formbook | 619a462b761e8188e285d4122fe80ff0c3b2fca9cf491dcb5830a38f03d6610f

General

Target

6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
Size

674KB
MD5

9fe12cde3aa06a540dd00ef6b182c5d0
SHA1

5b71e9d19292cbd95d455ce778db5d5c86270ab0
SHA256

6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65
SHA512

b223de4772986e3c95c233d49711e538d566527ab7f8b2f0bdbcd75643587ddd6140815c29ff168ea4ab1bd8914053ea697913be81f4d7f37e5e3450a31be465

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.glittergalsboutique.com/8buc/

Decoy

affiliatetraining101.com

sun5new.com

localstuffunlimited.store

getmrn.com

nipandtucknurse.com

companycreater.com

painfullyperfect.com

3dmobilemammo.com

theredbeegroup.net

loochaan.com

alanoliveiramkt.com

lxwzsh.com

twobookramblers.com

cscardinalmalula.net

hanarzr.com

sabaicp.com

foodprocessmedia.com

tirongroup.com

dcentralizedcloud.com

xn--80abnkzb2a.xn--p1acf

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/772-138-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/772-140-0x000000000041ED80-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe

description	pid	process	target process
PID 3176 set thread context of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2344 schtasks.exe

pid	process
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exe6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exepowershell.exe6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exepowershell.exe

pid	process
184	powershell.exe
3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
1996	powershell.exe
772	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
772	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
416	powershell.exe
184	powershell.exe
1996	powershell.exe
416	powershell.exe
184	powershell.exe
1996	powershell.exe
416	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe

description	pid	process	target process
PID 3176 wrote to memory of 184	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 184	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 184	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 1996	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 1996	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 1996	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 2344	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	schtasks.exe
PID 3176 wrote to memory of 2344	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	schtasks.exe
PID 3176 wrote to memory of 2344	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	schtasks.exe
PID 3176 wrote to memory of 416	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 416	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 416	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	powershell.exe
PID 3176 wrote to memory of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
PID 3176 wrote to memory of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
PID 3176 wrote to memory of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
PID 3176 wrote to memory of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
PID 3176 wrote to memory of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
PID 3176 wrote to memory of 772	3176	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe	6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe

C:\Users\Admin\AppData\Local\Temp\6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
"C:\Users\Admin\AppData\Local\Temp\6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aNSuLti.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aNSuLti" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB01.tmp"
2⤵
- Creates scheduled task(s)
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aNSuLti.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Users\Admin\AppData\Local\Temp\6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe
"C:\Users\Admin\AppData\Local\Temp\6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14e54ca4387588b4ec77b7c8880015ca

SHA1
455c19212a22b629405ac3822193487bc28d4c96

SHA256
5515669bd44fac543a4e17dc9e5bd71135b2f2f6ff1a6e389641e7d5639208c7

SHA512
a869b570809666b5fd9d9d3d5e57f21a2a2b13ea17bb22d5b0b48a7104a3b990d5c6e453380ce274205f18802b01565070ebce48b0239a0894372aea93fec105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB01.tmp
MD5
b0df688fb90e38b3b158ac40ce158fa4

SHA1
877d59410849e8b0c453358509a6facb464ab414

SHA256
acae6867011b4dcaec9285f3840e1314a9e800ed23a13d11ff7f588a810e123f

SHA512
bedaedbbc638a686e06498d401eef56ff3240c2270d8835838b2751048ffe3479fc3ded6d6e9d10ec6f47c80c77cdb2b6928259b5f68c2ed8075bc30b2a8460d

Download Submit
memory/184-141-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/184-196-0x00000000070E3000-0x00000000070E4000-memory.dmp

Filesize
4KB

Download
memory/184-143-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/184-148-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/184-195-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

Filesize
4KB

Download
memory/184-168-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/184-125-0x0000000000000000-mapping.dmp

Download
memory/184-166-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/184-164-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/184-131-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/184-129-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/184-142-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/184-139-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/184-149-0x00000000070E2000-0x00000000070E3000-memory.dmp

Filesize
4KB

Download
memory/416-156-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/416-158-0x0000000004712000-0x0000000004713000-memory.dmp

Filesize
4KB

Download
memory/416-198-0x0000000004713000-0x0000000004714000-memory.dmp

Filesize
4KB

Download
memory/416-194-0x000000007F180000-0x000000007F181000-memory.dmp

Filesize
4KB

Download
memory/416-137-0x0000000000000000-mapping.dmp

Download
memory/772-140-0x000000000041ED80-mapping.dmp

Download
memory/772-152-0x00000000019B0000-0x0000000001CD0000-memory.dmp

Filesize
3.1MB

Download
memory/772-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1996-189-0x0000000008B60000-0x0000000008B93000-memory.dmp

Filesize
204KB

Download
memory/1996-150-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1996-153-0x0000000001022000-0x0000000001023000-memory.dmp

Filesize
4KB

Download
memory/1996-128-0x0000000000000000-mapping.dmp

Download
memory/1996-197-0x0000000001023000-0x0000000001024000-memory.dmp

Filesize
4KB

Download
memory/1996-193-0x000000007F560000-0x000000007F561000-memory.dmp

Filesize
4KB

Download
memory/2344-130-0x0000000000000000-mapping.dmp

Download
memory/3176-124-0x0000000008230000-0x0000000008265000-memory.dmp

Filesize
212KB

Download
memory/3176-114-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3176-119-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3176-123-0x0000000000FC0000-0x0000000001039000-memory.dmp

Filesize
484KB

Download
memory/3176-122-0x00000000054B0000-0x00000000054BE000-memory.dmp

Filesize
56KB

Download
memory/3176-117-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3176-116-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3176-118-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3176-121-0x0000000005000000-0x00000000054FE000-memory.dmp

Filesize
5.0MB

Download
memory/3176-120-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads