formbook | 199e6cb2e7f907f2f9ff30a25edb130dd330a44fdd6873c83abd4731e2d5f262

General

Target

RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Size

664KB
MD5

e635ebf84417ed9ed97d4516de0cdaba
SHA1

33716297dd627e23010332c9fefd443447aeb47b
SHA256

cb0386454b283917d742dc6833ef4d7f5aaeeb5cd92acf9d54bb495752cdcda6
SHA512

e8ceacf9fcb559776237ba2de9518ee557ba8a073820403d59fa1f592c5047d349897003b304f3ee53c075413d7eebbd3a5c962dcf1b3d71f14c642fd4f8c5da

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.royalelectricvehicle.com/m8uk/

Decoy

blackcountryteshirts.com

pioneergeoscience.com

calacciwedding.com

theelegantdoorbow.com

graciosera.com

kwikversity.com

izita.xyz

drivewiththebest.co.uk

kakback.xyz

sachascott.net

lifeenterprisesystems.com

interimgirl.com

myviralplatform.com

spainmatrimony.com

supergenx.com

leglehla.icu

otlhswdok.icu

1stfdsqnre.com

xxxcentral.net

movimentare.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3548-126-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3548-127-0x000000000041ED10-mapping.dmp	formbook
behavioral2/memory/496-135-0x0000000000610000-0x000000000063E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.execolorcpl.exe

description	pid	process	target process
PID 1000 set thread context of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 3548 set thread context of 2180	3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	Explorer.EXE
PID 496 set thread context of 2180	496	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3420 schtasks.exe

pid	process
3420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.execolorcpl.exe

pid	process
1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe
496	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.execolorcpl.exe

pid	process
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
496	colorcpl.exe
496	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Token: SeDebugPrivilege	3548	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Token: SeDebugPrivilege	496	colorcpl.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1000 wrote to memory of 3420	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 1000 wrote to memory of 3420	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 1000 wrote to memory of 3420	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 1000 wrote to memory of 1900	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 1900	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 1900	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 2112	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 2112	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 2112	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 1000 wrote to memory of 3548	1000	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 2180 wrote to memory of 496	2180	Explorer.EXE	colorcpl.exe
PID 2180 wrote to memory of 496	2180	Explorer.EXE	colorcpl.exe
PID 2180 wrote to memory of 496	2180	Explorer.EXE	colorcpl.exe
PID 496 wrote to memory of 1092	496	colorcpl.exe	cmd.exe
PID 496 wrote to memory of 1092	496	colorcpl.exe	cmd.exe
PID 496 wrote to memory of 1092	496	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pqaJglPNgqcbj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9E4.tmp"
3⤵
- Creates scheduled task(s)
PID:3420

C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
3⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
3⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3276

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
3⤵
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE9E4.tmp
MD5
78d4e4a4f623899b0624100ed950b815

SHA1
8853f0d0f3cf642f031f88b0179fc540a4cd5254

SHA256
7f2d6e22e286af9692b9d03677238fd5a1f4c4911225866601b36f903cba28f3

SHA512
0bf8e908a96c87a408cd2d87354e847216d33c2ff32d5fd67612de22b6d1ae1ddece7b6854216e09999be44c39ba332be631d8280c030e3b4819fa276b97435b

Download Submit
memory/496-137-0x0000000000FD0000-0x0000000001063000-memory.dmp

Filesize
588KB

Download
memory/496-136-0x0000000004770000-0x0000000004A90000-memory.dmp

Filesize
3.1MB

Download
memory/496-134-0x0000000001350000-0x0000000001369000-memory.dmp

Filesize
100KB

Download
memory/496-135-0x0000000000610000-0x000000000063E000-memory.dmp

Filesize
184KB

Download
memory/496-132-0x0000000000000000-mapping.dmp

Download
memory/1000-120-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1000-118-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1000-123-0x0000000001650000-0x00000000016A0000-memory.dmp

Filesize
320KB

Download
memory/1000-121-0x0000000005830000-0x000000000583E000-memory.dmp

Filesize
56KB

Download
memory/1000-122-0x00000000015B0000-0x0000000001642000-memory.dmp

Filesize
584KB

Download
memory/1000-116-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1000-117-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/1000-114-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1000-119-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/1092-133-0x0000000000000000-mapping.dmp

Download
memory/2180-138-0x00000000030F0000-0x0000000003191000-memory.dmp

Filesize
644KB

Download
memory/2180-131-0x00000000066C0000-0x000000000685C000-memory.dmp

Filesize
1.6MB

Download
memory/3420-124-0x0000000000000000-mapping.dmp

Download
memory/3548-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3548-130-0x00000000017E0000-0x00000000017F4000-memory.dmp

Filesize
80KB

Download
memory/3548-129-0x0000000001830000-0x0000000001B50000-memory.dmp

Filesize
3.1MB

Download
memory/3548-127-0x000000000041ED10-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads