formbook | e58c41cb6f52ea51c5a8945d096b0229d3b71a804fd8b3a6d3cdea374decec95

General

Target

nakliye belgesi pdf.exe
Size

888KB
MD5

505103d52e7960ef145dcb886672daaa
SHA1

abc357e0b0d1f3dab2a787a16eedf3b602ab9b03
SHA256

e58c41cb6f52ea51c5a8945d096b0229d3b71a804fd8b3a6d3cdea374decec95
SHA512

b8aa360d49c46b3145a9b8b6b1ba4905db1c74c372197a733a48e35d782ce7046e2b5e431924771e3656dcde5b72f73ecfffed1e0d0049f6aa29f28eb6ec1583
SSDEEP

12288:gFoKhU4W/qh9fuoDJure02Zgzcel/Ai4wGllh50elrQTy:GoKmz/Fodu2gzTl/kDzlrQT

Score

10^/10

formbook kmge rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1820-30-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1820-34-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1664-40-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1664-42-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Drops startup file 3 IoCs

Processes:

nakliye belgesi pdf.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.lnk	nakliye belgesi pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

skype.exe

pid process

2136 skype.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2880 cmd.exe
2880 cmd.exe

pid	process
2136	skype.exe

pid	process
2880	cmd.exe
2880	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

skype.exeAddInProcess32.exeipconfig.exe

description	pid	process	target process
PID 2136 set thread context of 1820	2136	skype.exe	AddInProcess32.exe
PID 1820 set thread context of 1204	1820	AddInProcess32.exe	Explorer.EXE
PID 1664 set thread context of 1204	1664	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1664 ipconfig.exe

pid	process
1664	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1268429524-3929314613-1992311491-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2608 PING.EXE
2656 PING.EXE

pid	process
2608	PING.EXE
2656	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

nakliye belgesi pdf.exeskype.exeskype.exeAddInProcess32.exeipconfig.exe

pid	process
2264	nakliye belgesi pdf.exe
2852	skype.exe
2852	skype.exe
2852	skype.exe
2852	skype.exe
2136	skype.exe
2136	skype.exe
1820	AddInProcess32.exe
1820	AddInProcess32.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

AddInProcess32.exeipconfig.exe

pid process

1820 AddInProcess32.exe
1820 AddInProcess32.exe
1820 AddInProcess32.exe
1664 ipconfig.exe
1664 ipconfig.exe
1664 ipconfig.exe
1664 ipconfig.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

nakliye belgesi pdf.exe

pid process

2264 nakliye belgesi pdf.exe

pid	process
1820	AddInProcess32.exe
1820	AddInProcess32.exe
1820	AddInProcess32.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe
1664	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

nakliye belgesi pdf.exeskype.exeskype.exeAddInProcess32.exeipconfig.exe

description	pid	process
Token: SeDebugPrivilege	2264	nakliye belgesi pdf.exe
Token: SeDebugPrivilege	2852	skype.exe
Token: SeDebugPrivilege	2136	skype.exe
Token: SeDebugPrivilege	1820	AddInProcess32.exe
Token: SeDebugPrivilege	1664	ipconfig.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

nakliye belgesi pdf.exeskype.execmd.exeskype.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 2264 wrote to memory of 2852	2264	nakliye belgesi pdf.exe	skype.exe
PID 2264 wrote to memory of 2852	2264	nakliye belgesi pdf.exe	skype.exe
PID 2264 wrote to memory of 2852	2264	nakliye belgesi pdf.exe	skype.exe
PID 2264 wrote to memory of 2852	2264	nakliye belgesi pdf.exe	skype.exe
PID 2852 wrote to memory of 2880	2852	skype.exe	cmd.exe
PID 2852 wrote to memory of 2880	2852	skype.exe	cmd.exe
PID 2852 wrote to memory of 2880	2852	skype.exe	cmd.exe
PID 2852 wrote to memory of 2880	2852	skype.exe	cmd.exe
PID 2880 wrote to memory of 2608	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2608	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2608	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2608	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2656	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2656	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2656	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2656	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 2136	2880	cmd.exe	skype.exe
PID 2880 wrote to memory of 2136	2880	cmd.exe	skype.exe
PID 2880 wrote to memory of 2136	2880	cmd.exe	skype.exe
PID 2880 wrote to memory of 2136	2880	cmd.exe	skype.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 2136 wrote to memory of 1820	2136	skype.exe	AddInProcess32.exe
PID 1204 wrote to memory of 1664	1204	Explorer.EXE	ipconfig.exe
PID 1204 wrote to memory of 1664	1204	Explorer.EXE	ipconfig.exe
PID 1204 wrote to memory of 1664	1204	Explorer.EXE	ipconfig.exe
PID 1204 wrote to memory of 1664	1204	Explorer.EXE	ipconfig.exe
PID 1664 wrote to memory of 1128	1664	ipconfig.exe	Firefox.exe
PID 1664 wrote to memory of 1128	1664	ipconfig.exe	Firefox.exe
PID 1664 wrote to memory of 1128	1664	ipconfig.exe	Firefox.exe
PID 1664 wrote to memory of 1128	1664	ipconfig.exe	Firefox.exe
PID 1664 wrote to memory of 1128	1664	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\nakliye belgesi pdf.exe
"C:\Users\Admin\AppData\Local\Temp\nakliye belgesi pdf.exe"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\skype.exe
"C:\Users\Admin\AppData\Local\Temp\skype.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
5⤵
- Runs ping.exe
PID:2608

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
5⤵
- Runs ping.exe
PID:2656

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
192KB

MD5
e837f51853fd015542cc4a16d74399db

SHA1
3842ca57ee8e2869336e91fb765ffb997f74714b

SHA256
82b4c28bde354e76fb6c2466482a6c1b78fd844813edb314179f117e81983158

SHA512
9d9809c6817dd2dc79ffd5fcae529fadf9d5da1d1236a5fb081055bce717c84e2033946765fded84eafaee4cb35fe04bcce70f9c1afdfd1b6977652caaadc723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
64KB

MD5
43463adf679da1b53e34076548682c0c

SHA1
e5fd1b7533080da574db03db18eaad0e9321599e

SHA256
0fe096acd8e99558cddfb7785678c43933435006987ce969f226438476865c74

SHA512
f82620c8abf4890662771c9440080e7140c0a0096919a42ae52814f6ea59a0a75ada34f91088313d9b38d2d9768da99d8665cd39b113cdec73820c794cd63798

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
136KB

MD5
4892e5359c2ef091b536c08ccd076b70

SHA1
d6cf6ecf1710a82014a0ec4fd4d43563a484fde7

SHA256
304baece316179514298e302069a749a41fe94abf8e9195972e8d448ed2e6002

SHA512
e75a272a0189a56bba93a5a5d47dbef0aa2e2d36debdc620e965d5d7ba0dd53b36ed360d771626391779f2c3634e1307cd275942615b9c12bc989ac671cb659f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
888KB

MD5
505103d52e7960ef145dcb886672daaa

SHA1
abc357e0b0d1f3dab2a787a16eedf3b602ab9b03

SHA256
e58c41cb6f52ea51c5a8945d096b0229d3b71a804fd8b3a6d3cdea374decec95

SHA512
b8aa360d49c46b3145a9b8b6b1ba4905db1c74c372197a733a48e35d782ce7046e2b5e431924771e3656dcde5b72f73ecfffed1e0d0049f6aa29f28eb6ec1583

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
128KB

MD5
01d75d52141c31b23a12606b0268e468

SHA1
3bac47894229ea8fc4ebd3eb2e5ec6e92aced8b1

SHA256
5530b60e9137db3db08fe6c04f0620f0730aaac0993dea5414f0f3379dfa8081

SHA512
63fb614a81951c044f8ba3db97532d37a518f106a6688924256bff87f7ecd9ff7501fa14a286cf4bfc8f14f9421e7f880246099dd3b7f03fe25f50fa2f936b44

Download Submit
memory/1204-37-0x0000000008B50000-0x0000000008CE2000-memory.dmp

Filesize
1.6MB

Download
memory/1204-49-0x0000000008B50000-0x0000000008CE2000-memory.dmp

Filesize
1.6MB

Download
memory/1204-35-0x0000000002D10000-0x0000000002E10000-memory.dmp

Filesize
1024KB

Download
memory/1664-46-0x0000000000650000-0x00000000006E3000-memory.dmp

Filesize
588KB

Download
memory/1664-39-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1664-40-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1664-41-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/1664-42-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1664-38-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1664-53-0x0000000000650000-0x00000000006E3000-memory.dmp

Filesize
588KB

Download
memory/1820-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-32-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1820-36-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/1820-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-20-0x0000000000100000-0x00000000001E4000-memory.dmp

Filesize
912KB

Download
memory/2136-22-0x0000000002020000-0x000000000203A000-memory.dmp

Filesize
104KB

Download
memory/2136-28-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-31-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-19-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-29-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2136-21-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2136-23-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/2136-24-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2264-0-0x0000000000100000-0x00000000001E4000-memory.dmp

Filesize
912KB

Download
memory/2264-5-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2264-3-0x0000000004750000-0x0000000004794000-memory.dmp

Filesize
272KB

Download
memory/2264-2-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/2264-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2852-8-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2852-7-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2852-6-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads