formbook | 5f98e18c91045da2be067a8769817a55f3200324ae7535229fa83e7b67616c54

General

Target

SWIT BANK PAPER PAYMENT.exe
Size

229KB
MD5

8f885ac76bebc591a72f73eb3deb3d73
SHA1

82af5568c6ed1af66f1f69616fc836e4c31cabb0
SHA256

7f81bdd235dca279812a46cec7f585bde9d681906dba1398e8ac86dfc877d079
SHA512

fb942be934ac962294c6534441c971e491f33f9d72c97f7f533edcb94e531ab675748e7775a663f133e20b3997f34e135ed663957cb8bb9ea7543fd2d2fb9d00

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1072-117-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/204-123-0x0000000000E80000-0x0000000000EAE000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

SWIT BANK PAPER PAYMENT.exe

pid process

1040 SWIT BANK PAPER PAYMENT.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SWIT BANK PAPER PAYMENT.exeSWIT BANK PAPER PAYMENT.execolorcpl.exe

description	pid	process	target process
PID 1040 set thread context of 1072	1040	SWIT BANK PAPER PAYMENT.exe	SWIT BANK PAPER PAYMENT.exe
PID 1072 set thread context of 2740	1072	SWIT BANK PAPER PAYMENT.exe	Explorer.EXE
PID 204 set thread context of 2740	204	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

SWIT BANK PAPER PAYMENT.execolorcpl.exe

pid	process
1072	SWIT BANK PAPER PAYMENT.exe
1072	SWIT BANK PAPER PAYMENT.exe
1072	SWIT BANK PAPER PAYMENT.exe
1072	SWIT BANK PAPER PAYMENT.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe
204	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE

pid	process
2740	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

SWIT BANK PAPER PAYMENT.exeSWIT BANK PAPER PAYMENT.execolorcpl.exe

pid	process
1040	SWIT BANK PAPER PAYMENT.exe
1072	SWIT BANK PAPER PAYMENT.exe
1072	SWIT BANK PAPER PAYMENT.exe
1072	SWIT BANK PAPER PAYMENT.exe
204	colorcpl.exe
204	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SWIT BANK PAPER PAYMENT.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1072 SWIT BANK PAPER PAYMENT.exe
Token: SeDebugPrivilege 204 colorcpl.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1072	SWIT BANK PAPER PAYMENT.exe
Token: SeDebugPrivilege	204	colorcpl.exe

pid	process
2740	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SWIT BANK PAPER PAYMENT.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1040 wrote to memory of 1072	1040	SWIT BANK PAPER PAYMENT.exe	SWIT BANK PAPER PAYMENT.exe
PID 1040 wrote to memory of 1072	1040	SWIT BANK PAPER PAYMENT.exe	SWIT BANK PAPER PAYMENT.exe
PID 1040 wrote to memory of 1072	1040	SWIT BANK PAPER PAYMENT.exe	SWIT BANK PAPER PAYMENT.exe
PID 1040 wrote to memory of 1072	1040	SWIT BANK PAPER PAYMENT.exe	SWIT BANK PAPER PAYMENT.exe
PID 2740 wrote to memory of 204	2740	Explorer.EXE	colorcpl.exe
PID 2740 wrote to memory of 204	2740	Explorer.EXE	colorcpl.exe
PID 2740 wrote to memory of 204	2740	Explorer.EXE	colorcpl.exe
PID 204 wrote to memory of 1284	204	colorcpl.exe	cmd.exe
PID 204 wrote to memory of 1284	204	colorcpl.exe	cmd.exe
PID 204 wrote to memory of 1284	204	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\SWIT BANK PAPER PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SWIT BANK PAPER PAYMENT.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\SWIT BANK PAPER PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SWIT BANK PAPER PAYMENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SWIT BANK PAPER PAYMENT.exe"
3⤵
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsq941A.tmp\kwq9wzwxz56exb.dll

MD5
95694f0a16bdcab0875c4eaee1a0e6aa

SHA1
cc31b625caea8f110986001234a3ce6fafe5fcf4

SHA256
3a6e5bd0e4ce4116b4b76cd3e2272a7d1197992bfa031de834d0c838e8dda7bb

SHA512
c1646c61e02182129182200cc48499dc81aedeb86a15b53e7e01b84fe7733bdb196bcd4f8a71eae5a8eb79cbcfcf810b2cee126fc101a0553869a170b61bf5e3

Download Submit
memory/204-121-0x0000000000000000-mapping.dmp

Download
memory/204-126-0x0000000004C30000-0x0000000004CC3000-memory.dmp

Filesize
588KB

Download
memory/204-125-0x0000000004EA0000-0x00000000051C0000-memory.dmp

Filesize
3.1MB

Download
memory/204-123-0x0000000000E80000-0x0000000000EAE000-memory.dmp

Filesize
184KB

Download
memory/204-122-0x0000000001020000-0x0000000001039000-memory.dmp

Filesize
100KB

Download
memory/1040-115-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/1072-118-0x0000000000A70000-0x0000000000D90000-memory.dmp

Filesize
3.1MB

Download
memory/1072-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1072-119-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/1072-116-0x000000000041EBA0-mapping.dmp

Download
memory/1284-124-0x0000000000000000-mapping.dmp

Download
memory/2740-120-0x0000000006B60000-0x0000000006CD6000-memory.dmp

Filesize
1.5MB

Download
memory/2740-127-0x0000000006CE0000-0x0000000006E5E000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads