formbook | 9528017e989109cae2591f60299ef84b42f1eba732c24549ca000171a1edac85

General

Target

NR_ZAMOW.exe
Size

561KB
MD5

abb44d8629dbbae4b307b638fa35c921
SHA1

91b9b648dfcc9261d3c0135eea5c4a9da4e87985
SHA256

55d12f1706d497912ee1c846004edea135577d7e2eb2246e9c439740be365643
SHA512

c6226f1c6634e11a48c79668df2229d43476d6dec9351da239bf9da58500751e584dccf3eea2aba77e881b2eb9c8b116843b0cee5a7d2af21db0561c4e1661a2
SSDEEP

12288:KTMY1ltUnHhjgUciLJDrLmuychLXK8WEu:KThtejgUci9DvgcM8Wh

Score

10^/10

formbook il23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il23

Decoy

woodlandwoodworking.net

kitchen-deals-69155.com

hiddendia.xyz

xelaxaste.uk

sproutstrive.com

avlulu124.xyz

g-starnetwork.com

a-avdeeva.com

filmart.top

bustime411.com

besyor.xyz

joulex.live

christmastempjobsfinder.life

cxrh-official.com

themuzzy.co.uk

joshisarena.africa

dental4family.com

dietsandsixpacks.co.uk

innovativedigest.com

flyingphoenix.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/560-72-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/560-77-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/1544-84-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1544-86-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NR_ZAMOW.exeNR_ZAMOW.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	NR_ZAMOW.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	NR_ZAMOW.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1576 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

NR_ZAMOW.exe

pid process

1236 NR_ZAMOW.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

NR_ZAMOW.exe

pid process

560 NR_ZAMOW.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

NR_ZAMOW.exeNR_ZAMOW.exe

pid process

1236 NR_ZAMOW.exe
560 NR_ZAMOW.exe

pid	process
1576	cmd.exe

pid	process
1236	NR_ZAMOW.exe

pid	process
560	NR_ZAMOW.exe

pid	process
1236	NR_ZAMOW.exe
560	NR_ZAMOW.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

NR_ZAMOW.exeNR_ZAMOW.exesystray.exe

description	pid	process	target process
PID 1236 set thread context of 560	1236	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 560 set thread context of 1220	560	NR_ZAMOW.exe	Explorer.EXE
PID 1544 set thread context of 1220	1544	systray.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

NR_ZAMOW.exe

description ioc process

File opened for modification C:\Windows\resources\0409\Minatories\Araknofili\Expenditrix\Revalorization62.ini NR_ZAMOW.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

NR_ZAMOW.exesystray.exe

pid process

560 NR_ZAMOW.exe
560 NR_ZAMOW.exe
1544 systray.exe
1544 systray.exe
1544 systray.exe
1544 systray.exe
1544 systray.exe
1544 systray.exe
1544 systray.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

NR_ZAMOW.exeNR_ZAMOW.exesystray.exe

pid process

1236 NR_ZAMOW.exe
560 NR_ZAMOW.exe
560 NR_ZAMOW.exe
560 NR_ZAMOW.exe
1544 systray.exe
1544 systray.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NR_ZAMOW.exeExplorer.EXEsystray.exe

description pid process

Token: SeDebugPrivilege 560 NR_ZAMOW.exe
Token: SeShutdownPrivilege 1220 Explorer.EXE
Token: SeDebugPrivilege 1544 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

description	ioc	process
File opened for modification	C:\Windows\resources\0409\Minatories\Araknofili\Expenditrix\Revalorization62.ini	NR_ZAMOW.exe

pid	process
560	NR_ZAMOW.exe
560	NR_ZAMOW.exe
1544	systray.exe
1544	systray.exe
1544	systray.exe
1544	systray.exe
1544	systray.exe
1544	systray.exe
1544	systray.exe

pid	process
1236	NR_ZAMOW.exe
560	NR_ZAMOW.exe
560	NR_ZAMOW.exe
560	NR_ZAMOW.exe
1544	systray.exe
1544	systray.exe

description	pid	process
Token: SeDebugPrivilege	560	NR_ZAMOW.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1544	systray.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

NR_ZAMOW.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1236 wrote to memory of 560	1236	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 1236 wrote to memory of 560	1236	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 1236 wrote to memory of 560	1236	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 1236 wrote to memory of 560	1236	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 1236 wrote to memory of 560	1236	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 1220 wrote to memory of 1544	1220	Explorer.EXE	systray.exe
PID 1220 wrote to memory of 1544	1220	Explorer.EXE	systray.exe
PID 1220 wrote to memory of 1544	1220	Explorer.EXE	systray.exe
PID 1220 wrote to memory of 1544	1220	Explorer.EXE	systray.exe
PID 1544 wrote to memory of 1576	1544	systray.exe	cmd.exe
PID 1544 wrote to memory of 1576	1544	systray.exe	cmd.exe
PID 1544 wrote to memory of 1576	1544	systray.exe	cmd.exe
PID 1544 wrote to memory of 1576	1544	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe
"C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe
"C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe"
3⤵
- Deletes itself
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\krammets.lnk
Filesize
1KB

MD5
2ea5c74dceaaa67b11daa1014628aeeb

SHA1
e143a193be55974ff5321442b694936f2f56d7d1

SHA256
b1c29716290276eb76640f6636137b8324495fba95646dd755c618544ce7d2b8

SHA512
373b5d21587f0a009448ff59176d9b5ae780142012d0ff6a5471464a1d846b13c50c1cfd3f2550c26b3af77e55a9959341e70a317f021454c3fa624e08b40fed

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1585.tmp\System.dll
Filesize
12KB

MD5
a1da6788aeaf78ca4ae1dece8019e49d

SHA1
d770155e6e9aa69223be198c44a8da26a1756d89

SHA256
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81

SHA512
eada9c1528563ddfe3d4d8ed5dbc52b85a9190765535b68da90e6d623288bf0090adac5118e1ed6e3cb3e0abb9af025d3a2a73121413a4471a90fd04bc861e18

Download Submit
memory/560-74-0x0000000034B10000-0x0000000034E13000-memory.dmp

Filesize
3.0MB

Download
memory/560-70-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/560-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/560-73-0x0000000001470000-0x0000000004885000-memory.dmp

Filesize
52.1MB

Download
memory/560-75-0x00000000347B0000-0x00000000347C4000-memory.dmp

Filesize
80KB

Download
memory/560-77-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/560-69-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/560-79-0x0000000001470000-0x0000000004885000-memory.dmp

Filesize
52.1MB

Download
memory/1220-90-0x0000000006870000-0x000000000699D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-76-0x0000000004DC0000-0x0000000004F6C000-memory.dmp

Filesize
1.7MB

Download
memory/1220-94-0x0000000006870000-0x000000000699D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-91-0x0000000006870000-0x000000000699D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-89-0x0000000004DC0000-0x0000000004F6C000-memory.dmp

Filesize
1.7MB

Download
memory/1544-80-0x0000000000C00000-0x0000000000C05000-memory.dmp

Filesize
20KB

Download
memory/1544-88-0x00000000008E0000-0x0000000000973000-memory.dmp

Filesize
588KB

Download
memory/1544-86-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1544-85-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/1544-84-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1544-81-0x0000000000C00000-0x0000000000C05000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads