formbook | c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0

General

Target

PO-000202112.exe
Size

1.0MB
MD5

673900f8da4aa24a77f61417d0273d85
SHA1

0d04e357ccb332b63b1a8d9d4e9f6b889c2f0b77
SHA256

c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
SHA512

63c30b550f314620cdc961eb1dcb0c91e8f9b702aa722f34b0c81c308ac5f44ab9818bd12fb8e13aabc6ed3bab16b6df90b1727aed976fcf86ee4a0422adfde6

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.culturespk.com/kbl/

Decoy

flamesapp.com

ravenridgehoa.com

epraggma.com

stupidbooks.com

jointhesadls.com

estavisaapplication.com

12minhomebusiness.com

wwddww.com

stratusdetroitmail.com

storevanguard.com

cadeaux-et-gadgets.com

vbnfnleoba.club

ilikecircles.com

inspirednycharm.com

baizhongcai.com

medinius.info

call0815.com

vastu618.com

beautyshopin.com

looksplanet.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1628-9-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1628-10-0x000000000041EAC0-mapping.dmp	formbook
behavioral1/memory/1624-12-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1644 cmd.exe

pid	process
1644	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO-000202112.exePO-000202112.exesvchost.exe

description	pid	process	target process
PID 1068 set thread context of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1628 set thread context of 1236	1628	PO-000202112.exe	Explorer.EXE
PID 1628 set thread context of 1236	1628	PO-000202112.exe	Explorer.EXE
PID 1624 set thread context of 1236	1624	svchost.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

568 schtasks.exe

pid	process
568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

PO-000202112.exePO-000202112.exesvchost.exe

pid	process
1068	PO-000202112.exe
1628	PO-000202112.exe
1628	PO-000202112.exe
1628	PO-000202112.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO-000202112.exesvchost.exe

pid process

1628 PO-000202112.exe
1628 PO-000202112.exe
1628 PO-000202112.exe
1628 PO-000202112.exe
1624 svchost.exe
1624 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO-000202112.exePO-000202112.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1068 PO-000202112.exe
Token: SeDebugPrivilege 1628 PO-000202112.exe
Token: SeDebugPrivilege 1624 svchost.exe

pid	process
1628	PO-000202112.exe
1628	PO-000202112.exe
1628	PO-000202112.exe
1628	PO-000202112.exe
1624	svchost.exe
1624	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1068	PO-000202112.exe
Token: SeDebugPrivilege	1628	PO-000202112.exe
Token: SeDebugPrivilege	1624	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

PO-000202112.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1068 wrote to memory of 568	1068	PO-000202112.exe	schtasks.exe
PID 1068 wrote to memory of 568	1068	PO-000202112.exe	schtasks.exe
PID 1068 wrote to memory of 568	1068	PO-000202112.exe	schtasks.exe
PID 1068 wrote to memory of 568	1068	PO-000202112.exe	schtasks.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1068 wrote to memory of 1628	1068	PO-000202112.exe	PO-000202112.exe
PID 1236 wrote to memory of 1624	1236	Explorer.EXE	svchost.exe
PID 1236 wrote to memory of 1624	1236	Explorer.EXE	svchost.exe
PID 1236 wrote to memory of 1624	1236	Explorer.EXE	svchost.exe
PID 1236 wrote to memory of 1624	1236	Explorer.EXE	svchost.exe
PID 1624 wrote to memory of 1644	1624	svchost.exe	cmd.exe
PID 1624 wrote to memory of 1644	1624	svchost.exe	cmd.exe
PID 1624 wrote to memory of 1644	1624	svchost.exe	cmd.exe
PID 1624 wrote to memory of 1644	1624	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\PO-000202112.exe
"C:\Users\Admin\AppData\Local\Temp\PO-000202112.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KUrQojFHu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp"
3⤵
- Creates scheduled task(s)
PID:568

C:\Users\Admin\AppData\Local\Temp\PO-000202112.exe
"C:\Users\Admin\AppData\Local\Temp\PO-000202112.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO-000202112.exe"
3⤵
- Deletes itself
PID:1644

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp
MD5
da0350df4e583321d377aab062f93474

SHA1
6edf90010da6b512ad7702ca02bc82727ed043be

SHA256
9190d2e880dffd0dab8bcb93c002cba1313d38b4d86082bf2da18a6cb1734ec7

SHA512
c368a958e9e9daf3b560cb8535d844c7012f4e71f33c767403de2751eca3d7508c9423c6aff831066ab5a4d87ab85bc302992270773249b98218f6f5ca2181b9

Download Submit
memory/568-7-0x0000000000000000-mapping.dmp

Download
memory/1068-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1068-5-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1068-6-0x0000000004360000-0x00000000043CA000-memory.dmp

Filesize
424KB

Download
memory/1068-2-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1236-11-0x0000000007650000-0x00000000077B7000-memory.dmp

Filesize
1.4MB

Download
memory/1624-12-0x0000000000000000-mapping.dmp

Download
memory/1624-13-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/1624-15-0x0000000000640000-0x00000000006E1000-memory.dmp

Filesize
644KB

Download
memory/1628-10-0x000000000041EAC0-mapping.dmp

Download
memory/1628-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1644-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads