formbook | 81c89c74bd3c21ddf71d0cf01ec2c104e0ec298e6d2c9430f6bb7ddd8e711d62

General

Target

New Order list.exe
Size

368KB
MD5

cfc84703691c6640926457cb908b1b48
SHA1

8ee0d777616fa968e23bb7ba70962729b2e2295b
SHA256

e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
SHA512

51ba82d682cc9923d1d727dbd4dd424f3f2e4ee032948031748ee3bf30afb1228782b790a8611ba60e1c66ae75f7ef167c75af3151b258e8996eadfa7e944717

Score

10^/10

formbook 3nop rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1092-59-0x0000000004880000-0x00000000048AD000-memory.dmp	formbook
behavioral1/memory/1968-64-0x000000000041E360-mapping.dmp	formbook
behavioral1/memory/1968-66-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1184-76-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe

pid	process
1684	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

New Order list.exeNew Order list.exehelp.exe

description	pid	process	target process
PID 1092 set thread context of 1968	1092	New Order list.exe	New Order list.exe
PID 1968 set thread context of 1272	1968	New Order list.exe	Explorer.EXE
PID 1968 set thread context of 1272	1968	New Order list.exe	Explorer.EXE
PID 1184 set thread context of 1272	1184	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1704 schtasks.exe

pid	process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

New Order list.exehelp.exe

pid	process
1968	New Order list.exe
1968	New Order list.exe
1968	New Order list.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe
1184	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

New Order list.exehelp.exe

pid process

1968 New Order list.exe
1968 New Order list.exe
1968 New Order list.exe
1968 New Order list.exe
1184 help.exe
1184 help.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New Order list.exehelp.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1968 New Order list.exe
Token: SeDebugPrivilege 1184 help.exe
Token: SeShutdownPrivilege 1272 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1968	New Order list.exe
Token: SeDebugPrivilege	1184	help.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

New Order list.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1092 wrote to memory of 1704	1092	New Order list.exe	schtasks.exe
PID 1092 wrote to memory of 1704	1092	New Order list.exe	schtasks.exe
PID 1092 wrote to memory of 1704	1092	New Order list.exe	schtasks.exe
PID 1092 wrote to memory of 1704	1092	New Order list.exe	schtasks.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1092 wrote to memory of 1968	1092	New Order list.exe	New Order list.exe
PID 1272 wrote to memory of 1184	1272	Explorer.EXE	help.exe
PID 1272 wrote to memory of 1184	1272	Explorer.EXE	help.exe
PID 1272 wrote to memory of 1184	1272	Explorer.EXE	help.exe
PID 1272 wrote to memory of 1184	1272	Explorer.EXE	help.exe
PID 1184 wrote to memory of 1684	1184	help.exe	cmd.exe
PID 1184 wrote to memory of 1684	1184	help.exe	cmd.exe
PID 1184 wrote to memory of 1684	1184	help.exe	cmd.exe
PID 1184 wrote to memory of 1684	1184	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\New Order list.exe
"C:\Users\Admin\AppData\Local\Temp\New Order list.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AIJLczyi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7C1.tmp"
3⤵
- Creates scheduled task(s)
PID:1704

C:\Users\Admin\AppData\Local\Temp\New Order list.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New Order list.exe"
3⤵
- Deletes itself
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE7C1.tmp
Filesize
1KB

MD5
a7e759693ec43d835c09f0422d4602fa

SHA1
77ef0129fc52911372daef4de7615531e2223f66

SHA256
d7af8335db99d5bd1d64bf9d95db71720edc920ee636d53522a5d240e915510f

SHA512
e017f733f15c3bfd57c61fd3a12aec8d85a69ff558b1cc12d5b125de71572d9f6341086fd98c5d1c57006da28bf5265c8e6b2e5020d762374ad62a82b3510d90

Download Submit
memory/1092-59-0x0000000004880000-0x00000000048AD000-memory.dmp

Filesize
180KB

Download
memory/1092-55-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1092-56-0x0000000004700000-0x000000000473A000-memory.dmp

Filesize
232KB

Download
memory/1092-54-0x0000000000980000-0x00000000009E2000-memory.dmp

Filesize
392KB

Download
memory/1184-73-0x0000000000000000-mapping.dmp

Download
memory/1184-75-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/1184-78-0x0000000000550000-0x00000000005E3000-memory.dmp

Filesize
588KB

Download
memory/1184-77-0x00000000007F0000-0x0000000000AF3000-memory.dmp

Filesize
3.0MB

Download
memory/1184-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1272-72-0x0000000004CA0000-0x0000000004D8F000-memory.dmp

Filesize
956KB

Download
memory/1272-69-0x0000000004770000-0x000000000485E000-memory.dmp

Filesize
952KB

Download
memory/1272-79-0x0000000006700000-0x000000000684D000-memory.dmp

Filesize
1.3MB

Download
memory/1684-74-0x0000000000000000-mapping.dmp

Download
memory/1704-57-0x0000000000000000-mapping.dmp

Download
memory/1968-68-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1968-71-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/1968-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-67-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/1968-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-64-0x000000000041E360-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads