formbook | b6ca5260fe0d12121268026560ad699cf4f0dadf38b880359a12f283df97fed9

General

Target

Purchase Order List.exe
Size

368KB
MD5

962eef4cf460292ecc166f2b2fc98823
SHA1

c666349ef2d17b180d3121954e658d4df231d9e8
SHA256

61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
SHA512

32bc1b69343e11308da5309370e9b97969e4b47bf9c942aae97233b60e2ec6380e0c34a094c3d2260a9d48b1d4d821c8bc89071b10f54eaf27000c0625e715ab

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1048-59-0x0000000004A00000-0x0000000004A2D000-memory.dmp	formbook
behavioral1/memory/1584-64-0x000000000041E360-mapping.dmp	formbook
behavioral1/memory/1584-66-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/884-73-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1184 cmd.exe

pid	process
1184	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FLJPPREH = "C:\\Program Files (x86)\\V1b0x\\gdik6qliv8.exe"	systray.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order List.exePurchase Order List.exesystray.exe

description	pid	process	target process
PID 1048 set thread context of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1584 set thread context of 1232	1584	Purchase Order List.exe	Explorer.EXE
PID 884 set thread context of 1232	884	systray.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

systray.exe

description ioc process

File opened for modification C:\Program Files (x86)\V1b0x\gdik6qliv8.exe systray.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2028 schtasks.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\V1b0x\gdik6qliv8.exe	systray.exe

pid	process
2028	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Purchase Order List.exesystray.exe

pid	process
1584	Purchase Order List.exe
1584	Purchase Order List.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe
884	systray.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Purchase Order List.exesystray.exe

pid process

1584 Purchase Order List.exe
1584 Purchase Order List.exe
1584 Purchase Order List.exe
884 systray.exe
884 systray.exe
884 systray.exe
884 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order List.exesystray.exe

description pid process

Token: SeDebugPrivilege 1584 Purchase Order List.exe
Token: SeDebugPrivilege 884 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1584	Purchase Order List.exe
Token: SeDebugPrivilege	884	systray.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Purchase Order List.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1048 wrote to memory of 2028	1048	Purchase Order List.exe	schtasks.exe
PID 1048 wrote to memory of 2028	1048	Purchase Order List.exe	schtasks.exe
PID 1048 wrote to memory of 2028	1048	Purchase Order List.exe	schtasks.exe
PID 1048 wrote to memory of 2028	1048	Purchase Order List.exe	schtasks.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1048 wrote to memory of 1584	1048	Purchase Order List.exe	Purchase Order List.exe
PID 1232 wrote to memory of 884	1232	Explorer.EXE	systray.exe
PID 1232 wrote to memory of 884	1232	Explorer.EXE	systray.exe
PID 1232 wrote to memory of 884	1232	Explorer.EXE	systray.exe
PID 1232 wrote to memory of 884	1232	Explorer.EXE	systray.exe
PID 884 wrote to memory of 1184	884	systray.exe	cmd.exe
PID 884 wrote to memory of 1184	884	systray.exe	cmd.exe
PID 884 wrote to memory of 1184	884	systray.exe	cmd.exe
PID 884 wrote to memory of 1184	884	systray.exe	cmd.exe
PID 884 wrote to memory of 1372	884	systray.exe	Firefox.exe
PID 884 wrote to memory of 1372	884	systray.exe	Firefox.exe
PID 884 wrote to memory of 1372	884	systray.exe	Firefox.exe
PID 884 wrote to memory of 1372	884	systray.exe	Firefox.exe
PID 884 wrote to memory of 1372	884	systray.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZyEeet" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730F.tmp"
3⤵
- Creates scheduled task(s)
PID:2028

C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe"
3⤵
- Deletes itself
PID:1184

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp730F.tmp
Filesize
1KB

MD5
0f9a81a2d0635fce875cfb240ed96962

SHA1
a37d36f08fdd445d0df2b5a00daf5829c97e36fa

SHA256
d357e552bcba35ffd0abb2d598a061660f055002ab233adf4885225573dfbfbb

SHA512
68ffd5d1319b1b64a7500008c64c76654076c62ed200fcd5f50c945566d8fa2014a0632deb48768e48b0c0e1968cb2e67ebc5dc97e8ca68b515dd603ea499a85

Download Submit
memory/884-70-0x0000000000000000-mapping.dmp

Download
memory/884-77-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/884-75-0x0000000000540000-0x00000000005D3000-memory.dmp

Filesize
588KB

Download
memory/884-74-0x0000000001FF0000-0x00000000022F3000-memory.dmp

Filesize
3.0MB

Download
memory/884-73-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/884-72-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/1048-59-0x0000000004A00000-0x0000000004A2D000-memory.dmp

Filesize
180KB

Download
memory/1048-55-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1048-56-0x0000000004130000-0x000000000416A000-memory.dmp

Filesize
232KB

Download
memory/1048-54-0x0000000000C20000-0x0000000000C82000-memory.dmp

Filesize
392KB

Download
memory/1184-71-0x0000000000000000-mapping.dmp

Download
memory/1232-76-0x0000000006620000-0x0000000006760000-memory.dmp

Filesize
1.2MB

Download
memory/1232-69-0x00000000071A0000-0x000000000734C000-memory.dmp

Filesize
1.7MB

Download
memory/1584-68-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1584-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1584-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1584-64-0x000000000041E360-mapping.dmp

Download
memory/1584-67-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1584-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads