formbook | a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab

General

Target

RFQ5462-PO22000850.pdf.exe
Size

613KB
MD5

3ba5f2da42cf3865b04008a26744d346
SHA1

2b897b32de43663cce219db2e7c64aa7315ad6f5
SHA256

a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab
SHA512

5cda5d155abbb748a9845ba2e7b6a10dbc299101b4ad3c641da558b0420a418738c5b8397f6fe5b76c1afb8b54c83137c9803afe32de7fb9a57e42166bc81811

Score

10^/10

formbook t19g rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t19g

Decoy

playstationspiele.com

cakesbyannal.com

racepin.space

anti-offender.com

magnetque.com

farragorealtybrokerage.com

khuludmohammed.com

v33696.com

84ggg.com

d440.com

soccersmarthome.com

ofthis.world

fivestaryardcards.com

lusyard.com

gghft.com

viajesfortur.com

rationalirrationality.com

hanaramenrestaurant.com

exactlycleanse.com

martensenargentina.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/456-68-0x000000000041F1B0-mapping.dmp	formbook
behavioral1/memory/456-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/456-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1776-79-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ5462-PO22000850.pdf.exeRFQ5462-PO22000850.pdf.exenetsh.exe

description	pid	process	target process
PID 1592 set thread context of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 456 set thread context of 1372	456	RFQ5462-PO22000850.pdf.exe	Explorer.EXE
PID 1776 set thread context of 1372	1776	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1120 schtasks.exe

pid	process
1120	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

RFQ5462-PO22000850.pdf.exepowershell.exenetsh.exe

pid	process
456	RFQ5462-PO22000850.pdf.exe
952	powershell.exe
456	RFQ5462-PO22000850.pdf.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RFQ5462-PO22000850.pdf.exenetsh.exe

pid	process
456	RFQ5462-PO22000850.pdf.exe
456	RFQ5462-PO22000850.pdf.exe
456	RFQ5462-PO22000850.pdf.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe
1776	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeRFQ5462-PO22000850.pdf.exenetsh.exe

description	pid	process
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	456	RFQ5462-PO22000850.pdf.exe
Token: SeDebugPrivilege	1776	netsh.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

RFQ5462-PO22000850.pdf.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1592 wrote to memory of 952	1592	RFQ5462-PO22000850.pdf.exe	powershell.exe
PID 1592 wrote to memory of 952	1592	RFQ5462-PO22000850.pdf.exe	powershell.exe
PID 1592 wrote to memory of 952	1592	RFQ5462-PO22000850.pdf.exe	powershell.exe
PID 1592 wrote to memory of 952	1592	RFQ5462-PO22000850.pdf.exe	powershell.exe
PID 1592 wrote to memory of 1120	1592	RFQ5462-PO22000850.pdf.exe	schtasks.exe
PID 1592 wrote to memory of 1120	1592	RFQ5462-PO22000850.pdf.exe	schtasks.exe
PID 1592 wrote to memory of 1120	1592	RFQ5462-PO22000850.pdf.exe	schtasks.exe
PID 1592 wrote to memory of 1120	1592	RFQ5462-PO22000850.pdf.exe	schtasks.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1592 wrote to memory of 456	1592	RFQ5462-PO22000850.pdf.exe	RFQ5462-PO22000850.pdf.exe
PID 1372 wrote to memory of 1776	1372	Explorer.EXE	netsh.exe
PID 1372 wrote to memory of 1776	1372	Explorer.EXE	netsh.exe
PID 1372 wrote to memory of 1776	1372	Explorer.EXE	netsh.exe
PID 1372 wrote to memory of 1776	1372	Explorer.EXE	netsh.exe
PID 1776 wrote to memory of 1972	1776	netsh.exe	Firefox.exe
PID 1776 wrote to memory of 1972	1776	netsh.exe	Firefox.exe
PID 1776 wrote to memory of 1972	1776	netsh.exe	Firefox.exe
PID 1776 wrote to memory of 1972	1776	netsh.exe	Firefox.exe
PID 1776 wrote to memory of 1972	1776	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\RFQ5462-PO22000850.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ5462-PO22000850.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TUciHnCOcgcjY.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TUciHnCOcgcjY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE966.tmp"
3⤵
- Creates scheduled task(s)
PID:1120

C:\Users\Admin\AppData\Local\Temp\RFQ5462-PO22000850.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ5462-PO22000850.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE966.tmp
Filesize
1KB

MD5
ce3f11f43c65a62d350ad6d1e2ade00f

SHA1
998c05978d018f3fc9b5a9cb93945eebd7386402

SHA256
5004870752ae2aee5a43cf19ca97cf3adde234c907568460a03d5ab56c3fbdd7

SHA512
34b34ee1654dac4cf537002ef7de4d0a81d3da068336281706975a463a0a418445ff5a79d8a852e1ba77996ea69dbb0b9c00f73909a1199a1b9756a296e17397

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logim.jpeg
Filesize
65KB

MD5
b74b61d98f83182c043d32241cb8ca5b

SHA1
873b1570b6a935ba8499a2add61dcdfba4c105c0

SHA256
5c89850f4a25d3ef8080d7e9d86ebf4b055148bff76d73cd65042ff4af59b516

SHA512
72fc5774a38254fac8bb1c0a2a200ceb021bfa053356d3ddb5aa2e124c9aafb398bc72fcea5468b4723a9ddce6dbf07769aa7822dd943e45bcf79dd42cf04b50

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logrf.ini
Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/456-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-73-0x0000000000140000-0x0000000000155000-memory.dmp

Filesize
84KB

Download
memory/456-72-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/456-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-68-0x000000000041F1B0-mapping.dmp

Download
memory/952-75-0x000000006EB10000-0x000000006F0BB000-memory.dmp

Filesize
5.7MB

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/952-70-0x000000006EB10000-0x000000006F0BB000-memory.dmp

Filesize
5.7MB

Download
memory/1120-60-0x0000000000000000-mapping.dmp

Download
memory/1372-84-0x0000000006BF0000-0x0000000006D7B000-memory.dmp

Filesize
1.5MB

Download
memory/1372-74-0x0000000006420000-0x000000000651C000-memory.dmp

Filesize
1008KB

Download
memory/1372-82-0x0000000006BF0000-0x0000000006D7B000-memory.dmp

Filesize
1.5MB

Download
memory/1592-54-0x00000000009B0000-0x0000000000A50000-memory.dmp

Filesize
640KB

Download
memory/1592-63-0x0000000004ED0000-0x0000000004F04000-memory.dmp

Filesize
208KB

Download
memory/1592-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1592-56-0x0000000000470000-0x000000000048E000-memory.dmp

Filesize
120KB

Download
memory/1592-57-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/1592-58-0x0000000005020000-0x000000000508C000-memory.dmp

Filesize
432KB

Download
memory/1776-78-0x00000000016A0000-0x00000000016BB000-memory.dmp

Filesize
108KB

Download
memory/1776-83-0x0000000000AA0000-0x0000000000B34000-memory.dmp

Filesize
592KB

Download
memory/1776-81-0x0000000000AA0000-0x0000000000B34000-memory.dmp

Filesize
592KB

Download
memory/1776-80-0x0000000000D70000-0x0000000001073000-memory.dmp

Filesize
3.0MB

Download
memory/1776-79-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1776-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads