formbook | 398e6661f5ca757d0d7c777a0ed8ca1481b5c2df810008164e1f51deefc2ab48

General

Target

2e2eba416b6ec3efaace0621e8e229d2.exe
Size

333KB
MD5

2e2eba416b6ec3efaace0621e8e229d2
SHA1

c638e91299adc8ff3e0e21120e9417feed819861
SHA256

398e6661f5ca757d0d7c777a0ed8ca1481b5c2df810008164e1f51deefc2ab48
SHA512

eae1ceb02e8130b507041125c589e4ab2beea7e110abd600029b8f2a42beb6e1c14f0b1c3c4d654d715cf0c4dfe838740a83a09df3d2abbf5b2bd7c919282201

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.stepsaudio.com/mjl/

Decoy

assetscheck.com

domauritius.com

therealnotary.com

xcusehrreje.com

modernhub.info

ckr7.com

umbracreations.net

dikanji.com

gaonwale.com

behind-the-pink-door.com

xn--4dbaigbvbe5b1a.net

cbcsnesscity.com

db-mktdigital.com

jackaldenryan.com

china-xinkai.com

856380511.xyz

sonoraquwat.com

chinaiess.com

blockchainisgreat.com

yax98.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/436-65-0x0000000000401190-mapping.dmp	formbook
behavioral1/memory/436-64-0x0000000000400000-0x0000000000433000-memory.dmp	formbook
\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe	formbook
behavioral1/memory/436-71-0x0000000000400000-0x0000000000433000-memory.dmp	formbook
\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe	formbook
C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe	formbook
C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe	formbook
behavioral1/memory/588-83-0x0000000000090000-0x00000000000BE000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

FB_6529.tmp.exeFB_679A.tmp.exe

pid process

1512 FB_6529.tmp.exe
1564 FB_679A.tmp.exe

pid	process
1512	FB_6529.tmp.exe
1564	FB_679A.tmp.exe

Loads dropped DLL 4 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exe

pid	process
436	2e2eba416b6ec3efaace0621e8e229d2.exe
436	2e2eba416b6ec3efaace0621e8e229d2.exe
436	2e2eba416b6ec3efaace0621e8e229d2.exe
436	2e2eba416b6ec3efaace0621e8e229d2.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exeFB_679A.tmp.exemsiexec.exe

description	pid	process	target process
PID 1684 set thread context of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1564 set thread context of 1228	1564	FB_679A.tmp.exe	Explorer.EXE
PID 588 set thread context of 1228	588	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exeFB_679A.tmp.exemsiexec.exe

pid	process
1684	2e2eba416b6ec3efaace0621e8e229d2.exe
1684	2e2eba416b6ec3efaace0621e8e229d2.exe
1564	FB_679A.tmp.exe
1564	FB_679A.tmp.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe
588	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

FB_679A.tmp.exemsiexec.exe

pid process

1564 FB_679A.tmp.exe
1564 FB_679A.tmp.exe
1564 FB_679A.tmp.exe
588 msiexec.exe
588 msiexec.exe

pid	process
1564	FB_679A.tmp.exe
1564	FB_679A.tmp.exe
1564	FB_679A.tmp.exe
588	msiexec.exe
588	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exeFB_679A.tmp.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1684	2e2eba416b6ec3efaace0621e8e229d2.exe
Token: SeDebugPrivilege	1564	FB_679A.tmp.exe
Token: SeDebugPrivilege	588	msiexec.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exe2e2eba416b6ec3efaace0621e8e229d2.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 1684 wrote to memory of 436	1684	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 436 wrote to memory of 1512	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_6529.tmp.exe
PID 436 wrote to memory of 1512	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_6529.tmp.exe
PID 436 wrote to memory of 1512	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_6529.tmp.exe
PID 436 wrote to memory of 1512	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_6529.tmp.exe
PID 436 wrote to memory of 1564	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_679A.tmp.exe
PID 436 wrote to memory of 1564	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_679A.tmp.exe
PID 436 wrote to memory of 1564	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_679A.tmp.exe
PID 436 wrote to memory of 1564	436	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_679A.tmp.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 1228 wrote to memory of 588	1228	Explorer.EXE	msiexec.exe
PID 588 wrote to memory of 108	588	msiexec.exe	cmd.exe
PID 588 wrote to memory of 108	588	msiexec.exe	cmd.exe
PID 588 wrote to memory of 108	588	msiexec.exe	cmd.exe
PID 588 wrote to memory of 108	588	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
"C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\FB_6529.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_6529.tmp.exe"
4⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe"
3⤵
PID:108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_6529.tmp.exe
MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe
MD5
b4e443daba6d844cfaba63ca17ff5a09

SHA1
b1d7f9c5c94858acfeb75b8bdfea38e3c4f01eb6

SHA256
852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

SHA512
53a5f8b1feb147d671497f37032db0010c70d558f047f0370b4de1e825633c71f6ce123bb8b02ebd74e185b514efc48bd88cbbe9272416c34da9b68b4745e4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe
MD5
b4e443daba6d844cfaba63ca17ff5a09

SHA1
b1d7f9c5c94858acfeb75b8bdfea38e3c4f01eb6

SHA256
852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

SHA512
53a5f8b1feb147d671497f37032db0010c70d558f047f0370b4de1e825633c71f6ce123bb8b02ebd74e185b514efc48bd88cbbe9272416c34da9b68b4745e4b5

Download Submit
\Users\Admin\AppData\Local\Temp\FB_6529.tmp.exe
MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
\Users\Admin\AppData\Local\Temp\FB_6529.tmp.exe
MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe
MD5
b4e443daba6d844cfaba63ca17ff5a09

SHA1
b1d7f9c5c94858acfeb75b8bdfea38e3c4f01eb6

SHA256
852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

SHA512
53a5f8b1feb147d671497f37032db0010c70d558f047f0370b4de1e825633c71f6ce123bb8b02ebd74e185b514efc48bd88cbbe9272416c34da9b68b4745e4b5

Download Submit
\Users\Admin\AppData\Local\Temp\FB_679A.tmp.exe
MD5
b4e443daba6d844cfaba63ca17ff5a09

SHA1
b1d7f9c5c94858acfeb75b8bdfea38e3c4f01eb6

SHA256
852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

SHA512
53a5f8b1feb147d671497f37032db0010c70d558f047f0370b4de1e825633c71f6ce123bb8b02ebd74e185b514efc48bd88cbbe9272416c34da9b68b4745e4b5

Download Submit
memory/108-85-0x0000000000000000-mapping.dmp

Download
memory/436-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-66-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/436-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-65-0x0000000000401190-mapping.dmp

Download
memory/588-83-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/588-86-0x0000000000AE0000-0x0000000000B73000-memory.dmp

Filesize
588KB

Download
memory/588-82-0x0000000000CA0000-0x0000000000CB4000-memory.dmp

Filesize
80KB

Download
memory/588-84-0x0000000002250000-0x0000000002553000-memory.dmp

Filesize
3.0MB

Download
memory/588-79-0x0000000000000000-mapping.dmp

Download
memory/1228-87-0x0000000006470000-0x00000000065A3000-memory.dmp

Filesize
1.2MB

Download
memory/1228-78-0x0000000004220000-0x00000000042FD000-memory.dmp

Filesize
884KB

Download
memory/1512-69-0x0000000000000000-mapping.dmp

Download
memory/1564-74-0x0000000000000000-mapping.dmp

Download
memory/1564-77-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/1564-76-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1684-62-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/1684-61-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1684-63-0x0000000001E30000-0x0000000001E76000-memory.dmp

Filesize
280KB

Download
memory/1684-59-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads