formbook | 80513ce09728ee99387db56c825b6f2ec5ad274f5c90117d25ca822deeb98419

General

Target

INVOICE20210422990388921.exe
Size

927KB
MD5

0d1ba315df020e9a09a71fdfcc224e58
SHA1

28c5fcd5277f28e6dd902176fe5424253629a569
SHA256

80513ce09728ee99387db56c825b6f2ec5ad274f5c90117d25ca822deeb98419
SHA512

489793ddf48c2dde19a512c46fc38b5eed16e50ed7d55378635d62887fa5e1b1c38608d13c2903d1a4d3945d46009ad2334a73c56d56198d58ef20f9a45fda4a

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.merckcbd.com/dei5/

Decoy

studiomullerphoto.com

reallionairewear.com

dogsalondoggy-tail.com

excelmache.net

bigdiscounters.com

7986799.com

ignition.guru

xiaoxu.info

jpinpd.com

solpool.info

uchooswrewards.com

everestengineeringworks.com

qianglongzhipin.com

deepimper-325.com

appliedrate.com

radsazemehr.com

vivabematividadesfisicas.com

capacitalo.com

somecore.com

listingclass.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/648-142-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/648-144-0x000000000041ECD0-mapping.dmp	formbook
behavioral2/memory/3740-201-0x00000000008D0000-0x00000000008FE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

INVOICE20210422990388921.exeINVOICE20210422990388921.exeexplorer.exe

description	pid	process	target process
PID 1736 set thread context of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 648 set thread context of 3052	648	INVOICE20210422990388921.exe	Explorer.EXE
PID 3740 set thread context of 3052	3740	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3844 schtasks.exe

pid	process
3844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

INVOICE20210422990388921.exeINVOICE20210422990388921.exepowershell.exepowershell.exepowershell.exeexplorer.exe

pid	process
1736	INVOICE20210422990388921.exe
1736	INVOICE20210422990388921.exe
1736	INVOICE20210422990388921.exe
1736	INVOICE20210422990388921.exe
1736	INVOICE20210422990388921.exe
1736	INVOICE20210422990388921.exe
648	INVOICE20210422990388921.exe
648	INVOICE20210422990388921.exe
648	INVOICE20210422990388921.exe
648	INVOICE20210422990388921.exe
2264	powershell.exe
2112	powershell.exe
1360	powershell.exe
1360	powershell.exe
2112	powershell.exe
2264	powershell.exe
2112	powershell.exe
2264	powershell.exe
1360	powershell.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe
3740	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

INVOICE20210422990388921.exeexplorer.exe

pid process

648 INVOICE20210422990388921.exe
648 INVOICE20210422990388921.exe
648 INVOICE20210422990388921.exe
3740 explorer.exe
3740 explorer.exe

pid	process
648	INVOICE20210422990388921.exe
648	INVOICE20210422990388921.exe
648	INVOICE20210422990388921.exe
3740	explorer.exe
3740	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

INVOICE20210422990388921.exepowershell.exepowershell.exepowershell.exeINVOICE20210422990388921.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1736	INVOICE20210422990388921.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	648	INVOICE20210422990388921.exe
Token: SeDebugPrivilege	3740	explorer.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

INVOICE20210422990388921.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1736 wrote to memory of 2264	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 2264	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 2264	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 2112	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 2112	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 2112	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 3844	1736	INVOICE20210422990388921.exe	schtasks.exe
PID 1736 wrote to memory of 3844	1736	INVOICE20210422990388921.exe	schtasks.exe
PID 1736 wrote to memory of 3844	1736	INVOICE20210422990388921.exe	schtasks.exe
PID 1736 wrote to memory of 1360	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 1360	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 1360	1736	INVOICE20210422990388921.exe	powershell.exe
PID 1736 wrote to memory of 2192	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 2192	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 2192	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 1736 wrote to memory of 648	1736	INVOICE20210422990388921.exe	INVOICE20210422990388921.exe
PID 3052 wrote to memory of 3740	3052	Explorer.EXE	explorer.exe
PID 3052 wrote to memory of 3740	3052	Explorer.EXE	explorer.exe
PID 3052 wrote to memory of 3740	3052	Explorer.EXE	explorer.exe
PID 3740 wrote to memory of 2276	3740	explorer.exe	cmd.exe
PID 3740 wrote to memory of 2276	3740	explorer.exe	cmd.exe
PID 3740 wrote to memory of 2276	3740	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vkFTKG.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vkFTKG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC525.tmp"
3⤵
- Creates scheduled task(s)
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vkFTKG.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe"
3⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INVOICE20210422990388921.exe"
3⤵
PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2ff24514648abd1798032ad9c107ace0

SHA1
f46d14bac7239853d8e62a68b65fb28f146bbf00

SHA256
294c3f2b638167066370ff3b5215a65aab991c58eff5cc1111475bb6aca95ebc

SHA512
c0f930db5e5ea900fc39a20ad482b5f81a43bd77bf7950511e603c27f66ee779faa97c3056e2d0784561a7250948e321112532f81a5fe453430296edcc7c7322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a661cf3f0eb0680e9a00d4276783cdb5

SHA1
7cd3ad48c35d6477722d9d2f570267105f8d841e

SHA256
d87ce5c139c71a3a04e9485aee658d06162bca1015f82880f5ed075456f2e5aa

SHA512
fd33361ac990e4799acd33ceebf1b84ef6b20f2525e54eddf3e02bb863b48555ddbe09f9f399afd9d4886fe41473d7e39e45be87d69551972c0abf743a2fe592

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC525.tmp
MD5
eb1af54af6a4efa22a4124afb0d8f593

SHA1
c7362317646b8c0de89184469f9d98558988ba1d

SHA256
301821599b9e22734b5e890db5e6be7625131a0d5c5ed37115d255122b5f1a7a

SHA512
9d85c9eb335ba1248fa2fab4de89d304c745e118d14aa610ddb5fc8f13c699c5375272c0e119aa385156b6df58ebc356755562dd2f68bb451272f8c6de3ebb70

Download Submit
memory/648-165-0x0000000001030000-0x0000000001044000-memory.dmp

Filesize
80KB

Download
memory/648-164-0x00000000010D0000-0x00000000013F0000-memory.dmp

Filesize
3.1MB

Download
memory/648-144-0x000000000041ECD0-mapping.dmp

Download
memory/648-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1360-169-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/1360-138-0x0000000000000000-mapping.dmp

Download
memory/1360-163-0x0000000004432000-0x0000000004433000-memory.dmp

Filesize
4KB

Download
memory/1360-162-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/1360-166-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/1360-198-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

Filesize
4KB

Download
memory/1360-202-0x0000000004433000-0x0000000004434000-memory.dmp

Filesize
4KB

Download
memory/1736-119-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1736-122-0x0000000005AA0000-0x0000000005AA9000-memory.dmp

Filesize
36KB

Download
memory/1736-116-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/1736-117-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/1736-124-0x0000000008B40000-0x0000000008B7A000-memory.dmp

Filesize
232KB

Download
memory/1736-121-0x00000000058D0000-0x0000000005DCE000-memory.dmp

Filesize
5.0MB

Download
memory/1736-118-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/1736-123-0x0000000001940000-0x00000000019BC000-memory.dmp

Filesize
496KB

Download
memory/1736-114-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1736-120-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2112-172-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/2112-160-0x0000000007572000-0x0000000007573000-memory.dmp

Filesize
4KB

Download
memory/2112-159-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/2112-127-0x0000000000000000-mapping.dmp

Download
memory/2112-196-0x000000007E3D0000-0x000000007E3D1000-memory.dmp

Filesize
4KB

Download
memory/2112-203-0x0000000007573000-0x0000000007574000-memory.dmp

Filesize
4KB

Download
memory/2112-137-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2264-158-0x00000000067F2000-0x00000000067F3000-memory.dmp

Filesize
4KB

Download
memory/2264-130-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2264-156-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/2264-146-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/2264-197-0x000000007F4E0000-0x000000007F4E1000-memory.dmp

Filesize
4KB

Download
memory/2264-143-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2264-125-0x0000000000000000-mapping.dmp

Download
memory/2264-140-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/2264-131-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2264-204-0x00000000067F3000-0x00000000067F4000-memory.dmp

Filesize
4KB

Download
memory/2276-199-0x0000000000000000-mapping.dmp

Download
memory/3052-210-0x0000000002AD0000-0x0000000002B74000-memory.dmp

Filesize
656KB

Download
memory/3052-157-0x0000000005F50000-0x0000000006082000-memory.dmp

Filesize
1.2MB

Download
memory/3740-201-0x00000000008D0000-0x00000000008FE000-memory.dmp

Filesize
184KB

Download
memory/3740-205-0x0000000004940000-0x0000000004C60000-memory.dmp

Filesize
3.1MB

Download
memory/3740-200-0x0000000000DC0000-0x00000000011FF000-memory.dmp

Filesize
4.2MB

Download
memory/3740-209-0x00000000046A0000-0x0000000004733000-memory.dmp

Filesize
588KB

Download
memory/3740-190-0x0000000000000000-mapping.dmp

Download
memory/3844-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads