formbook | 5965d771551e261280e191116d9ed9aeae23eefea54753f2a23792df5e315b02

General

Target

IMAGE-20210505-2001902818921.exe
Size

746KB
MD5

ca14ee6f98ab550e2e1c44f533302d07
SHA1

66304f4bcc82214ee9cdcfee76f3769be868ddee
SHA256

5965d771551e261280e191116d9ed9aeae23eefea54753f2a23792df5e315b02
SHA512

93eb40379e3ade148bff54bda92c8cd70ad887354ccc5af322dc98cc0661de881e6f6353762dc44f92a35ab1c62b799294d9cf1aae85958c5fdb58d1cfac123c

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.merckcbd.com/dei5/

Decoy

studiomullerphoto.com

reallionairewear.com

dogsalondoggy-tail.com

excelmache.net

bigdiscounters.com

7986799.com

ignition.guru

xiaoxu.info

jpinpd.com

solpool.info

uchooswrewards.com

everestengineeringworks.com

qianglongzhipin.com

deepimper-325.com

appliedrate.com

radsazemehr.com

vivabematividadesfisicas.com

capacitalo.com

somecore.com

listingclass.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2828-143-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2828-144-0x000000000041ECD0-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMAGE-20210505-2001902818921.exe

description pid process target process

PID 508 set thread context of 2828 508 IMAGE-20210505-2001902818921.exe IMAGE-20210505-2001902818921.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2132 schtasks.exe

description	pid	process	target process
PID 508 set thread context of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe

pid	process
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exeIMAGE-20210505-2001902818921.exepowershell.exeIMAGE-20210505-2001902818921.exe

pid	process
1972	powershell.exe
3968	powershell.exe
508	IMAGE-20210505-2001902818921.exe
508	IMAGE-20210505-2001902818921.exe
508	IMAGE-20210505-2001902818921.exe
508	IMAGE-20210505-2001902818921.exe
508	IMAGE-20210505-2001902818921.exe
508	IMAGE-20210505-2001902818921.exe
508	IMAGE-20210505-2001902818921.exe
1132	powershell.exe
1972	powershell.exe
2828	IMAGE-20210505-2001902818921.exe
2828	IMAGE-20210505-2001902818921.exe
3968	powershell.exe
1132	powershell.exe
3968	powershell.exe
1972	powershell.exe
1132	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeIMAGE-20210505-2001902818921.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	508	IMAGE-20210505-2001902818921.exe
Token: SeDebugPrivilege	1132	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

IMAGE-20210505-2001902818921.exe

description	pid	process	target process
PID 508 wrote to memory of 1972	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 1972	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 1972	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 3968	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 3968	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 3968	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 2132	508	IMAGE-20210505-2001902818921.exe	schtasks.exe
PID 508 wrote to memory of 2132	508	IMAGE-20210505-2001902818921.exe	schtasks.exe
PID 508 wrote to memory of 2132	508	IMAGE-20210505-2001902818921.exe	schtasks.exe
PID 508 wrote to memory of 1132	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 1132	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 1132	508	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 508 wrote to memory of 1284	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 1284	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 1284	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 416	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 416	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 416	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2684	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2684	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2684	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 508 wrote to memory of 2828	508	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe

C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AJWuOzen.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJWuOzen" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB33.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AJWuOzen.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
  "C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
  2⤵
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
  "C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
  2⤵
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
  "C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
  "C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
  2⤵
  PID:416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
65d38063afeb0ab170047c58e98eb4c3

SHA1
fb99322fd907e1241b23f9a82e7c1fd98760363d

SHA256
e57069561d9492c06f55e4fd17de62311c140d49878a61a3c1b5cc5a38ea0eb9

SHA512
e675eaa51f25f819f1c5a55967212d9ce272b118cc0377635a74641ca36a0b4b44121fff2a21540ecfe7c108d2a8a10dab9b9faf1629b19fe300709b5f2f19c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
65d38063afeb0ab170047c58e98eb4c3

SHA1
fb99322fd907e1241b23f9a82e7c1fd98760363d

SHA256
e57069561d9492c06f55e4fd17de62311c140d49878a61a3c1b5cc5a38ea0eb9

SHA512
e675eaa51f25f819f1c5a55967212d9ce272b118cc0377635a74641ca36a0b4b44121fff2a21540ecfe7c108d2a8a10dab9b9faf1629b19fe300709b5f2f19c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB33.tmp

MD5
a7751b6859928e7d01b70f50833c15d2

SHA1
944bbd783f8930bf053c2cf9f95f5836c7cbfea3

SHA256
57e68180dbe174a7233fd53cd0a6b0f1103e664029d5215a18ebd3e17ed3a8e2

SHA512
b5846035fe8a25303e3529a7244ded42fe404961793d6f9361f36d242b7ebddd52964c83d1e4d4935eab41442fcd15791e96727e95391341434262db6d6c2114

Download Submit
memory/508-116-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/508-117-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/508-118-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/508-119-0x0000000005550000-0x000000000555E000-memory.dmp

Filesize
56KB

Download
memory/508-120-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/508-121-0x00000000051D0000-0x000000000527D000-memory.dmp

Filesize
692KB

Download
memory/508-122-0x00000000011A0000-0x0000000001208000-memory.dmp

Filesize
416KB

Download
memory/508-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1132-195-0x000000007E8C0000-0x000000007E8C1000-memory.dmp

Filesize
4KB

Download
memory/1132-160-0x0000000004542000-0x0000000004543000-memory.dmp

Filesize
4KB

Download
memory/1132-159-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1132-138-0x0000000000000000-mapping.dmp

Download
memory/1132-198-0x0000000004543000-0x0000000004544000-memory.dmp

Filesize
4KB

Download
memory/1972-140-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/1972-129-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/1972-142-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/1972-197-0x0000000006E93000-0x0000000006E94000-memory.dmp

Filesize
4KB

Download
memory/1972-136-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/1972-137-0x0000000006E92000-0x0000000006E93000-memory.dmp

Filesize
4KB

Download
memory/1972-145-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/1972-123-0x0000000000000000-mapping.dmp

Download
memory/1972-135-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/1972-191-0x000000007E830000-0x000000007E831000-memory.dmp

Filesize
4KB

Download
memory/1972-186-0x0000000009350000-0x0000000009383000-memory.dmp

Filesize
204KB

Download
memory/1972-162-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/1972-164-0x0000000008640000-0x0000000008641000-memory.dmp

Filesize
4KB

Download
memory/1972-128-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/2132-127-0x0000000000000000-mapping.dmp

Download
memory/2828-161-0x0000000001930000-0x0000000001C50000-memory.dmp

Filesize
3.1MB

Download
memory/2828-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2828-144-0x000000000041ECD0-mapping.dmp

Download
memory/3968-139-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/3968-196-0x0000000006E53000-0x0000000006E54000-memory.dmp

Filesize
4KB

Download
memory/3968-194-0x000000007FC70000-0x000000007FC71000-memory.dmp

Filesize
4KB

Download
memory/3968-167-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/3968-141-0x0000000006E52000-0x0000000006E53000-memory.dmp

Filesize
4KB

Download
memory/3968-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads