formbook | 8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec

General

Target

8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
Size

709KB
MD5

ca8650a170da8f4dd140aa4192d9da94
SHA1

41245e2b222b1022006a85046c2d1c6e974c4edb
SHA256

8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec
SHA512

f22d5c26e9e5ac0ac96f052afae88f009ed5fb87d7fe7b2550d251b6a83f0b9a67400b745941876cf8c24c324b6be08ec1fa8b8c63d2689a53450ba826b49b34
SSDEEP

12288:/Au825XkTH8gfIwZKoT/U3RnuKsLJrX7MZowGm4:oFCkTowZKfhnuxVD7MZoa

Score

10^/10

formbook modiloader p6rd persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p6rd

Decoy

tractionjet.com

safaritraffic.website

tasmok.com

xmjeans.com

buybestdildos.com

erwewewcsds.com

streetfonia.com

forgrat.xyz

lonsop.com

canyonvilletigers.com

italiangpt.com

jpoyferre.com

azabunoreraku.tokyo

pelvicfloorexercises.website

cai6.love

chesterguiam.com

sushmapaxton.com

paperbound.store

muzidalipha.com

irenechan.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/464-148-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/4428-153-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/2312-159-0x00000000012C0000-0x00000000012EF000-memory.dmp	formbook
behavioral2/memory/2312-178-0x00000000012C0000-0x00000000012EF000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/464-133-0x00000000022C0000-0x00000000022EC000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mluvzqoq = "C:\\Users\\Public\\Libraries\\qoqzvulM.url"	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

colorcpl.execmstp.exe

description	pid	process	target process
PID 4428 set thread context of 3148	4428	colorcpl.exe	Explorer.EXE
PID 2312 set thread context of 3148	2312	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe

pid	process
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

colorcpl.execmstp.exe

pid process

4428 colorcpl.exe
4428 colorcpl.exe
4428 colorcpl.exe
2312 cmstp.exe
2312 cmstp.exe

pid	process
3148	Explorer.EXE

pid	process
4428	colorcpl.exe
4428	colorcpl.exe
4428	colorcpl.exe
2312	cmstp.exe
2312	cmstp.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

colorcpl.exeExplorer.EXEcmstp.exe

description	pid	process
Token: SeDebugPrivilege	4428	colorcpl.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	2312	cmstp.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE
3148 Explorer.EXE

pid	process
3148	Explorer.EXE
3148	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 464 wrote to memory of 4428	464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe	colorcpl.exe
PID 464 wrote to memory of 4428	464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe	colorcpl.exe
PID 464 wrote to memory of 4428	464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe	colorcpl.exe
PID 464 wrote to memory of 4428	464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe	colorcpl.exe
PID 464 wrote to memory of 4428	464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe	colorcpl.exe
PID 464 wrote to memory of 4428	464	8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe	colorcpl.exe
PID 3148 wrote to memory of 2312	3148	Explorer.EXE	cmstp.exe
PID 3148 wrote to memory of 2312	3148	Explorer.EXE	cmstp.exe
PID 3148 wrote to memory of 2312	3148	Explorer.EXE	cmstp.exe
PID 2312 wrote to memory of 4144	2312	cmstp.exe	cmd.exe
PID 2312 wrote to memory of 4144	2312	cmstp.exe	cmd.exe
PID 2312 wrote to memory of 4144	2312	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe
"C:\Users\Admin\AppData\Local\Temp\8f9dbb0313ac2bc7eee44b775e99053e0023472db4c3994c28561830d39bf5ec.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\colorcpl.exe"
3⤵
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/464-135-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/464-136-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/464-147-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/464-148-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/464-133-0x00000000022C0000-0x00000000022EC000-memory.dmp

Filesize
176KB

Download
memory/2312-158-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download
memory/2312-180-0x0000000003000000-0x0000000003093000-memory.dmp

Filesize
588KB

Download
memory/2312-178-0x00000000012C0000-0x00000000012EF000-memory.dmp

Filesize
188KB

Download
memory/2312-160-0x0000000003160000-0x00000000034AA000-memory.dmp

Filesize
3.3MB

Download
memory/2312-159-0x00000000012C0000-0x00000000012EF000-memory.dmp

Filesize
188KB

Download
memory/2312-157-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download
memory/3148-176-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-189-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-229-0x00000000029D0000-0x00000000029D2000-memory.dmp

Filesize
8KB

Download
memory/3148-161-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-162-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-163-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-164-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-165-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-166-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-167-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-168-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-169-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-171-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-172-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-170-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-173-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-174-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-175-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-218-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-177-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/3148-217-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-216-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-181-0x0000000008900000-0x0000000008A24000-memory.dmp

Filesize
1.1MB

Download
memory/3148-182-0x0000000008900000-0x0000000008A24000-memory.dmp

Filesize
1.1MB

Download
memory/3148-184-0x0000000008900000-0x0000000008A24000-memory.dmp

Filesize
1.1MB

Download
memory/3148-155-0x0000000002D50000-0x0000000002E46000-memory.dmp

Filesize
984KB

Download
memory/3148-190-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-191-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-192-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-193-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-194-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-195-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-196-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-197-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-198-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-199-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-200-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-201-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-202-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-203-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-204-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-205-0x00000000029D0000-0x00000000029D2000-memory.dmp

Filesize
8KB

Download
memory/3148-212-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-213-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-214-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3148-215-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/4428-149-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/4428-152-0x0000000005020000-0x000000000536A000-memory.dmp

Filesize
3.3MB

Download
memory/4428-153-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4428-154-0x0000000004DC0000-0x0000000004DD4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads