formbook | 85465b3e86e0e4a460fcf28729773f52de6777db71890ead00e4bee867a3e3ec

General

Target

Swift Payment Copy .xla.exe
Size

793KB
MD5

1721e78ab207e52b366bf7a7723a656b
SHA1

d2cbaf931dc21807ae5f3ac477810f7f537d444e
SHA256

85465b3e86e0e4a460fcf28729773f52de6777db71890ead00e4bee867a3e3ec
SHA512

c03920bed87494876f7683ae7081c8977b90165e0645fe5b410dff13be305a61e60fef698972019a57074d7c9a2aa4ca0cf2089f66c323e70aaff73ee1a60510
SSDEEP

12288:VV2cbnbazcd5JluSVVvkYhrN+kZt+kXPqTdTB2O4rwSMpxwhxStY:V4cnOcd53uSVVJRskZQWq5oOqLM2xS+

Score

10^/10

formbook modiloader nvp4 persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21815&authkey=AO1B_84jlgMTl9c

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3536-132-0x0000000003E50000-0x0000000003E7C000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

50 1464 powershell.exe
57 1464 powershell.exe

flow	pid	process
50	1464	powershell.exe
57	1464	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Swift Payment Copy .xla.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wgelnqfe = "C:\\Users\\Public\\Libraries\\efqnlegW.url"	Swift Payment Copy .xla.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

colorcpl.exemsiexec.exe

description	pid	process	target process
PID 3488 set thread context of 2380	3488	colorcpl.exe	Explorer.EXE
PID 3304 set thread context of 2380	3304	msiexec.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exeSwift Payment Copy .xla.execolorcpl.exemsiexec.exe

pid	process
1464	powershell.exe
1464	powershell.exe
3536	Swift Payment Copy .xla.exe
3536	Swift Payment Copy .xla.exe
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3304	msiexec.exe
3304	msiexec.exe
3304	msiexec.exe
3304	msiexec.exe
3304	msiexec.exe
3304	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

colorcpl.exemsiexec.exe

pid process

3488 colorcpl.exe
3488 colorcpl.exe
3488 colorcpl.exe
3304 msiexec.exe
3304 msiexec.exe

pid	process
3488	colorcpl.exe
3488	colorcpl.exe
3488	colorcpl.exe
3304	msiexec.exe
3304	msiexec.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.execolorcpl.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3488	colorcpl.exe
Token: SeShutdownPrivilege	2380	Explorer.EXE
Token: SeCreatePagefilePrivilege	2380	Explorer.EXE
Token: SeShutdownPrivilege	2380	Explorer.EXE
Token: SeCreatePagefilePrivilege	2380	Explorer.EXE
Token: SeDebugPrivilege	3304	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Swift Payment Copy .xla.execmd.exeExplorer.EXE

description	pid	process	target process
PID 3536 wrote to memory of 4020	3536	Swift Payment Copy .xla.exe	cmd.exe
PID 3536 wrote to memory of 4020	3536	Swift Payment Copy .xla.exe	cmd.exe
PID 3536 wrote to memory of 4020	3536	Swift Payment Copy .xla.exe	cmd.exe
PID 4020 wrote to memory of 1464	4020	cmd.exe	powershell.exe
PID 4020 wrote to memory of 1464	4020	cmd.exe	powershell.exe
PID 4020 wrote to memory of 1464	4020	cmd.exe	powershell.exe
PID 3536 wrote to memory of 3488	3536	Swift Payment Copy .xla.exe	colorcpl.exe
PID 3536 wrote to memory of 3488	3536	Swift Payment Copy .xla.exe	colorcpl.exe
PID 3536 wrote to memory of 3488	3536	Swift Payment Copy .xla.exe	colorcpl.exe
PID 3536 wrote to memory of 3488	3536	Swift Payment Copy .xla.exe	colorcpl.exe
PID 3536 wrote to memory of 3488	3536	Swift Payment Copy .xla.exe	colorcpl.exe
PID 3536 wrote to memory of 3488	3536	Swift Payment Copy .xla.exe	colorcpl.exe
PID 2380 wrote to memory of 3304	2380	Explorer.EXE	msiexec.exe
PID 2380 wrote to memory of 3304	2380	Explorer.EXE	msiexec.exe
PID 2380 wrote to memory of 3304	2380	Explorer.EXE	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy .xla.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy .xla.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png

Filesize
185KB

MD5
3385285a8ae3b9aa8b29c9056f219725

SHA1
ce533bc605693d957c552e3bfada86c68c2f352b

SHA256
d630d5ab79ce2fc0f479a92226f945b7be51104f35e95ec0c9490d78ecc960e3

SHA512
689e87d6aa05bda334b18a4e2cd39d9445cfa8cb7e2495dec110aea7c851dc7abc5e00ae376884fd44f7479a1075e7121003d81b406be8cd9832d9c950db9321

Download Submit
C:\Users\Public\Libraries\png.bat

Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1

Filesize
241B

MD5
16347e9f1fab632cc9f3bda14900ac97

SHA1
9d7838e4d9693b0911028a1976d3179dfc17c583

SHA256
25cef2e7db529683a3725c54e4cf7a596c872a5e42519095ce2fe5730888e57e

SHA512
9bde664979109e99f7d9a3bc70783befd706a722f8e9b0e3f5da177e0d4c0746b15dd929d882439479817822edc1b384a645a3617585de8215bcdf90d9001f67

Download Submit
memory/1464-139-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/1464-137-0x00000000044F0000-0x0000000004526000-memory.dmp

Filesize
216KB

Download
memory/1464-138-0x0000000004C70000-0x0000000005298000-memory.dmp

Filesize
6.2MB

Download
memory/1464-140-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/1464-141-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/1464-142-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/1464-136-0x0000000000000000-mapping.dmp

Download
memory/1464-144-0x0000000007170000-0x00000000077EA000-memory.dmp

Filesize
6.5MB

Download
memory/1464-145-0x0000000005F70000-0x0000000005F8A000-memory.dmp

Filesize
104KB

Download
memory/2380-157-0x00000000031D0000-0x00000000032FD000-memory.dmp

Filesize
1.2MB

Download
memory/2380-165-0x00000000089E0000-0x0000000008B46000-memory.dmp

Filesize
1.4MB

Download
memory/2380-163-0x00000000089E0000-0x0000000008B46000-memory.dmp

Filesize
1.4MB

Download
memory/3304-158-0x0000000000000000-mapping.dmp

Download
memory/3304-160-0x0000000000410000-0x000000000043D000-memory.dmp

Filesize
180KB

Download
memory/3304-164-0x0000000000410000-0x000000000043D000-memory.dmp

Filesize
180KB

Download
memory/3304-162-0x0000000002150000-0x00000000021DF000-memory.dmp

Filesize
572KB

Download
memory/3304-161-0x00000000022C0000-0x000000000260A000-memory.dmp

Filesize
3.3MB

Download
memory/3304-159-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/3488-154-0x0000000005770000-0x0000000005ABA000-memory.dmp

Filesize
3.3MB

Download
memory/3488-156-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/3488-155-0x0000000010432000-0x0000000010434000-memory.dmp

Filesize
8KB

Download
memory/3488-153-0x0000000010411000-0x000000001043F000-memory.dmp

Filesize
184KB

Download
memory/3488-152-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3488-147-0x0000000000000000-mapping.dmp

Download
memory/3488-151-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3536-148-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3536-132-0x0000000003E50000-0x0000000003E7C000-memory.dmp

Filesize
176KB

Download
memory/3536-149-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4020-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads