formbook | 7bec2a01478bd943f3752937e56ac6dcd8d4d702b2a7eb91dc97b531a732fa6d

General

Target

power.ps1
Size

4KB
MD5

64d942a7c2e9dea577a1c062e6dc6bbd
SHA1

4b074b041c48ed8b4e1a175df1ff5dd5614d2c46
SHA256

7bec2a01478bd943f3752937e56ac6dcd8d4d702b2a7eb91dc97b531a732fa6d
SHA512

639cb9246fcda7046922a65408aa0fed462753398f24d030b5664f08bff27f3a0ba5e912568b6c78e7941633aa333b45296da3ff25e4f52a96c959bf016a6a71

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.groupoperationltd.com/mph/

Decoy

caravanmattressesforsale.com

romicalpk.com

procentrall.com

happyworkpro.com

barriobruja.com

olenfex.com

driftandcompile.com

heisen.club

materialmatch.online

maxmaldives.com

wzlxpscr.com

ytvksh.space

amonez.com

hatchmatchusa.com

mcfarlandfamilyevents.com

mcchoo.xyz

ravgugenheim.com

shapeshift.asia

defensebowl.store

styleliving.today

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3144-10-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3144-11-0x000000000041EB20-mapping.dmp	formbook
behavioral2/memory/3992-22-0x0000000003120000-0x000000000314E000-memory.dmp	formbook

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

8 2432 powershell.exe
10 2432 powershell.exe
12 2432 powershell.exe
14 2432 powershell.exe

flow	pid	process
8	2432	powershell.exe
10	2432	powershell.exe
12	2432	powershell.exe
14	2432	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.execontrol.exewscript.exe

description	pid	process	target process
PID 2432 set thread context of 3144	2432	powershell.exe	control.exe
PID 3144 set thread context of 1680	3144	control.exe	Explorer.EXE
PID 3144 set thread context of 1680	3144	control.exe	Explorer.EXE
PID 3992 set thread context of 1680	3992	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 67 IoCs

Processes:

powershell.execontrol.exewscript.exe

pid	process
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
3144	control.exe
3144	control.exe
3144	control.exe
3144	control.exe
3144	control.exe
3144	control.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe
3992	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

control.exewscript.exe

pid process

3144 control.exe
3144 control.exe
3144 control.exe
3144 control.exe
3992 wscript.exe
3992 wscript.exe

pid	process
3144	control.exe
3144	control.exe
3144	control.exe
3144	control.exe
3992	wscript.exe
3992	wscript.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

powershell.execontrol.exeExplorer.EXEwscript.exe

description	pid	process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	powershell.exe
Token: SeSecurityPrivilege	2432	powershell.exe
Token: SeTakeOwnershipPrivilege	2432	powershell.exe
Token: SeLoadDriverPrivilege	2432	powershell.exe
Token: SeSystemProfilePrivilege	2432	powershell.exe
Token: SeSystemtimePrivilege	2432	powershell.exe
Token: SeProfSingleProcessPrivilege	2432	powershell.exe
Token: SeIncBasePriorityPrivilege	2432	powershell.exe
Token: SeCreatePagefilePrivilege	2432	powershell.exe
Token: SeBackupPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2432	powershell.exe
Token: SeShutdownPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	2432	powershell.exe
Token: SeRemoteShutdownPrivilege	2432	powershell.exe
Token: SeUndockPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	2432	powershell.exe
Token: 33	2432	powershell.exe
Token: 34	2432	powershell.exe
Token: 35	2432	powershell.exe
Token: 36	2432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	powershell.exe
Token: SeSecurityPrivilege	2432	powershell.exe
Token: SeTakeOwnershipPrivilege	2432	powershell.exe
Token: SeLoadDriverPrivilege	2432	powershell.exe
Token: SeSystemProfilePrivilege	2432	powershell.exe
Token: SeSystemtimePrivilege	2432	powershell.exe
Token: SeProfSingleProcessPrivilege	2432	powershell.exe
Token: SeIncBasePriorityPrivilege	2432	powershell.exe
Token: SeCreatePagefilePrivilege	2432	powershell.exe
Token: SeBackupPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2432	powershell.exe
Token: SeShutdownPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	2432	powershell.exe
Token: SeRemoteShutdownPrivilege	2432	powershell.exe
Token: SeUndockPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	2432	powershell.exe
Token: 33	2432	powershell.exe
Token: 34	2432	powershell.exe
Token: 35	2432	powershell.exe
Token: 36	2432	powershell.exe
Token: SeDebugPrivilege	3144	control.exe
Token: SeShutdownPrivilege	1680	Explorer.EXE
Token: SeCreatePagefilePrivilege	1680	Explorer.EXE
Token: SeShutdownPrivilege	1680	Explorer.EXE
Token: SeCreatePagefilePrivilege	1680	Explorer.EXE
Token: SeDebugPrivilege	3992	wscript.exe
Token: SeShutdownPrivilege	1680	Explorer.EXE
Token: SeCreatePagefilePrivilege	1680	Explorer.EXE
Token: SeShutdownPrivilege	1680	Explorer.EXE
Token: SeCreatePagefilePrivilege	1680	Explorer.EXE
Token: SeShutdownPrivilege	1680	Explorer.EXE
Token: SeCreatePagefilePrivilege	1680	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1680 Explorer.EXE

pid	process
1680	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2432 wrote to memory of 3144	2432	powershell.exe	control.exe
PID 2432 wrote to memory of 3144	2432	powershell.exe	control.exe
PID 2432 wrote to memory of 3144	2432	powershell.exe	control.exe
PID 2432 wrote to memory of 3144	2432	powershell.exe	control.exe
PID 2432 wrote to memory of 3144	2432	powershell.exe	control.exe
PID 2432 wrote to memory of 3144	2432	powershell.exe	control.exe
PID 1680 wrote to memory of 3992	1680	Explorer.EXE	wscript.exe
PID 1680 wrote to memory of 3992	1680	Explorer.EXE	wscript.exe
PID 1680 wrote to memory of 3992	1680	Explorer.EXE	wscript.exe
PID 3992 wrote to memory of 3976	3992	wscript.exe	cmd.exe
PID 3992 wrote to memory of 3976	3992	wscript.exe	cmd.exe
PID 3992 wrote to memory of 3976	3992	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\power.ps1
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\WINDOWS\syswow64\control.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe
/c del "C:\WINDOWS\syswow64\control.exe"
3⤵
PID:3976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-17-0x0000000005FD0000-0x0000000006118000-memory.dmp

Filesize
1.3MB

Download
memory/1680-26-0x0000000002BB0000-0x0000000002C59000-memory.dmp

Filesize
676KB

Download
memory/1680-19-0x0000000006250000-0x000000000638A000-memory.dmp

Filesize
1.2MB

Download
memory/2432-12-0x000002391B2C9000-0x000002391B2CF000-memory.dmp

Filesize
24KB

Download
memory/2432-6-0x0000023935AA0000-0x0000023935AA1000-memory.dmp

Filesize
4KB

Download
memory/2432-7-0x000002391B2C6000-0x000002391B2C8000-memory.dmp

Filesize
8KB

Download
memory/2432-8-0x0000023936040000-0x0000023936085000-memory.dmp

Filesize
276KB

Download
memory/2432-9-0x000002391B2C8000-0x000002391B2C9000-memory.dmp

Filesize
4KB

Download
memory/2432-3-0x000002391B2C0000-0x000002391B2C2000-memory.dmp

Filesize
8KB

Download
memory/2432-4-0x000002391B2C3000-0x000002391B2C5000-memory.dmp

Filesize
8KB

Download
memory/2432-2-0x00007FFD893E0000-0x00007FFD89DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-5-0x000002391B2D0000-0x000002391B2D1000-memory.dmp

Filesize
4KB

Download
memory/3144-16-0x0000000002870000-0x0000000002884000-memory.dmp

Filesize
80KB

Download
memory/3144-15-0x0000000002E10000-0x0000000003130000-memory.dmp

Filesize
3.1MB

Download
memory/3144-11-0x000000000041EB20-mapping.dmp

Download
memory/3144-18-0x0000000003280000-0x0000000003294000-memory.dmp

Filesize
80KB

Download
memory/3144-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3976-23-0x0000000000000000-mapping.dmp

Download
memory/3992-20-0x0000000000000000-mapping.dmp

Download
memory/3992-22-0x0000000003120000-0x000000000314E000-memory.dmp

Filesize
184KB

Download
memory/3992-21-0x00000000000B0000-0x00000000000D7000-memory.dmp

Filesize
156KB

Download
memory/3992-24-0x00000000047D0000-0x0000000004AF0000-memory.dmp

Filesize
3.1MB

Download
memory/3992-25-0x0000000004B90000-0x0000000004C23000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads