formbook | 7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0

General

Target

NEW PO.exe
Size

1.1MB
MD5

5b9d5dd439a7ed7bfc4fb62a17d04b4d
SHA1

ee8ac089fbf4f09861dc06b2298469eca12a9ac7
SHA256

7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0
SHA512

a17b947492ecd61d20cb49015d445a9a88b588f6333f2841a64da1040a0cf949035e0e452c9a945fffa46baa61ad3a2eae17c13093f1c5fd7c58cd3e7caba74b

Score

10^/10

formbook modiloader d27e persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d27e

Decoy

lilysbusride.com

cloud-sechs.com

danpro.co.uk

wendoortech.com

playgroundrebellion.com

betventures.xyz

digimediasolution.net

abrahambetrayedus.com

whinefree.com

realeurolicence.com

makelovetrip.com

damediaagency.com

pinaralsan.com

5bobitw.com

shootingkarelia.online

website-staging.pro

manassadhvi.online

bathroomandkitcenking.com

realtormarket.net

dfysupport.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4948-149-0x0000000050410000-0x000000005043F000-memory.dmp	formbook
behavioral2/memory/3116-193-0x0000000050410000-0x000000005043F000-memory.dmp	formbook
behavioral2/memory/3892-196-0x0000000000590000-0x00000000005BF000-memory.dmp	formbook
behavioral2/memory/3892-200-0x0000000000590000-0x00000000005BF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

NEW PO.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation NEW PO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	NEW PO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NEW PO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bctoiprjb = "C:\\Users\\Public\\Libraries\\bjrpiotcB.url"	NEW PO.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.exemstsc.exe

description	pid	process	target process
PID 3116 set thread context of 2928	3116	cmd.exe	Explorer.EXE
PID 3892 set thread context of 2928	3892	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

NEW PO.execmd.exemstsc.exe

pid	process
4948	NEW PO.exe
4948	NEW PO.exe
3116	cmd.exe
3116	cmd.exe
3116	cmd.exe
3116	cmd.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe
3892	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2928 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

cmd.exemstsc.exe

pid process

3116 cmd.exe
3116 cmd.exe
3116 cmd.exe
3892 mstsc.exe
3892 mstsc.exe

pid	process
2928	Explorer.EXE

pid	process
3116	cmd.exe
3116	cmd.exe
3116	cmd.exe
3892	mstsc.exe
3892	mstsc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

cmd.exeExplorer.EXEmstsc.exe

description	pid	process
Token: SeDebugPrivilege	3116	cmd.exe
Token: SeShutdownPrivilege	2928	Explorer.EXE
Token: SeCreatePagefilePrivilege	2928	Explorer.EXE
Token: SeShutdownPrivilege	2928	Explorer.EXE
Token: SeCreatePagefilePrivilege	2928	Explorer.EXE
Token: SeDebugPrivilege	3892	mstsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NEW PO.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 4948 wrote to memory of 3116	4948	NEW PO.exe	cmd.exe
PID 4948 wrote to memory of 3116	4948	NEW PO.exe	cmd.exe
PID 4948 wrote to memory of 3116	4948	NEW PO.exe	cmd.exe
PID 4948 wrote to memory of 3116	4948	NEW PO.exe	cmd.exe
PID 4948 wrote to memory of 3116	4948	NEW PO.exe	cmd.exe
PID 4948 wrote to memory of 3116	4948	NEW PO.exe	cmd.exe
PID 2928 wrote to memory of 3892	2928	Explorer.EXE	mstsc.exe
PID 2928 wrote to memory of 3892	2928	Explorer.EXE	mstsc.exe
PID 2928 wrote to memory of 3892	2928	Explorer.EXE	mstsc.exe
PID 3892 wrote to memory of 3612	3892	mstsc.exe	cmd.exe
PID 3892 wrote to memory of 3612	3892	mstsc.exe	cmd.exe
PID 3892 wrote to memory of 3612	3892	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\NEW PO.exe
"C:\Users\Admin\AppData\Local\Temp\NEW PO.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-191-0x00000000088E0000-0x0000000008A56000-memory.dmp

Filesize
1.5MB

Download
memory/2928-201-0x0000000008C50000-0x0000000008DA9000-memory.dmp

Filesize
1.3MB

Download
memory/2928-199-0x0000000008C50000-0x0000000008DA9000-memory.dmp

Filesize
1.3MB

Download
memory/3116-193-0x0000000050410000-0x000000005043F000-memory.dmp

Filesize
188KB

Download
memory/3116-190-0x0000000001330000-0x0000000001345000-memory.dmp

Filesize
84KB

Download
memory/3116-147-0x0000000000000000-mapping.dmp

Download
memory/3116-189-0x0000000001DB0000-0x00000000020FA000-memory.dmp

Filesize
3.3MB

Download
memory/3612-194-0x0000000000000000-mapping.dmp

Download
memory/3892-192-0x0000000000000000-mapping.dmp

Download
memory/3892-195-0x0000000000780000-0x00000000008BA000-memory.dmp

Filesize
1.2MB

Download
memory/3892-196-0x0000000000590000-0x00000000005BF000-memory.dmp

Filesize
188KB

Download
memory/3892-197-0x00000000029E0000-0x0000000002D2A000-memory.dmp

Filesize
3.3MB

Download
memory/3892-198-0x0000000002720000-0x00000000027B4000-memory.dmp

Filesize
592KB

Download
memory/3892-200-0x0000000000590000-0x00000000005BF000-memory.dmp

Filesize
188KB

Download
memory/4948-149-0x0000000050410000-0x000000005043F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads