formbook | 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9

General

Target

auricular.exe
Size

84KB
MD5

5525bb8a978d3ac15812c8d8ca9b8a57
SHA1

dcb9549ff9c290e056f83639ad546b03206a0806
SHA256

21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9
SHA512

0e5504ee2fc22ce87c1cac663e0c4cd76227025da20c2903d63ddafc0fc8a270d56a90b89c31d8ee448a61f881ace27037beb623f4409b9d1020a6b2a0a9f35b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.greatamericapolling.com/71m/

Decoy

heartprintclub.com

artstudio888.com

a2zitsol.com

azarblock.com

designwithravi.com

twoforksbakery.com

fundacionsinlimiteips.com

alephconference.site

smallpeo.com

ingpatrimoine.com

smartpancake.icu

sakiaza.com

hamptoninnbelton.com

captainamericashirts.com

belvederepublishing.com

trollingguide.com

sfgproposal.com

themindofafunnygirl.com

mishkatelm.com

biodis.cloud

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/752-10-0x0000000000401000-0x0000000000541000-memory.dmp	formbook
behavioral1/memory/560-19-0x0000000000150000-0x000000000017E000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

980 cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

auricular.exeauricular.exe

pid process

1864 auricular.exe
752 auricular.exe
752 auricular.exe

pid	process
980	cmd.exe

pid	process
1864	auricular.exe
752	auricular.exe
752	auricular.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

auricular.exeauricular.exerundll32.exe

description	pid	process	target process
PID 1864 set thread context of 752	1864	auricular.exe	auricular.exe
PID 752 set thread context of 1220	752	auricular.exe	Explorer.EXE
PID 752 set thread context of 1220	752	auricular.exe	Explorer.EXE
PID 560 set thread context of 1220	560	rundll32.exe	Explorer.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

auricular.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	auricular.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	auricular.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	auricular.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

auricular.exerundll32.exe

pid	process
752	auricular.exe
752	auricular.exe
752	auricular.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

auricular.exeauricular.exerundll32.exe

pid process

1864 auricular.exe
752 auricular.exe
752 auricular.exe
752 auricular.exe
752 auricular.exe
560 rundll32.exe
560 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

auricular.exerundll32.exe

description pid process

Token: SeDebugPrivilege 752 auricular.exe
Token: SeDebugPrivilege 560 rundll32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

auricular.exe

pid process

1864 auricular.exe

pid	process
1864	auricular.exe
752	auricular.exe
752	auricular.exe
752	auricular.exe
752	auricular.exe
560	rundll32.exe
560	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	752	auricular.exe
Token: SeDebugPrivilege	560	rundll32.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1864	auricular.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

auricular.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1864 wrote to memory of 752	1864	auricular.exe	auricular.exe
PID 1864 wrote to memory of 752	1864	auricular.exe	auricular.exe
PID 1864 wrote to memory of 752	1864	auricular.exe	auricular.exe
PID 1864 wrote to memory of 752	1864	auricular.exe	auricular.exe
PID 1864 wrote to memory of 752	1864	auricular.exe	auricular.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 1220 wrote to memory of 560	1220	Explorer.EXE	rundll32.exe
PID 560 wrote to memory of 980	560	rundll32.exe	cmd.exe
PID 560 wrote to memory of 980	560	rundll32.exe	cmd.exe
PID 560 wrote to memory of 980	560	rundll32.exe	cmd.exe
PID 560 wrote to memory of 980	560	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\auricular.exe
"C:\Users\Admin\AppData\Local\Temp\auricular.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\auricular.exe
"C:\Users\Admin\AppData\Local\Temp\auricular.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\auricular.exe"
3⤵
- Deletes itself
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-19-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/560-22-0x0000000001DC0000-0x0000000001E53000-memory.dmp

Filesize
588KB

Download
memory/560-20-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/560-18-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/560-16-0x0000000000000000-mapping.dmp

Download
memory/752-6-0x0000000000401498-mapping.dmp

Download
memory/752-7-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/752-10-0x0000000000401000-0x0000000000541000-memory.dmp

Filesize
1.2MB

Download
memory/752-12-0x000000001EA00000-0x000000001EA14000-memory.dmp

Filesize
80KB

Download
memory/752-11-0x000000001EB00000-0x000000001EE03000-memory.dmp

Filesize
3.0MB

Download
memory/752-14-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/980-21-0x0000000000000000-mapping.dmp

Download
memory/1220-13-0x0000000006390000-0x0000000006534000-memory.dmp

Filesize
1.6MB

Download
memory/1220-15-0x00000000070D0000-0x000000000720C000-memory.dmp

Filesize
1.2MB

Download
memory/1220-23-0x0000000004F10000-0x0000000005015000-memory.dmp

Filesize
1.0MB

Download
memory/1660-9-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/1864-4-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1864-5-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads