formbook | ce010315e45ac1bbd373c48807b19c342de9b486d84adbf4e3a75324c5caea04

General

Target

Ref No.72705JA.exe
Size

1.0MB
MD5

c37c80e84441d6e33c065c562287f831
SHA1

3e3eae640ac15ad0c7163346f4b77d49248e0233
SHA256

ce010315e45ac1bbd373c48807b19c342de9b486d84adbf4e3a75324c5caea04
SHA512

e2ad5a912cfec1bfb906ad3a91dfe50f2759cbb26855354bd411001d653bc41da4d290e58ee333916607d4a1468e81e3a8c2824cfd6d000671453499f22bb4a3
SSDEEP

24576:v6R9yfVUXwTEfF59XADz3OjaZQQJ0nhUGfApfLM:v6mO0MF59XADzejakuGfAJM

Score

10^/10

formbook modiloader nvp4 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1952-133-0x00000000022C0000-0x00000000022EC000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ref No.72705JA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jxrhhqra = "C:\\Users\\Public\\Libraries\\arqhhrxJ.url"	Ref No.72705JA.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

colorcpl.exesvchost.exe

description	pid	process	target process
PID 3476 set thread context of 3148	3476	colorcpl.exe	Explorer.EXE
PID 3476 set thread context of 3148	3476	colorcpl.exe	Explorer.EXE
PID 4880 set thread context of 3148	4880	svchost.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ref No.72705JA.execolorcpl.exesvchost.exe

pid	process
1952	Ref No.72705JA.exe
1952	Ref No.72705JA.exe
1952	Ref No.72705JA.exe
1952	Ref No.72705JA.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

colorcpl.exesvchost.exe

pid process

3476 colorcpl.exe
3476 colorcpl.exe
3476 colorcpl.exe
3476 colorcpl.exe
4880 svchost.exe
4880 svchost.exe
4880 svchost.exe
4880 svchost.exe

pid	process
3148	Explorer.EXE

pid	process
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
3476	colorcpl.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

colorcpl.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	3476	colorcpl.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	4880	svchost.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Ref No.72705JA.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1952 wrote to memory of 3476	1952	Ref No.72705JA.exe	colorcpl.exe
PID 1952 wrote to memory of 3476	1952	Ref No.72705JA.exe	colorcpl.exe
PID 1952 wrote to memory of 3476	1952	Ref No.72705JA.exe	colorcpl.exe
PID 1952 wrote to memory of 3476	1952	Ref No.72705JA.exe	colorcpl.exe
PID 1952 wrote to memory of 3476	1952	Ref No.72705JA.exe	colorcpl.exe
PID 1952 wrote to memory of 3476	1952	Ref No.72705JA.exe	colorcpl.exe
PID 3148 wrote to memory of 4880	3148	Explorer.EXE	svchost.exe
PID 3148 wrote to memory of 4880	3148	Explorer.EXE	svchost.exe
PID 3148 wrote to memory of 4880	3148	Explorer.EXE	svchost.exe
PID 4880 wrote to memory of 2648	4880	svchost.exe	Firefox.exe
PID 4880 wrote to memory of 2648	4880	svchost.exe	Firefox.exe
PID 4880 wrote to memory of 2648	4880	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\Ref No.72705JA.exe
"C:\Users\Admin\AppData\Local\Temp\Ref No.72705JA.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1348

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-135-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1952-136-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1952-147-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1952-148-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1952-133-0x00000000022C0000-0x00000000022EC000-memory.dmp

Filesize
176KB

Download
memory/3148-159-0x0000000008140000-0x0000000008224000-memory.dmp

Filesize
912KB

Download
memory/3148-174-0x0000000008230000-0x00000000082E1000-memory.dmp

Filesize
708KB

Download
memory/3148-172-0x0000000008230000-0x00000000082E1000-memory.dmp

Filesize
708KB

Download
memory/3148-171-0x0000000008230000-0x00000000082E1000-memory.dmp

Filesize
708KB

Download
memory/3148-169-0x0000000008140000-0x0000000008224000-memory.dmp

Filesize
912KB

Download
memory/3148-156-0x0000000002C40000-0x0000000002D06000-memory.dmp

Filesize
792KB

Download
memory/3476-158-0x00000000047A0000-0x00000000047B0000-memory.dmp

Filesize
64KB

Download
memory/3476-155-0x0000000004690000-0x00000000046A0000-memory.dmp

Filesize
64KB

Download
memory/3476-163-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3476-154-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3476-153-0x00000000047D0000-0x0000000004B1A000-memory.dmp

Filesize
3.3MB

Download
memory/3476-152-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3476-149-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4880-161-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/4880-164-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/4880-165-0x0000000000880000-0x00000000008AD000-memory.dmp

Filesize
180KB

Download
memory/4880-166-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/4880-167-0x0000000000880000-0x00000000008AD000-memory.dmp

Filesize
180KB

Download
memory/4880-170-0x0000000001200000-0x000000000128F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads