formbook | b87631dd4125cdc5775d67fb2ec619c9772d47151d7196af7793cd10e8a377ab

General

Target

PO.exe
Size

58.0MB
MD5

39452d43693baa6d75c1a57e58186d8e
SHA1

55d035bb23f2b9581a791d841067a4169d4b2221
SHA256

b87631dd4125cdc5775d67fb2ec619c9772d47151d7196af7793cd10e8a377ab
SHA512

07dbb8b08d02a499f8b713519110b90856b5e63314c4790552186ff3f875575408f561cec8b36e4e5f5bf9654a1fd3a2e3ab832a3217f0e37a616654d3691d9e

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.monsunconsulting.com/gnf/

Decoy

phongthuythienan.website

andreaknightteacherauthor.com

lifeswatercolors.com

572215.com

kolm-polymers.com

turkishmarket.guru

jonnybravoarmory.com

wedatseasonings.com

worstdread.com

arisealf.com

gpsemployerservices.com

glorybit.com

purposeprowrestling.com

funlifecycle.com

bprattservices.com

pumpkinpundit.com

kustomhydraulics.com

accounteyei.com

visionagny.com

iddomum.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/960-68-0x000000000041EBF0-mapping.dmp	formbook
behavioral1/memory/960-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/688-77-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

PO.exePO.exe

description pid process target process

PID 368 set thread context of 960 368 PO.exe PO.exe
PID 960 set thread context of 1244 960 PO.exe Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

828 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO.exePO.exeexplorer.exe

pid process

368 PO.exe
960 PO.exe
960 PO.exe
688 explorer.exe
688 explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

PO.exe

pid process

960 PO.exe
960 PO.exe
960 PO.exe

pid	process
1496	cmd.exe

description	pid	process	target process
PID 368 set thread context of 960	368	PO.exe	PO.exe
PID 960 set thread context of 1244	960	PO.exe	Explorer.EXE

pid	process
828	schtasks.exe

pid	process
368	PO.exe
960	PO.exe
960	PO.exe
688	explorer.exe
688	explorer.exe

pid	process
1244	Explorer.EXE

pid	process
960	PO.exe
960	PO.exe
960	PO.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exePO.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	368	PO.exe
Token: SeDebugPrivilege	960	PO.exe
Token: SeDebugPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	1244	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

PO.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 368 wrote to memory of 828	368	PO.exe	schtasks.exe
PID 368 wrote to memory of 828	368	PO.exe	schtasks.exe
PID 368 wrote to memory of 828	368	PO.exe	schtasks.exe
PID 368 wrote to memory of 828	368	PO.exe	schtasks.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 368 wrote to memory of 960	368	PO.exe	PO.exe
PID 1244 wrote to memory of 688	1244	Explorer.EXE	explorer.exe
PID 1244 wrote to memory of 688	1244	Explorer.EXE	explorer.exe
PID 1244 wrote to memory of 688	1244	Explorer.EXE	explorer.exe
PID 1244 wrote to memory of 688	1244	Explorer.EXE	explorer.exe
PID 688 wrote to memory of 1496	688	explorer.exe	cmd.exe
PID 688 wrote to memory of 1496	688	explorer.exe	cmd.exe
PID 688 wrote to memory of 1496	688	explorer.exe	cmd.exe
PID 688 wrote to memory of 1496	688	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bJSaprQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC320.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    3⤵
    - Deletes itself
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC320.tmp

MD5
8683f95e2b7ba3e6a0b840674570b19d

SHA1
4b86bec6d330906b9c8698a0e7c8e424da51c08c

SHA256
c5d893805f92f2e3bbd4b0d448d4d21c4e3201c611131e4d2be3df6036efe1e0

SHA512
870f8ed7f423f5196d2d56ac4d257d4d8e0bb9a7d461ac2a765dff1fe2d44c93d34c4ce3757b85f572c7dca21fbdce795f39b3454613ef61fe33e4692203e4a1

Download Submit
memory/368-61-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/368-62-0x00000000004D0000-0x00000000004D4000-memory.dmp

Filesize
16KB

Download
memory/368-63-0x0000000005190000-0x000000000520E000-memory.dmp

Filesize
504KB

Download
memory/368-64-0x00000000006E0000-0x0000000000718000-memory.dmp

Filesize
224KB

Download
memory/368-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/688-73-0x0000000000000000-mapping.dmp

Download
memory/688-74-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/688-75-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/688-76-0x0000000000FE0000-0x0000000001261000-memory.dmp

Filesize
2.5MB

Download
memory/688-77-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/688-78-0x0000000002670000-0x0000000002973000-memory.dmp

Filesize
3.0MB

Download
memory/828-65-0x0000000000000000-mapping.dmp

Download
memory/960-68-0x000000000041EBF0-mapping.dmp

Download
memory/960-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/960-70-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/960-71-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1244-72-0x0000000004D50000-0x0000000004E53000-memory.dmp

Filesize
1.0MB

Download
memory/1496-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads