formbook | 494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535

General

Target

Invoice pdf.exe
Size

661KB
MD5

95ad0de0d121d51993dc0e546f82772c
SHA1

e2830744f6497321e7b4c2a49d8270ea91b923c8
SHA256

494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535
SHA512

07b83558bd2269cdafd56ca91ddbe396b1d76cc5466fe13f2fff102ce49afedcb446b734922cd4dd6f8f9d2ac80bdcd8f9287ac11415c3c1d3f6dceaef8fe5ae

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://w��5 �@q[*��S=��m

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1520-67-0x000000000041EAC0-mapping.dmp	formbook
behavioral1/memory/1520-66-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1556-77-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1576 cmd.exe

pid	process
1576	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Invoice pdf.exeInvoice pdf.execmmon32.exe

description	pid	process	target process
PID 1048 set thread context of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1520 set thread context of 1208	1520	Invoice pdf.exe	Explorer.EXE
PID 1520 set thread context of 1208	1520	Invoice pdf.exe	Explorer.EXE
PID 1556 set thread context of 1208	1556	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe

pid	process
1016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Invoice pdf.exeInvoice pdf.execmmon32.exe

pid	process
1048	Invoice pdf.exe
1048	Invoice pdf.exe
1048	Invoice pdf.exe
1520	Invoice pdf.exe
1520	Invoice pdf.exe
1520	Invoice pdf.exe
1556	cmmon32.exe
1556	cmmon32.exe
1556	cmmon32.exe
1556	cmmon32.exe
1556	cmmon32.exe
1556	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Invoice pdf.execmmon32.exe

pid process

1520 Invoice pdf.exe
1520 Invoice pdf.exe
1520 Invoice pdf.exe
1520 Invoice pdf.exe
1556 cmmon32.exe
1556 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Invoice pdf.exeInvoice pdf.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1048 Invoice pdf.exe
Token: SeDebugPrivilege 1520 Invoice pdf.exe
Token: SeDebugPrivilege 1556 cmmon32.exe

pid	process
1520	Invoice pdf.exe
1520	Invoice pdf.exe
1520	Invoice pdf.exe
1520	Invoice pdf.exe
1556	cmmon32.exe
1556	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1048	Invoice pdf.exe
Token: SeDebugPrivilege	1520	Invoice pdf.exe
Token: SeDebugPrivilege	1556	cmmon32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Invoice pdf.exeInvoice pdf.execmmon32.exe

description	pid	process	target process
PID 1048 wrote to memory of 1016	1048	Invoice pdf.exe	schtasks.exe
PID 1048 wrote to memory of 1016	1048	Invoice pdf.exe	schtasks.exe
PID 1048 wrote to memory of 1016	1048	Invoice pdf.exe	schtasks.exe
PID 1048 wrote to memory of 1016	1048	Invoice pdf.exe	schtasks.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1048 wrote to memory of 1520	1048	Invoice pdf.exe	Invoice pdf.exe
PID 1520 wrote to memory of 1556	1520	Invoice pdf.exe	cmmon32.exe
PID 1520 wrote to memory of 1556	1520	Invoice pdf.exe	cmmon32.exe
PID 1520 wrote to memory of 1556	1520	Invoice pdf.exe	cmmon32.exe
PID 1520 wrote to memory of 1556	1520	Invoice pdf.exe	cmmon32.exe
PID 1556 wrote to memory of 1576	1556	cmmon32.exe	cmd.exe
PID 1556 wrote to memory of 1576	1556	cmmon32.exe	cmd.exe
PID 1556 wrote to memory of 1576	1556	cmmon32.exe	cmd.exe
PID 1556 wrote to memory of 1576	1556	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gXUZJVkFviCTU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB0E.tmp"
3⤵
- Creates scheduled task(s)
PID:1016

C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
5⤵
- Deletes itself
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB0E.tmp
MD5
913058c6cc7688e86d18c1325942fe21

SHA1
24256bd5b231aa9c6d52b7304adaa685d8ada878

SHA256
2ee0dbcbf46a558b45959063f8666636d0333df1a1b22dde760fae3ce7757ede

SHA512
89952ea1c3fe61c73508802408e3bb6d6dfdf43b59e674513eca213aa5ed7c9819d5dbb98cd3a1b8e8988947614b2e0c8791837e4991b244cdf89825677f4d34

Download Submit
memory/1016-64-0x0000000000000000-mapping.dmp

Download
memory/1048-60-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1048-62-0x00000000001A1000-0x00000000001A2000-memory.dmp

Filesize
4KB

Download
memory/1048-61-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1048-63-0x000000007EF50000-0x000000007EF51000-memory.dmp

Filesize
4KB

Download
memory/1208-71-0x0000000005010000-0x00000000050F2000-memory.dmp

Filesize
904KB

Download
memory/1208-80-0x0000000004A10000-0x0000000004AD9000-memory.dmp

Filesize
804KB

Download
memory/1208-73-0x0000000006FC0000-0x000000000713A000-memory.dmp

Filesize
1.5MB

Download
memory/1520-69-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1520-70-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/1520-67-0x000000000041EAC0-mapping.dmp

Download
memory/1520-72-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/1520-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1556-74-0x0000000000000000-mapping.dmp

Download
memory/1556-76-0x0000000000FD0000-0x0000000000FDD000-memory.dmp

Filesize
52KB

Download
memory/1556-77-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1556-78-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/1556-79-0x00000000009B0000-0x0000000000A43000-memory.dmp

Filesize
588KB

Download
memory/1576-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads