formbook | bf19534d31541387c22c69963c679114bac4315d83e1dd3dc7b775b7dd377658

General

Target

PO202107.xls
Size

23KB
MD5

c9123fe2a9ea247a974641a32940335b
SHA1

13c5be04c9afceb11892f27767d7bc45c33b4b9c
SHA256

bf19534d31541387c22c69963c679114bac4315d83e1dd3dc7b775b7dd377658
SHA512

a87babeac9c10faa19d638b7f02551eeab7f17b2f482bdf1a797d616b52995b5e326758a32d7a1418baab596ff1dfecf142dcd1ab8ca6cd8386c863f8984ba0c

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.tiktokblueprints.com/ea9e/

Decoy

yoga-fertilite.com

zcltlfsh.icu

aberdareroyalcottages.com

kawaiibobateahouse.com

311gang.com

coastalbreezecreations.com

globosimpresoss.com

ignitioniq.com

5gplaystation.com

marketopiniononline.com

martinstantondesigns.com

ksdhxtkpup4.net

findconscious.com

pure-tab.com

orderanthonysofskippack.com

findingthecurve.com

e-devletim.com

prosystemwebsite.com

travelbroom.com

sharpopinion.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3912-277-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3912-278-0x000000000041ED80-mapping.dmp	formbook
behavioral2/memory/2376-286-0x0000000000C00000-0x0000000000C2E000-memory.dmp	formbook

Executes dropped EXE 4 IoCs

Processes:

PO202107PO202107PO202107PO202107

pid process

2864 PO202107
2328 PO202107
860 PO202107
3912 PO202107

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO202107PO202107chkdsk.exe

description	pid	process	target process
PID 2864 set thread context of 3912	2864	PO202107	PO202107
PID 3912 set thread context of 2492	3912	PO202107	Explorer.EXE
PID 2376 set thread context of 2492	2376	chkdsk.exe	Explorer.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchkdsk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4048 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

PO202107PO202107chkdsk.exe

pid	process
2864	PO202107
2864	PO202107
2864	PO202107
2864	PO202107
3912	PO202107
3912	PO202107
3912	PO202107
3912	PO202107
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe
2376	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2492 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO202107chkdsk.exe

pid process

3912 PO202107
3912 PO202107
3912 PO202107
2376 chkdsk.exe
2376 chkdsk.exe

pid	process
2492	Explorer.EXE

pid	process
3912	PO202107
3912	PO202107
3912	PO202107
2376	chkdsk.exe
2376	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

PO202107PO202107chkdsk.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2864	PO202107
Token: SeDebugPrivilege	3912	PO202107
Token: SeDebugPrivilege	2376	chkdsk.exe
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4048 EXCEL.EXE
4048 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EXCEL.EXEPO202107Explorer.EXEchkdsk.exe

description	pid	process	target process
PID 4048 wrote to memory of 2864	4048	EXCEL.EXE	PO202107
PID 4048 wrote to memory of 2864	4048	EXCEL.EXE	PO202107
PID 4048 wrote to memory of 2864	4048	EXCEL.EXE	PO202107
PID 2864 wrote to memory of 2328	2864	PO202107	PO202107
PID 2864 wrote to memory of 2328	2864	PO202107	PO202107
PID 2864 wrote to memory of 2328	2864	PO202107	PO202107
PID 2864 wrote to memory of 860	2864	PO202107	PO202107
PID 2864 wrote to memory of 860	2864	PO202107	PO202107
PID 2864 wrote to memory of 860	2864	PO202107	PO202107
PID 2864 wrote to memory of 3912	2864	PO202107	PO202107
PID 2864 wrote to memory of 3912	2864	PO202107	PO202107
PID 2864 wrote to memory of 3912	2864	PO202107	PO202107
PID 2864 wrote to memory of 3912	2864	PO202107	PO202107
PID 2864 wrote to memory of 3912	2864	PO202107	PO202107
PID 2864 wrote to memory of 3912	2864	PO202107	PO202107
PID 2492 wrote to memory of 2376	2492	Explorer.EXE	chkdsk.exe
PID 2492 wrote to memory of 2376	2492	Explorer.EXE	chkdsk.exe
PID 2492 wrote to memory of 2376	2492	Explorer.EXE	chkdsk.exe
PID 2376 wrote to memory of 3864	2376	chkdsk.exe	cmd.exe
PID 2376 wrote to memory of 3864	2376	chkdsk.exe	cmd.exe
PID 2376 wrote to memory of 3864	2376	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO202107.xls"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\PO202107
C:\Users\Admin\AppData\Local\Temp\PO202107
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\PO202107
"C:\Users\Admin\AppData\Local\Temp\PO202107"
4⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\PO202107
"C:\Users\Admin\AppData\Local\Temp\PO202107"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Users\Admin\AppData\Local\Temp\PO202107
"C:\Users\Admin\AppData\Local\Temp\PO202107"
4⤵
- Executes dropped EXE
PID:860

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO202107"
3⤵
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PO202107
MD5
081f5f42ff8f75d52ca942383d097028

SHA1
8382c3a28ab790b7090f25cb5b7259638b57cb5c

SHA256
e99179189d603b5fe86e06f80326ff9716c05825a47c4c0dfecc5d9b3429d917

SHA512
9dff362902911c57bf1430c14765d866aa7d1803f9fc0ee0e7f37751c14dacc6c8cbcab3044e48bff77fd59090dde996559e303bbf51418d54205cfb75b50f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO202107
MD5
081f5f42ff8f75d52ca942383d097028

SHA1
8382c3a28ab790b7090f25cb5b7259638b57cb5c

SHA256
e99179189d603b5fe86e06f80326ff9716c05825a47c4c0dfecc5d9b3429d917

SHA512
9dff362902911c57bf1430c14765d866aa7d1803f9fc0ee0e7f37751c14dacc6c8cbcab3044e48bff77fd59090dde996559e303bbf51418d54205cfb75b50f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO202107
MD5
081f5f42ff8f75d52ca942383d097028

SHA1
8382c3a28ab790b7090f25cb5b7259638b57cb5c

SHA256
e99179189d603b5fe86e06f80326ff9716c05825a47c4c0dfecc5d9b3429d917

SHA512
9dff362902911c57bf1430c14765d866aa7d1803f9fc0ee0e7f37751c14dacc6c8cbcab3044e48bff77fd59090dde996559e303bbf51418d54205cfb75b50f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO202107
MD5
081f5f42ff8f75d52ca942383d097028

SHA1
8382c3a28ab790b7090f25cb5b7259638b57cb5c

SHA256
e99179189d603b5fe86e06f80326ff9716c05825a47c4c0dfecc5d9b3429d917

SHA512
9dff362902911c57bf1430c14765d866aa7d1803f9fc0ee0e7f37751c14dacc6c8cbcab3044e48bff77fd59090dde996559e303bbf51418d54205cfb75b50f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO202107
MD5
081f5f42ff8f75d52ca942383d097028

SHA1
8382c3a28ab790b7090f25cb5b7259638b57cb5c

SHA256
e99179189d603b5fe86e06f80326ff9716c05825a47c4c0dfecc5d9b3429d917

SHA512
9dff362902911c57bf1430c14765d866aa7d1803f9fc0ee0e7f37751c14dacc6c8cbcab3044e48bff77fd59090dde996559e303bbf51418d54205cfb75b50f2f

Download Submit
memory/2376-288-0x0000000005120000-0x00000000051B3000-memory.dmp

Filesize
588KB

Download
memory/2376-287-0x0000000004D20000-0x0000000004DCE000-memory.dmp

Filesize
696KB

Download
memory/2376-286-0x0000000000C00000-0x0000000000C2E000-memory.dmp

Filesize
184KB

Download
memory/2376-285-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/2376-283-0x0000000000000000-mapping.dmp

Download
memory/2492-291-0x00000000059F0000-0x0000000005B46000-memory.dmp

Filesize
1.3MB

Download
memory/2492-282-0x0000000001470000-0x0000000001565000-memory.dmp

Filesize
980KB

Download
memory/2864-274-0x0000000005250000-0x0000000005280000-memory.dmp

Filesize
192KB

Download
memory/2864-257-0x0000000000000000-mapping.dmp

Download
memory/2864-266-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2864-267-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2864-268-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/2864-269-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/2864-270-0x0000000002A20000-0x0000000002A31000-memory.dmp

Filesize
68KB

Download
memory/2864-273-0x0000000001050000-0x00000000010C5000-memory.dmp

Filesize
468KB

Download
memory/2864-265-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2864-264-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2864-262-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3864-284-0x0000000000000000-mapping.dmp

Download
memory/3912-278-0x000000000041ED80-mapping.dmp

Download
memory/3912-277-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3912-281-0x0000000001610000-0x0000000001624000-memory.dmp

Filesize
80KB

Download
memory/3912-280-0x0000000001630000-0x0000000001950000-memory.dmp

Filesize
3.1MB

Download
memory/4048-121-0x00007FFDC3030000-0x00007FFDC411E000-memory.dmp

Filesize
16.9MB

Download
memory/4048-123-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-122-0x00007FFDC1130000-0x00007FFDC3025000-memory.dmp

Filesize
31.0MB

Download
memory/4048-114-0x00007FF72F110000-0x00007FF7326C6000-memory.dmp

Filesize
53.7MB

Download
memory/4048-118-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-304-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-305-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-306-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-307-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads