formbook | 38dac51ef91ec8f45bdb2749e2eec758b07e7b9855f2b9b25d2e59783ba9ff41

General

Target

20210113155320.exe
Size

1.0MB
MD5

0f44dd4d1edea35e84e0d2495ac90b5b
SHA1

656e86e7556720bb16c0b8d760b87b0520ed8f20
SHA256

38dac51ef91ec8f45bdb2749e2eec758b07e7b9855f2b9b25d2e59783ba9ff41
SHA512

c8aef460935dd1cd8413648be5a7ed7ddffd9204a5bb38c558816274ccd350d9ab892e5c3884bf75bacb9036cb46ebe2108c86d1e2c66cab39d807defc541e5f

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.southsideflooringcreations.com/dkk/

Decoy

goldenfarmm.com

miproper.com

theutahan.com

efeteenerji.com

wellfarehealth.com

setricoo.com

enjoyablephotobooths.com

semaindustrial.com

jennywet.com

jackhughesart.com

cantgetryte.com

searko.com

zxrxhuny.icu

exoticorganicwine.com

fordexplorerproblems.com

locationwebtv.net

elinvoimainenperhe.com

mundoclik.com

nouvellenormale.com

talasnakliyat.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2096-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2096-15-0x000000000041EC00-mapping.dmp	formbook
behavioral2/memory/1408-17-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

20210113155320.exe20210113155320.execscript.exe

description	pid	process	target process
PID 4092 set thread context of 2096	4092	20210113155320.exe	20210113155320.exe
PID 2096 set thread context of 2756	2096	20210113155320.exe	Explorer.EXE
PID 2096 set thread context of 2756	2096	20210113155320.exe	Explorer.EXE
PID 1408 set thread context of 2756	1408	cscript.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe

pid	process
1096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

20210113155320.exe20210113155320.execscript.exe

pid	process
4092	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe
1408	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

20210113155320.execscript.exe

pid process

2096 20210113155320.exe
2096 20210113155320.exe
2096 20210113155320.exe
2096 20210113155320.exe
1408 cscript.exe
1408 cscript.exe

pid	process
2096	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
2096	20210113155320.exe
1408	cscript.exe
1408	cscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20210113155320.exe20210113155320.execscript.exe

description	pid	process
Token: SeDebugPrivilege	4092	20210113155320.exe
Token: SeDebugPrivilege	2096	20210113155320.exe
Token: SeDebugPrivilege	1408	cscript.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2756 Explorer.EXE

pid	process
2756	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

20210113155320.exe20210113155320.execscript.exe

description	pid	process	target process
PID 4092 wrote to memory of 1096	4092	20210113155320.exe	schtasks.exe
PID 4092 wrote to memory of 1096	4092	20210113155320.exe	schtasks.exe
PID 4092 wrote to memory of 1096	4092	20210113155320.exe	schtasks.exe
PID 4092 wrote to memory of 2096	4092	20210113155320.exe	20210113155320.exe
PID 4092 wrote to memory of 2096	4092	20210113155320.exe	20210113155320.exe
PID 4092 wrote to memory of 2096	4092	20210113155320.exe	20210113155320.exe
PID 4092 wrote to memory of 2096	4092	20210113155320.exe	20210113155320.exe
PID 4092 wrote to memory of 2096	4092	20210113155320.exe	20210113155320.exe
PID 4092 wrote to memory of 2096	4092	20210113155320.exe	20210113155320.exe
PID 2096 wrote to memory of 1408	2096	20210113155320.exe	cscript.exe
PID 2096 wrote to memory of 1408	2096	20210113155320.exe	cscript.exe
PID 2096 wrote to memory of 1408	2096	20210113155320.exe	cscript.exe
PID 1408 wrote to memory of 3892	1408	cscript.exe	cmd.exe
PID 1408 wrote to memory of 3892	1408	cscript.exe	cmd.exe
PID 1408 wrote to memory of 3892	1408	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:2756

C:\Users\Admin\AppData\Local\Temp\20210113155320.exe
"C:\Users\Admin\AppData\Local\Temp\20210113155320.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKKTFu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1202.tmp"
3⤵
- Creates scheduled task(s)
PID:1096

C:\Users\Admin\AppData\Local\Temp\20210113155320.exe
"C:\Users\Admin\AppData\Local\Temp\20210113155320.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\20210113155320.exe"
5⤵
PID:3892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1202.tmp
MD5
7b55548ff2066cfbf7e8d2bcc575e227

SHA1
12633d199a9b0be58e524362b727b793efd0edb4

SHA256
2bdd2c124b4fffb478190ba182d7a121c58ea782300569a7512d43649d68f2ba

SHA512
4b423c93ae064ae521f023113888643a80e58528f67c283cc33b2d82bfbd46624c4a314d49e7640e4fc6d9d831d7859c0830a5028a62e5e2170c331390c46388

Download Submit
memory/1096-12-0x0000000000000000-mapping.dmp

Download
memory/1408-21-0x0000000005DD0000-0x0000000005F45000-memory.dmp

Filesize
1.5MB

Download
memory/1408-19-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/1408-18-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/1408-17-0x0000000000000000-mapping.dmp

Download
memory/2096-15-0x000000000041EC00-mapping.dmp

Download
memory/2096-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2756-22-0x0000000002BF0000-0x0000000002CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-20-0x0000000000000000-mapping.dmp

Download
memory/4092-7-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4092-11-0x0000000005AE0000-0x0000000005B4B000-memory.dmp

Filesize
428KB

Download
memory/4092-10-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4092-9-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4092-8-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4092-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/4092-6-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/4092-5-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4092-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads