formbook | 9603997de7895ccfbd7b9493e7c64a9a089adc98a4929308ff74f18e88f9eac7

General

Target

a96253a4b8d3dc0d9cece5aa9145813d.exe
Size

926KB
MD5

a96253a4b8d3dc0d9cece5aa9145813d
SHA1

1d318d45b369768974b793415243b2f120ac21da
SHA256

9603997de7895ccfbd7b9493e7c64a9a089adc98a4929308ff74f18e88f9eac7
SHA512

92b6695b9e0078433f7f02e4a7542d1082280c92fbe5580815faf79ff3e0671ed4aea4489a354a382025363d91911665080a8f87286dd2332ce3cb3e5a409921

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.poweruppowerwashing.com/21m/

Decoy

eoirfdklelkfdlfmd.com

veteransforgolden.com

psychtalent.com

crusder-coffee.com

sydneydetective.com

judahbbqjerk.com

core-sys.com

fukaikeji.com

xn--jpr220deud640b.com

joker91.com

artbyprslla.com

sms-email.xyz

coobook.credit

growerfertilizer.com

dollarbillnow1.com

alcanfor.net

tightsharkpoker.com

liveforlebanon.com

edupods.net

passoverindubai.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2180-19-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2180-20-0x000000000041EB90-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

a96253a4b8d3dc0d9cece5aa9145813d.exe

description pid process target process

PID 2604 set thread context of 2180 2604 a96253a4b8d3dc0d9cece5aa9145813d.exe a96253a4b8d3dc0d9cece5aa9145813d.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3256 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a96253a4b8d3dc0d9cece5aa9145813d.exea96253a4b8d3dc0d9cece5aa9145813d.exe

pid process

2604 a96253a4b8d3dc0d9cece5aa9145813d.exe
2180 a96253a4b8d3dc0d9cece5aa9145813d.exe
2180 a96253a4b8d3dc0d9cece5aa9145813d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a96253a4b8d3dc0d9cece5aa9145813d.exe

description pid process

Token: SeDebugPrivilege 2604 a96253a4b8d3dc0d9cece5aa9145813d.exe

description	pid	process	target process
PID 2604 set thread context of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe

pid	process
3256	schtasks.exe

pid	process
2604	a96253a4b8d3dc0d9cece5aa9145813d.exe
2180	a96253a4b8d3dc0d9cece5aa9145813d.exe
2180	a96253a4b8d3dc0d9cece5aa9145813d.exe

description	pid	process
Token: SeDebugPrivilege	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a96253a4b8d3dc0d9cece5aa9145813d.exe

description	pid	process	target process
PID 2604 wrote to memory of 3256	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	schtasks.exe
PID 2604 wrote to memory of 3256	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	schtasks.exe
PID 2604 wrote to memory of 3256	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	schtasks.exe
PID 2604 wrote to memory of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe
PID 2604 wrote to memory of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe
PID 2604 wrote to memory of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe
PID 2604 wrote to memory of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe
PID 2604 wrote to memory of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe
PID 2604 wrote to memory of 2180	2604	a96253a4b8d3dc0d9cece5aa9145813d.exe	a96253a4b8d3dc0d9cece5aa9145813d.exe

C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
"C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TNKpefNs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D8B.tmp"
2⤵
- Creates scheduled task(s)
PID:3256

C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
"C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1D8B.tmp
MD5
a0e5bda000ea13ada9c01b6f2a5ff5be

SHA1
4ca45abf778c0f0d7919734c9f2d0aa780916c0b

SHA256
7577278db518d8b68b0ed7f89d0ce213657b0253f4dbb0bbed5bc6f0b61483c7

SHA512
1394ca62e6825a276e584a46f16c01f3947d7a472b44eecdf52d3964c23258dd77335765935ed75ac43149fd5483fd8ac856e87a415adca350be5a93b661a62e

Download Submit
memory/2180-20-0x000000000041EB90-mapping.dmp

Download
memory/2180-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2604-11-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/2604-13-0x00000000472E0000-0x000000004732F000-memory.dmp

Filesize
316KB

Download
memory/2604-8-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2604-9-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2604-10-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-12-0x0000000026E70000-0x0000000046E58000-memory.dmp

Filesize
511.9MB

Download
memory/2604-7-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2604-14-0x0000000005C20000-0x0000000005C28000-memory.dmp

Filesize
32KB

Download
memory/2604-16-0x0000000047420000-0x0000000047451000-memory.dmp

Filesize
196KB

Download
memory/2604-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2604-6-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/2604-5-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3256-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads