formbook | 6e3cc2750612c015abe4963c932e37e3fa02c6667d62ee0f728db9e9165c36a8

General

Target

7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
Size

910KB
MD5

7d9e7b27f0510fb4776c55c0165ab25f
SHA1

c12cd673f4c8c516b367b091f3c30d30bc9c11b1
SHA256

db0e998a1dd20e1b6c853cc778592c580971032cc8362d236d055dde3824ca44
SHA512

2bc8144f54b93fb7019ceccf8c62ac043a33e570e21445f3beb8b4e3940310a28116b08ed356f5ad09d237bf68a50b48c9b8dda03008a51e09264e631e44d256
SSDEEP

12288:cvI/SRZe0WFIQ38UWtwn/8vprceJz5Roy59N7axbIeYPG48SLuk8A1xdY5mQPmdx:cQ3SQ3XWtwn/8vB99mDkFyYQPE29K

Score

10^/10

formbook modiloader ges9 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ges9

Decoy

lolofestival.store

amzin.info

pulsahokii.xyz

bahiszirve.com

animekoe.com

kansastaxaccountant.net

howgoodisgod.online

medakaravan.xyz

pesmagazine.net

americanpopulist.info

nepalihandicraft.com

mariabakermodeling.com

cavify.top

onlinewoonboulevard.com

furniture-22830.com

ophthalmicpersonneltraining.us

yz1204.com

extrawhite.site

tomo.store

martfind.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4908-149-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/4172-159-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/1056-160-0x0000000001100000-0x000000000112F000-memory.dmp	formbook
behavioral2/memory/1056-162-0x0000000001100000-0x000000000112F000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4908-134-0x0000000003FC0000-0x0000000003FEC000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzarotih = "C:\\Users\\Public\\Libraries\\hitorazN.url"	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

colorcpl.execmmon32.exe

description	pid	process	target process
PID 4172 set thread context of 664	4172	colorcpl.exe	Explorer.EXE
PID 1056 set thread context of 664	1056	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.execolorcpl.execmmon32.exe

pid	process
4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
4172	colorcpl.exe
4172	colorcpl.exe
4172	colorcpl.exe
4172	colorcpl.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe
1056	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

664 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

colorcpl.execmmon32.exe

pid process

4172 colorcpl.exe
4172 colorcpl.exe
4172 colorcpl.exe
1056 cmmon32.exe
1056 cmmon32.exe

pid	process
664	Explorer.EXE

pid	process
4172	colorcpl.exe
4172	colorcpl.exe
4172	colorcpl.exe
1056	cmmon32.exe
1056	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

colorcpl.exeExplorer.EXEcmmon32.exe

description	pid	process
Token: SeDebugPrivilege	4172	colorcpl.exe
Token: SeShutdownPrivilege	664	Explorer.EXE
Token: SeCreatePagefilePrivilege	664	Explorer.EXE
Token: SeShutdownPrivilege	664	Explorer.EXE
Token: SeCreatePagefilePrivilege	664	Explorer.EXE
Token: SeDebugPrivilege	1056	cmmon32.exe
Token: SeShutdownPrivilege	664	Explorer.EXE
Token: SeCreatePagefilePrivilege	664	Explorer.EXE
Token: SeShutdownPrivilege	664	Explorer.EXE
Token: SeCreatePagefilePrivilege	664	Explorer.EXE
Token: SeShutdownPrivilege	664	Explorer.EXE
Token: SeCreatePagefilePrivilege	664	Explorer.EXE
Token: SeShutdownPrivilege	664	Explorer.EXE
Token: SeCreatePagefilePrivilege	664	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

664 Explorer.EXE
664 Explorer.EXE

pid	process
664	Explorer.EXE
664	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 4908 wrote to memory of 4172	4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	colorcpl.exe
PID 4908 wrote to memory of 4172	4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	colorcpl.exe
PID 4908 wrote to memory of 4172	4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	colorcpl.exe
PID 4908 wrote to memory of 4172	4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	colorcpl.exe
PID 4908 wrote to memory of 4172	4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	colorcpl.exe
PID 4908 wrote to memory of 4172	4908	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	colorcpl.exe
PID 664 wrote to memory of 1056	664	Explorer.EXE	cmmon32.exe
PID 664 wrote to memory of 1056	664	Explorer.EXE	cmmon32.exe
PID 664 wrote to memory of 1056	664	Explorer.EXE	cmmon32.exe
PID 1056 wrote to memory of 3884	1056	cmmon32.exe	cmd.exe
PID 1056 wrote to memory of 3884	1056	cmmon32.exe	cmd.exe
PID 1056 wrote to memory of 3884	1056	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
"C:\Users\Admin\AppData\Local\Temp\7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\colorcpl.exe"
3⤵
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-155-0x0000000003F20000-0x0000000003FF7000-memory.dmp

Filesize
860KB

Download
memory/664-168-0x0000000008480000-0x00000000085CC000-memory.dmp

Filesize
1.3MB

Download
memory/664-166-0x0000000008480000-0x00000000085CC000-memory.dmp

Filesize
1.3MB

Download
memory/664-165-0x0000000008480000-0x00000000085CC000-memory.dmp

Filesize
1.3MB

Download
memory/1056-162-0x0000000001100000-0x000000000112F000-memory.dmp

Filesize
188KB

Download
memory/1056-161-0x0000000003020000-0x000000000336A000-memory.dmp

Filesize
3.3MB

Download
memory/1056-164-0x0000000002E60000-0x0000000002EF4000-memory.dmp

Filesize
592KB

Download
memory/1056-160-0x0000000001100000-0x000000000112F000-memory.dmp

Filesize
188KB

Download
memory/1056-158-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1056-156-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/4172-154-0x0000000004890000-0x00000000048A5000-memory.dmp

Filesize
84KB

Download
memory/4172-159-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4172-152-0x00000000049D0000-0x0000000004D1A000-memory.dmp

Filesize
3.3MB

Download
memory/4172-150-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4908-148-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4908-149-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4908-133-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4908-137-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4908-136-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4908-134-0x0000000003FC0000-0x0000000003FEC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads