formbook | 199e6cb2e7f907f2f9ff30a25edb130dd330a44fdd6873c83abd4731e2d5f262

General

Target

RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Size

664KB
MD5

e635ebf84417ed9ed97d4516de0cdaba
SHA1

33716297dd627e23010332c9fefd443447aeb47b
SHA256

cb0386454b283917d742dc6833ef4d7f5aaeeb5cd92acf9d54bb495752cdcda6
SHA512

e8ceacf9fcb559776237ba2de9518ee557ba8a073820403d59fa1f592c5047d349897003b304f3ee53c075413d7eebbd3a5c962dcf1b3d71f14c642fd4f8c5da

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.royalelectricvehicle.com/m8uk/

Decoy

blackcountryteshirts.com

pioneergeoscience.com

calacciwedding.com

theelegantdoorbow.com

graciosera.com

kwikversity.com

izita.xyz

drivewiththebest.co.uk

kakback.xyz

sachascott.net

lifeenterprisesystems.com

interimgirl.com

myviralplatform.com

spainmatrimony.com

supergenx.com

leglehla.icu

otlhswdok.icu

1stfdsqnre.com

xxxcentral.net

movimentare.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/412-126-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/412-127-0x000000000041ED10-mapping.dmp	formbook
behavioral1/memory/668-137-0x0000000000C40000-0x0000000000C6E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.exemsiexec.exe

description	pid	process	target process
PID 4664 set thread context of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 412 set thread context of 3048	412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	Explorer.EXE
PID 668 set thread context of 3048	668	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4180 schtasks.exe

pid	process
4180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.exemsiexec.exe

pid	process
4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe
668	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE

pid	process
3048	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exemsiexec.exe

pid	process
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
668	msiexec.exe
668	msiexec.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeRFQ-2176 NEW PROJECT QUOTATION MAY.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Token: SeDebugPrivilege	412	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
Token: SeDebugPrivilege	668	msiexec.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ-2176 NEW PROJECT QUOTATION MAY.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 4664 wrote to memory of 4180	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 4664 wrote to memory of 4180	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 4664 wrote to memory of 4180	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	schtasks.exe
PID 4664 wrote to memory of 2668	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 2668	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 2668	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 2432	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 2432	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 2432	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 4664 wrote to memory of 412	4664	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	RFQ-2176 NEW PROJECT QUOTATION MAY.exe
PID 3048 wrote to memory of 668	3048	Explorer.EXE	msiexec.exe
PID 3048 wrote to memory of 668	3048	Explorer.EXE	msiexec.exe
PID 3048 wrote to memory of 668	3048	Explorer.EXE	msiexec.exe
PID 668 wrote to memory of 392	668	msiexec.exe	cmd.exe
PID 668 wrote to memory of 392	668	msiexec.exe	cmd.exe
PID 668 wrote to memory of 392	668	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pqaJglPNgqcbj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp309.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
    3⤵
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RFQ-2176 NEW PROJECT QUOTATION MAY.exe"
    3⤵
    PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp309.tmp

MD5
78d4e4a4f623899b0624100ed950b815

SHA1
8853f0d0f3cf642f031f88b0179fc540a4cd5254

SHA256
7f2d6e22e286af9692b9d03677238fd5a1f4c4911225866601b36f903cba28f3

SHA512
0bf8e908a96c87a408cd2d87354e847216d33c2ff32d5fd67612de22b6d1ae1ddece7b6854216e09999be44c39ba332be631d8280c030e3b4819fa276b97435b

Download Submit
memory/392-138-0x0000000000000000-mapping.dmp

Download
memory/412-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/412-130-0x0000000001760000-0x0000000001774000-memory.dmp

Filesize
80KB

Download
memory/412-129-0x00000000017A0000-0x0000000001AC0000-memory.dmp

Filesize
3.1MB

Download
memory/412-127-0x000000000041ED10-mapping.dmp

Download
memory/668-139-0x00000000049C0000-0x0000000004A53000-memory.dmp

Filesize
588KB

Download
memory/668-137-0x0000000000C40000-0x0000000000C6E000-memory.dmp

Filesize
184KB

Download
memory/668-136-0x0000000004B60000-0x0000000004E80000-memory.dmp

Filesize
3.1MB

Download
memory/668-135-0x0000000000F00000-0x0000000000F12000-memory.dmp

Filesize
72KB

Download
memory/668-132-0x0000000000000000-mapping.dmp

Download
memory/3048-131-0x00000000029B0000-0x0000000002A81000-memory.dmp

Filesize
836KB

Download
memory/3048-140-0x0000000006150000-0x00000000062E2000-memory.dmp

Filesize
1.6MB

Download
memory/4180-124-0x0000000000000000-mapping.dmp

Download
memory/4664-123-0x00000000016A0000-0x00000000016F0000-memory.dmp

Filesize
320KB

Download
memory/4664-122-0x0000000006680000-0x0000000006712000-memory.dmp

Filesize
584KB

Download
memory/4664-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/4664-121-0x0000000005D80000-0x0000000005D8E000-memory.dmp

Filesize
56KB

Download
memory/4664-120-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/4664-119-0x00000000058B0000-0x0000000005DAE000-memory.dmp

Filesize
5.0MB

Download
memory/4664-118-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/4664-117-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/4664-116-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads