formbook | 2d7051de1420deab48e7d25638ae6c6a72ccc503c4c6d153139feec4861f573f

General

Target

Ordem de compra para julho.pdf.exe
Size

687KB
MD5

01ac3fb5a4476de95369f325ea906ea5
SHA1

e291db506ea6b82f60b1b5e035f764595d6b7f3c
SHA256

b6426721805cf7ba17f04f3ab2540c182758682a0b6397ee277f4f3aa3709bd1
SHA512

548686caf1858bb22aaebee04c0ee0a8fef3d4f4577a6700dbbfe213d34654e621be09927bbddff418c61c33c9380c8a6f92ffe3ae202ab53c149d5f80dd40ca

Score

10^/10

formbook de08 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de08

Decoy

retirecloudyyard.com

fabiyan.xyz

chrisarlyde.com

selapex.com

vivalosgales.com

specialty-medicine.com

contasesolucoes.com

satunusanews.net

allyibc.com

alameda1876.com

artofdala.com

yukoidusp.xyz

steeldrumbandnearme.com

stonewedgetechnology.com

kentonai.com

macquarie-private.com

ddgwy.com

megagreenhousekits.com

descomplicaomarketing.com

inclusiverealtor.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/320-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/320-157-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2576-163-0x0000000001010000-0x000000000103F000-memory.dmp	formbook
behavioral2/memory/2576-169-0x0000000001010000-0x000000000103F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ordem de compra para julho.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Ordem de compra para julho.pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ordem de compra para julho.pdf.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 1736 set thread context of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 320 set thread context of 676	320	RegSvcs.exe	Explorer.EXE
PID 2576 set thread context of 676	2576	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2276 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2576 NETSTAT.EXE

pid	process
2276	schtasks.exe

pid	process
2576	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

Ordem de compra para julho.pdf.exepowershell.exeRegSvcs.exeNETSTAT.EXE

pid	process
1736	Ordem de compra para julho.pdf.exe
1736	Ordem de compra para julho.pdf.exe
4420	powershell.exe
320	RegSvcs.exe
320	RegSvcs.exe
4420	powershell.exe
320	RegSvcs.exe
320	RegSvcs.exe
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE
2576	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

676 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

320 RegSvcs.exe
320 RegSvcs.exe
320 RegSvcs.exe
2576 NETSTAT.EXE
2576 NETSTAT.EXE

pid	process
676	Explorer.EXE

pid	process
320	RegSvcs.exe
320	RegSvcs.exe
320	RegSvcs.exe
2576	NETSTAT.EXE
2576	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Ordem de compra para julho.pdf.exepowershell.exeRegSvcs.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1736	Ordem de compra para julho.pdf.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	320	RegSvcs.exe
Token: SeDebugPrivilege	2576	NETSTAT.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Ordem de compra para julho.pdf.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1736 wrote to memory of 4420	1736	Ordem de compra para julho.pdf.exe	powershell.exe
PID 1736 wrote to memory of 4420	1736	Ordem de compra para julho.pdf.exe	powershell.exe
PID 1736 wrote to memory of 4420	1736	Ordem de compra para julho.pdf.exe	powershell.exe
PID 1736 wrote to memory of 2276	1736	Ordem de compra para julho.pdf.exe	schtasks.exe
PID 1736 wrote to memory of 2276	1736	Ordem de compra para julho.pdf.exe	schtasks.exe
PID 1736 wrote to memory of 2276	1736	Ordem de compra para julho.pdf.exe	schtasks.exe
PID 1736 wrote to memory of 752	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 752	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 752	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 1736 wrote to memory of 320	1736	Ordem de compra para julho.pdf.exe	RegSvcs.exe
PID 676 wrote to memory of 2576	676	Explorer.EXE	NETSTAT.EXE
PID 676 wrote to memory of 2576	676	Explorer.EXE	NETSTAT.EXE
PID 676 wrote to memory of 2576	676	Explorer.EXE	NETSTAT.EXE
PID 2576 wrote to memory of 3600	2576	NETSTAT.EXE	cmd.exe
PID 2576 wrote to memory of 3600	2576	NETSTAT.EXE	cmd.exe
PID 2576 wrote to memory of 3600	2576	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\Ordem de compra para julho.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ordem de compra para julho.pdf.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JXVNljtiVHwGbZ.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXVNljtiVHwGbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E.tmp"
3⤵
- Creates scheduled task(s)
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4E.tmp
Filesize
1KB

MD5
28554a40ee69f51be17bf7cda605fb72

SHA1
aa891784738e0eff912756074c68fd0f0c425065

SHA256
dda91db144f6917419bc8b953c830bbe2300035c7885e987e9a4639ffa45c6d4

SHA512
ea1a9fa4655cf14639a4fb4914b1a5b7c6ad78e600c2fc34ab493b12b74280f8101e2fe00ffb3011c5fca850f6493c6819906d6a16951ce3470e6f126b5a0f53

Download Submit
memory/320-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-141-0x0000000000000000-mapping.dmp

Download
memory/320-149-0x0000000001490000-0x00000000014A4000-memory.dmp

Filesize
80KB

Download
memory/320-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-148-0x0000000001920000-0x0000000001C6A000-memory.dmp

Filesize
3.3MB

Download
memory/676-170-0x0000000007CD0000-0x0000000007D6C000-memory.dmp

Filesize
624KB

Download
memory/676-168-0x0000000007CD0000-0x0000000007D6C000-memory.dmp

Filesize
624KB

Download
memory/676-150-0x0000000008710000-0x0000000008898000-memory.dmp

Filesize
1.5MB

Download
memory/752-140-0x0000000000000000-mapping.dmp

Download
memory/1736-132-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/1736-130-0x0000000000BE0000-0x0000000000C92000-memory.dmp

Filesize
712KB

Download
memory/1736-131-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/1736-134-0x0000000008FB0000-0x000000000904C000-memory.dmp

Filesize
624KB

Download
memory/1736-133-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/2276-136-0x0000000000000000-mapping.dmp

Download
memory/2576-161-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/2576-156-0x0000000000000000-mapping.dmp

Download
memory/2576-169-0x0000000001010000-0x000000000103F000-memory.dmp

Filesize
188KB

Download
memory/2576-167-0x0000000001570000-0x0000000001603000-memory.dmp

Filesize
588KB

Download
memory/2576-163-0x0000000001010000-0x000000000103F000-memory.dmp

Filesize
188KB

Download
memory/2576-162-0x00000000017D0000-0x0000000001B1A000-memory.dmp

Filesize
3.3MB

Download
memory/3600-159-0x0000000000000000-mapping.dmp

Download
memory/4420-153-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/4420-151-0x0000000006700000-0x0000000006732000-memory.dmp

Filesize
200KB

Download
memory/4420-154-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/4420-143-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/4420-158-0x00000000074B0000-0x00000000074BA000-memory.dmp

Filesize
40KB

Download
memory/4420-147-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/4420-160-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/4420-139-0x0000000005230000-0x0000000005858000-memory.dmp

Filesize
6.2MB

Download
memory/4420-152-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/4420-155-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/4420-164-0x0000000007670000-0x000000000767E000-memory.dmp

Filesize
56KB

Download
memory/4420-165-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/4420-166-0x0000000007760000-0x0000000007768000-memory.dmp

Filesize
32KB

Download
memory/4420-144-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4420-137-0x0000000004B90000-0x0000000004BC6000-memory.dmp

Filesize
216KB

Download
memory/4420-145-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4420-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads