formbook | 08fc30191cdb3900aad985dd7203f002dd7ac1176acd1ae7861021cc641b6a40

General

Target

quotation orda.exe
Size

685KB
MD5

79ac7b7624cbab492eb2444876e0fc7a
SHA1

8f59ff54e030341dd66debe13ccf3a80c630201e
SHA256

08fc30191cdb3900aad985dd7203f002dd7ac1176acd1ae7861021cc641b6a40
SHA512

ae184f1feae78804ffa2eb427b1b744a951cfea63d8005b259f81cabe145e876aab3a78df5c8e583c6916ff920d8a827e10e7254c47b91241c57e777d3a07864
SSDEEP

12288:2qKqnAoLzp6iEZrm4RQMIUa6ijcswvP5IwZ7poXduuW:9n38M4a4Li/0GwuXY

Score

10^/10

formbook n13e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n13e

Decoy

cowiemarketing.com

uniqueliquidz.co.uk

755259.com

7bw95.com

luxbarstools.co.uk

baccaratda.com

berkayakpinar.xyz

gistus.africa

hjd387.com

leave-fly.com

golfclubdaddy.com

engineeringea.buzz

countryrevisited.com

decoracioneskalite.com

imaginationlirbary.com

moneytransfer.africa

brainwaveproject.com

3039sjbqf2022.com

184hotels.com

aromamiaro.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2808-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2808-156-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4344-158-0x0000000000EF0000-0x0000000000F1F000-memory.dmp	formbook
behavioral2/memory/4344-160-0x0000000000EF0000-0x0000000000F1F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quotation orda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	quotation orda.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

quotation orda.exequotation orda.exesystray.exe

description	pid	process	target process
PID 2600 set thread context of 2808	2600	quotation orda.exe	quotation orda.exe
PID 2808 set thread context of 3152	2808	quotation orda.exe	Explorer.EXE
PID 4344 set thread context of 3152	4344	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3280 schtasks.exe

pid	process
3280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

quotation orda.exequotation orda.exesystray.exe

pid	process
2600	quotation orda.exe
2600	quotation orda.exe
2808	quotation orda.exe
2808	quotation orda.exe
2808	quotation orda.exe
2808	quotation orda.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe
4344	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

quotation orda.exesystray.exe

pid process

2808 quotation orda.exe
2808 quotation orda.exe
2808 quotation orda.exe
4344 systray.exe
4344 systray.exe

pid	process
3152	Explorer.EXE

pid	process
2808	quotation orda.exe
2808	quotation orda.exe
2808	quotation orda.exe
4344	systray.exe
4344	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

quotation orda.exequotation orda.exesystray.exe

description	pid	process
Token: SeDebugPrivilege	2600	quotation orda.exe
Token: SeDebugPrivilege	2808	quotation orda.exe
Token: SeDebugPrivilege	4344	systray.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

quotation orda.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2600 wrote to memory of 3280	2600	quotation orda.exe	schtasks.exe
PID 2600 wrote to memory of 3280	2600	quotation orda.exe	schtasks.exe
PID 2600 wrote to memory of 3280	2600	quotation orda.exe	schtasks.exe
PID 2600 wrote to memory of 3644	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 3644	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 3644	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 2808	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 2808	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 2808	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 2808	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 2808	2600	quotation orda.exe	quotation orda.exe
PID 2600 wrote to memory of 2808	2600	quotation orda.exe	quotation orda.exe
PID 3152 wrote to memory of 4344	3152	Explorer.EXE	systray.exe
PID 3152 wrote to memory of 4344	3152	Explorer.EXE	systray.exe
PID 3152 wrote to memory of 4344	3152	Explorer.EXE	systray.exe
PID 4344 wrote to memory of 1032	4344	systray.exe	cmd.exe
PID 4344 wrote to memory of 1032	4344	systray.exe	cmd.exe
PID 4344 wrote to memory of 1032	4344	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\quotation orda.exe
"C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tQEuZJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1702.tmp"
3⤵
- Creates scheduled task(s)
PID:3280

C:\Users\Admin\AppData\Local\Temp\quotation orda.exe
"{path}"
3⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\quotation orda.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"
3⤵
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1702.tmp
Filesize
1KB

MD5
ce4eefae0d8264a403f36153c8c7a482

SHA1
facd41da1b951f7f10ada34c28a058d7fbedc422

SHA256
2799fc5c9b13dc1a61c801dc1dbe4650c7ae569c34f8ea9a52d9c8daafeda8d4

SHA512
2ccfd8a92a7dbe8479fe7c43824391b1f054344ff25bcc36d2d2b7eb6baca880d3b417e7843d08cb288be4ccf5d521c45f19e9b16c962220be58238ea3330a5e

Download Submit
memory/2600-136-0x00000000003F0000-0x00000000004A2000-memory.dmp

Filesize
712KB

Download
memory/2600-137-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/2600-138-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/2600-139-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/2600-140-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/2600-141-0x00000000051A0000-0x00000000051F6000-memory.dmp

Filesize
344KB

Download
memory/2600-142-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2600-143-0x000000007EE20000-0x000000007EE30000-memory.dmp

Filesize
64KB

Download
memory/2600-144-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2600-145-0x000000007EE20000-0x000000007EE30000-memory.dmp

Filesize
64KB

Download
memory/2808-152-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/2808-153-0x0000000000DC0000-0x0000000000DD4000-memory.dmp

Filesize
80KB

Download
memory/2808-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3152-163-0x0000000004220000-0x00000000042FB000-memory.dmp

Filesize
876KB

Download
memory/3152-154-0x00000000082E0000-0x0000000008427000-memory.dmp

Filesize
1.3MB

Download
memory/3152-166-0x0000000004220000-0x00000000042FB000-memory.dmp

Filesize
876KB

Download
memory/3152-164-0x0000000004220000-0x00000000042FB000-memory.dmp

Filesize
876KB

Download
memory/4344-158-0x0000000000EF0000-0x0000000000F1F000-memory.dmp

Filesize
188KB

Download
memory/4344-160-0x0000000000EF0000-0x0000000000F1F000-memory.dmp

Filesize
188KB

Download
memory/4344-162-0x0000000002F10000-0x0000000002FA3000-memory.dmp

Filesize
588KB

Download
memory/4344-159-0x00000000030C0000-0x000000000340A000-memory.dmp

Filesize
3.3MB

Download
memory/4344-157-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/4344-155-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads