formbook | b6af4d62365de0a1bd4af15eb2012438146996caba9eab8ac1a89e904c8eca30

General

Target

ORDEN DE COMPRA DE DICIEMBRE pdf.exe
Size

573KB
MD5

e5666f11a9f07f0b5754f6e24be28ee7
SHA1

df09902dda3e6917bed30d53505384b60dadfa0a
SHA256

dbbbb6acb1f5da76b3a7b03130d5e8235ac8fcb43f16fdb7e226bcc595fde196
SHA512

e14242f82ae798afdad460d99a70bc9977f8c566a7da6d19287b906b03b1e24425d7481fa5a4aa93cde9288bf6a7b3195f90147f28e7d6e76175fa4d4fb82caf
SSDEEP

12288:QqXGLLa1ptsstO8w0WRMCJO7BkFIqpwp:QqWvqhOsmIqpwp

Score

10^/10

formbook d0a7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5080-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5080-152-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5080-155-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2636-159-0x0000000000360000-0x000000000038F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ORDEN DE COMPRA DE DICIEMBRE pdf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exeRegSvcs.exeWWAHost.exe

description	pid	process	target process
PID 4132 set thread context of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 5080 set thread context of 2584	5080	RegSvcs.exe	Explorer.EXE
PID 5080 set thread context of 2584	5080	RegSvcs.exe	Explorer.EXE
PID 2636 set thread context of 2584	2636	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4480 schtasks.exe

pid	process
4480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exeRegSvcs.exeWWAHost.exe

pid	process
4608	powershell.exe
5080	RegSvcs.exe
5080	RegSvcs.exe
5080	RegSvcs.exe
5080	RegSvcs.exe
4608	powershell.exe
5080	RegSvcs.exe
5080	RegSvcs.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe
2636	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2584 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exeWWAHost.exe

pid process

5080 RegSvcs.exe
5080 RegSvcs.exe
5080 RegSvcs.exe
5080 RegSvcs.exe
2636 WWAHost.exe
2636 WWAHost.exe

pid	process
2584	Explorer.EXE

pid	process
5080	RegSvcs.exe
5080	RegSvcs.exe
5080	RegSvcs.exe
5080	RegSvcs.exe
2636	WWAHost.exe
2636	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeRegSvcs.exeWWAHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	5080	RegSvcs.exe
Token: SeDebugPrivilege	2636	WWAHost.exe
Token: SeShutdownPrivilege	2584	Explorer.EXE
Token: SeCreatePagefilePrivilege	2584	Explorer.EXE
Token: SeShutdownPrivilege	2584	Explorer.EXE
Token: SeCreatePagefilePrivilege	2584	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2584 Explorer.EXE
2584 Explorer.EXE

pid	process
2584	Explorer.EXE
2584	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 4132 wrote to memory of 4608	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 4132 wrote to memory of 4608	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 4132 wrote to memory of 4608	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 4132 wrote to memory of 4480	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 4132 wrote to memory of 4480	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 4132 wrote to memory of 4480	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 4132 wrote to memory of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 4132 wrote to memory of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 4132 wrote to memory of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 4132 wrote to memory of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 4132 wrote to memory of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 4132 wrote to memory of 5080	4132	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 2584 wrote to memory of 2636	2584	Explorer.EXE	WWAHost.exe
PID 2584 wrote to memory of 2636	2584	Explorer.EXE	WWAHost.exe
PID 2584 wrote to memory of 2636	2584	Explorer.EXE	WWAHost.exe
PID 2636 wrote to memory of 2380	2636	WWAHost.exe	cmd.exe
PID 2636 wrote to memory of 2380	2636	WWAHost.exe	cmd.exe
PID 2636 wrote to memory of 2380	2636	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA DE DICIEMBRE pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA DE DICIEMBRE pdf.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KiaSYgZ.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KiaSYgZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF30.tmp"
3⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFF30.tmp
Filesize
1KB

MD5
570ffe26dea0f6364e0bc3ce86d79d3d

SHA1
e659156aa55d7dbd4b772ff0813710b3b76fc689

SHA256
365eaa53fa73cd81c2982e7d83ca4121aaa596fcec1aa7434bee97308f6f1835

SHA512
05218f1848252eaf02b94a4f8a4ea7787ef1822578009288b2fbf874275a484eadf5c9a378ab2eec16d90da5d456221aee37950687616e34b469bca7eea08ec5

Download Submit
memory/2380-161-0x0000000000000000-mapping.dmp

Download
memory/2584-160-0x0000000002930000-0x00000000029EE000-memory.dmp

Filesize
760KB

Download
memory/2584-151-0x0000000008150000-0x0000000008297000-memory.dmp

Filesize
1.3MB

Download
memory/2584-154-0x0000000002930000-0x00000000029EE000-memory.dmp

Filesize
760KB

Download
memory/2584-167-0x0000000008430000-0x0000000008597000-memory.dmp

Filesize
1.4MB

Download
memory/2584-163-0x0000000008430000-0x0000000008597000-memory.dmp

Filesize
1.4MB

Download
memory/2636-156-0x0000000000000000-mapping.dmp

Download
memory/2636-157-0x0000000001520000-0x000000000186A000-memory.dmp

Filesize
3.3MB

Download
memory/2636-158-0x0000000000EE0000-0x0000000000FBC000-memory.dmp

Filesize
880KB

Download
memory/2636-162-0x00000000011C0000-0x0000000001254000-memory.dmp

Filesize
592KB

Download
memory/2636-159-0x0000000000360000-0x000000000038F000-memory.dmp

Filesize
188KB

Download
memory/4132-135-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/4132-132-0x0000000000610000-0x00000000006A6000-memory.dmp

Filesize
600KB

Download
memory/4132-133-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/4132-134-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4132-136-0x00000000072B0000-0x000000000734C000-memory.dmp

Filesize
624KB

Download
memory/4480-138-0x0000000000000000-mapping.dmp

Download
memory/4608-144-0x0000000005F80000-0x0000000005FA2000-memory.dmp

Filesize
136KB

Download
memory/4608-139-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/4608-137-0x0000000000000000-mapping.dmp

Download
memory/4608-170-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/4608-171-0x0000000007CD0000-0x0000000007D66000-memory.dmp

Filesize
600KB

Download
memory/4608-169-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/4608-168-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/4608-148-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4608-146-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4608-145-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/4608-166-0x0000000001280000-0x000000000129E000-memory.dmp

Filesize
120KB

Download
memory/4608-142-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/4608-165-0x0000000071B90000-0x0000000071BDC000-memory.dmp

Filesize
304KB

Download
memory/4608-164-0x0000000006CE0000-0x0000000006D12000-memory.dmp

Filesize
200KB

Download
memory/5080-141-0x0000000000000000-mapping.dmp

Download
memory/5080-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-149-0x0000000001840000-0x0000000001B8A000-memory.dmp

Filesize
3.3MB

Download
memory/5080-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-153-0x0000000003430000-0x0000000003445000-memory.dmp

Filesize
84KB

Download
memory/5080-150-0x0000000001390000-0x00000000013A5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads