formbook | 7aa65f77c48841f9f1545c2e5bb7cb186cd259631c4c449400206f1bb3d16d5e

General

Target

SCAN_20210115140930669.exe
Size

892KB
MD5

c0aa1598d486cceab2fdea9a6c41ac0e
SHA1

21263c3f531b81d949bf15c486bc3aeb16b9bb00
SHA256

7aa65f77c48841f9f1545c2e5bb7cb186cd259631c4c449400206f1bb3d16d5e
SHA512

2bba64e13254b3b5dfe98fac0681335a23a801065ffc1a69a80e63d8144067f98edb8c0b252ab8953ac78798dc4b23e4bff188d9ad3508997f6dfa4b7e987c65

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.midnightblueinc.com/2kf/

Decoy

edmondscakes.com

doublewldr.online

tickets2usa.com

heyhxry.com

weightloss-gulfport.com

prosselius.com

newviewroofers.com

jacksonarearealestate.com

catparkas.xyz

pagos2020.com

sonwsefjrahi.online

franchisethings.com

nuocvietngaynay.com

sohelvai.com

mikeyroush.com

lamesaroofing.com

betbigo138.com

amazon-service-recovery.com

clockin.net

riostrader.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3156-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3156-15-0x000000000041EB30-mapping.dmp	formbook
behavioral2/memory/2144-16-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

SCAN_20210115140930669.exeSCAN_20210115140930669.exechkdsk.exe

description	pid	process	target process
PID 988 set thread context of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 3156 set thread context of 2784	3156	SCAN_20210115140930669.exe	Explorer.EXE
PID 2144 set thread context of 2784	2144	chkdsk.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2072 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

pid	process
2072	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

SCAN_20210115140930669.exeSCAN_20210115140930669.exechkdsk.exe

pid	process
988	SCAN_20210115140930669.exe
988	SCAN_20210115140930669.exe
988	SCAN_20210115140930669.exe
3156	SCAN_20210115140930669.exe
3156	SCAN_20210115140930669.exe
3156	SCAN_20210115140930669.exe
3156	SCAN_20210115140930669.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe
2144	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SCAN_20210115140930669.exechkdsk.exe

pid process

3156 SCAN_20210115140930669.exe
3156 SCAN_20210115140930669.exe
3156 SCAN_20210115140930669.exe
2144 chkdsk.exe
2144 chkdsk.exe

pid	process
3156	SCAN_20210115140930669.exe
3156	SCAN_20210115140930669.exe
3156	SCAN_20210115140930669.exe
2144	chkdsk.exe
2144	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SCAN_20210115140930669.exeSCAN_20210115140930669.exechkdsk.exe

description	pid	process
Token: SeDebugPrivilege	988	SCAN_20210115140930669.exe
Token: SeDebugPrivilege	3156	SCAN_20210115140930669.exe
Token: SeDebugPrivilege	2144	chkdsk.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2784 Explorer.EXE

pid	process
2784	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SCAN_20210115140930669.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 988 wrote to memory of 2072	988	SCAN_20210115140930669.exe	schtasks.exe
PID 988 wrote to memory of 2072	988	SCAN_20210115140930669.exe	schtasks.exe
PID 988 wrote to memory of 2072	988	SCAN_20210115140930669.exe	schtasks.exe
PID 988 wrote to memory of 432	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 432	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 432	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 988 wrote to memory of 3156	988	SCAN_20210115140930669.exe	SCAN_20210115140930669.exe
PID 2784 wrote to memory of 2144	2784	Explorer.EXE	chkdsk.exe
PID 2784 wrote to memory of 2144	2784	Explorer.EXE	chkdsk.exe
PID 2784 wrote to memory of 2144	2784	Explorer.EXE	chkdsk.exe
PID 2144 wrote to memory of 2432	2144	chkdsk.exe	cmd.exe
PID 2144 wrote to memory of 2432	2144	chkdsk.exe	cmd.exe
PID 2144 wrote to memory of 2432	2144	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CuWqoOcxq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A3D.tmp"
3⤵
- Creates scheduled task(s)
PID:2072

C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe"
3⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SCAN_20210115140930669.exe"
3⤵
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2A3D.tmp
MD5
6974e3dbb35b9ddb3586eb8cd08b0723

SHA1
8626c62f879ad851e99498348301fa6fc9d13d98

SHA256
1f91430c66f8025fc59ca2c9a5b483e9f405869a30b062a12a88292072de92cf

SHA512
446efb5b1ec3514e6dab38735c6d0a595b232d62c8d1b48fe640e65be711d527266f052c3d6b145c5c46a69fef306617721f9502e903b744d087f8f13f6038ab

Download Submit
memory/988-11-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/988-8-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/988-2-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/988-7-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/988-3-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/988-9-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/988-10-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/988-5-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/988-6-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2072-12-0x0000000000000000-mapping.dmp

Download
memory/2144-17-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2144-16-0x0000000000000000-mapping.dmp

Download
memory/2144-18-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2144-20-0x0000000005B90000-0x0000000005D06000-memory.dmp

Filesize
1.5MB

Download
memory/2432-19-0x0000000000000000-mapping.dmp

Download
memory/3156-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3156-15-0x000000000041EB30-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads