formbook | e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa

General

Target

e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
Size

1.7MB
MD5

4fa301c6f5c6013be9d3b136ef6fbb96
SHA1

1e1e6227b2bc7426b168a492c4b8d202478be1a4
SHA256

e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa
SHA512

797b816d9163ad032caafcaed0ec43f8c7f3e4689ca61ea71776ff1bc1a5d08aacf671fbb07cdd2be9e10736c2d3a7253763156cb2d91c107d8916e3f758bfc1
SSDEEP

49152:bZAtX8IxTqh0eJa3DZEe9sRuCVCW4lMyqChsQ:bZmXX8Za31CuCc5MXC+Q

Score

10^/10

formbook modiloader 6nrs persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

6nrs

Decoy

mteverestminiralwater.com

northlakesodllcgov.com

de-guru.com

iwz-69.com

323va.com

tiktokshopbuilder.com

sekisensei.com

jcpublicschoolsfoundation.com

yangguangdadao.net

dingshenghr.net

yzyz458.xyz

topmczonseo.com

financeconta.com

handtools-88870.bond

scymedia.online

rutman.store

qlpss.com

righitch.com

parentsrpeople2.com

appeal-request-review.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1800-9-0x00000000045C0000-0x00000000055C0000-memory.dmp	formbook
behavioral2/memory/1800-18-0x00000000045C0000-0x00000000055C0000-memory.dmp	formbook
behavioral2/memory/1812-24-0x00000000012D0000-0x00000000012FF000-memory.dmp	formbook
behavioral2/memory/1812-26-0x00000000012D0000-0x00000000012FF000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4548-3-0x0000000003170000-0x0000000004170000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kxoyjzlj = "C:\\Users\\Public\\Kxoyjzlj.url"	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

colorcpl.exeipconfig.exe

description	pid	process	target process
PID 1800 set thread context of 3344	1800	colorcpl.exe	Explorer.EXE
PID 1812 set thread context of 3344	1812	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1812 ipconfig.exe

pid	process
1812	ipconfig.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.execolorcpl.exeipconfig.exe

pid	process
4548	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
4548	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
1800	colorcpl.exe
1800	colorcpl.exe
1800	colorcpl.exe
1800	colorcpl.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe
1812	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3344 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

colorcpl.exeipconfig.exe

pid process

1800 colorcpl.exe
1800 colorcpl.exe
1800 colorcpl.exe
1812 ipconfig.exe
1812 ipconfig.exe

pid	process
3344	Explorer.EXE

pid	process
1800	colorcpl.exe
1800	colorcpl.exe
1800	colorcpl.exe
1812	ipconfig.exe
1812	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

colorcpl.exeExplorer.EXEipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1800	colorcpl.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeDebugPrivilege	1812	ipconfig.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3344 Explorer.EXE

pid	process
3344	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4548 wrote to memory of 1800	4548	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe	colorcpl.exe
PID 4548 wrote to memory of 1800	4548	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe	colorcpl.exe
PID 4548 wrote to memory of 1800	4548	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe	colorcpl.exe
PID 4548 wrote to memory of 1800	4548	e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe	colorcpl.exe
PID 3344 wrote to memory of 1812	3344	Explorer.EXE	ipconfig.exe
PID 3344 wrote to memory of 1812	3344	Explorer.EXE	ipconfig.exe
PID 3344 wrote to memory of 1812	3344	Explorer.EXE	ipconfig.exe
PID 1812 wrote to memory of 1752	1812	ipconfig.exe	cmd.exe
PID 1812 wrote to memory of 1752	1812	ipconfig.exe	cmd.exe
PID 1812 wrote to memory of 1752	1812	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3344

C:\Users\Admin\AppData\Local\Temp\e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
"C:\Users\Admin\AppData\Local\Temp\e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\colorcpl.exe"
3⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-9-0x00000000045C0000-0x00000000055C0000-memory.dmp

Filesize
16.0MB

Download
memory/1800-16-0x0000000022650000-0x000000002299A000-memory.dmp

Filesize
3.3MB

Download
memory/1800-18-0x00000000045C0000-0x00000000055C0000-memory.dmp

Filesize
16.0MB

Download
memory/1800-19-0x00000000225A0000-0x00000000225B5000-memory.dmp

Filesize
84KB

Download
memory/1812-21-0x0000000000C80000-0x0000000000C8B000-memory.dmp

Filesize
44KB

Download
memory/1812-28-0x00000000018A0000-0x0000000001934000-memory.dmp

Filesize
592KB

Download
memory/1812-26-0x00000000012D0000-0x00000000012FF000-memory.dmp

Filesize
188KB

Download
memory/1812-25-0x0000000001B60000-0x0000000001EAA000-memory.dmp

Filesize
3.3MB

Download
memory/1812-24-0x00000000012D0000-0x00000000012FF000-memory.dmp

Filesize
188KB

Download
memory/1812-23-0x0000000000C80000-0x0000000000C8B000-memory.dmp

Filesize
44KB

Download
memory/3344-20-0x00000000093D0000-0x000000000950A000-memory.dmp

Filesize
1.2MB

Download
memory/3344-29-0x0000000009790000-0x0000000009889000-memory.dmp

Filesize
996KB

Download
memory/3344-30-0x0000000009790000-0x0000000009889000-memory.dmp

Filesize
996KB

Download
memory/3344-33-0x0000000009790000-0x0000000009889000-memory.dmp

Filesize
996KB

Download
memory/4548-0-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4548-6-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4548-5-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4548-3-0x0000000003170000-0x0000000004170000-memory.dmp

Filesize
16.0MB

Download
memory/4548-2-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4548-1-0x0000000003170000-0x0000000004170000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads