formbook | 29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708

General

Target

ORDER INQUIRY.exe
Size

279KB
MD5

6bd95e18dbd55ab2bb32d2bdef0c88e6
SHA1

5fb95f1577c4d4c810a2a663db4a87704031126e
SHA256

27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662
SHA512

483301dd5b6198feab4dbaf0b17039a7b99e423a0c2eeaff609a1973d9b66cb3f22c1afab28769fb9a4530a2e3bb5b19ab3b2a62233807630db3ec6ffcb4fb32

Score

10^/10

formbook 20w coreentity rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

20w

Decoy

cofounder.technology

mrbajaf.com

xn--w9s874cfjq5fk.com

haliciogluhali.net

vanessadunfordhere.com

lookguy.win

91javac.com

goldennd.com

nwatheeliteteam.net

tumpukganda.com

clarservicios.com

koghana.com

workingwithroland.com

yellowsocialbox.com

under-dawg.com

sdtjtzyz.com

banditaerialproductions.com

newssmog.com

tefnmp.men

rebelialabel.com

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1792-56-0x00000000002C0000-0x00000000002C8000-memory.dmp	coreentity

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/620-63-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/620-64-0x000000000041B680-mapping.dmp	formbook
behavioral1/memory/620-66-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/872-77-0x00000000000C0000-0x00000000000EA000-memory.dmp	formbook

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1792-57-0x0000000004780000-0x00000000047B8000-memory.dmp	rezer0

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

Processes:

ORDER INQUIRY.exevbc.exemstsc.exe

description	pid	process	target process
PID 1792 set thread context of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 620 set thread context of 1204	620	vbc.exe	Explorer.EXE
PID 620 set thread context of 1204	620	vbc.exe	Explorer.EXE
PID 872 set thread context of 1204	872	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1316 schtasks.exe

pid	process
1316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ORDER INQUIRY.exevbc.exemstsc.exe

pid	process
1792	ORDER INQUIRY.exe
1792	ORDER INQUIRY.exe
1792	ORDER INQUIRY.exe
1792	ORDER INQUIRY.exe
1792	ORDER INQUIRY.exe
1792	ORDER INQUIRY.exe
620	vbc.exe
620	vbc.exe
620	vbc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe
872	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exemstsc.exe

pid process

620 vbc.exe
620 vbc.exe
620 vbc.exe
620 vbc.exe
872 mstsc.exe
872 mstsc.exe

pid	process
620	vbc.exe
620	vbc.exe
620	vbc.exe
620	vbc.exe
872	mstsc.exe
872	mstsc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ORDER INQUIRY.exevbc.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1792	ORDER INQUIRY.exe
Token: SeDebugPrivilege	620	vbc.exe
Token: SeDebugPrivilege	872	mstsc.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

ORDER INQUIRY.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1792 wrote to memory of 1316	1792	ORDER INQUIRY.exe	schtasks.exe
PID 1792 wrote to memory of 1316	1792	ORDER INQUIRY.exe	schtasks.exe
PID 1792 wrote to memory of 1316	1792	ORDER INQUIRY.exe	schtasks.exe
PID 1792 wrote to memory of 1316	1792	ORDER INQUIRY.exe	schtasks.exe
PID 1792 wrote to memory of 1700	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1700	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1700	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1700	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1980	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1980	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1980	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1980	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1768	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1768	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1768	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 1768	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1792 wrote to memory of 620	1792	ORDER INQUIRY.exe	vbc.exe
PID 1204 wrote to memory of 872	1204	Explorer.EXE	mstsc.exe
PID 1204 wrote to memory of 872	1204	Explorer.EXE	mstsc.exe
PID 1204 wrote to memory of 872	1204	Explorer.EXE	mstsc.exe
PID 1204 wrote to memory of 872	1204	Explorer.EXE	mstsc.exe
PID 872 wrote to memory of 1696	872	mstsc.exe	cmd.exe
PID 872 wrote to memory of 1696	872	mstsc.exe	cmd.exe
PID 872 wrote to memory of 1696	872	mstsc.exe	cmd.exe
PID 872 wrote to memory of 1696	872	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\ORDER INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER INQUIRY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rsYfak" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70FC.tmp"
3⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70FC.tmp
Filesize
1KB

MD5
8609d968e92eeed74b1893b68da12980

SHA1
d1fc2daf37ca5036567259c4711ebf5a70b6b6f7

SHA256
1dfefec3f589e5bd44b616b6359745d53bf21437955ecbd6de3ad2713dd6d5de

SHA512
706ab49b96ff0cc570e73741ce813504fc3be18b28c48ff5b7d05787ae3e0d219546d4f574b8f493ce6b72a44bccec93c2c842b8d603c17c792ce42400a644b8

Download Submit
memory/620-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/620-71-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/620-67-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/620-64-0x000000000041B680-mapping.dmp

Download
memory/620-68-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/620-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/620-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/620-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/872-79-0x0000000001F90000-0x0000000002023000-memory.dmp

Filesize
588KB

Download
memory/872-78-0x0000000002180000-0x0000000002483000-memory.dmp

Filesize
3.0MB

Download
memory/872-76-0x0000000000710000-0x0000000000814000-memory.dmp

Filesize
1.0MB

Download
memory/872-73-0x0000000000000000-mapping.dmp

Download
memory/872-77-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1204-69-0x0000000002A50000-0x0000000002B46000-memory.dmp

Filesize
984KB

Download
memory/1204-80-0x0000000006EF0000-0x0000000007044000-memory.dmp

Filesize
1.3MB

Download
memory/1204-72-0x00000000068D0000-0x0000000006A4D000-memory.dmp

Filesize
1.5MB

Download
memory/1316-58-0x0000000000000000-mapping.dmp

Download
memory/1696-75-0x0000000000000000-mapping.dmp

Download
memory/1792-56-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1792-57-0x0000000004780000-0x00000000047B8000-memory.dmp

Filesize
224KB

Download
memory/1792-54-0x0000000000220000-0x000000000026C000-memory.dmp

Filesize
304KB

Download
memory/1792-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads