formbook | 3f37e123258dcf5b2a18a1ba8299f21ddb6fa585db1dac3a957022d7c763a184

General

Target

Shipping Docs.exe
Size

944KB
MD5

1c7c7a3b0cfb41627125bb609863675a
SHA1

83a9b9eec6dcc897b1406b7ca166e40c33f58d3d
SHA256

3f37e123258dcf5b2a18a1ba8299f21ddb6fa585db1dac3a957022d7c763a184
SHA512

d2b455fb31994cf79fe7d198917382822d772f95b00c913683ff539c351b36ae85c2545b163e934cca8282435650446d24e3614bc283486b9dfd49d7e636ec5b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://w��5 �@q[*��S=��m

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1104-65-0x000000000041EAC0-mapping.dmp	formbook
behavioral1/memory/1104-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/436-76-0x00000000000D0000-0x00000000000FE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe

pid	process
1496	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Shipping Docs.exeShipping Docs.exemstsc.exe

description	pid	process	target process
PID 1268 set thread context of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1104 set thread context of 1196	1104	Shipping Docs.exe	Explorer.EXE
PID 1104 set thread context of 1196	1104	Shipping Docs.exe	Explorer.EXE
PID 436 set thread context of 1196	436	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

544 schtasks.exe

pid	process
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Shipping Docs.exeShipping Docs.exemstsc.exe

pid	process
1268	Shipping Docs.exe
1268	Shipping Docs.exe
1268	Shipping Docs.exe
1104	Shipping Docs.exe
1104	Shipping Docs.exe
1104	Shipping Docs.exe
436	mstsc.exe
436	mstsc.exe
436	mstsc.exe
436	mstsc.exe
436	mstsc.exe
436	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Shipping Docs.exemstsc.exe

pid process

1104 Shipping Docs.exe
1104 Shipping Docs.exe
1104 Shipping Docs.exe
1104 Shipping Docs.exe
436 mstsc.exe
436 mstsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Shipping Docs.exeShipping Docs.exemstsc.exe

description pid process

Token: SeDebugPrivilege 1268 Shipping Docs.exe
Token: SeDebugPrivilege 1104 Shipping Docs.exe
Token: SeDebugPrivilege 436 mstsc.exe

pid	process
1104	Shipping Docs.exe
1104	Shipping Docs.exe
1104	Shipping Docs.exe
1104	Shipping Docs.exe
436	mstsc.exe
436	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	1268	Shipping Docs.exe
Token: SeDebugPrivilege	1104	Shipping Docs.exe
Token: SeDebugPrivilege	436	mstsc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Shipping Docs.exeShipping Docs.exemstsc.exe

description	pid	process	target process
PID 1268 wrote to memory of 544	1268	Shipping Docs.exe	schtasks.exe
PID 1268 wrote to memory of 544	1268	Shipping Docs.exe	schtasks.exe
PID 1268 wrote to memory of 544	1268	Shipping Docs.exe	schtasks.exe
PID 1268 wrote to memory of 544	1268	Shipping Docs.exe	schtasks.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1268 wrote to memory of 1104	1268	Shipping Docs.exe	Shipping Docs.exe
PID 1104 wrote to memory of 436	1104	Shipping Docs.exe	mstsc.exe
PID 1104 wrote to memory of 436	1104	Shipping Docs.exe	mstsc.exe
PID 1104 wrote to memory of 436	1104	Shipping Docs.exe	mstsc.exe
PID 1104 wrote to memory of 436	1104	Shipping Docs.exe	mstsc.exe
PID 436 wrote to memory of 1496	436	mstsc.exe	cmd.exe
PID 436 wrote to memory of 1496	436	mstsc.exe	cmd.exe
PID 436 wrote to memory of 1496	436	mstsc.exe	cmd.exe
PID 436 wrote to memory of 1496	436	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLcIzJDan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp"
3⤵
- Creates scheduled task(s)
PID:544

C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
5⤵
- Deletes itself
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp
MD5
de890f0aa6c42a9abb0057c2a26bed60

SHA1
1d2039c018a71532cde08b8c327711b9224ef471

SHA256
3bfcd7f6aae054ca32530923567809f0f3e8c505050497af5667dde1b1b3980c

SHA512
953a1e227a107993f0e80db9cf93385b2fc7d5084e378f4ede3f0acc7da9a6e8b9e1177c0911e4fbbdd8dadaf184402e36d7ec6c7ab41223166dfd65da9ef78a

Download Submit
memory/436-72-0x0000000000000000-mapping.dmp

Download
memory/436-75-0x00000000004D0000-0x00000000005D4000-memory.dmp

Filesize
1.0MB

Download
memory/436-78-0x0000000002060000-0x00000000020F3000-memory.dmp

Filesize
588KB

Download
memory/436-77-0x0000000002330000-0x0000000002633000-memory.dmp

Filesize
3.0MB

Download
memory/436-76-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/544-62-0x0000000000000000-mapping.dmp

Download
memory/1104-67-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1104-68-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/1104-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1104-65-0x000000000041EAC0-mapping.dmp

Download
memory/1104-70-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/1196-79-0x0000000004E30000-0x0000000004F3D000-memory.dmp

Filesize
1.1MB

Download
memory/1196-71-0x0000000004CA0000-0x0000000004E2C000-memory.dmp

Filesize
1.5MB

Download
memory/1196-69-0x00000000049B0000-0x0000000004A9D000-memory.dmp

Filesize
948KB

Download
memory/1268-61-0x0000000000A31000-0x0000000000A32000-memory.dmp

Filesize
4KB

Download
memory/1268-60-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1268-59-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1496-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads