formbook | f201f5ed829e08dbd5ccb40533f26010f5c3e75134fc1da3f9ed56eec6077300

General

Target

Purchase order PO045793 from Voile Trading Co.,Ltd.exe
Size

320KB
MD5

b02fb2439cd88a5e399683f14d6d80ff
SHA1

7098d5175626c3bef989a7d0e0344158a752ebc4
SHA256

c6bed06259f7c50c2b15e8161d5b1fa11690e69a7e5bb3261202debfb7d96708
SHA512

aff2394e671e8f8b33d7bf5a4444590fb53c74a2f6bc29faf3627a467652f0d2d7f1bd22c420bd46621638ff2849c30be265b71ecce89b14f83a4d68b6cf78ba

Score

10^/10

formbook mw9 persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mw9

Decoy

buyaii.com

zqdhrh.com

essentialsrefined.com

carbo-notifer.biz

cpahitr.com

westerntreasureseo.com

prowrestlingevent.com

hawthornbanksaves.com

vinhomes2.info

atriumindonesia.com

crunchinessretonation.com

masstorthedgefund.com

stroy-staleks.com

chinamarbleandtile.com

tv16878.info

hasegawa-takuma.com

cuxiaomao.com

umhhih.info

ieml.education

mwvllc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1572-54-0x0000000000561000-0x000000000058F000-memory.dmp	formbook
behavioral1/memory/1572-55-0x0000000000533000-0x0000000000584000-memory.dmp	formbook
behavioral1/memory/1572-59-0x0000000000533000-0x0000000000584000-memory.dmp	formbook
behavioral1/memory/1940-66-0x0000000000180000-0x00000000001AD000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\X8TPKTKHIBB = "C:\\Program Files (x86)\\Xcbcpfzx\\vganpwdbb.exe"	msdt.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

592 cmd.exe

pid	process
592	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase order PO045793 from Voile Trading Co.,Ltd.exemsdt.exe

description	pid	process	target process
PID 1572 set thread context of 1204	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe	Explorer.EXE
PID 1572 set thread context of 1204	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe	Explorer.EXE
PID 1940 set thread context of 1204	1940	msdt.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

msdt.exe

description ioc process

File opened for modification C:\Program Files (x86)\Xcbcpfzx\vganpwdbb.exe msdt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Xcbcpfzx\vganpwdbb.exe	msdt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Purchase order PO045793 from Voile Trading Co.,Ltd.exemsdt.exe

pid	process
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Purchase order PO045793 from Voile Trading Co.,Ltd.exemsdt.exe

pid	process
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe
1940	msdt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase order PO045793 from Voile Trading Co.,Ltd.exemsdt.exe

description pid process

Token: SeDebugPrivilege 1572 Purchase order PO045793 from Voile Trading Co.,Ltd.exe
Token: SeDebugPrivilege 1940 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe
Token: SeDebugPrivilege	1940	msdt.exe

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Purchase order PO045793 from Voile Trading Co.,Ltd.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1572 wrote to memory of 1940	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe	msdt.exe
PID 1572 wrote to memory of 1940	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe	msdt.exe
PID 1572 wrote to memory of 1940	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe	msdt.exe
PID 1572 wrote to memory of 1940	1572	Purchase order PO045793 from Voile Trading Co.,Ltd.exe	msdt.exe
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	colorcpl.exe
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	colorcpl.exe
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	colorcpl.exe
PID 1204 wrote to memory of 1748	1204	Explorer.EXE	colorcpl.exe
PID 1940 wrote to memory of 592	1940	msdt.exe	cmd.exe
PID 1940 wrote to memory of 592	1940	msdt.exe	cmd.exe
PID 1940 wrote to memory of 592	1940	msdt.exe	cmd.exe
PID 1940 wrote to memory of 592	1940	msdt.exe	cmd.exe
PID 1940 wrote to memory of 1356	1940	msdt.exe	Firefox.exe
PID 1940 wrote to memory of 1356	1940	msdt.exe	Firefox.exe
PID 1940 wrote to memory of 1356	1940	msdt.exe	Firefox.exe
PID 1940 wrote to memory of 1356	1940	msdt.exe	Firefox.exe
PID 1940 wrote to memory of 1356	1940	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\Purchase order PO045793 from Voile Trading Co.,Ltd.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order PO045793 from Voile Trading Co.,Ltd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
3⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase order PO045793 from Voile Trading Co.,Ltd.exe"
4⤵
- Deletes itself
PID:592

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
4⤵
PID:1356

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-64-0x0000000000000000-mapping.dmp

Download
memory/1204-58-0x0000000004980000-0x0000000004AC1000-memory.dmp

Filesize
1.3MB

Download
memory/1204-61-0x0000000003E30000-0x0000000003F19000-memory.dmp

Filesize
932KB

Download
memory/1204-69-0x0000000004BF0000-0x0000000004CE1000-memory.dmp

Filesize
964KB

Download
memory/1572-55-0x0000000000533000-0x0000000000584000-memory.dmp

Filesize
324KB

Download
memory/1572-56-0x0000000002CD0000-0x0000000002FD3000-memory.dmp

Filesize
3.0MB

Download
memory/1572-57-0x0000000000150000-0x0000000000164000-memory.dmp

Filesize
80KB

Download
memory/1572-59-0x0000000000533000-0x0000000000584000-memory.dmp

Filesize
324KB

Download
memory/1572-60-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1572-54-0x0000000000561000-0x000000000058F000-memory.dmp

Filesize
184KB

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/1940-65-0x0000000000080000-0x0000000000174000-memory.dmp

Filesize
976KB

Download
memory/1940-66-0x0000000000180000-0x00000000001AD000-memory.dmp

Filesize
180KB

Download
memory/1940-67-0x0000000002330000-0x0000000002633000-memory.dmp

Filesize
3.0MB

Download
memory/1940-68-0x0000000002060000-0x00000000020F3000-memory.dmp

Filesize
588KB

Download
memory/1940-63-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads