formbook | 83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8

General

Target

Znuvgbtsedoszb.exe
Size

2.8MB
MD5

d726d57563144b62b4688cc12e34cfda
SHA1

5ce5d9e655a8bc6bec4c5b823f1a2ad6bfeff327
SHA256

83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8
SHA512

010712d263144ae1cfd5a907ad66768fd8cf5b6654f80d8c8de7e136b73184a957000f3e022d473a49fb3432717068254fbb57a115eb803aad95b9d4288c6122
SSDEEP

49152:Xm/PpH8yc0/wU2lpe63ZrxKrVEbRIqiPt411Fehg1mQzZ:XOpcyV/wjpdZrxEVEtI14xqnY

Score

10^/10

formbook modiloader fadc persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fadc

Decoy

protechdream.com

faireco.life

bakrinhome.com

bustygirl.xyz

kbif.info

ningo.bond

hollywoodcircleevents.site

eapv-uabjo.com

852bets.com

nooption.online

global-strategy.pro

cartaonline.online

sacredbones2023.com

barsandbands.fun

liftchairs-info-mx.today

delamar.one

shuntianyuan.net

americanworldsolutions.com

julitv.net

criativax.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2736-9-0x0000000002A90000-0x0000000003A90000-memory.dmp	formbook
behavioral2/memory/2736-13-0x0000000002A90000-0x0000000003A90000-memory.dmp	formbook
behavioral2/memory/4040-20-0x0000000000620000-0x000000000064F000-memory.dmp	formbook
behavioral2/memory/4040-22-0x0000000000620000-0x000000000064F000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2572-2-0x0000000004400000-0x0000000005400000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Znuvgbtsedoszb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Znuvgbts = "C:\\Users\\Public\\Znuvgbts.url"	Znuvgbtsedoszb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SndVol.exerundll32.exe

description	pid	process	target process
PID 2736 set thread context of 3260	2736	SndVol.exe	Explorer.EXE
PID 4040 set thread context of 3260	4040	rundll32.exe	Explorer.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

Znuvgbtsedoszb.exeSndVol.exerundll32.exe

pid	process
2572	Znuvgbtsedoszb.exe
2572	Znuvgbtsedoszb.exe
2736	SndVol.exe
2736	SndVol.exe
2736	SndVol.exe
2736	SndVol.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3260 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SndVol.exerundll32.exe

pid process

2736 SndVol.exe
2736 SndVol.exe
2736 SndVol.exe
4040 rundll32.exe
4040 rundll32.exe

pid	process
3260	Explorer.EXE

pid	process
2736	SndVol.exe
2736	SndVol.exe
2736	SndVol.exe
4040	rundll32.exe
4040	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

SndVol.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	2736	SndVol.exe
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeDebugPrivilege	4040	rundll32.exe
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SndVol.exe

pid process

2736 SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SndVol.exe

pid process

2736 SndVol.exe
2736 SndVol.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3260 Explorer.EXE

pid	process
2736	SndVol.exe

pid	process
2736	SndVol.exe
2736	SndVol.exe

pid	process
3260	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Znuvgbtsedoszb.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2572 wrote to memory of 2736	2572	Znuvgbtsedoszb.exe	SndVol.exe
PID 2572 wrote to memory of 2736	2572	Znuvgbtsedoszb.exe	SndVol.exe
PID 2572 wrote to memory of 2736	2572	Znuvgbtsedoszb.exe	SndVol.exe
PID 2572 wrote to memory of 2736	2572	Znuvgbtsedoszb.exe	SndVol.exe
PID 3260 wrote to memory of 4040	3260	Explorer.EXE	rundll32.exe
PID 3260 wrote to memory of 4040	3260	Explorer.EXE	rundll32.exe
PID 3260 wrote to memory of 4040	3260	Explorer.EXE	rundll32.exe
PID 4040 wrote to memory of 1052	4040	rundll32.exe	cmd.exe
PID 4040 wrote to memory of 1052	4040	rundll32.exe	cmd.exe
PID 4040 wrote to memory of 1052	4040	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\Znuvgbtsedoszb.exe
"C:\Users\Admin\AppData\Local\Temp\Znuvgbtsedoszb.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\SndVol.exe"
3⤵
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-1-0x0000000004400000-0x0000000005400000-memory.dmp

Filesize
16.0MB

Download
memory/2572-2-0x0000000004400000-0x0000000005400000-memory.dmp

Filesize
16.0MB

Download
memory/2572-4-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2572-0-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2736-9-0x0000000002A90000-0x0000000003A90000-memory.dmp

Filesize
16.0MB

Download
memory/2736-11-0x00000000223F0000-0x000000002273A000-memory.dmp

Filesize
3.3MB

Download
memory/2736-13-0x0000000002A90000-0x0000000003A90000-memory.dmp

Filesize
16.0MB

Download
memory/2736-14-0x00000000222F0000-0x0000000022304000-memory.dmp

Filesize
80KB

Download
memory/3260-25-0x0000000008D00000-0x0000000008E01000-memory.dmp

Filesize
1.0MB

Download
memory/3260-18-0x00000000077C0000-0x00000000078A8000-memory.dmp

Filesize
928KB

Download
memory/3260-29-0x0000000008D00000-0x0000000008E01000-memory.dmp

Filesize
1.0MB

Download
memory/3260-26-0x0000000008D00000-0x0000000008E01000-memory.dmp

Filesize
1.0MB

Download
memory/4040-15-0x0000000000060000-0x0000000000074000-memory.dmp

Filesize
80KB

Download
memory/4040-22-0x0000000000620000-0x000000000064F000-memory.dmp

Filesize
188KB

Download
memory/4040-24-0x0000000002350000-0x00000000023E3000-memory.dmp

Filesize
588KB

Download
memory/4040-21-0x00000000024A0000-0x00000000027EA000-memory.dmp

Filesize
3.3MB

Download
memory/4040-20-0x0000000000620000-0x000000000064F000-memory.dmp

Filesize
188KB

Download
memory/4040-19-0x0000000000060000-0x0000000000074000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads