formbook | fe272bc2bdf59b23e1ff41b5aba9243faa18a92d3a3198924ffeb167e1a4236a

General

Target

009888389998789290000-pdf.exe
Size

876KB
MD5

c4dc14e8754c36300ae98fa8b4369a40
SHA1

9cd8e279dff02db6ffb9199cf6cb4ff5fc07cc37
SHA256

c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
SHA512

ba4280059eb153941d0c06533542a10d25f5c95c45bbebce620f042560df2557e1eae6ea3a405d6663c9552eb8dc49bb1cfccb2659e834a06fac4587373c7382

Score

10^/10

formbook hm2 persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

hm2

Decoy

vodu.ltd

arauderghem.net

bluebackpage.com

cheapairmaxsaleclearance.com

soldiersofarts.com

fbservice.info

x9e7x7.info

davidhenkel.com

plantrak.net

66sbleiv.com

cartierringprice.com

roupeiroblog.com

thxcn.com

baboondynasty.win

thecloudm.com

everythingreviews.net

zimmermansales.net

movie.kitchen

im.help

geebzor.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/624-63-0x0000000000070000-0x000000000009A000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTMT9LUPQ04 = "C:\\Program Files (x86)\\Q_nrp\\servicescbcdufw.exe"	wscript.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1696	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

009888389998789290000-pdf.exe009888389998789290000-pdf.exewscript.exe

description	pid	process	target process
PID 1728 set thread context of 1380	1728	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 1380 set thread context of 1256	1380	009888389998789290000-pdf.exe	Explorer.EXE
PID 624 set thread context of 1256	624	wscript.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wscript.exe

description ioc process

File opened for modification C:\Program Files (x86)\Q_nrp\servicescbcdufw.exe wscript.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Q_nrp\servicescbcdufw.exe	wscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

009888389998789290000-pdf.exe009888389998789290000-pdf.exewscript.exe

pid	process
1728	009888389998789290000-pdf.exe
1380	009888389998789290000-pdf.exe
1380	009888389998789290000-pdf.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe
624	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

009888389998789290000-pdf.exe009888389998789290000-pdf.exewscript.exe

pid	process
1728	009888389998789290000-pdf.exe
1380	009888389998789290000-pdf.exe
1380	009888389998789290000-pdf.exe
1380	009888389998789290000-pdf.exe
624	wscript.exe
624	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

009888389998789290000-pdf.exewscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1380	009888389998789290000-pdf.exe
Token: SeDebugPrivilege	624	wscript.exe
Token: SeShutdownPrivilege	1256	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

009888389998789290000-pdf.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1728 wrote to memory of 1380	1728	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 1728 wrote to memory of 1380	1728	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 1728 wrote to memory of 1380	1728	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 1728 wrote to memory of 1380	1728	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wscript.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wscript.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wscript.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wscript.exe
PID 624 wrote to memory of 1696	624	wscript.exe	cmd.exe
PID 624 wrote to memory of 1696	624	wscript.exe	cmd.exe
PID 624 wrote to memory of 1696	624	wscript.exe	cmd.exe
PID 624 wrote to memory of 1696	624	wscript.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:624

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
3⤵
- Deletes itself
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-63-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/624-60-0x0000000000000000-mapping.dmp

Download
memory/624-62-0x0000000000C20000-0x0000000000C46000-memory.dmp

Filesize
152KB

Download
memory/624-64-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/624-65-0x0000000002360000-0x00000000023F3000-memory.dmp

Filesize
588KB

Download
memory/1256-59-0x0000000004A00000-0x0000000004B4C000-memory.dmp

Filesize
1.3MB

Download
memory/1256-66-0x0000000004C30000-0x0000000004D4C000-memory.dmp

Filesize
1.1MB

Download
memory/1380-55-0x000000000041B630-mapping.dmp

Download
memory/1380-57-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1380-58-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/1696-61-0x0000000000000000-mapping.dmp

Download
memory/1728-56-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/1728-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads