formbook | c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

General

Target

PI.exe
Size

229KB
MD5

faa85d608853f8f467909b19eac68daa
SHA1

2eafec60349d9a3cefd12e031f2597ca21c279b3
SHA256

c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c
SHA512

c3ccd2494c336d7479ec4cd70dbe61900c3ff2c9882fee7f84314151e2682ef2b335da85e3df175bb04b39a4148f376a4f279ae9009a961ee66ba60b51f9eb00

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.knighttechinca.com/dxe/

Decoy

sardarfarm.com

959tremont.com

privat-livecam.net

ansel-homebakery.com

joysupermarket.com

peninsulamatchmakers.net

northsytyle.com

radioconexaoubermusic.com

relocatingrealtor.com

desyrnan.com

onlinehoortoestel.online

enpointe.online

rvvikings.com

paulpoirier.com

shitarpa.net

kerneis.net

rokitreach.com

essentiallygaia.com

prestiged.net

fuerzaagavera.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2220-117-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1592-124-0x0000000000410000-0x000000000043E000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

PI.exe

pid process

1704 PI.exe

pid	process
1704	PI.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PI.exePI.execolorcpl.exe

description	pid	process	target process
PID 1704 set thread context of 2220	1704	PI.exe	PI.exe
PID 2220 set thread context of 2460	2220	PI.exe	Explorer.EXE
PID 1592 set thread context of 2460	1592	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

PI.execolorcpl.exe

pid	process
2220	PI.exe
2220	PI.exe
2220	PI.exe
2220	PI.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe
1592	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2460 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PI.exePI.execolorcpl.exe

pid process

1704 PI.exe
2220 PI.exe
2220 PI.exe
2220 PI.exe
1592 colorcpl.exe
1592 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PI.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 2220 PI.exe
Token: SeDebugPrivilege 1592 colorcpl.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2460 Explorer.EXE

pid	process
2460	Explorer.EXE

pid	process
1704	PI.exe
2220	PI.exe
2220	PI.exe
2220	PI.exe
1592	colorcpl.exe
1592	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	2220	PI.exe
Token: SeDebugPrivilege	1592	colorcpl.exe

pid	process
2460	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

PI.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1704 wrote to memory of 2220	1704	PI.exe	PI.exe
PID 1704 wrote to memory of 2220	1704	PI.exe	PI.exe
PID 1704 wrote to memory of 2220	1704	PI.exe	PI.exe
PID 1704 wrote to memory of 2220	1704	PI.exe	PI.exe
PID 2460 wrote to memory of 1592	2460	Explorer.EXE	colorcpl.exe
PID 2460 wrote to memory of 1592	2460	Explorer.EXE	colorcpl.exe
PID 2460 wrote to memory of 1592	2460	Explorer.EXE	colorcpl.exe
PID 1592 wrote to memory of 3720	1592	colorcpl.exe	cmd.exe
PID 1592 wrote to memory of 3720	1592	colorcpl.exe	cmd.exe
PID 1592 wrote to memory of 3720	1592	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\PI.exe
  "C:\Users\Admin\AppData\Local\Temp\PI.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\PI.exe
    "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    3⤵
    PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso112E.tmp\al7n3.dll

MD5
d7b3e7bbb1ba396ae0a092b5dc4b9ed4

SHA1
1af08aca3583c37cd83c23c4b1f0eafb477c48b0

SHA256
a4361c7bf7b9859df0b622ee7c421c216cc036b910e70861f107d487e257c162

SHA512
123138e9a75bbe78e47bef5fb4e6f5e024efe094bf3fce13c3919c916dce9e8382e212fa83a97604afeb6c161205df5f8d83e0536ada82cffa7f9866d1545ded

Download Submit
memory/1592-121-0x0000000000000000-mapping.dmp

Download
memory/1592-126-0x0000000000D40000-0x0000000000DD3000-memory.dmp

Filesize
588KB

Download
memory/1592-125-0x0000000000E80000-0x00000000011A0000-memory.dmp

Filesize
3.1MB

Download
memory/1592-124-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download
memory/1592-123-0x0000000001330000-0x0000000001349000-memory.dmp

Filesize
100KB

Download
memory/1704-115-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/2220-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2220-118-0x0000000000A90000-0x0000000000DB0000-memory.dmp

Filesize
3.1MB

Download
memory/2220-119-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/2220-116-0x000000000041EAF0-mapping.dmp

Download
memory/2460-120-0x0000000005F50000-0x000000000609B000-memory.dmp

Filesize
1.3MB

Download
memory/2460-127-0x00000000007F0000-0x000000000088C000-memory.dmp

Filesize
624KB

Download
memory/3720-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads