formbook | 2ffd794617caa37c56661fa29be97f34a50f7a49f76e4caa3570b6f2cadd7b34

General

Target

Nainlvkuhdtqpx.exe
Size

700KB
MD5

547abdfd3ecdbbc533c608b4a3168b99
SHA1

6b5b996871c2da3494cfcdc0d352acf35ad486c7
SHA256

2ffd794617caa37c56661fa29be97f34a50f7a49f76e4caa3570b6f2cadd7b34
SHA512

aee32e21489ed4b3c1cb6594996a34aa52242897a7fb2de6d3ee4a23cafb4c0bc7506f1561247d2afe5219cd0c6fec9e4cbe9935d2887fd4ea9f9acae1f2af27
SSDEEP

12288:bgBB6jXPwPtg1b0RYoaN8ntpKzHVKnqAFchi8oyn7nBad:byESSV4YCQzHMqSATB

Score

10^/10

formbook modiloader nvp4 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2760-132-0x0000000002870000-0x000000000289D000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Nainlvkuhdtqpx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nainlvku = "C:\\Users\\Public\\Libraries\\ukvlniaN.url"	Nainlvkuhdtqpx.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexpress.exeNETSTAT.EXE

description	pid	process	target process
PID 1960 set thread context of 2348	1960	iexpress.exe	Explorer.EXE
PID 2312 set thread context of 2348	2312	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2312 NETSTAT.EXE

pid	process
2312	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Nainlvkuhdtqpx.exeiexpress.exeNETSTAT.EXE

pid	process
2760	Nainlvkuhdtqpx.exe
2760	Nainlvkuhdtqpx.exe
2760	Nainlvkuhdtqpx.exe
2760	Nainlvkuhdtqpx.exe
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2348 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

iexpress.exeNETSTAT.EXE

pid process

1960 iexpress.exe
1960 iexpress.exe
1960 iexpress.exe
2312 NETSTAT.EXE
2312 NETSTAT.EXE
2312 NETSTAT.EXE
2312 NETSTAT.EXE

pid	process
2348	Explorer.EXE

pid	process
1960	iexpress.exe
1960	iexpress.exe
1960	iexpress.exe
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE
2312	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

iexpress.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1960	iexpress.exe
Token: SeShutdownPrivilege	2348	Explorer.EXE
Token: SeCreatePagefilePrivilege	2348	Explorer.EXE
Token: SeShutdownPrivilege	2348	Explorer.EXE
Token: SeCreatePagefilePrivilege	2348	Explorer.EXE
Token: SeDebugPrivilege	2312	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Nainlvkuhdtqpx.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2760 wrote to memory of 1960	2760	Nainlvkuhdtqpx.exe	iexpress.exe
PID 2760 wrote to memory of 1960	2760	Nainlvkuhdtqpx.exe	iexpress.exe
PID 2760 wrote to memory of 1960	2760	Nainlvkuhdtqpx.exe	iexpress.exe
PID 2760 wrote to memory of 1960	2760	Nainlvkuhdtqpx.exe	iexpress.exe
PID 2760 wrote to memory of 1960	2760	Nainlvkuhdtqpx.exe	iexpress.exe
PID 2760 wrote to memory of 1960	2760	Nainlvkuhdtqpx.exe	iexpress.exe
PID 2348 wrote to memory of 2312	2348	Explorer.EXE	NETSTAT.EXE
PID 2348 wrote to memory of 2312	2348	Explorer.EXE	NETSTAT.EXE
PID 2348 wrote to memory of 2312	2348	Explorer.EXE	NETSTAT.EXE
PID 2312 wrote to memory of 1488	2312	NETSTAT.EXE	Firefox.exe
PID 2312 wrote to memory of 1488	2312	NETSTAT.EXE	Firefox.exe
PID 2312 wrote to memory of 1488	2312	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\Nainlvkuhdtqpx.exe
"C:\Users\Admin\AppData\Local\Temp\Nainlvkuhdtqpx.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-143-0x0000000010432000-0x0000000010434000-memory.dmp

Filesize
8KB

Download
memory/1960-134-0x0000000000000000-mapping.dmp

Download
memory/1960-147-0x0000000010411000-0x000000001043F000-memory.dmp

Filesize
184KB

Download
memory/1960-146-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1960-140-0x0000000010411000-0x000000001043F000-memory.dmp

Filesize
184KB

Download
memory/1960-138-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1960-141-0x0000000003660000-0x00000000039AA000-memory.dmp

Filesize
3.3MB

Download
memory/1960-142-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2312-145-0x0000000000000000-mapping.dmp

Download
memory/2312-148-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/2312-149-0x0000000001080000-0x00000000010AD000-memory.dmp

Filesize
180KB

Download
memory/2312-150-0x0000000001740000-0x0000000001A8A000-memory.dmp

Filesize
3.3MB

Download
memory/2312-151-0x0000000001620000-0x00000000016AF000-memory.dmp

Filesize
572KB

Download
memory/2312-153-0x0000000001080000-0x00000000010AD000-memory.dmp

Filesize
180KB

Download
memory/2348-144-0x0000000008400000-0x0000000008531000-memory.dmp

Filesize
1.2MB

Download
memory/2348-152-0x0000000002FD0000-0x0000000003087000-memory.dmp

Filesize
732KB

Download
memory/2348-154-0x0000000002FD0000-0x0000000003087000-memory.dmp

Filesize
732KB

Download
memory/2760-132-0x0000000002870000-0x000000000289D000-memory.dmp

Filesize
180KB

Download
memory/2760-136-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2760-135-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads