formbook | 45808e8aaed0b109e66d745787d59d1965c10b718eef167d7a2bae2c8df4b5f6

General

Target

PO.exe
Size

234KB
MD5

220dd8a37c0783d1e906525186ddc95c
SHA1

0153efd575f5ce0afeb5e8e7f40b6d0e0967e456
SHA256

7de63d57554daf81ef5bd3508fce96ae9d2eaae9bee30eb29d147095b3d9ea33
SHA512

5fab23a422fb69d302d4c60cc347007dee423af00657386a3a232ab7faadd70903d11ef7b3cfc957bad431b519bf205e328427f67af3a4303e25c9f009f2c224

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.middlehambooks.com/klf/

Decoy

podcastyourvote.com

northernlsx.com

guide4idiots.com

artebythesea.com

sapanyc.com

livinoutthedreamsco.com

thepowersinyou.com

protocolmodern.com

holdergear.com

betteringthehumanexperience.xyz

agnostec.com

royermaldonado.com

wealthtruckingco.com

artcode-software.com

microsoftpods.com

identityofplace.com

algoritas.com

grandpaurbanfarm.net

zahidibr.com

flawlessdrinking.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4900-118-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3076-126-0x0000000000ED0000-0x0000000000EFE000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

PO.exe

pid process

4432 PO.exe

pid	process
4432	PO.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO.exePO.exemsdt.exe

description	pid	process	target process
PID 4432 set thread context of 4900	4432	PO.exe	PO.exe
PID 4900 set thread context of 2416	4900	PO.exe	Explorer.EXE
PID 4900 set thread context of 2416	4900	PO.exe	Explorer.EXE
PID 3076 set thread context of 2416	3076	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

PO.exemsdt.exe

pid	process
4900	PO.exe
4900	PO.exe
4900	PO.exe
4900	PO.exe
4900	PO.exe
4900	PO.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe
3076	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2416 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

PO.exePO.exemsdt.exe

pid process

4432 PO.exe
4900 PO.exe
4900 PO.exe
4900 PO.exe
4900 PO.exe
3076 msdt.exe
3076 msdt.exe

pid	process
2416	Explorer.EXE

pid	process
4432	PO.exe
4900	PO.exe
4900	PO.exe
4900	PO.exe
4900	PO.exe
3076	msdt.exe
3076	msdt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

PO.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	4900	PO.exe
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeDebugPrivilege	3076	msdt.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

PO.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 4432 wrote to memory of 4900	4432	PO.exe	PO.exe
PID 4432 wrote to memory of 4900	4432	PO.exe	PO.exe
PID 4432 wrote to memory of 4900	4432	PO.exe	PO.exe
PID 4432 wrote to memory of 4900	4432	PO.exe	PO.exe
PID 2416 wrote to memory of 3076	2416	Explorer.EXE	msdt.exe
PID 2416 wrote to memory of 3076	2416	Explorer.EXE	msdt.exe
PID 2416 wrote to memory of 3076	2416	Explorer.EXE	msdt.exe
PID 3076 wrote to memory of 4064	3076	msdt.exe	cmd.exe
PID 3076 wrote to memory of 4064	3076	msdt.exe	cmd.exe
PID 3076 wrote to memory of 4064	3076	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
3⤵
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsv9CB.tmp\55po.dll
MD5
f8b51fd6f70455d07c7a53a8ace81744

SHA1
91aa6dfa7c86b36fa1ddf92852f52325c013616d

SHA256
9cd220598c67347558abafebb4208c8c01c0ca692f517325bcc626e013d570ae

SHA512
40ab512f99a557252c77bd87d9aae14183272cb3461db8658bda83800293695f54fc6aa7741c02eb280a11805fef5a762ea3cdc61c6ed5bc47cb67ce1aa1a972

Download Submit
memory/2416-121-0x0000000005860000-0x00000000059AD000-memory.dmp

Filesize
1.3MB

Download
memory/2416-130-0x00000000069B0000-0x0000000006B1E000-memory.dmp

Filesize
1.4MB

Download
memory/2416-123-0x00000000059B0000-0x0000000005AEB000-memory.dmp

Filesize
1.2MB

Download
memory/3076-125-0x0000000000FF0000-0x0000000001163000-memory.dmp

Filesize
1.4MB

Download
memory/3076-124-0x0000000000000000-mapping.dmp

Download
memory/3076-126-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

Filesize
184KB

Download
memory/3076-127-0x00000000052E0000-0x0000000005600000-memory.dmp

Filesize
3.1MB

Download
memory/3076-129-0x0000000005040000-0x00000000050D3000-memory.dmp

Filesize
588KB

Download
memory/4064-128-0x0000000000000000-mapping.dmp

Download
memory/4432-116-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4432-117-0x0000000002711000-0x0000000002713000-memory.dmp

Filesize
8KB

Download
memory/4900-118-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4900-120-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/4900-119-0x0000000000970000-0x0000000000C90000-memory.dmp

Filesize
3.1MB

Download
memory/4900-122-0x0000000000920000-0x0000000000934000-memory.dmp

Filesize
80KB

Download
memory/4900-115-0x000000000041EB20-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads