formbook | 3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d

General

Target

126-21-11HAR.exe
Size

755KB
MD5

778ae4319d1ec2798e51ca69f0be2e30
SHA1

99d9fa2fc2721ce77c83f57415c1d18ff3e7fc2c
SHA256

3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d
SHA512

aeaab0c1b4c0728df6a875a005677b3b1dc75ee3c7f0df4475919ea59439a50f5997e00d9ee87442bc0b0e23c0b203533f3fc9c7dd3c2a7d792ec42544809f15

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.kelurahanpatikidul.xyz/op9s/

Decoy

playsystems-j.one

exchange.digital

usaleadsretrieval.com

mervegulistanaydin.com

heavythreadclothing.com

attorneyperu.com

lamuerteesdulce.com

catxirulo.com

willowrunconnemaras.com

laospecial.com

anchotrading.com

mycreditebook.com

jiujiu.plus

juniperconsulting.site

millionairsmindset.com

coronaviruscuredrugs.com

services-office.com

escanaim.com

20svip.com

pistonpounder.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3872-127-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3872-128-0x000000000041ED70-mapping.dmp	formbook
behavioral2/memory/3092-135-0x0000000002D90000-0x0000000002DBE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

126-21-11HAR.exe126-21-11HAR.exemsdt.exe

description	pid	process	target process
PID 3944 set thread context of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 3872 set thread context of 2492	3872	126-21-11HAR.exe	Explorer.EXE
PID 3092 set thread context of 2492	3092	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3488 schtasks.exe

pid	process
3488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

126-21-11HAR.exemsdt.exe

pid	process
3872	126-21-11HAR.exe
3872	126-21-11HAR.exe
3872	126-21-11HAR.exe
3872	126-21-11HAR.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe
3092	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

126-21-11HAR.exemsdt.exe

pid process

3872 126-21-11HAR.exe
3872 126-21-11HAR.exe
3872 126-21-11HAR.exe
3092 msdt.exe
3092 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

126-21-11HAR.exemsdt.exe

description pid process

Token: SeDebugPrivilege 3872 126-21-11HAR.exe
Token: SeDebugPrivilege 3092 msdt.exe

description	pid	process
Token: SeDebugPrivilege	3872	126-21-11HAR.exe
Token: SeDebugPrivilege	3092	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

126-21-11HAR.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 3944 wrote to memory of 3488	3944	126-21-11HAR.exe	schtasks.exe
PID 3944 wrote to memory of 3488	3944	126-21-11HAR.exe	schtasks.exe
PID 3944 wrote to memory of 3488	3944	126-21-11HAR.exe	schtasks.exe
PID 3944 wrote to memory of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 3944 wrote to memory of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 3944 wrote to memory of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 3944 wrote to memory of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 3944 wrote to memory of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 3944 wrote to memory of 3872	3944	126-21-11HAR.exe	126-21-11HAR.exe
PID 2492 wrote to memory of 3092	2492	Explorer.EXE	msdt.exe
PID 2492 wrote to memory of 3092	2492	Explorer.EXE	msdt.exe
PID 2492 wrote to memory of 3092	2492	Explorer.EXE	msdt.exe
PID 3092 wrote to memory of 3344	3092	msdt.exe	cmd.exe
PID 3092 wrote to memory of 3344	3092	msdt.exe	cmd.exe
PID 3092 wrote to memory of 3344	3092	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe
"C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BuNOnvYKjNYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE30.tmp"
3⤵
- Creates scheduled task(s)
PID:3488

C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe
"C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
3⤵
PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBE30.tmp

MD5
b623f5a63aff50ee8afb100ff2876dd2

SHA1
d5df05b2245aaab3e77b09af90ec250a0b5eba31

SHA256
e140bf1abd19bf5972be90218281ee2a9dab65bcee82c22cbea31f51ca8c9ecc

SHA512
0617c41aaed6d666cbc90dda1c5b49ed5d7fd085163481ec44514839a119cdc46d80754cd92ca0a52aa3a20d269575044a8ac366c177b965769b0305188abcf5

Download Submit
memory/2492-139-0x00000000059F0000-0x0000000005B2D000-memory.dmp

Filesize
1.2MB

Download
memory/2492-132-0x0000000001470000-0x0000000001563000-memory.dmp

Filesize
972KB

Download
memory/3092-138-0x00000000045E0000-0x0000000004673000-memory.dmp

Filesize
588KB

Download
memory/3092-137-0x00000000046E0000-0x0000000004A00000-memory.dmp

Filesize
3.1MB

Download
memory/3092-134-0x00000000000E0000-0x0000000000253000-memory.dmp

Filesize
1.4MB

Download
memory/3092-135-0x0000000002D90000-0x0000000002DBE000-memory.dmp

Filesize
184KB

Download
memory/3092-133-0x0000000000000000-mapping.dmp

Download
memory/3344-136-0x0000000000000000-mapping.dmp

Download
memory/3488-125-0x0000000000000000-mapping.dmp

Download
memory/3872-127-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3872-130-0x00000000016A0000-0x00000000019C0000-memory.dmp

Filesize
3.1MB

Download
memory/3872-131-0x0000000001600000-0x0000000001614000-memory.dmp

Filesize
80KB

Download
memory/3872-128-0x000000000041ED70-mapping.dmp

Download
memory/3944-122-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/3944-123-0x0000000005CD0000-0x0000000005D7A000-memory.dmp

Filesize
680KB

Download
memory/3944-114-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3944-124-0x0000000008240000-0x00000000082A4000-memory.dmp

Filesize
400KB

Download
memory/3944-121-0x0000000005290000-0x000000000529E000-memory.dmp

Filesize
56KB

Download
memory/3944-120-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3944-119-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3944-118-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads