formbook | 612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572

General

Target

106ada585df884b13cd6a8a71e404c78.exe
Size

706KB
MD5

106ada585df884b13cd6a8a71e404c78
SHA1

470e8dd108972fe65c027b9d4856aa365b69fd9e
SHA256

612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572
SHA512

aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.mvcsecrets.com/op9s/

Decoy

uscoser.club

gustrad.com

sowftwer.com

psychicpatrol.com

lmouowgoaa.com

riandmoara.com

sushigardentogo.com

cannabimall.com

ecolodgesworld.com

mysandboxcsp.com

coxsmobility.com

sfs-distribution.info

tymict.com

u-bahn.online

chrisjohnsondrums.com

comfyscoffee.com

eastwoodlearningcenter.com

a-authenticate.com

greatroyalspices.com

legalparaprofessionalonline.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/940-70-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/940-71-0x000000000041ED40-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

106ada585df884b13cd6a8a71e404c78.exe

description pid process target process

PID 1832 set thread context of 940 1832 106ada585df884b13cd6a8a71e404c78.exe 106ada585df884b13cd6a8a71e404c78.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

106ada585df884b13cd6a8a71e404c78.exe

pid process

940 106ada585df884b13cd6a8a71e404c78.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

106ada585df884b13cd6a8a71e404c78.exe

pid process

1832 106ada585df884b13cd6a8a71e404c78.exe
1832 106ada585df884b13cd6a8a71e404c78.exe

description	pid	process	target process
PID 1832 set thread context of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe

pid	process
1108	schtasks.exe

pid	process
940	106ada585df884b13cd6a8a71e404c78.exe

pid	process
1832	106ada585df884b13cd6a8a71e404c78.exe
1832	106ada585df884b13cd6a8a71e404c78.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

106ada585df884b13cd6a8a71e404c78.exe

description	pid	process	target process
PID 1832 wrote to memory of 1108	1832	106ada585df884b13cd6a8a71e404c78.exe	schtasks.exe
PID 1832 wrote to memory of 1108	1832	106ada585df884b13cd6a8a71e404c78.exe	schtasks.exe
PID 1832 wrote to memory of 1108	1832	106ada585df884b13cd6a8a71e404c78.exe	schtasks.exe
PID 1832 wrote to memory of 1108	1832	106ada585df884b13cd6a8a71e404c78.exe	schtasks.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe
PID 1832 wrote to memory of 940	1832	106ada585df884b13cd6a8a71e404c78.exe	106ada585df884b13cd6a8a71e404c78.exe

C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe
"C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fendlKCsOIoiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB73E.tmp"
2⤵
- Creates scheduled task(s)
PID:1108

C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe
"C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB73E.tmp
MD5
c075e6f1cbf46155b4e600e10c332a41

SHA1
7f62b2a1f8e9a6a443f959ca412e890693a0b2e9

SHA256
f279f2322ed8baea8f698151105c2ce310b151c57a447941b716ee1f7e9474e5

SHA512
272126a2b0f54d72410aa25f99ba5b4bb2bf91a3f298de9361ab9018c3e53f93d14c2afe471a05f95f24033bebf80ff323b3239892c0202e913d6fd62fdd1095

Download Submit
memory/940-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/940-71-0x000000000041ED40-mapping.dmp

Download
memory/940-73-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1108-68-0x0000000000000000-mapping.dmp

Download
memory/1832-60-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/1832-62-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1832-63-0x0000000001211000-0x0000000001212000-memory.dmp

Filesize
4KB

Download
memory/1832-64-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/1832-65-0x0000000001212000-0x0000000001213000-memory.dmp

Filesize
4KB

Download
memory/1832-66-0x0000000005BF0000-0x0000000005C6F000-memory.dmp

Filesize
508KB

Download
memory/1832-67-0x0000000004BB0000-0x0000000004BE5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads