formbook | 4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8

General

Target

4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
Size

173KB
MD5

26c5dc4002976b3b9ae49f2440929df4
SHA1

e43a8d51eacb148ed0cfa2d88b229bf212493eab
SHA256

4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8
SHA512

a3789050060c85a77c48631ec7ab564d0244b49c4e513a388f7f2fbd57a1ad669ffa21b1c87a18daeb4655fe964906c92269dd461c18269fff4660adc5ef188d

Score

10^/10

formbook oh75 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1272-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "\"C:\\Users\\Admin\\AppData\\Roaming\\update\\update.exe\""	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

description	pid	process	target process
PID 4000 set thread context of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

436 timeout.exe

pid	process
436	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exe4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

pid	process
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
1272	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
1272	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
Token: SeDebugPrivilege	3976	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exepowershell.execmd.exe

description	pid	process	target process
PID 4000 wrote to memory of 3976	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	powershell.exe
PID 4000 wrote to memory of 3976	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	powershell.exe
PID 4000 wrote to memory of 3976	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	powershell.exe
PID 3976 wrote to memory of 4016	3976	powershell.exe	cmd.exe
PID 3976 wrote to memory of 4016	3976	powershell.exe	cmd.exe
PID 3976 wrote to memory of 4016	3976	powershell.exe	cmd.exe
PID 4016 wrote to memory of 436	4016	cmd.exe	timeout.exe
PID 4016 wrote to memory of 436	4016	cmd.exe	timeout.exe
PID 4016 wrote to memory of 436	4016	cmd.exe	timeout.exe
PID 4000 wrote to memory of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
PID 4000 wrote to memory of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
PID 4000 wrote to memory of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
PID 4000 wrote to memory of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
PID 4000 wrote to memory of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
PID 4000 wrote to memory of 1272	4000	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe	4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe

C:\Users\Admin\AppData\Local\Temp\4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
"C:\Users\Admin\AppData\Local\Temp\4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 19
3⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\timeout.exe
timeout 19
4⤵
- Delays execution with timeout.exe
PID:436

C:\Users\Admin\AppData\Local\Temp\4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
C:\Users\Admin\AppData\Local\Temp\4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-140-0x0000000000FC0000-0x00000000012E0000-memory.dmp

Filesize
3.1MB

Download
memory/3976-128-0x0000000007360000-0x00000000073C6000-memory.dmp

Filesize
408KB

Download
memory/3976-129-0x00000000074D0000-0x0000000007820000-memory.dmp

Filesize
3.3MB

Download
memory/3976-125-0x00000000043F0000-0x0000000004413000-memory.dmp

Filesize
140KB

Download
memory/3976-124-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/3976-126-0x00000000071E0000-0x0000000007202000-memory.dmp

Filesize
136KB

Download
memory/3976-127-0x00000000072F0000-0x0000000007356000-memory.dmp

Filesize
408KB

Download
memory/3976-121-0x0000000004460000-0x0000000004496000-memory.dmp

Filesize
216KB

Download
memory/3976-122-0x0000000006BB0000-0x00000000071D8000-memory.dmp

Filesize
6.2MB

Download
memory/3976-130-0x00000000072C0000-0x00000000072DC000-memory.dmp

Filesize
112KB

Download
memory/3976-131-0x0000000007B20000-0x0000000007B6B000-memory.dmp

Filesize
300KB

Download
memory/3976-132-0x0000000007C70000-0x0000000007CE6000-memory.dmp

Filesize
472KB

Download
memory/4000-136-0x0000000004E80000-0x0000000004F10000-memory.dmp

Filesize
576KB

Download
memory/4000-137-0x00000000047B0000-0x00000000047FC000-memory.dmp

Filesize
304KB

Download
memory/4000-138-0x0000000000BC0000-0x0000000000C52000-memory.dmp

Filesize
584KB

Download
memory/4000-123-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/4000-118-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads