formbook | e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759

General

Target

c6e799eeeba0345de98b4e9a6ac76b82.exe
Size

292KB
MD5

c6e799eeeba0345de98b4e9a6ac76b82
SHA1

268bafbd996997350d32521a0012602960c5d004
SHA256

e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759
SHA512

b229294931fe70480a7cb0937b33311fa838e5b5f1ac880a1e8fd06b67ddee6c4b691d9a0d93004be86deba5300faf55511cd910fad56f89c4e79b5eead6f681

Score

10^/10

formbook nk6l rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nk6l

Decoy

cbnextra.com

entitysystemsinc.com

55midwoodave.com

ebelizzi.com

khojcity.com

1527brokenoakdrive.site

housinghproperties.com

ratiousa.com

lrcrepresentacoes.net

tocoec.net

khadamatdemnate.com

davidkastner.xyz

gardeniaresort.com

qiantangguoji.com

visaprepaidprocessinq.com

cristinamadara.com

semapisus.xyz

mpwebagency.net

alibabasdeli.com

gigasupplies.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1004-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1004-64-0x000000000041F0F0-mapping.dmp	formbook
behavioral1/memory/1004-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1796-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

dvukljmnr.exedvukljmnr.exe

pid process

1988 dvukljmnr.exe
1004 dvukljmnr.exe
Loads dropped DLL 2 IoCs

Processes:

c6e799eeeba0345de98b4e9a6ac76b82.exedvukljmnr.exe

pid process

1784 c6e799eeeba0345de98b4e9a6ac76b82.exe
1988 dvukljmnr.exe

pid	process
1988	dvukljmnr.exe
1004	dvukljmnr.exe

pid	process
1784	c6e799eeeba0345de98b4e9a6ac76b82.exe
1988	dvukljmnr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dvukljmnr.exedvukljmnr.exeexplorer.exe

description	pid	process	target process
PID 1988 set thread context of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1004 set thread context of 1212	1004	dvukljmnr.exe	Explorer.EXE
PID 1796 set thread context of 1212	1796	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

dvukljmnr.exeexplorer.exe

pid	process
1004	dvukljmnr.exe
1004	dvukljmnr.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dvukljmnr.exeexplorer.exe

pid process

1004 dvukljmnr.exe
1004 dvukljmnr.exe
1004 dvukljmnr.exe
1796 explorer.exe
1796 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dvukljmnr.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 1004 dvukljmnr.exe
Token: SeDebugPrivilege 1796 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1004	dvukljmnr.exe
Token: SeDebugPrivilege	1796	explorer.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

c6e799eeeba0345de98b4e9a6ac76b82.exedvukljmnr.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1784 wrote to memory of 1988	1784	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1784 wrote to memory of 1988	1784	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1784 wrote to memory of 1988	1784	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1784 wrote to memory of 1988	1784	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1988 wrote to memory of 1004	1988	dvukljmnr.exe	dvukljmnr.exe
PID 1212 wrote to memory of 1796	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1796	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1796	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1796	1212	Explorer.EXE	explorer.exe
PID 1796 wrote to memory of 1316	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 1316	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 1316	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 1316	1796	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\c6e799eeeba0345de98b4e9a6ac76b82.exe
  "C:\Users\Admin\AppData\Local\Temp\c6e799eeeba0345de98b4e9a6ac76b82.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
    C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
      C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1004
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe"
    3⤵
    PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qh31ayyhk84s8sjtofn

Filesize
184KB

MD5
17179b4032c3411541c24ca24c8c9aae

SHA1
13f54b0c026b6c7e53aa94df8f73fa24ecaa0393

SHA256
b82ca9a52d0ac42aeb246ed7fa0fd7f95c6248f6684b1ab8e6d973ee934ce0b9

SHA512
6127e76eec4d121be3ee8a45da44220a33ac57924255738f80edab3b92a7fd7d8f002779fa0f3296f3b795671767853e49dd2642eb43419e373284bfbd8b0201

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw

Filesize
4KB

MD5
498c16613e82cebca0fc1541214be952

SHA1
23e7da2aa1b3ef5f3aec1ae51f797da4f421efc5

SHA256
7f40da6288c8e939afea7a6512e518933d1802f6b822817b21e3b457af445ce8

SHA512
ba6b040c01b60827f893f918de5478e83b53da511ef62d0b10b2a12ec17f64c2ff64bd50dc1be814809153ae90c913370010bacf22636fbd4820b409e6183a7b

Download Submit
\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
memory/1004-68-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/1004-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1004-64-0x000000000041F0F0-mapping.dmp

Download
memory/1004-69-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1004-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-70-0x0000000004AC0000-0x0000000004BEA000-memory.dmp

Filesize
1.2MB

Download
memory/1212-79-0x0000000004420000-0x000000000450F000-memory.dmp

Filesize
956KB

Download
memory/1316-76-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1796-71-0x0000000000000000-mapping.dmp

Download
memory/1796-73-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1796-74-0x00000000009E0000-0x0000000000C61000-memory.dmp

Filesize
2.5MB

Download
memory/1796-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1796-77-0x0000000002440000-0x0000000002743000-memory.dmp

Filesize
3.0MB

Download
memory/1796-78-0x0000000002210000-0x00000000022A3000-memory.dmp

Filesize
588KB

Download
memory/1988-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads