formbook | a71fbd975727c7a053966148f07aad688241ff53a9e0cacc31c1d0e80bd9111a

General

Target

SecuriteInfo.com.Scr.MalPbsgen1.15215.exe
Size

1.2MB
MD5

107a033ecac4b8a3c62f28a87d0d2452
SHA1

a0e5e1f23098300574e1e9d8d6a098515b079c7f
SHA256

a71fbd975727c7a053966148f07aad688241ff53a9e0cacc31c1d0e80bd9111a
SHA512

fe7198e5a02d53b8c36b2d7900587f2f4f54b9154a1171bec15a38144e6b8e64b7320bc4a3224f9666a6b1a95ce9ea590cb26dc20183bedccd9effc951989afe

Score

10^/10

formbook modiloader n7ak persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4416-170-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/3432-171-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3432-192-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/3432-200-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/2056-204-0x0000000000E80000-0x0000000000EAE000-memory.dmp	formbook
behavioral2/memory/2056-207-0x0000000000E80000-0x0000000000EAE000-memory.dmp	formbook

ModiLoader Second Stage 42 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4416-140-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-141-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-142-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-143-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-145-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-144-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-147-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-146-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-148-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-150-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-149-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-151-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-152-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-154-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-156-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-155-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-153-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-157-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-158-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-159-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-160-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-161-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-162-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-164-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-163-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-165-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-166-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-168-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-167-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-172-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-174-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-173-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-175-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-176-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-183-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-185-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-186-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-187-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-184-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-188-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-189-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-190-0x0000000005B70000-0x0000000005BCE000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Scr.MalPbsgen1.15215.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uixpxbeonp = "C:\\Users\\Public\\Libraries\\pnoebxpxiU.url"	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DpiScaling.exeNETSTAT.EXE

description	pid	process	target process
PID 3432 set thread context of 2528	3432	DpiScaling.exe	Explorer.EXE
PID 3432 set thread context of 2528	3432	DpiScaling.exe	Explorer.EXE
PID 2056 set thread context of 2528	2056	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2056 NETSTAT.EXE

pid	process
2056	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

DpiScaling.exeNETSTAT.EXE

pid	process
3432	DpiScaling.exe
3432	DpiScaling.exe
3432	DpiScaling.exe
3432	DpiScaling.exe
3432	DpiScaling.exe
3432	DpiScaling.exe
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE
2056	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2528 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

DpiScaling.exeNETSTAT.EXE

pid process

3432 DpiScaling.exe
3432 DpiScaling.exe
3432 DpiScaling.exe
3432 DpiScaling.exe
2056 NETSTAT.EXE
2056 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DpiScaling.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3432 DpiScaling.exe
Token: SeDebugPrivilege 2056 NETSTAT.EXE

pid	process
2528	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3432	DpiScaling.exe
Token: SeDebugPrivilege	2056	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Scr.MalPbsgen1.15215.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4416 wrote to memory of 3432	4416	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe	DpiScaling.exe
PID 4416 wrote to memory of 3432	4416	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe	DpiScaling.exe
PID 4416 wrote to memory of 3432	4416	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe	DpiScaling.exe
PID 4416 wrote to memory of 3432	4416	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe	DpiScaling.exe
PID 4416 wrote to memory of 3432	4416	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe	DpiScaling.exe
PID 4416 wrote to memory of 3432	4416	SecuriteInfo.com.Scr.MalPbsgen1.15215.exe	DpiScaling.exe
PID 2528 wrote to memory of 2056	2528	Explorer.EXE	NETSTAT.EXE
PID 2528 wrote to memory of 2056	2528	Explorer.EXE	NETSTAT.EXE
PID 2528 wrote to memory of 2056	2528	Explorer.EXE	NETSTAT.EXE
PID 2056 wrote to memory of 1156	2056	NETSTAT.EXE	cmd.exe
PID 2056 wrote to memory of 1156	2056	NETSTAT.EXE	cmd.exe
PID 2056 wrote to memory of 1156	2056	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Scr.MalPbsgen1.15215.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Scr.MalPbsgen1.15215.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:716

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3968

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3856

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2496

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
3⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-201-0x0000000000000000-mapping.dmp

Download
memory/2056-205-0x00000000013D0000-0x0000000001463000-memory.dmp

Filesize
588KB

Download
memory/2056-207-0x0000000000E80000-0x0000000000EAE000-memory.dmp

Filesize
184KB

Download
memory/2056-199-0x0000000000000000-mapping.dmp

Download
memory/2056-204-0x0000000000E80000-0x0000000000EAE000-memory.dmp

Filesize
184KB

Download
memory/2056-202-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/2056-203-0x0000000001660000-0x00000000019AA000-memory.dmp

Filesize
3.3MB

Download
memory/2528-198-0x00000000031C0000-0x0000000003296000-memory.dmp

Filesize
856KB

Download
memory/2528-206-0x0000000008E70000-0x0000000008FAD000-memory.dmp

Filesize
1.2MB

Download
memory/2528-208-0x0000000008E70000-0x0000000008FAD000-memory.dmp

Filesize
1.2MB

Download
memory/2528-195-0x00000000088F0000-0x0000000008A31000-memory.dmp

Filesize
1.3MB

Download
memory/3432-200-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/3432-171-0x0000000000000000-mapping.dmp

Download
memory/3432-197-0x0000000002530000-0x0000000002544000-memory.dmp

Filesize
80KB

Download
memory/3432-194-0x00000000024F0000-0x0000000002504000-memory.dmp

Filesize
80KB

Download
memory/3432-193-0x00000000028E0000-0x0000000002C2A000-memory.dmp

Filesize
3.3MB

Download
memory/3432-192-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/4416-155-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-186-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-159-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-160-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-161-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-162-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-164-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-163-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-165-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-166-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-168-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-167-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-170-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/4416-157-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-172-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-174-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-173-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-175-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-176-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-183-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-185-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-158-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-187-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-184-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-188-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-189-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-190-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-153-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-140-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-156-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-154-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-152-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-151-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-149-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-150-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-148-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-146-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-147-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-144-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-145-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-143-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-142-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download
memory/4416-141-0x0000000005B70000-0x0000000005BCE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads