formbook | e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759

General

Target

c6e799eeeba0345de98b4e9a6ac76b82.exe
Size

292KB
MD5

c6e799eeeba0345de98b4e9a6ac76b82
SHA1

268bafbd996997350d32521a0012602960c5d004
SHA256

e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759
SHA512

b229294931fe70480a7cb0937b33311fa838e5b5f1ac880a1e8fd06b67ddee6c4b691d9a0d93004be86deba5300faf55511cd910fad56f89c4e79b5eead6f681

Score

10^/10

formbook nk6l rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nk6l

Decoy

cbnextra.com

entitysystemsinc.com

55midwoodave.com

ebelizzi.com

khojcity.com

1527brokenoakdrive.site

housinghproperties.com

ratiousa.com

lrcrepresentacoes.net

tocoec.net

khadamatdemnate.com

davidkastner.xyz

gardeniaresort.com

qiantangguoji.com

visaprepaidprocessinq.com

cristinamadara.com

semapisus.xyz

mpwebagency.net

alibabasdeli.com

gigasupplies.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1072-64-0x000000000041F0F0-mapping.dmp	formbook
behavioral1/memory/1072-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1348-75-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

dvukljmnr.exedvukljmnr.exe

pid process

848 dvukljmnr.exe
1072 dvukljmnr.exe
Loads dropped DLL 2 IoCs

Processes:

c6e799eeeba0345de98b4e9a6ac76b82.exedvukljmnr.exe

pid process

1996 c6e799eeeba0345de98b4e9a6ac76b82.exe
848 dvukljmnr.exe

pid	process
848	dvukljmnr.exe
1072	dvukljmnr.exe

pid	process
1996	c6e799eeeba0345de98b4e9a6ac76b82.exe
848	dvukljmnr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dvukljmnr.exedvukljmnr.exeipconfig.exe

description	pid	process	target process
PID 848 set thread context of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 1072 set thread context of 1240	1072	dvukljmnr.exe	Explorer.EXE
PID 1348 set thread context of 1240	1348	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1348 ipconfig.exe

pid	process
1348	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

dvukljmnr.exeipconfig.exe

pid	process
1072	dvukljmnr.exe
1072	dvukljmnr.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe
1348	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dvukljmnr.exeipconfig.exe

pid process

1072 dvukljmnr.exe
1072 dvukljmnr.exe
1072 dvukljmnr.exe
1348 ipconfig.exe
1348 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dvukljmnr.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1072 dvukljmnr.exe
Token: SeDebugPrivilege 1348 ipconfig.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1072	dvukljmnr.exe
Token: SeDebugPrivilege	1348	ipconfig.exe

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

c6e799eeeba0345de98b4e9a6ac76b82.exedvukljmnr.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1996 wrote to memory of 848	1996	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1996 wrote to memory of 848	1996	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1996 wrote to memory of 848	1996	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 1996 wrote to memory of 848	1996	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 848 wrote to memory of 1072	848	dvukljmnr.exe	dvukljmnr.exe
PID 1240 wrote to memory of 1348	1240	Explorer.EXE	ipconfig.exe
PID 1240 wrote to memory of 1348	1240	Explorer.EXE	ipconfig.exe
PID 1240 wrote to memory of 1348	1240	Explorer.EXE	ipconfig.exe
PID 1240 wrote to memory of 1348	1240	Explorer.EXE	ipconfig.exe
PID 1348 wrote to memory of 1548	1348	ipconfig.exe	cmd.exe
PID 1348 wrote to memory of 1548	1348	ipconfig.exe	cmd.exe
PID 1348 wrote to memory of 1548	1348	ipconfig.exe	cmd.exe
PID 1348 wrote to memory of 1548	1348	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\c6e799eeeba0345de98b4e9a6ac76b82.exe
"C:\Users\Admin\AppData\Local\Temp\c6e799eeeba0345de98b4e9a6ac76b82.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe"
3⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qh31ayyhk84s8sjtofn
Filesize
184KB

MD5
17179b4032c3411541c24ca24c8c9aae

SHA1
13f54b0c026b6c7e53aa94df8f73fa24ecaa0393

SHA256
b82ca9a52d0ac42aeb246ed7fa0fd7f95c6248f6684b1ab8e6d973ee934ce0b9

SHA512
6127e76eec4d121be3ee8a45da44220a33ac57924255738f80edab3b92a7fd7d8f002779fa0f3296f3b795671767853e49dd2642eb43419e373284bfbd8b0201

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
Filesize
4KB

MD5
498c16613e82cebca0fc1541214be952

SHA1
23e7da2aa1b3ef5f3aec1ae51f797da4f421efc5

SHA256
7f40da6288c8e939afea7a6512e518933d1802f6b822817b21e3b457af445ce8

SHA512
ba6b040c01b60827f893f918de5478e83b53da511ef62d0b10b2a12ec17f64c2ff64bd50dc1be814809153ae90c913370010bacf22636fbd4820b409e6183a7b

Download Submit
\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
memory/848-56-0x0000000000000000-mapping.dmp

Download
memory/1072-64-0x000000000041F0F0-mapping.dmp

Download
memory/1072-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-68-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1072-69-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1240-78-0x0000000004B40000-0x0000000004BFA000-memory.dmp

Filesize
744KB

Download
memory/1240-70-0x0000000004360000-0x0000000004424000-memory.dmp

Filesize
784KB

Download
memory/1348-71-0x0000000000000000-mapping.dmp

Download
memory/1348-74-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/1348-75-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1348-76-0x0000000002270000-0x0000000002573000-memory.dmp

Filesize
3.0MB

Download
memory/1348-77-0x0000000000A10000-0x0000000000AA3000-memory.dmp

Filesize
588KB

Download
memory/1548-73-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads