formbook | 759c173ba1e02ceead75c5a8b9295e4fef4404bf749c38ffcf5a4855863c4fed

General

Target

APERTURA DEBANCOS.doc (323 KB).exe
Size

722KB
MD5

182bcaad3def25a94746b2d3208ad567
SHA1

c1e652d582e1cd146c8faac376e05a8d13f1d878
SHA256

54fde966426bdd3b101d43647e23f1ed4a527312982372af0cc6a5768fb386ed
SHA512

155f370f0f476d4b94cfd6254077337c46f49c976320a71cb3eaad1a9296cf55aed7620338fe7a547c80175fbb3e75459d8238337db040cc907c4a19b21f3db0
SSDEEP

12288:HoDzEcLL4ZjVUi0EosOijSmrXO9Ax3mIEDs0wvw1ajSxFrXhy:HG4s0jVLyijxZx2qI1ISxdXE

Score

10^/10

formbook modiloader kmge persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/952-145-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/3772-155-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/4456-156-0x0000000000120000-0x000000000014F000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/952-133-0x00000000021D0000-0x00000000021FC000-memory.dmp	modiloader_stage2

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

APERTURA DEBANCOS.doc (323 KB).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vgucvrqh = "C:\\Users\\Public\\Libraries\\hqrvcugV.url"	APERTURA DEBANCOS.doc (323 KB).exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

colorcpl.exehelp.exe

description	pid	process	target process
PID 3772 set thread context of 2576	3772	colorcpl.exe	Explorer.EXE
PID 4456 set thread context of 2576	4456	help.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

APERTURA DEBANCOS.doc (323 KB).exe

pid	process
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe
952	APERTURA DEBANCOS.doc (323 KB).exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

colorcpl.exehelp.exe

pid process

3772 colorcpl.exe
3772 colorcpl.exe
3772 colorcpl.exe
4456 help.exe
4456 help.exe
4456 help.exe
4456 help.exe

pid	process
3772	colorcpl.exe
3772	colorcpl.exe
3772	colorcpl.exe
4456	help.exe
4456	help.exe
4456	help.exe
4456	help.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

colorcpl.exeExplorer.EXEhelp.exe

description	pid	process
Token: SeDebugPrivilege	3772	colorcpl.exe
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeDebugPrivilege	4456	help.exe
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

APERTURA DEBANCOS.doc (323 KB).exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 952 wrote to memory of 3772	952	APERTURA DEBANCOS.doc (323 KB).exe	colorcpl.exe
PID 952 wrote to memory of 3772	952	APERTURA DEBANCOS.doc (323 KB).exe	colorcpl.exe
PID 952 wrote to memory of 3772	952	APERTURA DEBANCOS.doc (323 KB).exe	colorcpl.exe
PID 952 wrote to memory of 3772	952	APERTURA DEBANCOS.doc (323 KB).exe	colorcpl.exe
PID 952 wrote to memory of 3772	952	APERTURA DEBANCOS.doc (323 KB).exe	colorcpl.exe
PID 952 wrote to memory of 3772	952	APERTURA DEBANCOS.doc (323 KB).exe	colorcpl.exe
PID 2576 wrote to memory of 4456	2576	Explorer.EXE	help.exe
PID 2576 wrote to memory of 4456	2576	Explorer.EXE	help.exe
PID 2576 wrote to memory of 4456	2576	Explorer.EXE	help.exe
PID 4456 wrote to memory of 2612	4456	help.exe	cmd.exe
PID 4456 wrote to memory of 2612	4456	help.exe	cmd.exe
PID 4456 wrote to memory of 2612	4456	help.exe	cmd.exe
PID 4456 wrote to memory of 4444	4456	help.exe	Firefox.exe
PID 4456 wrote to memory of 4444	4456	help.exe	Firefox.exe
PID 4456 wrote to memory of 4444	4456	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\APERTURA DEBANCOS.doc (323 KB).exe
"C:\Users\Admin\AppData\Local\Temp\APERTURA DEBANCOS.doc (323 KB).exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2612

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
memory/952-133-0x00000000021D0000-0x00000000021FC000-memory.dmp

Filesize
176KB

Download
memory/952-135-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/952-136-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/952-144-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/952-145-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2576-151-0x0000000008D20000-0x0000000008EAF000-memory.dmp

Filesize
1.6MB

Download
memory/3772-150-0x0000000005580000-0x0000000005594000-memory.dmp

Filesize
80KB

Download
memory/3772-149-0x00000000055D0000-0x000000000591A000-memory.dmp

Filesize
3.3MB

Download
memory/3772-155-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3772-146-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4456-154-0x0000000000D50000-0x0000000000D57000-memory.dmp

Filesize
28KB

Download
memory/4456-153-0x0000000000D50000-0x0000000000D57000-memory.dmp

Filesize
28KB

Download
memory/4456-156-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/4456-157-0x0000000000D60000-0x00000000010AA000-memory.dmp

Filesize
3.3MB

Download
memory/4456-174-0x0000000000870000-0x0000000000903000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads