formbook | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9

General

Target

NUEVA ORDEN DE COMPRA.exe
Size

811KB
MD5

ba9aadaadc270f2311dc84a4c33c3a8e
SHA1

ea2bc535baa5f3d9efae8df9a1928f557c72b863
SHA256

43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
SHA512

33ec365aa550cd7c7d99055c5d7f434f2e65541ccdde1a4665f74e64050f42cb9fbb3f64ec09793805e0e1792e1dcd9288eb7580fa5fe8a4f21b874c0ed0d6f4
SSDEEP

12288:GkTDYsZ1DX/VDJtV7NuswRlClEl7xoDMvu/R9OPgpB0IOJc0:GyDYkMnoSLIMG/CPgT0Bc0

Score

10^/10

formbook d0a7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1496-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1496-69-0x000000000041F040-mapping.dmp	formbook
behavioral1/memory/1496-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1496-81-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1456-85-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1456-91-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

NUEVA ORDEN DE COMPRA.exeRegSvcs.exeipconfig.exe

description	pid	process	target process
PID 1068 set thread context of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1496 set thread context of 1284	1496	RegSvcs.exe	Explorer.EXE
PID 1496 set thread context of 1284	1496	RegSvcs.exe	Explorer.EXE
PID 1456 set thread context of 1284	1456	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1840 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1456 ipconfig.exe

pid	process
1840	schtasks.exe

pid	process
1456	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

RegSvcs.exepowershell.exeipconfig.exe

pid	process
1496	RegSvcs.exe
1496	RegSvcs.exe
1496	RegSvcs.exe
1436	powershell.exe
1456	ipconfig.exe
1456	ipconfig.exe
1456	ipconfig.exe
1456	ipconfig.exe
1456	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exeipconfig.exe

pid process

1496 RegSvcs.exe
1496 RegSvcs.exe
1496 RegSvcs.exe
1496 RegSvcs.exe
1456 ipconfig.exe
1456 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegSvcs.exepowershell.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1496 RegSvcs.exe
Token: SeDebugPrivilege 1436 powershell.exe
Token: SeDebugPrivilege 1456 ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1496	RegSvcs.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1456	ipconfig.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

NUEVA ORDEN DE COMPRA.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1068 wrote to memory of 1436	1068	NUEVA ORDEN DE COMPRA.exe	powershell.exe
PID 1068 wrote to memory of 1436	1068	NUEVA ORDEN DE COMPRA.exe	powershell.exe
PID 1068 wrote to memory of 1436	1068	NUEVA ORDEN DE COMPRA.exe	powershell.exe
PID 1068 wrote to memory of 1436	1068	NUEVA ORDEN DE COMPRA.exe	powershell.exe
PID 1068 wrote to memory of 1840	1068	NUEVA ORDEN DE COMPRA.exe	schtasks.exe
PID 1068 wrote to memory of 1840	1068	NUEVA ORDEN DE COMPRA.exe	schtasks.exe
PID 1068 wrote to memory of 1840	1068	NUEVA ORDEN DE COMPRA.exe	schtasks.exe
PID 1068 wrote to memory of 1840	1068	NUEVA ORDEN DE COMPRA.exe	schtasks.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1068 wrote to memory of 1496	1068	NUEVA ORDEN DE COMPRA.exe	RegSvcs.exe
PID 1284 wrote to memory of 1456	1284	Explorer.EXE	ipconfig.exe
PID 1284 wrote to memory of 1456	1284	Explorer.EXE	ipconfig.exe
PID 1284 wrote to memory of 1456	1284	Explorer.EXE	ipconfig.exe
PID 1284 wrote to memory of 1456	1284	Explorer.EXE	ipconfig.exe
PID 1284 wrote to memory of 852	1284	Explorer.EXE	wininit.exe
PID 1284 wrote to memory of 852	1284	Explorer.EXE	wininit.exe
PID 1284 wrote to memory of 852	1284	Explorer.EXE	wininit.exe
PID 1284 wrote to memory of 852	1284	Explorer.EXE	wininit.exe
PID 1456 wrote to memory of 1832	1456	ipconfig.exe	cmd.exe
PID 1456 wrote to memory of 1832	1456	ipconfig.exe	cmd.exe
PID 1456 wrote to memory of 1832	1456	ipconfig.exe	cmd.exe
PID 1456 wrote to memory of 1832	1456	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\NUEVA ORDEN DE COMPRA.exe
"C:\Users\Admin\AppData\Local\Temp\NUEVA ORDEN DE COMPRA.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZLEBiTF.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZLEBiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71D7.tmp"
3⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1992

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1832

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
PID:852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp71D7.tmp
Filesize
1KB

MD5
752b81a8973d7975c6d317d7e79b13ab

SHA1
de1db3b05cda4bf6daebde603f4af9ac08be748e

SHA256
b8147a195e80fcc24786d86650ebf2a63dc3591e6eb768c1cd06d0318cfed4c2

SHA512
fac93348ea990ac3ecba7d26a4cf7eca122ace8e1bec45e6ec06f4506d19c7a3c6ea5c283f3a6e8f18431e7642e55e90f0a2d87deb80e70d809834734c070095

Download Submit
memory/1068-55-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1068-56-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/1068-57-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1068-58-0x0000000005CB0000-0x0000000005D20000-memory.dmp

Filesize
448KB

Download
memory/1068-54-0x00000000010A0000-0x0000000001172000-memory.dmp

Filesize
840KB

Download
memory/1068-64-0x0000000000D40000-0x0000000000D74000-memory.dmp

Filesize
208KB

Download
memory/1284-89-0x0000000007540000-0x0000000007697000-memory.dmp

Filesize
1.3MB

Download
memory/1284-92-0x0000000007540000-0x0000000007697000-memory.dmp

Filesize
1.3MB

Download
memory/1284-90-0x0000000006C70000-0x0000000006E0B000-memory.dmp

Filesize
1.6MB

Download
memory/1284-74-0x00000000061D0000-0x00000000062F6000-memory.dmp

Filesize
1.1MB

Download
memory/1284-87-0x00000000061D0000-0x00000000062F6000-memory.dmp

Filesize
1.1MB

Download
memory/1284-77-0x0000000006C70000-0x0000000006E0B000-memory.dmp

Filesize
1.6MB

Download
memory/1436-63-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-79-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-78-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-59-0x0000000000000000-mapping.dmp

Download
memory/1456-91-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1456-85-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1456-86-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/1456-88-0x0000000001E60000-0x0000000001EF4000-memory.dmp

Filesize
592KB

Download
memory/1456-84-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1456-80-0x0000000000000000-mapping.dmp

Download
memory/1496-73-0x00000000002B0000-0x00000000002C5000-memory.dmp

Filesize
84KB

Download
memory/1496-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-76-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/1496-72-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1496-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-69-0x000000000041F040-mapping.dmp

Download
memory/1496-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-83-0x0000000000000000-mapping.dmp

Download
memory/1840-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads