formbook | facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3

General

Target

ETC-B72-LT-0149-03-AR.exe
Size

228KB
MD5

dc27e4474182fe41de857278c2488574
SHA1

0b5b93dc9e3389de1a3d04c4d03fa5c0532aef1e
SHA256

facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3
SHA512

9025ad32d289464770182ce597838a1a0c79aff8a337c0e9a3a5ecf4f7343f24029a7551c6a6559d36a6e4e624429241445984ef5e987c88952eb87529f01fed

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.shoprodeovegas.com/xcl/

Decoy

sewingtherose.com

thesmartshareholder.com

afasyah.com

marolamusic.com

lookupgeorgina.com

plataforyou.com

dijcan.com

pawtyparcels.com

interprediction.com

fairerfinancehackathon.net

thehmnshop.com

jocelynlopez.com

launcheffecthouston.com

joyeveryminute.com

spyforu.com

ronerasanjuan.com

gadgetsdesi.com

nmrconsultants.com

travellpod.com

ballparksportscards.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2512-117-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3944-124-0x00000000007C0000-0x00000000007EE000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

ETC-B72-LT-0149-03-AR.exe

pid process

3016 ETC-B72-LT-0149-03-AR.exe

pid	process
3016	ETC-B72-LT-0149-03-AR.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ETC-B72-LT-0149-03-AR.exeETC-B72-LT-0149-03-AR.execmd.exe

description	pid	process	target process
PID 3016 set thread context of 2512	3016	ETC-B72-LT-0149-03-AR.exe	ETC-B72-LT-0149-03-AR.exe
PID 2512 set thread context of 3036	2512	ETC-B72-LT-0149-03-AR.exe	Explorer.EXE
PID 3944 set thread context of 3036	3944	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

ETC-B72-LT-0149-03-AR.execmd.exe

pid	process
2512	ETC-B72-LT-0149-03-AR.exe
2512	ETC-B72-LT-0149-03-AR.exe
2512	ETC-B72-LT-0149-03-AR.exe
2512	ETC-B72-LT-0149-03-AR.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe
3944	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ETC-B72-LT-0149-03-AR.exeETC-B72-LT-0149-03-AR.execmd.exe

pid process

3016 ETC-B72-LT-0149-03-AR.exe
2512 ETC-B72-LT-0149-03-AR.exe
2512 ETC-B72-LT-0149-03-AR.exe
2512 ETC-B72-LT-0149-03-AR.exe
3944 cmd.exe
3944 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ETC-B72-LT-0149-03-AR.execmd.exe

description pid process

Token: SeDebugPrivilege 2512 ETC-B72-LT-0149-03-AR.exe
Token: SeDebugPrivilege 3944 cmd.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE

pid	process
3036	Explorer.EXE

pid	process
3016	ETC-B72-LT-0149-03-AR.exe
2512	ETC-B72-LT-0149-03-AR.exe
2512	ETC-B72-LT-0149-03-AR.exe
2512	ETC-B72-LT-0149-03-AR.exe
3944	cmd.exe
3944	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2512	ETC-B72-LT-0149-03-AR.exe
Token: SeDebugPrivilege	3944	cmd.exe

pid	process
3036	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ETC-B72-LT-0149-03-AR.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3016 wrote to memory of 2512	3016	ETC-B72-LT-0149-03-AR.exe	ETC-B72-LT-0149-03-AR.exe
PID 3016 wrote to memory of 2512	3016	ETC-B72-LT-0149-03-AR.exe	ETC-B72-LT-0149-03-AR.exe
PID 3016 wrote to memory of 2512	3016	ETC-B72-LT-0149-03-AR.exe	ETC-B72-LT-0149-03-AR.exe
PID 3016 wrote to memory of 2512	3016	ETC-B72-LT-0149-03-AR.exe	ETC-B72-LT-0149-03-AR.exe
PID 3036 wrote to memory of 3944	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3944	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3944	3036	Explorer.EXE	cmd.exe
PID 3944 wrote to memory of 1344	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 1344	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 1344	3944	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\ETC-B72-LT-0149-03-AR.exe
"C:\Users\Admin\AppData\Local\Temp\ETC-B72-LT-0149-03-AR.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\ETC-B72-LT-0149-03-AR.exe
"C:\Users\Admin\AppData\Local\Temp\ETC-B72-LT-0149-03-AR.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ETC-B72-LT-0149-03-AR.exe"
3⤵
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsm24C6.tmp\qbii7uu.dll

MD5
aa71628f8f750412e5598782696963c7

SHA1
5dd7ab9fce05bd2c5a72880983878846280f2cfb

SHA256
7449a16fc696e45fa2c1b96c9d2c785b9f54cca48c453f764fcaed0031943bac

SHA512
62c279a0df143581d7c94e76c62266d65514c2d8c7819cec1b92d7e8e0287ed9043a1b0c900d848bacb94bdb31c4593e29f6906fc4570ff9f5abaf17886b8677

Download Submit
memory/1344-122-0x0000000000000000-mapping.dmp

Download
memory/2512-119-0x00000000006F0000-0x0000000000704000-memory.dmp

Filesize
80KB

Download
memory/2512-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2512-118-0x00000000009E0000-0x0000000000D00000-memory.dmp

Filesize
3.1MB

Download
memory/2512-116-0x000000000041EB70-mapping.dmp

Download
memory/3016-115-0x0000000000790000-0x0000000000792000-memory.dmp

Filesize
8KB

Download
memory/3036-120-0x0000000005A30000-0x0000000005BB0000-memory.dmp

Filesize
1.5MB

Download
memory/3036-127-0x0000000005F20000-0x000000000603F000-memory.dmp

Filesize
1.1MB

Download
memory/3944-121-0x0000000000000000-mapping.dmp

Download
memory/3944-124-0x00000000007C0000-0x00000000007EE000-memory.dmp

Filesize
184KB

Download
memory/3944-125-0x0000000002C90000-0x0000000002DDA000-memory.dmp

Filesize
1.3MB

Download
memory/3944-123-0x0000000000C30000-0x0000000000C89000-memory.dmp

Filesize
356KB

Download
memory/3944-126-0x0000000003250000-0x00000000032E3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads