formbook | ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b

General

Target

Payment_4372889.exe
Size

735KB
MD5

d7e382bb4854061f9fc7a9806da0d7af
SHA1

07150c8377209b185e017d858f0cd6704ab2c732
SHA256

ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
SHA512

2f1ae72ebc57a8b312740425113240a0de56aab10c2248f31b7f66e452a30f2583e32bfaaaacf9f3f4ee692aef09196477075441d5be24ad6be7630137b22a25

Score

10^/10

formbook evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.merckcbd.com/dei5/

Decoy

studiomullerphoto.com

reallionairewear.com

dogsalondoggy-tail.com

excelmache.net

bigdiscounters.com

7986799.com

ignition.guru

xiaoxu.info

jpinpd.com

solpool.info

uchooswrewards.com

everestengineeringworks.com

qianglongzhipin.com

deepimper-325.com

appliedrate.com

radsazemehr.com

vivabematividadesfisicas.com

capacitalo.com

somecore.com

listingclass.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/892-16-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/892-17-0x000000000041ECD0-mapping.dmp	formbook
behavioral2/memory/2344-25-0x0000000000F60000-0x0000000000F8E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment_4372889.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Payment_4372889.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Payment_4372889.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Payment_4372889.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Payment_4372889.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Payment_4372889.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment_4372889.exePayment_4372889.exeraserver.exe

description	pid	process	target process
PID 580 set thread context of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 892 set thread context of 3116	892	Payment_4372889.exe	Explorer.EXE
PID 2344 set thread context of 3116	2344	raserver.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2184 schtasks.exe

pid	process
2184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Payment_4372889.exePayment_4372889.exeraserver.exe

pid	process
580	Payment_4372889.exe
892	Payment_4372889.exe
892	Payment_4372889.exe
892	Payment_4372889.exe
892	Payment_4372889.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe
2344	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment_4372889.exeraserver.exe

pid process

892 Payment_4372889.exe
892 Payment_4372889.exe
892 Payment_4372889.exe
2344 raserver.exe
2344 raserver.exe

pid	process
892	Payment_4372889.exe
892	Payment_4372889.exe
892	Payment_4372889.exe
2344	raserver.exe
2344	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment_4372889.exePayment_4372889.exeraserver.exe

description	pid	process
Token: SeDebugPrivilege	580	Payment_4372889.exe
Token: SeDebugPrivilege	892	Payment_4372889.exe
Token: SeDebugPrivilege	2344	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment_4372889.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 580 wrote to memory of 2184	580	Payment_4372889.exe	schtasks.exe
PID 580 wrote to memory of 2184	580	Payment_4372889.exe	schtasks.exe
PID 580 wrote to memory of 2184	580	Payment_4372889.exe	schtasks.exe
PID 580 wrote to memory of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 580 wrote to memory of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 580 wrote to memory of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 580 wrote to memory of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 580 wrote to memory of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 580 wrote to memory of 892	580	Payment_4372889.exe	Payment_4372889.exe
PID 3116 wrote to memory of 2344	3116	Explorer.EXE	raserver.exe
PID 3116 wrote to memory of 2344	3116	Explorer.EXE	raserver.exe
PID 3116 wrote to memory of 2344	3116	Explorer.EXE	raserver.exe
PID 2344 wrote to memory of 2660	2344	raserver.exe	cmd.exe
PID 2344 wrote to memory of 2660	2344	raserver.exe	cmd.exe
PID 2344 wrote to memory of 2660	2344	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\Payment_4372889.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_4372889.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UEwFjeYBtPwSqZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFC9.tmp"
3⤵
- Creates scheduled task(s)
PID:2184

C:\Users\Admin\AppData\Local\Temp\Payment_4372889.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_4372889.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3192

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2348

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment_4372889.exe"
3⤵
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAFC9.tmp
MD5
f3243b78f1fd7b8a818be837e1146681

SHA1
f3d804d42378c82eb2bbd6e38ac8cb8668ad21e1

SHA256
94f0f42b36dbe62235f7355dc73444716b0c4cc44e5ee488a3d1d45ed41cf5f1

SHA512
6eb911581c1ecea5a53af3393f5736d8772ee5e6644f9c23f2e748c0a340921a5fde78d5b0f30f5ab84cb6ccbf7b4d0bf774b4b5e19eb56177efb8a1d730f959

Download Submit
memory/580-9-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/580-5-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/580-6-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/580-8-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/580-10-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/580-11-0x00000000050A0000-0x00000000050B3000-memory.dmp

Filesize
76KB

Download
memory/580-12-0x0000000000F10000-0x0000000000F7B000-memory.dmp

Filesize
428KB

Download
memory/580-13-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/580-3-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/892-20-0x0000000001800000-0x0000000001814000-memory.dmp

Filesize
80KB

Download
memory/892-19-0x0000000001490000-0x00000000017B0000-memory.dmp

Filesize
3.1MB

Download
memory/892-17-0x000000000041ECD0-mapping.dmp

Download
memory/892-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2184-14-0x0000000000000000-mapping.dmp

Download
memory/2344-26-0x00000000047C0000-0x0000000004AE0000-memory.dmp

Filesize
3.1MB

Download
memory/2344-22-0x0000000000000000-mapping.dmp

Download
memory/2344-24-0x0000000001360000-0x000000000137F000-memory.dmp

Filesize
124KB

Download
memory/2344-25-0x0000000000F60000-0x0000000000F8E000-memory.dmp

Filesize
184KB

Download
memory/2344-27-0x0000000004B80000-0x0000000004C13000-memory.dmp

Filesize
588KB

Download
memory/2660-23-0x0000000000000000-mapping.dmp

Download
memory/3116-21-0x0000000006400000-0x000000000650E000-memory.dmp

Filesize
1.1MB

Download
memory/3116-28-0x0000000006510000-0x000000000662F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads