formbook | 4ad4f511c43369e73655e833bac1c22c63c5e9fd56245990266b2d03c54a0fc2

General

Target

Enquiry Letter 2021_39 PDF .exe
Size

706KB
MD5

ebf459ab9f9e3280e01aa2afc78235cb
SHA1

b78ba9874e119e3be2521471f0e9bdc6b22d0452
SHA256

8357119ef28bc4518732db5fea2e1aae12a779c36c3beb0a732a224f460abddb
SHA512

0831473ccb3bf1314199dd1085075967c8867a1261ec7fe03f5c3da58b2a7dd3158b41b1fa5d2496e722bea04fb0230e306baccbc4459523b21698ee0d2a8094

Score

10^/10

formbook k2w persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

k2w

Decoy

brittanybeck.com

idapple.mobi

sharoncement.win

smerchenko.com

citizenssenergygroup.com

landhawktactical.com

yilingshenghuo.com

lifa97.com

8160pe.com

sf-purify.com

bloomingamaizing.com

thymeshares.com

rainwatercollectionhq.com

jaseba.net

whoistom.net

gn70.com

payperclickad.info

jessicagorbet.com

portlockproperty.com

mindset-beratung.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1688-64-0x0000000000090000-0x00000000000BA000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1488 cmd.exe

pid	process
1488	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8PALGXO0WL = "C:\\Program Files (x86)\\Ynpdx\\chkdskmpxpgvo.exe"	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Enquiry Letter 2021_39 PDF .exeEnquiry Letter 2021_39 PDF .exemsiexec.exe

description	pid	process	target process
PID 112 set thread context of 1588	112	Enquiry Letter 2021_39 PDF .exe	Enquiry Letter 2021_39 PDF .exe
PID 1588 set thread context of 1244	1588	Enquiry Letter 2021_39 PDF .exe	Explorer.EXE
PID 1688 set thread context of 1244	1688	msiexec.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ynpdx\chkdskmpxpgvo.exe msiexec.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ynpdx\chkdskmpxpgvo.exe	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Enquiry Letter 2021_39 PDF .exeEnquiry Letter 2021_39 PDF .exemsiexec.exe

pid	process
112	Enquiry Letter 2021_39 PDF .exe
1588	Enquiry Letter 2021_39 PDF .exe
1588	Enquiry Letter 2021_39 PDF .exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Enquiry Letter 2021_39 PDF .exeEnquiry Letter 2021_39 PDF .exemsiexec.exe

pid	process
112	Enquiry Letter 2021_39 PDF .exe
1588	Enquiry Letter 2021_39 PDF .exe
1588	Enquiry Letter 2021_39 PDF .exe
1588	Enquiry Letter 2021_39 PDF .exe
1688	msiexec.exe
1688	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Enquiry Letter 2021_39 PDF .exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1588 Enquiry Letter 2021_39 PDF .exe
Token: SeDebugPrivilege 1688 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1588	Enquiry Letter 2021_39 PDF .exe
Token: SeDebugPrivilege	1688	msiexec.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Enquiry Letter 2021_39 PDF .exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 112 wrote to memory of 1588	112	Enquiry Letter 2021_39 PDF .exe	Enquiry Letter 2021_39 PDF .exe
PID 112 wrote to memory of 1588	112	Enquiry Letter 2021_39 PDF .exe	Enquiry Letter 2021_39 PDF .exe
PID 112 wrote to memory of 1588	112	Enquiry Letter 2021_39 PDF .exe	Enquiry Letter 2021_39 PDF .exe
PID 112 wrote to memory of 1588	112	Enquiry Letter 2021_39 PDF .exe	Enquiry Letter 2021_39 PDF .exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1244 wrote to memory of 1688	1244	Explorer.EXE	msiexec.exe
PID 1688 wrote to memory of 1488	1688	msiexec.exe	cmd.exe
PID 1688 wrote to memory of 1488	1688	msiexec.exe	cmd.exe
PID 1688 wrote to memory of 1488	1688	msiexec.exe	cmd.exe
PID 1688 wrote to memory of 1488	1688	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1760

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe"
3⤵
- Deletes itself
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logim.jpeg
Filesize
62KB

MD5
8d392f4a274658e3b8d6180d8a5b4308

SHA1
b57e37bab17c65c74314ab259e415822a2031399

SHA256
d6823b690f6a53e76cab51695cb0b6e1e60e7651aade7ed45140aa7fe538b8c9

SHA512
7a8a1f10d59bde0053f360191514c9b4675afa4f56b643fab65c7595b369f1a185d354b79d68ff5d24a5a71328c0cbc1099507e0be61412471fb6d38af28e7da

Download Submit
C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/112-56-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/112-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1244-67-0x0000000004B90000-0x0000000004C8F000-memory.dmp

Filesize
1020KB

Download
memory/1244-59-0x0000000007190000-0x0000000007301000-memory.dmp

Filesize
1.4MB

Download
memory/1488-62-0x0000000000000000-mapping.dmp

Download
memory/1588-58-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/1588-57-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1588-55-0x000000000041B6C0-mapping.dmp

Download
memory/1688-64-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/1688-65-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/1688-66-0x00000000020A0000-0x0000000002133000-memory.dmp

Filesize
588KB

Download
memory/1688-63-0x0000000000730000-0x0000000000744000-memory.dmp

Filesize
80KB

Download
memory/1688-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads