formbook | 5965d771551e261280e191116d9ed9aeae23eefea54753f2a23792df5e315b02

General

Target

IMAGE-20210505-2001902818921.exe
Size

746KB
MD5

ca14ee6f98ab550e2e1c44f533302d07
SHA1

66304f4bcc82214ee9cdcfee76f3769be868ddee
SHA256

5965d771551e261280e191116d9ed9aeae23eefea54753f2a23792df5e315b02
SHA512

93eb40379e3ade148bff54bda92c8cd70ad887354ccc5af322dc98cc0661de881e6f6353762dc44f92a35ab1c62b799294d9cf1aae85958c5fdb58d1cfac123c

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.merckcbd.com/dei5/

Decoy

studiomullerphoto.com

reallionairewear.com

dogsalondoggy-tail.com

excelmache.net

bigdiscounters.com

7986799.com

ignition.guru

xiaoxu.info

jpinpd.com

solpool.info

uchooswrewards.com

everestengineeringworks.com

qianglongzhipin.com

deepimper-325.com

appliedrate.com

radsazemehr.com

vivabematividadesfisicas.com

capacitalo.com

somecore.com

listingclass.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2628-144-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2628-147-0x000000000041ECD0-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMAGE-20210505-2001902818921.exe

description pid process target process

PID 3968 set thread context of 2628 3968 IMAGE-20210505-2001902818921.exe IMAGE-20210505-2001902818921.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1412 schtasks.exe

description	pid	process	target process
PID 3968 set thread context of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe

pid	process
1412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exeIMAGE-20210505-2001902818921.exepowershell.exeIMAGE-20210505-2001902818921.exe

pid	process
3624	powershell.exe
3496	powershell.exe
3968	IMAGE-20210505-2001902818921.exe
3968	IMAGE-20210505-2001902818921.exe
3968	IMAGE-20210505-2001902818921.exe
3624	powershell.exe
3496	powershell.exe
2620	powershell.exe
2628	IMAGE-20210505-2001902818921.exe
2628	IMAGE-20210505-2001902818921.exe
2620	powershell.exe
3496	powershell.exe
3624	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeIMAGE-20210505-2001902818921.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	3968	IMAGE-20210505-2001902818921.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

IMAGE-20210505-2001902818921.exe

description	pid	process	target process
PID 3968 wrote to memory of 3624	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 3624	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 3624	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 3496	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 3496	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 3496	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 1412	3968	IMAGE-20210505-2001902818921.exe	schtasks.exe
PID 3968 wrote to memory of 1412	3968	IMAGE-20210505-2001902818921.exe	schtasks.exe
PID 3968 wrote to memory of 1412	3968	IMAGE-20210505-2001902818921.exe	schtasks.exe
PID 3968 wrote to memory of 2620	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 2620	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 2620	3968	IMAGE-20210505-2001902818921.exe	powershell.exe
PID 3968 wrote to memory of 2604	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2604	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2604	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe
PID 3968 wrote to memory of 2628	3968	IMAGE-20210505-2001902818921.exe	IMAGE-20210505-2001902818921.exe

C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AJWuOzen.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJWuOzen" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE83E.tmp"
2⤵
- Creates scheduled task(s)
PID:1412

C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
2⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE-20210505-2001902818921.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AJWuOzen.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f4fa045e0a60f50760122658357327a0

SHA1
f91a263f7f49f9095ca4ccd9af8fe29252e5521b

SHA256
ab41192c2988c6acf0b63d1bbfbb9f839b6a764faef02c66dc9a6b30ec99b5b4

SHA512
6bca603f097f3fea8e4935bd9e678153bc20d1d887389182ecc7ff2d8e326de1041d396ddba346fb7dd2f97ff933f04a111846e98fc66ccb409a63db2b0cd674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eeb35ad7da90be727c2e12d33222e169

SHA1
cb6372427b4801785d8ca6e8485be25683cad028

SHA256
9477fea6bdb502f6b770cb79a2801e599d861a3c7db576ee94783ac0191c6f1f

SHA512
9adf5b25a25369ba6469c261a56a65310556401f8c4471811f9fef1e19a1f07503b2072330cb79b823626555af18c0fcfd1f98a63626fb1301dc13d134d8684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE83E.tmp
MD5
a7751b6859928e7d01b70f50833c15d2

SHA1
944bbd783f8930bf053c2cf9f95f5836c7cbfea3

SHA256
57e68180dbe174a7233fd53cd0a6b0f1103e664029d5215a18ebd3e17ed3a8e2

SHA512
b5846035fe8a25303e3529a7244ded42fe404961793d6f9361f36d242b7ebddd52964c83d1e4d4935eab41442fcd15791e96727e95391341434262db6d6c2114

Download Submit
memory/1412-128-0x0000000000000000-mapping.dmp

Download
memory/2620-198-0x00000000075F3000-0x00000000075F4000-memory.dmp

Filesize
4KB

Download
memory/2620-195-0x000000007F3F0000-0x000000007F3F1000-memory.dmp

Filesize
4KB

Download
memory/2620-156-0x00000000075F2000-0x00000000075F3000-memory.dmp

Filesize
4KB

Download
memory/2620-155-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/2620-141-0x0000000000000000-mapping.dmp

Download
memory/2628-166-0x0000000001230000-0x0000000001550000-memory.dmp

Filesize
3.1MB

Download
memory/2628-144-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-147-0x000000000041ECD0-mapping.dmp

Download
memory/3496-193-0x000000007E480000-0x000000007E481000-memory.dmp

Filesize
4KB

Download
memory/3496-153-0x0000000006742000-0x0000000006743000-memory.dmp

Filesize
4KB

Download
memory/3496-126-0x0000000000000000-mapping.dmp

Download
memory/3496-137-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/3496-139-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/3496-142-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/3496-197-0x0000000006743000-0x0000000006744000-memory.dmp

Filesize
4KB

Download
memory/3496-158-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3496-145-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/3496-186-0x0000000008B30000-0x0000000008B63000-memory.dmp

Filesize
204KB

Download
memory/3496-152-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/3624-127-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/3624-194-0x000000007F170000-0x000000007F171000-memory.dmp

Filesize
4KB

Download
memory/3624-196-0x0000000004643000-0x0000000004644000-memory.dmp

Filesize
4KB

Download
memory/3624-129-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/3624-160-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/3624-165-0x0000000008120000-0x0000000008121000-memory.dmp

Filesize
4KB

Download
memory/3624-123-0x0000000000000000-mapping.dmp

Download
memory/3624-130-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3624-133-0x0000000004642000-0x0000000004643000-memory.dmp

Filesize
4KB

Download
memory/3968-116-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3968-120-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/3968-114-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3968-118-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/3968-119-0x0000000005440000-0x000000000544E000-memory.dmp

Filesize
56KB

Download
memory/3968-121-0x0000000001300000-0x00000000013AD000-memory.dmp

Filesize
692KB

Download
memory/3968-117-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3968-122-0x0000000005D30000-0x0000000005D98000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads