formbook | 2d8474bdd8b6122aa79a3b86f729f9aa4f83a2ccf6a51ab510d753b47fc01189

General

Target

N5teSBoBlVySUoq.exe
Size

501KB
MD5

6c914ab41b3b8fcd47d2b52458aa98ac
SHA1

dc01e0c3bca0facd2f4838ac42b94ff0c3c88bd1
SHA256

2d8474bdd8b6122aa79a3b86f729f9aa4f83a2ccf6a51ab510d753b47fc01189
SHA512

44cb0d199025cbf4bc6b6fedca53bc6aed9f676c436ded8a88eefef12a846d3ed8fb612bc9713cea6a7bd2d07fac88a009e1c659379cec43aa571fa69d800984

Score

10^/10

rat evasion trojan spyware stealer formbook

Malware Config

Extracted

Family

formbook

C2

http://www.mansiobok.info/h8ofs/

Decoy

totum-community.com

fintechguardian.com

playwithyourkid.com

jeanstrousers.com

alimentosprobioticos.com

innovationembassies.net

qmfwig.men

choose-vida.com

mcmontagem.com

2math4all.com

ubersize.com

epicmediasv.com

kombipetektemizligi.com

provinsijawabarat.com

godhasanaddress.com

neural.link

mobiola.biz

kuckoorock.com

hideawaytrails.com

coolbrunettegirlsvideo.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1908-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1908-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1908-9-0x000000000041ED70-mapping.dmp	formbook
behavioral1/memory/1648-10-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1628 cmd.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1628	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

N5teSBoBlVySUoq.exeN5teSBoBlVySUoq.exerundll32.exe

description	pid	process	target process
PID 752 set thread context of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 1908 set thread context of 1364	1908	N5teSBoBlVySUoq.exe	Explorer.EXE
PID 1648 set thread context of 1364	1648	rundll32.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1816 schtasks.exe

pid	process
1816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

N5teSBoBlVySUoq.exerundll32.exe

pid	process
1908	N5teSBoBlVySUoq.exe
1908	N5teSBoBlVySUoq.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

N5teSBoBlVySUoq.exerundll32.exe

pid process

1908 N5teSBoBlVySUoq.exe
1908 N5teSBoBlVySUoq.exe
1908 N5teSBoBlVySUoq.exe
1648 rundll32.exe
1648 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

N5teSBoBlVySUoq.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1908 N5teSBoBlVySUoq.exe
Token: SeDebugPrivilege 1648 rundll32.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1908	N5teSBoBlVySUoq.exe
Token: SeDebugPrivilege	1648	rundll32.exe

pid	process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

pid	process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

N5teSBoBlVySUoq.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	schtasks.exe
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	schtasks.exe
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	schtasks.exe
PID 752 wrote to memory of 1816	752	N5teSBoBlVySUoq.exe	schtasks.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 752 wrote to memory of 1908	752	N5teSBoBlVySUoq.exe	N5teSBoBlVySUoq.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1364 wrote to memory of 1648	1364	Explorer.EXE	rundll32.exe
PID 1648 wrote to memory of 1628	1648	rundll32.exe	cmd.exe
PID 1648 wrote to memory of 1628	1648	rundll32.exe	cmd.exe
PID 1648 wrote to memory of 1628	1648	rundll32.exe	cmd.exe
PID 1648 wrote to memory of 1628	1648	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe
"C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zaXeAacuXXqx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF17F.tmp"
3⤵
- Creates scheduled task(s)
PID:1816

C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe
"C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\N5teSBoBlVySUoq.exe"
3⤵
- Deletes itself
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF17F.tmp

Download Submit
memory/752-4-0x00000000008C0000-0x0000000000905000-memory.dmp

Filesize
276KB

Download
memory/752-3-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/752-0-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/752-5-0x00000000020C0000-0x00000000020F0000-memory.dmp

Filesize
192KB

Download
memory/752-1-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1628-12-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x0000000000000000-mapping.dmp

Download
memory/1648-11-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/1648-13-0x0000000001FE0000-0x00000000020C3000-memory.dmp

Filesize
908KB

Download
memory/1816-6-0x0000000000000000-mapping.dmp

Download
memory/1908-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1908-9-0x000000000041ED70-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads