formbook | 16b2650737ecebc8c4006966a1ab94e2c8eeca2a627dbcdcc097f97ec97a3ce1

General

Target

7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
Size

910KB
MD5

7d9e7b27f0510fb4776c55c0165ab25f
SHA1

c12cd673f4c8c516b367b091f3c30d30bc9c11b1
SHA256

db0e998a1dd20e1b6c853cc778592c580971032cc8362d236d055dde3824ca44
SHA512

2bc8144f54b93fb7019ceccf8c62ac043a33e570e21445f3beb8b4e3940310a28116b08ed356f5ad09d237bf68a50b48c9b8dda03008a51e09264e631e44d256
SSDEEP

12288:cvI/SRZe0WFIQ38UWtwn/8vprceJz5Roy59N7axbIeYPG48SLuk8A1xdY5mQPmdx:cQ3SQ3XWtwn/8vB99mDkFyYQPE29K

Score

10^/10

formbook modiloader ges9 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ges9

Decoy

lolofestival.store

amzin.info

pulsahokii.xyz

bahiszirve.com

animekoe.com

kansastaxaccountant.net

howgoodisgod.online

medakaravan.xyz

pesmagazine.net

americanpopulist.info

nepalihandicraft.com

mariabakermodeling.com

cavify.top

onlinewoonboulevard.com

furniture-22830.com

ophthalmicpersonneltraining.us

yz1204.com

extrawhite.site

tomo.store

martfind.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2120-156-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/2528-165-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/1656-168-0x0000000000580000-0x00000000005AF000-memory.dmp	formbook
behavioral2/memory/1656-170-0x0000000000580000-0x00000000005AF000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2120-134-0x00000000025B0000-0x00000000025DC000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzarotih = "C:\\Users\\Public\\Libraries\\hitorazN.url"	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 3132	2528	iexpress.exe	46
PID 1656 set thread context of 3132	1656	rundll32.exe	46

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
2528	iexpress.exe
2528	iexpress.exe
2528	iexpress.exe
2528	iexpress.exe
1656	rundll32.exe
1656	rundll32.exe
1656	rundll32.exe
1656	rundll32.exe
1656	rundll32.exe
1656	rundll32.exe
1656	rundll32.exe
1656	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2528	iexpress.exe
2528	iexpress.exe
2528	iexpress.exe
1656	rundll32.exe
1656	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	iexpress.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeDebugPrivilege	1656	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2528	2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	95
PID 2120 wrote to memory of 2528	2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	95
PID 2120 wrote to memory of 2528	2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	95
PID 2120 wrote to memory of 2528	2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	95
PID 2120 wrote to memory of 2528	2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	95
PID 2120 wrote to memory of 2528	2120	7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe	95
PID 3132 wrote to memory of 1656	3132	Explorer.EXE	96
PID 3132 wrote to memory of 1656	3132	Explorer.EXE	96
PID 3132 wrote to memory of 1656	3132	Explorer.EXE	96
PID 1656 wrote to memory of 2380	1656	rundll32.exe	97
PID 1656 wrote to memory of 2380	1656	rundll32.exe	97
PID 1656 wrote to memory of 2380	1656	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
"C:\Users\Admin\AppData\Local\Temp\7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\iexpress.exe
  C:\Windows\System32\iexpress.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2528

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\iexpress.exe"
    3⤵
    PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-163-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download
memory/1656-172-0x0000000002450000-0x00000000024E4000-memory.dmp

Filesize
592KB

Download
memory/1656-170-0x0000000000580000-0x00000000005AF000-memory.dmp

Filesize
188KB

Download
memory/1656-169-0x0000000002610000-0x000000000295A000-memory.dmp

Filesize
3.3MB

Download
memory/1656-168-0x0000000000580000-0x00000000005AF000-memory.dmp

Filesize
188KB

Download
memory/1656-167-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download
memory/2120-156-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2120-133-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2120-155-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2120-136-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2120-134-0x00000000025B0000-0x00000000025DC000-memory.dmp

Filesize
176KB

Download
memory/2528-161-0x0000000004060000-0x0000000004075000-memory.dmp

Filesize
84KB

Download
memory/2528-160-0x00000000041B0000-0x00000000044FA000-memory.dmp

Filesize
3.3MB

Download
memory/2528-165-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2528-157-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/3132-162-0x0000000003130000-0x0000000003216000-memory.dmp

Filesize
920KB

Download
memory/3132-173-0x0000000003530000-0x00000000035FC000-memory.dmp

Filesize
816KB

Download
memory/3132-174-0x0000000003530000-0x00000000035FC000-memory.dmp

Filesize
816KB

Download
memory/3132-176-0x0000000003530000-0x00000000035FC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing