formbook | ba06bef45227ff0ac912a66434014b848348f6be9780e8d86de0ffcc8c5c2c12

General

Target

4.exe
Size

643KB
MD5

9c8c50b10343843f860fff79ac4511af
SHA1

c6f52f87914312e817655fc0492815b86d053e90
SHA256

ba06bef45227ff0ac912a66434014b848348f6be9780e8d86de0ffcc8c5c2c12
SHA512

9e6380d41e80a312f2f0e0b588381e57519b50203e436587ab936344787cb54aac7b85c739e048996d729ecc297d6e09ec4a72a7a7e948d554d131ef9647c350

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.ostecosarcomamd.com/gmn/

Decoy

phulieutockemnghiaanhtuyet.com

shortbarrelspirits.com

livestreamreport.com

shopthemuze.com

fmtourist.com

competitionlaw.info

saint-elmos.club

foxcar.net

automatedwoodworks.com

abenillc.net

sfccservices.com

vegeteur.com

bitinnovo.com

in-home-theater.com

yakinikugenki.com

zeednee.com

hospiceinpomona.com

techservicesreviews.com

silkandhoney.store

sport-stars.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1648-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1648-68-0x000000000041EB20-mapping.dmp	formbook
behavioral1/memory/1124-76-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

4.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 368 set thread context of 1648	368	4.exe	RegSvcs.exe
PID 1648 set thread context of 1244	1648	RegSvcs.exe	Explorer.EXE
PID 1124 set thread context of 1244	1124	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

984 schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

4.exeRegSvcs.execmd.exe

pid process

368 4.exe
368 4.exe
1648 RegSvcs.exe
1648 RegSvcs.exe
1124 cmd.exe
1124 cmd.exe
1124 cmd.exe
1124 cmd.exe
1124 cmd.exe
1124 cmd.exe
1124 cmd.exe
1124 cmd.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmd.exe

pid process

1648 RegSvcs.exe
1648 RegSvcs.exe
1648 RegSvcs.exe
1124 cmd.exe
1124 cmd.exe

pid	process
984	schtasks.exe

pid	process
368	4.exe
368	4.exe
1648	RegSvcs.exe
1648	RegSvcs.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe

pid	process
1648	RegSvcs.exe
1648	RegSvcs.exe
1648	RegSvcs.exe
1124	cmd.exe
1124	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4.exeRegSvcs.execmd.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	368	4.exe
Token: SeDebugPrivilege	1648	RegSvcs.exe
Token: SeDebugPrivilege	1124	cmd.exe
Token: SeShutdownPrivilege	1244	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 368 wrote to memory of 984	368	4.exe	schtasks.exe
PID 368 wrote to memory of 984	368	4.exe	schtasks.exe
PID 368 wrote to memory of 984	368	4.exe	schtasks.exe
PID 368 wrote to memory of 984	368	4.exe	schtasks.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 368 wrote to memory of 1648	368	4.exe	RegSvcs.exe
PID 1244 wrote to memory of 1124	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1124	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1124	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1124	1244	Explorer.EXE	cmd.exe
PID 1124 wrote to memory of 1864	1124	cmd.exe	cmd.exe
PID 1124 wrote to memory of 1864	1124	cmd.exe	cmd.exe
PID 1124 wrote to memory of 1864	1124	cmd.exe	cmd.exe
PID 1124 wrote to memory of 1864	1124	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vGDImNjzE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp"
3⤵
- Creates scheduled task(s)
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:688

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:828

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:472

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:768

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:560

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1312

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1864

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp
MD5
f6e4dc6b9c3e02106c6506dd46abef11

SHA1
e7bc4ab878d3d89a96106307cba83e8d23ddfa53

SHA256
027ab69c6fe52b2871036751813eef14525f617784d6a6405453d9e7ac292355

SHA512
6db725a536ee5f442284a6fe92243e6ecb4142f673b638b5766a57701aca32360018080dc7143ae3c5acfb853bfedefd3a9082f1fb17e76df453e2f079a14f7d

Download Submit
memory/368-59-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/368-61-0x00000000002B0000-0x00000000002BD000-memory.dmp

Filesize
52KB

Download
memory/368-62-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/368-63-0x0000000005180000-0x0000000005209000-memory.dmp

Filesize
548KB

Download
memory/368-64-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/984-65-0x0000000000000000-mapping.dmp

Download
memory/1124-73-0x0000000000000000-mapping.dmp

Download
memory/1124-75-0x000000004A570000-0x000000004A5BC000-memory.dmp

Filesize
304KB

Download
memory/1124-76-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1124-77-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/1124-78-0x0000000001E00000-0x0000000001E93000-memory.dmp

Filesize
588KB

Download
memory/1244-72-0x0000000006CC0000-0x0000000006E13000-memory.dmp

Filesize
1.3MB

Download
memory/1648-68-0x000000000041EB20-mapping.dmp

Download
memory/1648-70-0x0000000000C20000-0x0000000000F23000-memory.dmp

Filesize
3.0MB

Download
memory/1648-71-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1648-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1864-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads