formbook | f86258665b68d70e83397ac4ef17598c552b994dd13f26b8208c4d40b8e94816

General

Target

Siparis onayi.09826272882.exe
Size

777KB
MD5

ec4945b27f81624b5293543cc03885e5
SHA1

98702dd3ae9571c627615d6cb7137156381d1886
SHA256

f86258665b68d70e83397ac4ef17598c552b994dd13f26b8208c4d40b8e94816
SHA512

70156ed777e9650e4a37ce8794df62b7b08852e331edd798c388430abc33616cc2f608b0a8c92295d97f87be3d31297c6e921946841d967c7254a98d30cd57f8

Score

10^/10

formbook bc3s persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc3s

C2

http://www.topei-products.com/bc3s/

Decoy

anna-ng.com

mariangelamata.com

szqnbl.com

nesherguitars.com

mysekrit.com

againbeautyviensui.xyz

appf.life

bilalsolution.com

technoratii.com

11restoran.com

birthingly.com

crystalcarrillo.com

cohenasset.info

bunchofdesign.com

highstreetmag.com

talentkerning.com

outdoor-glassesadvice.com

aliceeety.com

habbuhot.info

pao91.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1932-59-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/1932-62-0x0000000072480000-0x00000000724AE000-memory.dmp	formbook
behavioral1/memory/1932-67-0x0000000072480000-0x00000000724AE000-memory.dmp	formbook
behavioral1/memory/1192-72-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Siparis onayi.09826272882.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vgkxrts = "C:\\Users\\Public\\Libraries\\strxkgV.url"	Siparis onayi.09826272882.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mobsync.exeNETSTAT.EXE

description	pid	process	target process
PID 1932 set thread context of 1384	1932	mobsync.exe	Explorer.EXE
PID 1932 set thread context of 1384	1932	mobsync.exe	Explorer.EXE
PID 1192 set thread context of 1384	1192	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1192 NETSTAT.EXE

pid	process
1192	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

mobsync.exeNETSTAT.EXE

pid	process
1932	mobsync.exe
1932	mobsync.exe
1932	mobsync.exe
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE
1192	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

mobsync.exeNETSTAT.EXE

pid process

1932 mobsync.exe
1932 mobsync.exe
1932 mobsync.exe
1932 mobsync.exe
1192 NETSTAT.EXE
1192 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mobsync.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1932 mobsync.exe
Token: SeDebugPrivilege 1192 NETSTAT.EXE

pid	process
1384	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1932	mobsync.exe
Token: SeDebugPrivilege	1192	NETSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Siparis onayi.09826272882.exemobsync.exeNETSTAT.EXE

description	pid	process	target process
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 2004 wrote to memory of 1932	2004	Siparis onayi.09826272882.exe	mobsync.exe
PID 1932 wrote to memory of 1192	1932	mobsync.exe	NETSTAT.EXE
PID 1932 wrote to memory of 1192	1932	mobsync.exe	NETSTAT.EXE
PID 1932 wrote to memory of 1192	1932	mobsync.exe	NETSTAT.EXE
PID 1932 wrote to memory of 1192	1932	mobsync.exe	NETSTAT.EXE
PID 1192 wrote to memory of 2036	1192	NETSTAT.EXE	cmd.exe
PID 1192 wrote to memory of 2036	1192	NETSTAT.EXE	cmd.exe
PID 1192 wrote to memory of 2036	1192	NETSTAT.EXE	cmd.exe
PID 1192 wrote to memory of 2036	1192	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1384

C:\Users\Admin\AppData\Local\Temp\Siparis onayi.09826272882.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis onayi.09826272882.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
4⤵
PID:1092

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
4⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\mobsync.exe"
5⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-70-0x0000000000000000-mapping.dmp

Download
memory/1192-75-0x0000000001F30000-0x0000000001FC3000-memory.dmp

Filesize
588KB

Download
memory/1192-73-0x0000000002100000-0x0000000002403000-memory.dmp

Filesize
3.0MB

Download
memory/1192-71-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download
memory/1192-72-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1384-66-0x0000000004800000-0x00000000048BC000-memory.dmp

Filesize
752KB

Download
memory/1384-69-0x0000000006310000-0x0000000006430000-memory.dmp

Filesize
1.1MB

Download
memory/1384-76-0x0000000005D50000-0x0000000005E0F000-memory.dmp

Filesize
764KB

Download
memory/1932-68-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/1932-65-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/1932-67-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/1932-62-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/1932-64-0x0000000002240000-0x0000000002543000-memory.dmp

Filesize
3.0MB

Download
memory/1932-57-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1932-59-0x0000000000000000-mapping.dmp

Download
memory/1932-56-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/1932-61-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2004-53-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x0000000000301000-0x0000000000315000-memory.dmp

Filesize
80KB

Download
memory/2004-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2036-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads