formbook | b1f9b3ef3e6192490d6ff9f23f8b360edf2c5b7722a2ba843d1ece24c2f990ce

General

Target

Project 88399287990.exe
Size

622KB
MD5

3837485b707ee00ae594d8b339c56ece
SHA1

df8dab1ca8581cdf2c8de899d0d4a8df8ca8d24c
SHA256

71ef3a1c1b5deecad87d419dff14667503ffbfb7f5a16f5b53eda57ae33bde7b
SHA512

6a243b10b4e556d4cf6c95f5f7d534f0ec8bd32f6cb5c153abfbdf2dcaa04c6adcb122a42cccb882cee90c98b6d50fc04bb9355f0de7a82a27e615ae10c39ba6

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.expensiveindia.com/ksb/

Decoy

rbscotl.net

mimascota10.com

ncylis.com

mariemdonacosmetics.com

elitecleaningnow.com

stockvisioner.com

whatsmodish.com

paghaze.com

weargoodsport.com

alesspace.com

rajputboarding.com

ctezna.site

athetheist.com

neurologistaandreialamberti.com

pindaz.com

ericsklavos.com

icare4me.com

xn--pypl-qoac.com

52swith.com

chetansenterprises.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3984-132-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3984-133-0x000000000041EB50-mapping.dmp	formbook
behavioral2/memory/2220-172-0x0000000002D80000-0x0000000002DAE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Project 88399287990.exeProject 88399287990.exemsiexec.exe

description	pid	process	target process
PID 652 set thread context of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 3984 set thread context of 3052	3984	Project 88399287990.exe	Explorer.EXE
PID 2220 set thread context of 3052	2220	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3856 schtasks.exe

pid	process
3856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Project 88399287990.exepowershell.exepowershell.exeProject 88399287990.exemsiexec.exe

pid	process
652	Project 88399287990.exe
3880	powershell.exe
2272	powershell.exe
3984	Project 88399287990.exe
3984	Project 88399287990.exe
3984	Project 88399287990.exe
3984	Project 88399287990.exe
2272	powershell.exe
3880	powershell.exe
3880	powershell.exe
2272	powershell.exe
2220	msiexec.exe
2220	msiexec.exe
2220	msiexec.exe
2220	msiexec.exe
2220	msiexec.exe
2220	msiexec.exe
2220	msiexec.exe
2220	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Project 88399287990.exemsiexec.exe

pid process

3984 Project 88399287990.exe
3984 Project 88399287990.exe
3984 Project 88399287990.exe
2220 msiexec.exe
2220 msiexec.exe

pid	process
3984	Project 88399287990.exe
3984	Project 88399287990.exe
3984	Project 88399287990.exe
2220	msiexec.exe
2220	msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Project 88399287990.exepowershell.exepowershell.exeProject 88399287990.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	652	Project 88399287990.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	3984	Project 88399287990.exe
Token: SeDebugPrivilege	2220	msiexec.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Project 88399287990.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 652 wrote to memory of 2272	652	Project 88399287990.exe	powershell.exe
PID 652 wrote to memory of 2272	652	Project 88399287990.exe	powershell.exe
PID 652 wrote to memory of 2272	652	Project 88399287990.exe	powershell.exe
PID 652 wrote to memory of 3856	652	Project 88399287990.exe	schtasks.exe
PID 652 wrote to memory of 3856	652	Project 88399287990.exe	schtasks.exe
PID 652 wrote to memory of 3856	652	Project 88399287990.exe	schtasks.exe
PID 652 wrote to memory of 3880	652	Project 88399287990.exe	powershell.exe
PID 652 wrote to memory of 3880	652	Project 88399287990.exe	powershell.exe
PID 652 wrote to memory of 3880	652	Project 88399287990.exe	powershell.exe
PID 652 wrote to memory of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 652 wrote to memory of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 652 wrote to memory of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 652 wrote to memory of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 652 wrote to memory of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 652 wrote to memory of 3984	652	Project 88399287990.exe	Project 88399287990.exe
PID 3052 wrote to memory of 2220	3052	Explorer.EXE	msiexec.exe
PID 3052 wrote to memory of 2220	3052	Explorer.EXE	msiexec.exe
PID 3052 wrote to memory of 2220	3052	Explorer.EXE	msiexec.exe
PID 2220 wrote to memory of 2616	2220	msiexec.exe	cmd.exe
PID 2220 wrote to memory of 2616	2220	msiexec.exe	cmd.exe
PID 2220 wrote to memory of 2616	2220	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe
"C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gIujDCSIo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C28.tmp"
3⤵
- Creates scheduled task(s)
PID:3856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gIujDCSIo.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe
"C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
3⤵
PID:2616

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
48e29569a5bc74498be334d1fa94252b

SHA1
4028f60c0ea17ad64cad0370b26331cf9dc6b69a

SHA256
a6724eeafa64b8db2f4cf87473fcbade5694994bc3078edb6763837af6e0445d

SHA512
f7264ad1bba5160110b8d853015f860d9b6c2fde6933aa836884399a7f1b1f15046b25cd4590f200db8236bc5316beb93aad662892e473306e96d0c2a57675dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C28.tmp
MD5
19a4687405ac814f19ca392e6eef9777

SHA1
aebc95a34bf7ca67aea261aed723c796a2fa5146

SHA256
a7a6ef6100234c36a282e01684d6faee5cd224be08c2d052ce4b7a1539c5b8b4

SHA512
8ec1295ea58d6abb423c8da8400a92bd61b8b08665fbf1876b418d07bd123d14bf6a962f9088c47518e446c20a5f7a2deec3df9ec611deb51da37a0f00eeea9b

Download Submit
memory/652-123-0x0000000005550000-0x00000000055AB000-memory.dmp

Filesize
364KB

Download
memory/652-118-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/652-120-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/652-121-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x00000000050D0000-0x00000000050D9000-memory.dmp

Filesize
36KB

Download
memory/652-114-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/652-117-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/2220-196-0x0000000004C30000-0x0000000004F50000-memory.dmp

Filesize
3.1MB

Download
memory/2220-203-0x0000000004A80000-0x0000000004B13000-memory.dmp

Filesize
588KB

Download
memory/2220-172-0x0000000002D80000-0x0000000002DAE000-memory.dmp

Filesize
184KB

Download
memory/2220-171-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/2220-164-0x0000000000000000-mapping.dmp

Download
memory/2272-147-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/2272-194-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/2272-199-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/2272-143-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/2272-145-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/2272-134-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2272-197-0x000000007EE10000-0x000000007EE11000-memory.dmp

Filesize
4KB

Download
memory/2272-129-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/2272-135-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/2272-180-0x0000000009970000-0x00000000099A3000-memory.dmp

Filesize
204KB

Download
memory/2272-127-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2272-124-0x0000000000000000-mapping.dmp

Download
memory/2272-158-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/2616-185-0x0000000000000000-mapping.dmp

Download
memory/3052-153-0x0000000005C80000-0x0000000005DC6000-memory.dmp

Filesize
1.3MB

Download
memory/3052-204-0x0000000005DD0000-0x0000000005EFE000-memory.dmp

Filesize
1.2MB

Download
memory/3856-128-0x0000000000000000-mapping.dmp

Download
memory/3880-156-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/3880-154-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/3880-131-0x0000000000000000-mapping.dmp

Download
memory/3880-150-0x0000000005062000-0x0000000005063000-memory.dmp

Filesize
4KB

Download
memory/3880-149-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3880-198-0x0000000005063000-0x0000000005064000-memory.dmp

Filesize
4KB

Download
memory/3880-141-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/3880-200-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

Filesize
4KB

Download
memory/3984-151-0x00000000018A0000-0x0000000001BC0000-memory.dmp

Filesize
3.1MB

Download
memory/3984-132-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3984-133-0x000000000041EB50-mapping.dmp

Download
memory/3984-152-0x0000000001810000-0x0000000001824000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads