe	cmd.exe
PID 1072 wrote to memory of 828	1072	ipconfig.exe	cmd.exe
PID 1072 wrote to memory of 828	1072	ipconfig.exe	cmd.exe
PID 1072 wrote to memory of 868	1072	ipconfig.exe	Firefox.exe
PID 1072 wrote to memory of 868	1072	ipconfig.exe	Firefox.exe
PID 1072 wrote to memory of 868	1072	ipconfig.exe	Firefox.exe
PID 1072 wrote to memory of 868	1072	ipconfig.exe	Firefox.exe
PID 1072 wrote to memory of 868	1072	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe
"C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp214.tmp"
3⤵
- Creates scheduled task(s)
PID:1292

C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe"
3⤵
- Deletes itself
PID:828

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp214.tmp
Filesize
1KB

MD5
08c24f87384ce3ec15eca4f0559ce9ca

SHA1
7b0051273e81b256da5799d2ef10245df8b1483e

SHA256
d1d775f709e0d44f5286abe671144036399fb6ddf13e44b1714d617096b1f1fc

SHA512
97e7749a44ea8cb82878733234bd75b0d7f1ab3d89f0c7941930b6e9e2daa9df36d91f0005100611490d2cc7b704eec21246917bda8944d25dbc3521a796c8cc

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logim.jpeg
Filesize
70KB

MD5
f5552a69dbf7b83c12d338c9a29d79ec

SHA1
246972f7a995f3c7a39f1311edfe11ccb75f73eb

SHA256
1175ad02a11ead659bb121bcc007a775ea31e9e09dbeee35f173d0abfa565f9c

SHA512
670a4f26fdc12bbe270ed94930d4e655c97f60994957a1f8fe9b09bf60723e332c7d4a9f821b0e272d5ed28c788e48b07dbdca1e8c5a54c2602d7a60cc3606d9

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrf.ini
Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/828-69-0x0000000000000000-mapping.dmp

Download
memory/1072-67-0x0000000000000000-mapping.dmp

Download
memory/1072-73-0x0000000000390000-0x0000000000423000-memory.dmp

Filesize
588KB

Download
memory/1072-72-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/1072-71-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1072-70-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1212-66-0x00000000043E0000-0x000000000452F000-memory.dmp

Filesize
1.3MB

Download
memory/1212-74-0x0000000004230000-0x00000000042E1000-memory.dmp

Filesize
708KB

Download
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-56-0x0000000000000000-mapping.dmp

Download
memory/1724-65-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1724-64-0x0000000000CD0000-0x0000000000FD3000-memory.dmp

Filesize
3.0MB

Download
memory/1724-62-0x000000000041E270-mapping.dmp

Download
memory/1724-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1724-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1724-58-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads