formbook | 3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d

General

Target

126-21-11HAR.exe
Size

755KB
MD5

778ae4319d1ec2798e51ca69f0be2e30
SHA1

99d9fa2fc2721ce77c83f57415c1d18ff3e7fc2c
SHA256

3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d
SHA512

aeaab0c1b4c0728df6a875a005677b3b1dc75ee3c7f0df4475919ea59439a50f5997e00d9ee87442bc0b0e23c0b203533f3fc9c7dd3c2a7d792ec42544809f15

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.kelurahanpatikidul.xyz/op9s/

Decoy

playsystems-j.one

exchange.digital

usaleadsretrieval.com

mervegulistanaydin.com

heavythreadclothing.com

attorneyperu.com

lamuerteesdulce.com

catxirulo.com

willowrunconnemaras.com

laospecial.com

anchotrading.com

mycreditebook.com

jiujiu.plus

juniperconsulting.site

millionairsmindset.com

coronaviruscuredrugs.com

services-office.com

escanaim.com

20svip.com

pistonpounder.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/992-68-0x000000000041ED70-mapping.dmp	formbook
behavioral1/memory/992-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1536-78-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1624 cmd.exe

pid	process
1624	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

126-21-11HAR.exe126-21-11HAR.exeexplorer.exe

description	pid	process	target process
PID 484 set thread context of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 992 set thread context of 1196	992	126-21-11HAR.exe	Explorer.EXE
PID 1536 set thread context of 1196	1536	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

126-21-11HAR.exeexplorer.exe

pid process

992 126-21-11HAR.exe
992 126-21-11HAR.exe
1536 explorer.exe
1536 explorer.exe
1536 explorer.exe
1536 explorer.exe
1536 explorer.exe
1536 explorer.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

126-21-11HAR.exeexplorer.exe

pid process

992 126-21-11HAR.exe
992 126-21-11HAR.exe
992 126-21-11HAR.exe
1536 explorer.exe
1536 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

126-21-11HAR.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 992 126-21-11HAR.exe
Token: SeDebugPrivilege 1536 explorer.exe

pid	process
1108	schtasks.exe

pid	process
992	126-21-11HAR.exe
992	126-21-11HAR.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe

pid	process
992	126-21-11HAR.exe
992	126-21-11HAR.exe
992	126-21-11HAR.exe
1536	explorer.exe
1536	explorer.exe

description	pid	process
Token: SeDebugPrivilege	992	126-21-11HAR.exe
Token: SeDebugPrivilege	1536	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

126-21-11HAR.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 484 wrote to memory of 1108	484	126-21-11HAR.exe	schtasks.exe
PID 484 wrote to memory of 1108	484	126-21-11HAR.exe	schtasks.exe
PID 484 wrote to memory of 1108	484	126-21-11HAR.exe	schtasks.exe
PID 484 wrote to memory of 1108	484	126-21-11HAR.exe	schtasks.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 484 wrote to memory of 992	484	126-21-11HAR.exe	126-21-11HAR.exe
PID 1196 wrote to memory of 1536	1196	Explorer.EXE	explorer.exe
PID 1196 wrote to memory of 1536	1196	Explorer.EXE	explorer.exe
PID 1196 wrote to memory of 1536	1196	Explorer.EXE	explorer.exe
PID 1196 wrote to memory of 1536	1196	Explorer.EXE	explorer.exe
PID 1536 wrote to memory of 1624	1536	explorer.exe	cmd.exe
PID 1536 wrote to memory of 1624	1536	explorer.exe	cmd.exe
PID 1536 wrote to memory of 1624	1536	explorer.exe	cmd.exe
PID 1536 wrote to memory of 1624	1536	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe
"C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BuNOnvYKjNYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp"
3⤵
- Creates scheduled task(s)
PID:1108

C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe
"C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
3⤵
- Deletes itself
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp

MD5
ba953103dbfa5d4812ab44126f0291a0

SHA1
39e7052e93e038d1ceebf4f3f9d62c42ad8c57fb

SHA256
cd73b1d21b66de9e9c5f642143821375e1e8758ff6551f6b8460d7cdf7cdbf98

SHA512
5484af70ea3e33900e1de3b2cb5dd380f7df7f78f4c3ef4cbeeda88f74f621bec91be92dac667f65c972ffa8c06ac4cf293762247b5fe85f6687553292b7d6ee

Download Submit
memory/484-61-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/484-62-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/484-63-0x0000000005160000-0x000000000520A000-memory.dmp

Filesize
680KB

Download
memory/484-64-0x00000000020B0000-0x0000000002114000-memory.dmp

Filesize
400KB

Download
memory/484-59-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/992-71-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/992-68-0x000000000041ED70-mapping.dmp

Download
memory/992-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/992-70-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1108-65-0x0000000000000000-mapping.dmp

Download
memory/1196-72-0x0000000004B20000-0x0000000004C42000-memory.dmp

Filesize
1.1MB

Download
memory/1196-81-0x0000000006050000-0x0000000006144000-memory.dmp

Filesize
976KB

Download
memory/1536-73-0x0000000000000000-mapping.dmp

Download
memory/1536-74-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1536-75-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download
memory/1536-76-0x0000000000B00000-0x0000000000D81000-memory.dmp

Filesize
2.5MB

Download
memory/1536-77-0x0000000002320000-0x0000000002623000-memory.dmp

Filesize
3.0MB

Download
memory/1536-78-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1536-80-0x0000000000A60000-0x0000000000AF3000-memory.dmp

Filesize
588KB

Download
memory/1624-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads