formbook | 2d8474bdd8b6122aa79a3b86f729f9aa4f83a2ccf6a51ab510d753b47fc01189

General

Target

N5teSBoBlVySUoq.exe
Size

501KB
MD5

6c914ab41b3b8fcd47d2b52458aa98ac
SHA1

dc01e0c3bca0facd2f4838ac42b94ff0c3c88bd1
SHA256

2d8474bdd8b6122aa79a3b86f729f9aa4f83a2ccf6a51ab510d753b47fc01189
SHA512

44cb0d199025cbf4bc6b6fedca53bc6aed9f676c436ded8a88eefef12a846d3ed8fb612bc9713cea6a7bd2d07fac88a009e1c659379cec43aa571fa69d800984

Score

10^/10

rat evasion trojan spyware stealer formbook

Malware Config

Extracted

Family

formbook

C2

http://www.mansiobok.info/h8ofs/

Decoy

totum-community.com

fintechguardian.com

playwithyourkid.com

jeanstrousers.com

alimentosprobioticos.com

innovationembassies.net

qmfwig.men

choose-vida.com

mcmontagem.com

2math4all.com

ubersize.com

epicmediasv.com

kombipetektemizligi.com

provinsijawabarat.com

godhasanaddress.com

neural.link

mobiola.biz

kuckoorock.com

hideawaytrails.com

coolbrunettegirlsvideo.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1908-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1908-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1908-9-0x000000000041ED70-mapping.dmp	formbook
behavioral1/memory/1648-10-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1628	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Explorer.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

N5teSBoBlVySUoq.exeN5teSBoBlVySUoq.exerundll32.exe

description	pid	Process	procid_target
PID 752 set thread context of 1908	752	N5teSBoBlVySUoq.exe	28
PID 1908 set thread context of 1364	1908	N5teSBoBlVySUoq.exe	20
PID 1648 set thread context of 1364	1648	rundll32.exe	20

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

N5teSBoBlVySUoq.exerundll32.exe

pid	Process
1908	N5teSBoBlVySUoq.exe
1908	N5teSBoBlVySUoq.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

N5teSBoBlVySUoq.exerundll32.exe

pid	Process
1908	N5teSBoBlVySUoq.exe
1908	N5teSBoBlVySUoq.exe
1908	N5teSBoBlVySUoq.exe
1648	rundll32.exe
1648	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

N5teSBoBlVySUoq.exerundll32.exe

description	pid	Process
Token: SeDebugPrivilege	1908	N5teSBoBlVySUoq.exe
Token: SeDebugPrivilege	1648	rundll32.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid	Process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid	Process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

N5teSBoBlVySUoq.exeExplorer.EXErundll32.exe

description	pid	Process	procid_target
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	24
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	24
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	24
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	24
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	28
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	29
PID 1648 wrote to memory of 1628	1648	rundll32.exe	30
PID 1648 wrote to memory of 1628	1648	rundll32.exe	30
PID 1648 wrote to memory of 1628	1648	rundll32.exe	30
PID 1648 wrote to memory of 1628	1648	rundll32.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe
  "C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zaXeAacuXXqx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF17F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe
    "C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe"
    3⤵
    - Deletes itself
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF17F.tmp

Download Submit
memory/752-4-0x00000000008C0000-0x0000000000905000-memory.dmp

Filesize
276KB

Download
memory/752-3-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/752-0-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/752-5-0x00000000020C0000-0x00000000020F0000-memory.dmp

Filesize
192KB

Download
memory/752-1-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1628-12-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x0000000000000000-mapping.dmp

Download
memory/1648-11-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/1648-13-0x0000000001FE0000-0x00000000020C3000-memory.dmp

Filesize
908KB

Download
memory/1816-6-0x0000000000000000-mapping.dmp

Download
memory/1908-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1908-9-0x000000000041ED70-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads