formbook | 2e94e9f9492519257c3ce0897b7e0b526d202e59e325149a4e292756bbe02dec

General

Target

PO10062020.exe
Size

344KB
MD5

02cf2e5ec0352d4e5ad016bf6a4c3ec1
SHA1

8b45260c7d9df1a0a1240c82ec173d7d2fe39dc3
SHA256

5ed8ce65c5a1e4b24a300d02167839e8f060bf38c7c407d4a7d2dc5e0d2c80b9
SHA512

3bf2c80200b053529afda0064544056b43d5bae40b1370e78555820cf0b4fe3c8a7361fedeb56b4cca99ebe2aab1d15f063c0c0448784eeef44d918bafbf7fe7

Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/844-63-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/844-64-0x000000000041E2A0-mapping.dmp	formbook
behavioral1/memory/1724-72-0x00000000000D0000-0x00000000000FD000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GBWHJFWH68GL = "C:\\Program Files (x86)\\Wqlr0\\igfxobcpor5.exe"	systray.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	systray.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO10062020.exesvchost.exesystray.exe

description	pid	process	target process
PID 2008 set thread context of 844	2008	PO10062020.exe	svchost.exe
PID 844 set thread context of 1264	844	svchost.exe	Explorer.EXE
PID 1724 set thread context of 1264	1724	systray.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

systray.exe

description ioc process

File opened for modification C:\Program Files (x86)\Wqlr0\igfxobcpor5.exe systray.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Wqlr0\igfxobcpor5.exe	systray.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

PO10062020.exesvchost.exesystray.exe

pid	process
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
2008	PO10062020.exe
844	svchost.exe
844	svchost.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

svchost.exesystray.exe

pid process

844 svchost.exe
844 svchost.exe
844 svchost.exe
1724 systray.exe
1724 systray.exe
1724 systray.exe
1724 systray.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO10062020.exesvchost.exesystray.exe

description pid process

Token: SeDebugPrivilege 2008 PO10062020.exe
Token: SeDebugPrivilege 844 svchost.exe
Token: SeDebugPrivilege 1724 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE

pid	process
844	svchost.exe
844	svchost.exe
844	svchost.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe
1724	systray.exe

description	pid	process
Token: SeDebugPrivilege	2008	PO10062020.exe
Token: SeDebugPrivilege	844	svchost.exe
Token: SeDebugPrivilege	1724	systray.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PO10062020.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 2008 wrote to memory of 844	2008	PO10062020.exe	svchost.exe
PID 1264 wrote to memory of 1724	1264	Explorer.EXE	systray.exe
PID 1264 wrote to memory of 1724	1264	Explorer.EXE	systray.exe
PID 1264 wrote to memory of 1724	1264	Explorer.EXE	systray.exe
PID 1264 wrote to memory of 1724	1264	Explorer.EXE	systray.exe
PID 1724 wrote to memory of 908	1724	systray.exe	cmd.exe
PID 1724 wrote to memory of 908	1724	systray.exe	cmd.exe
PID 1724 wrote to memory of 908	1724	systray.exe	cmd.exe
PID 1724 wrote to memory of 908	1724	systray.exe	cmd.exe
PID 1724 wrote to memory of 2040	1724	systray.exe	Firefox.exe
PID 1724 wrote to memory of 2040	1724	systray.exe	Firefox.exe
PID 1724 wrote to memory of 2040	1724	systray.exe	Firefox.exe
PID 1724 wrote to memory of 2040	1724	systray.exe	Firefox.exe
PID 1724 wrote to memory of 2040	1724	systray.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\PO10062020.exe
"C:\Users\Admin\AppData\Local\Temp\PO10062020.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:524

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:908

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-64-0x000000000041E2A0-mapping.dmp

Download
memory/844-67-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/844-66-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/844-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/844-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/844-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/908-70-0x0000000000000000-mapping.dmp

Download
memory/1264-75-0x00000000060E0000-0x0000000006244000-memory.dmp

Filesize
1.4MB

Download
memory/1264-68-0x0000000006520000-0x0000000006673000-memory.dmp

Filesize
1.3MB

Download
memory/1724-71-0x0000000000F50000-0x0000000000F55000-memory.dmp

Filesize
20KB

Download
memory/1724-69-0x0000000000000000-mapping.dmp

Download
memory/1724-72-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1724-73-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/1724-74-0x0000000000930000-0x00000000009C3000-memory.dmp

Filesize
588KB

Download
memory/2008-59-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2008-58-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2008-57-0x0000000000570000-0x00000000005AA000-memory.dmp

Filesize
232KB

Download
memory/2008-56-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2008-54-0x0000000000F80000-0x0000000000FDC000-memory.dmp

Filesize
368KB

Download
memory/2008-55-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads