formbook | 90f18e453ea2b0c1fa4d84d95499ab3bfd11db81a54caa2702cd3749f62c9dec

General

Target

proformaXfaturaXpdf.exe
Size

1.2MB
MD5

703eeb530cbd41d86e20113624a18bd7
SHA1

997930463f0362f53c5f9ee26afed94eff148505
SHA256

90f18e453ea2b0c1fa4d84d95499ab3bfd11db81a54caa2702cd3749f62c9dec
SHA512

89c1361a73c963985db922ec7d72e670f42eb09a2deba287ad535b93ce5e1c30aab53ea1a4e0395346b5647f060ec6f56650cb302d5a5db54d1e5fdd7a314e49
SSDEEP

24576:iFoEhCKAXS/1+O9P1Bza+78soKoxm5OST6Iytld3BIwbgKcQrE/k2+RVN:iF9ii/1+O9P1BB8soKXx7ytldxzV

Score

10^/10

formbook modiloader msev persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

msev

Decoy

brasforeyes.com

416js7.shop

hydratran.com

pro100.one

discuntasp.net

gxinee.com

sknwalker.com

finlandphotohides.com

helps.fyi

ingeciber-mailings.com

afswork.com

versebuild.xyz

supalupa.store

wagonlinework.com

wutaokyc.com

firecomponents.com

karaokezip.com

visoul.net

az-pinapcenter.click

nameswiki.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3044-17-0x0000000002530000-0x0000000003530000-memory.dmp	formbook
behavioral2/memory/3044-20-0x0000000002530000-0x0000000003530000-memory.dmp	formbook
behavioral2/memory/1676-29-0x0000000001210000-0x000000000123F000-memory.dmp	formbook
behavioral2/memory/1676-33-0x0000000001210000-0x000000000123F000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1636-2-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nysswthm = "C:\\Users\\Public\\Nysswthm.url"	proformaXfaturaXpdf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2548	3044	colorcpl.exe	53
PID 1676 set thread context of 2548	1676	cmd.exe	53

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1636	proformaXfaturaXpdf.exe
1636	proformaXfaturaXpdf.exe
3044	colorcpl.exe
3044	colorcpl.exe
3044	colorcpl.exe
3044	colorcpl.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3044	colorcpl.exe
3044	colorcpl.exe
3044	colorcpl.exe
1676	cmd.exe
1676	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	colorcpl.exe
Token: SeShutdownPrivilege	2548	Explorer.EXE
Token: SeCreatePagefilePrivilege	2548	Explorer.EXE
Token: SeShutdownPrivilege	2548	Explorer.EXE
Token: SeCreatePagefilePrivilege	2548	Explorer.EXE
Token: SeDebugPrivilege	1676	cmd.exe
Token: SeShutdownPrivilege	2548	Explorer.EXE
Token: SeCreatePagefilePrivilege	2548	Explorer.EXE
Token: SeShutdownPrivilege	2548	Explorer.EXE
Token: SeCreatePagefilePrivilege	2548	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 3044	1636	proformaXfaturaXpdf.exe	92
PID 1636 wrote to memory of 3044	1636	proformaXfaturaXpdf.exe	92
PID 1636 wrote to memory of 3044	1636	proformaXfaturaXpdf.exe	92
PID 1636 wrote to memory of 3044	1636	proformaXfaturaXpdf.exe	92
PID 2548 wrote to memory of 1676	2548	Explorer.EXE	98
PID 2548 wrote to memory of 1676	2548	Explorer.EXE	98
PID 2548 wrote to memory of 1676	2548	Explorer.EXE	98
PID 1676 wrote to memory of 2984	1676	cmd.exe	99
PID 1676 wrote to memory of 2984	1676	cmd.exe	99
PID 1676 wrote to memory of 2984	1676	cmd.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\proformaXfaturaXpdf.exe
  "C:\Users\Admin\AppData\Local\Temp\proformaXfaturaXpdf.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\colorcpl.exe
    C:\Windows\System32\colorcpl.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\colorcpl.exe"
    3⤵
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-0-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1636-1-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/1636-2-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/1636-4-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1636-5-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1676-29-0x0000000001210000-0x000000000123F000-memory.dmp

Filesize
188KB

Download
memory/1676-33-0x0000000001210000-0x000000000123F000-memory.dmp

Filesize
188KB

Download
memory/1676-26-0x00000000009D0000-0x0000000000A2A000-memory.dmp

Filesize
360KB

Download
memory/1676-28-0x00000000009D0000-0x0000000000A2A000-memory.dmp

Filesize
360KB

Download
memory/1676-35-0x0000000001940000-0x00000000019D3000-memory.dmp

Filesize
588KB

Download
memory/1676-30-0x0000000001C00000-0x0000000001F4A000-memory.dmp

Filesize
3.3MB

Download
memory/2548-37-0x0000000008A40000-0x0000000008BBE000-memory.dmp

Filesize
1.5MB

Download
memory/2548-22-0x00000000088F0000-0x0000000008A35000-memory.dmp

Filesize
1.3MB

Download
memory/2548-36-0x0000000008A40000-0x0000000008BBE000-memory.dmp

Filesize
1.5MB

Download
memory/2548-32-0x00000000088F0000-0x0000000008A35000-memory.dmp

Filesize
1.3MB

Download
memory/3044-21-0x000000000EDD0000-0x000000000EDE4000-memory.dmp

Filesize
80KB

Download
memory/3044-17-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/3044-18-0x000000000E720000-0x000000000EA6A000-memory.dmp

Filesize
3.3MB

Download
memory/3044-20-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads