formbook | 199e6cb2e7f907f2f9ff30a25edb130dd330a44fdd6873c83abd4731e2d5f262

General

Target

RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Size

664KB
MD5

e635ebf84417ed9ed97d4516de0cdaba
SHA1

33716297dd627e23010332c9fefd443447aeb47b
SHA256

cb0386454b283917d742dc6833ef4d7f5aaeeb5cd92acf9d54bb495752cdcda6
SHA512

e8ceacf9fcb559776237ba2de9518ee557ba8a073820403d59fa1f592c5047d349897003b304f3ee53c075413d7eebbd3a5c962dcf1b3d71f14c642fd4f8c5da

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.royalelectricvehicle.com/m8uk/

Decoy

blackcountryteshirts.com

pioneergeoscience.com

calacciwedding.com

theelegantdoorbow.com

graciosera.com

kwikversity.com

izita.xyz

drivewiththebest.co.uk

kakback.xyz

sachascott.net

lifeenterprisesystems.com

interimgirl.com

myviralplatform.com

spainmatrimony.com

supergenx.com

leglehla.icu

otlhswdok.icu

1stfdsqnre.com

xxxcentral.net

movimentare.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/612-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/612-68-0x000000000041ED10-mapping.dmp	formbook
behavioral1/memory/1216-76-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1516 cmd.exe

pid	process
1516	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.exenetsh.exe

description	pid	process	target process
PID 484 set thread context of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 612 set thread context of 1288	612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	Explorer.EXE
PID 1216 set thread context of 1288	1216	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

332 schtasks.exe

pid	process
332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exenetsh.exe

pid	process
612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
1216	netsh.exe
1216	netsh.exe
1216	netsh.exe
1216	netsh.exe
1216	netsh.exe
1216	netsh.exe
1216	netsh.exe
1216	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exenetsh.exe

pid	process
612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
1216	netsh.exe
1216	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exenetsh.exe

description pid process

Token: SeDebugPrivilege 612 RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Token: SeDebugPrivilege 1216 netsh.exe

description	pid	process
Token: SeDebugPrivilege	612	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Token: SeDebugPrivilege	1216	netsh.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 484 wrote to memory of 332	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 484 wrote to memory of 332	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 484 wrote to memory of 332	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 484 wrote to memory of 332	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 484 wrote to memory of 612	484	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1288 wrote to memory of 1216	1288	Explorer.EXE	netsh.exe
PID 1288 wrote to memory of 1216	1288	Explorer.EXE	netsh.exe
PID 1288 wrote to memory of 1216	1288	Explorer.EXE	netsh.exe
PID 1288 wrote to memory of 1216	1288	Explorer.EXE	netsh.exe
PID 1216 wrote to memory of 1516	1216	netsh.exe	cmd.exe
PID 1216 wrote to memory of 1516	1216	netsh.exe	cmd.exe
PID 1216 wrote to memory of 1516	1216	netsh.exe	cmd.exe
PID 1216 wrote to memory of 1516	1216	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pqaJglPNgqcbj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp"
3⤵
- Creates scheduled task(s)
PID:332

C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
3⤵
- Deletes itself
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp
MD5
0b7e50a46f1d14ada16dac76c851f4eb

SHA1
524bc709e9f640a06e0af12755c76712a92cb332

SHA256
626035e20df57faae12648d3d67c93af174d26fa93360ee9c37729d0743e9d97

SHA512
542f5b215635b7df7dd1558ecda07678f15dab1cb8123dedf3f6c5e1c42a2ebe095b9bd65718311565c63adeebbf260540c4917dc9c8be2ec2ad52ed5779a643

Download Submit
memory/332-65-0x0000000000000000-mapping.dmp

Download
memory/484-59-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/484-61-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/484-62-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/484-63-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/484-64-0x0000000000BA0000-0x0000000000BF0000-memory.dmp

Filesize
320KB

Download
memory/612-68-0x000000000041ED10-mapping.dmp

Download
memory/612-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/612-70-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/612-71-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1216-73-0x0000000000000000-mapping.dmp

Download
memory/1216-75-0x00000000016D0000-0x00000000016EB000-memory.dmp

Filesize
108KB

Download
memory/1216-76-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1216-77-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

Filesize
3.0MB

Download
memory/1216-78-0x00000000009C0000-0x0000000000A53000-memory.dmp

Filesize
588KB

Download
memory/1288-72-0x00000000064A0000-0x0000000006630000-memory.dmp

Filesize
1.6MB

Download
memory/1288-79-0x0000000003BD0000-0x0000000003C79000-memory.dmp

Filesize
676KB

Download
memory/1516-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads