formbook | df3960bb0cd231428eeb614a4814eb449d5c857b61bc2f2e568cf5615a949e8f

General

Target

DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
Size

1.1MB
MD5

a6cef924a4bd619a96f27e3ea6bb57df
SHA1

d0caa19884d168e786dbb8edb40673553a61634f
SHA256

4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574
SHA512

fc653c79211df1be06324979bd8d80cdc493e489a7d4775c967b11987c5ded36fbccbfdcca6705996348d9d126fe42b0971d4bf550db14963026fda3213c8f80
SSDEEP

12288:oX8lOqFSsZ40z3QjB2lr5fPx7Zh70WoQzV9hBoSFhAf1nAhglR:Q8ltFSQ3AB2zp7pcf1nAhglR

Score

10^/10

formbook modiloader ges9 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ges9

Decoy

lolofestival.store

amzin.info

pulsahokii.xyz

bahiszirve.com

animekoe.com

kansastaxaccountant.net

howgoodisgod.online

medakaravan.xyz

pesmagazine.net

americanpopulist.info

nepalihandicraft.com

mariabakermodeling.com

cavify.top

onlinewoonboulevard.com

furniture-22830.com

ophthalmicpersonneltraining.us

yz1204.com

extrawhite.site

tomo.store

martfind.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4120-152-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/4236-162-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/3692-163-0x0000000000DC0000-0x0000000000DEF000-memory.dmp	formbook
behavioral2/memory/3692-165-0x0000000000DC0000-0x0000000000DEF000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4120-134-0x0000000004600000-0x000000000462C000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Issdoppz = "C:\\Users\\Public\\Libraries\\zppodssI.url"	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexpress.exewscript.exe

description	pid	process	target process
PID 4236 set thread context of 3192	4236	iexpress.exe	Explorer.EXE
PID 3692 set thread context of 3192	3692	wscript.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exeiexpress.exewscript.exe

pid	process
4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
4236	iexpress.exe
4236	iexpress.exe
4236	iexpress.exe
4236	iexpress.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe
3692	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3192 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

iexpress.exewscript.exe

pid process

4236 iexpress.exe
4236 iexpress.exe
4236 iexpress.exe
3692 wscript.exe
3692 wscript.exe

pid	process
3192	Explorer.EXE

pid	process
4236	iexpress.exe
4236	iexpress.exe
4236	iexpress.exe
3692	wscript.exe
3692	wscript.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

iexpress.exeExplorer.EXEwscript.exe

description	pid	process
Token: SeDebugPrivilege	4236	iexpress.exe
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeDebugPrivilege	3692	wscript.exe
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 4120 wrote to memory of 4236	4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe	iexpress.exe
PID 4120 wrote to memory of 4236	4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe	iexpress.exe
PID 4120 wrote to memory of 4236	4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe	iexpress.exe
PID 4120 wrote to memory of 4236	4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe	iexpress.exe
PID 4120 wrote to memory of 4236	4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe	iexpress.exe
PID 4120 wrote to memory of 4236	4120	DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe	iexpress.exe
PID 3192 wrote to memory of 3692	3192	Explorer.EXE	wscript.exe
PID 3192 wrote to memory of 3692	3192	Explorer.EXE	wscript.exe
PID 3192 wrote to memory of 3692	3192	Explorer.EXE	wscript.exe
PID 3692 wrote to memory of 3384	3692	wscript.exe	cmd.exe
PID 3692 wrote to memory of 3384	3692	wscript.exe	cmd.exe
PID 3692 wrote to memory of 3384	3692	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
"C:\Users\Admin\AppData\Local\Temp\DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\iexpress.exe"
3⤵
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-158-0x0000000007D30000-0x0000000007E5D000-memory.dmp

Filesize
1.2MB

Download
memory/3192-171-0x0000000008760000-0x00000000088C6000-memory.dmp

Filesize
1.4MB

Download
memory/3192-169-0x0000000008760000-0x00000000088C6000-memory.dmp

Filesize
1.4MB

Download
memory/3192-168-0x0000000008760000-0x00000000088C6000-memory.dmp

Filesize
1.4MB

Download
memory/3692-164-0x0000000002EA0000-0x00000000031EA000-memory.dmp

Filesize
3.3MB

Download
memory/3692-165-0x0000000000DC0000-0x0000000000DEF000-memory.dmp

Filesize
188KB

Download
memory/3692-167-0x0000000002CE0000-0x0000000002D74000-memory.dmp

Filesize
592KB

Download
memory/3692-163-0x0000000000DC0000-0x0000000000DEF000-memory.dmp

Filesize
188KB

Download
memory/3692-161-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/3692-160-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/4120-152-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4120-133-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4120-151-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4120-136-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/4120-134-0x0000000004600000-0x000000000462C000-memory.dmp

Filesize
176KB

Download
memory/4236-162-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4236-157-0x0000000003E70000-0x0000000003E85000-memory.dmp

Filesize
84KB

Download
memory/4236-153-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4236-156-0x0000000003F30000-0x000000000427A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads