formbook | cf63918e0cb789a778c7eac7c1b5d896db35caa3fa9fd179b95a4101f5856af7

General

Target

Project review_Pdf.exe
Size

887KB
MD5

75cdd33d69536dd19e8d0d1bf70a6407
SHA1

5c15819e25ad22325097863803a639ab205d17e2
SHA256

cf63918e0cb789a778c7eac7c1b5d896db35caa3fa9fd179b95a4101f5856af7
SHA512

732a9f7d96fd1c3ed500bda65ae02a1a04c774d409d4dab853b1c10145af10c3a81691cecb085d4925ca0c596ce2a6892ba14291427128a21768f657066fe417

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.workonlinetimallen.com/dll/

Decoy

nyeconcreations.com

generar-k.com

refugiodelmate.com

elementclubhouse.com

freescorrs.xyz

tonesweettone.com

lojachicco.com

cyberxchange.net

strobelsolutions.com

tipsytravelerbar.com

shesheofnewyork.com

jdallmed.com

woefys.online

naviwatch.net

yuelvzuche.com

thehoneysuppliers.site

smokindeebflavors.com

preventvaccins.com

thepraisehouse.com

lgbtpridedirectory.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3140-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3140-13-0x000000000041EBD0-mapping.dmp	formbook
behavioral2/memory/744-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Project review_Pdf.exeProject review_Pdf.exechkdsk.exe

description	pid	process	target process
PID 3976 set thread context of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3140 set thread context of 3020	3140	Project review_Pdf.exe	Explorer.EXE
PID 744 set thread context of 3020	744	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

Project review_Pdf.exechkdsk.exe

pid	process
3140	Project review_Pdf.exe
3140	Project review_Pdf.exe
3140	Project review_Pdf.exe
3140	Project review_Pdf.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe
744	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Project review_Pdf.exechkdsk.exe

pid process

3140 Project review_Pdf.exe
3140 Project review_Pdf.exe
3140 Project review_Pdf.exe
744 chkdsk.exe
744 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Project review_Pdf.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 3140 Project review_Pdf.exe
Token: SeDebugPrivilege 744 chkdsk.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3140	Project review_Pdf.exe
Token: SeDebugPrivilege	744	chkdsk.exe

pid	process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Project review_Pdf.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 3976 wrote to memory of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3976 wrote to memory of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3976 wrote to memory of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3976 wrote to memory of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3976 wrote to memory of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3976 wrote to memory of 3140	3976	Project review_Pdf.exe	Project review_Pdf.exe
PID 3020 wrote to memory of 744	3020	Explorer.EXE	chkdsk.exe
PID 3020 wrote to memory of 744	3020	Explorer.EXE	chkdsk.exe
PID 3020 wrote to memory of 744	3020	Explorer.EXE	chkdsk.exe
PID 744 wrote to memory of 3368	744	chkdsk.exe	cmd.exe
PID 744 wrote to memory of 3368	744	chkdsk.exe	cmd.exe
PID 744 wrote to memory of 3368	744	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\Project review_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Project review_Pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\Project review_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Project review_Pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2140

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Project review_Pdf.exe"
3⤵
PID:3368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-18-0x0000000001130000-0x0000000001200000-memory.dmp

Filesize
832KB

Download
memory/744-16-0x0000000001320000-0x000000000132A000-memory.dmp

Filesize
40KB

Download
memory/744-15-0x0000000001320000-0x000000000132A000-memory.dmp

Filesize
40KB

Download
memory/744-14-0x0000000000000000-mapping.dmp

Download
memory/3140-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3140-13-0x000000000041EBD0-mapping.dmp

Download
memory/3368-17-0x0000000000000000-mapping.dmp

Download
memory/3976-7-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3976-11-0x0000000005A70000-0x0000000005ADD000-memory.dmp

Filesize
436KB

Download
memory/3976-10-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3976-9-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3976-8-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3976-2-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3976-6-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3976-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3976-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads