formbook | 39c3cb2bce96c98cde9bec9fff034acca99b592f0a4ebec39a6017f3554a56fa

General

Target

Invoice pdf.exe
Size

661KB
MD5

95ad0de0d121d51993dc0e546f82772c
SHA1

e2830744f6497321e7b4c2a49d8270ea91b923c8
SHA256

494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535
SHA512

07b83558bd2269cdafd56ca91ddbe396b1d76cc5466fe13f2fff102ce49afedcb446b734922cd4dd6f8f9d2ac80bdcd8f9287ac11415c3c1d3f6dceaef8fe5ae

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://w��5 �@q[*��S=��m

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/568-66-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/568-67-0x000000000041EAC0-mapping.dmp	formbook
behavioral1/memory/112-76-0x0000000000100000-0x000000000012E000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1968 cmd.exe

pid	process
1968	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Invoice pdf.exeInvoice pdf.exeipconfig.exe

description	pid	process	target process
PID 1104 set thread context of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 568 set thread context of 1240	568	Invoice pdf.exe	Explorer.EXE
PID 112 set thread context of 1240	112	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

804 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

112 ipconfig.exe

pid	process
804	schtasks.exe

pid	process
112	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Invoice pdf.exeInvoice pdf.exeipconfig.exe

pid	process
1104	Invoice pdf.exe
1104	Invoice pdf.exe
1104	Invoice pdf.exe
568	Invoice pdf.exe
568	Invoice pdf.exe
112	ipconfig.exe
112	ipconfig.exe
112	ipconfig.exe
112	ipconfig.exe
112	ipconfig.exe
112	ipconfig.exe
112	ipconfig.exe
112	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Invoice pdf.exeipconfig.exe

pid process

568 Invoice pdf.exe
568 Invoice pdf.exe
568 Invoice pdf.exe
112 ipconfig.exe
112 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Invoice pdf.exeInvoice pdf.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1104 Invoice pdf.exe
Token: SeDebugPrivilege 568 Invoice pdf.exe
Token: SeDebugPrivilege 112 ipconfig.exe

pid	process
568	Invoice pdf.exe
568	Invoice pdf.exe
568	Invoice pdf.exe
112	ipconfig.exe
112	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1104	Invoice pdf.exe
Token: SeDebugPrivilege	568	Invoice pdf.exe
Token: SeDebugPrivilege	112	ipconfig.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Invoice pdf.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1104 wrote to memory of 804	1104	Invoice pdf.exe	schtasks.exe
PID 1104 wrote to memory of 804	1104	Invoice pdf.exe	schtasks.exe
PID 1104 wrote to memory of 804	1104	Invoice pdf.exe	schtasks.exe
PID 1104 wrote to memory of 804	1104	Invoice pdf.exe	schtasks.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1104 wrote to memory of 568	1104	Invoice pdf.exe	Invoice pdf.exe
PID 1240 wrote to memory of 112	1240	Explorer.EXE	ipconfig.exe
PID 1240 wrote to memory of 112	1240	Explorer.EXE	ipconfig.exe
PID 1240 wrote to memory of 112	1240	Explorer.EXE	ipconfig.exe
PID 1240 wrote to memory of 112	1240	Explorer.EXE	ipconfig.exe
PID 112 wrote to memory of 1968	112	ipconfig.exe	cmd.exe
PID 112 wrote to memory of 1968	112	ipconfig.exe	cmd.exe
PID 112 wrote to memory of 1968	112	ipconfig.exe	cmd.exe
PID 112 wrote to memory of 1968	112	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gXUZJVkFviCTU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6CA.tmp"
3⤵
- Creates scheduled task(s)
PID:804

C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
3⤵
- Deletes itself
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA6CA.tmp
MD5
913058c6cc7688e86d18c1325942fe21

SHA1
24256bd5b231aa9c6d52b7304adaa685d8ada878

SHA256
2ee0dbcbf46a558b45959063f8666636d0333df1a1b22dde760fae3ce7757ede

SHA512
89952ea1c3fe61c73508802408e3bb6d6dfdf43b59e674513eca213aa5ed7c9819d5dbb98cd3a1b8e8988947614b2e0c8791837e4991b244cdf89825677f4d34

Download Submit
memory/112-72-0x0000000000000000-mapping.dmp

Download
memory/112-78-0x0000000000AC0000-0x0000000000B53000-memory.dmp

Filesize
588KB

Download
memory/112-77-0x00000000021C0000-0x00000000024C3000-memory.dmp

Filesize
3.0MB

Download
memory/112-76-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/112-75-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download
memory/568-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/568-67-0x000000000041EAC0-mapping.dmp

Download
memory/568-69-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/568-70-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/804-64-0x0000000000000000-mapping.dmp

Download
memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1104-63-0x000000007EF50000-0x000000007EF51000-memory.dmp

Filesize
4KB

Download
memory/1104-62-0x0000000000371000-0x0000000000372000-memory.dmp

Filesize
4KB

Download
memory/1104-61-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1240-71-0x00000000063E0000-0x0000000006502000-memory.dmp

Filesize
1.1MB

Download
memory/1240-79-0x0000000006970000-0x0000000006ACD000-memory.dmp

Filesize
1.4MB

Download
memory/1968-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads