formbook | 4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b

General

Target

4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
Size

836KB
MD5

67b547b2ca77306c8036fd20ca89a40a
SHA1

b7d8a6012df371ee276c901aafc1b5b21d62a1a0
SHA256

4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b
SHA512

a4221ea9ed99339b069a23e00f60209ac99ffe178061fd1682cc7fdc33767e1f90867d5ecf24ccd16bbcf5b6c3acfb30527c98523a6d05ea45f189969361bcd4

Score

10^/10

formbook m8g9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m8g9

Decoy

jimmycamel.com

bestinvilnius.com

diana-jarvis.com

manabitown.net

luxuryremyhair.com

cavesage.com

wholequote.space

truckdrivingfuture.xyz

ptcouponspt.com

stainthree-shift.space

universalstaffingpros.com

alibi-music.com

iqjlylro.com

pinterestservice.com

soolehayeiran.com

youngplatformpro.com

fidelitysafesecure.com

af258.wine

theblissdynamic.com

aliciabrooksenglishmastiff.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2660-130-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2660-136-0x0000000000D80000-0x0000000001530000-memory.dmp	formbook
behavioral1/memory/1028-143-0x0000000002A00000-0x0000000002A2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 3436 set thread context of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 2660 set thread context of 2164	2660	RegSvcs.exe	Explorer.EXE
PID 1028 set thread context of 2164	1028	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2704 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1028 NETSTAT.EXE

pid	process
2704	schtasks.exe

pid	process
1028	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exeRegSvcs.exepowershell.exeNETSTAT.EXE

pid	process
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
2660	RegSvcs.exe
2660	RegSvcs.exe
4084	powershell.exe
2660	RegSvcs.exe
2660	RegSvcs.exe
4084	powershell.exe
1028	NETSTAT.EXE
1028	NETSTAT.EXE
4084	powershell.exe
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE
1028	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2164 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

2660 RegSvcs.exe
2660 RegSvcs.exe
2660 RegSvcs.exe
1028 NETSTAT.EXE
1028 NETSTAT.EXE

pid	process
2164	Explorer.EXE

pid	process
2660	RegSvcs.exe
2660	RegSvcs.exe
2660	RegSvcs.exe
1028	NETSTAT.EXE
1028	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exepowershell.exeRegSvcs.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2660	RegSvcs.exe
Token: SeDebugPrivilege	1028	NETSTAT.EXE
Token: SeShutdownPrivilege	2164	Explorer.EXE
Token: SeCreatePagefilePrivilege	2164	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3436 wrote to memory of 4084	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	powershell.exe
PID 3436 wrote to memory of 4084	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	powershell.exe
PID 3436 wrote to memory of 4084	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	powershell.exe
PID 3436 wrote to memory of 2704	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	schtasks.exe
PID 3436 wrote to memory of 2704	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	schtasks.exe
PID 3436 wrote to memory of 2704	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	schtasks.exe
PID 3436 wrote to memory of 2044	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2044	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2044	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 3436 wrote to memory of 2660	3436	4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe	RegSvcs.exe
PID 2164 wrote to memory of 1028	2164	Explorer.EXE	NETSTAT.EXE
PID 2164 wrote to memory of 1028	2164	Explorer.EXE	NETSTAT.EXE
PID 2164 wrote to memory of 1028	2164	Explorer.EXE	NETSTAT.EXE
PID 1028 wrote to memory of 1296	1028	NETSTAT.EXE	cmd.exe
PID 1028 wrote to memory of 1296	1028	NETSTAT.EXE	cmd.exe
PID 1028 wrote to memory of 1296	1028	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe
"C:\Users\Admin\AppData\Local\Temp\4102936b0b54529eb3be257a0ed5a222149bf146da96cd75b77e1dd2be614f9b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\flqesK.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\flqesK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D8B.tmp"
3⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D8B.tmp
MD5
f7b088d26fa05b53d7dbc7f70aae245f

SHA1
3021c72730a9d8687c30fb30f08badad7691397f

SHA256
e6f6c9e0f042c3eea3d50eba30146e190a678c952f417c2b67b0f7ac2e7768ca

SHA512
0ee6c2df3de944e7a80d1f3c51e10a286b96594f4b537ddcb1727e1acc9436d52aeb853e177a17ef3f6d74a23b399b295bc272a999bd294150d9fe43ce53a259

Download Submit
memory/1028-144-0x0000000002D50000-0x0000000003070000-memory.dmp

Filesize
3.1MB

Download
memory/1028-142-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/1028-143-0x0000000002A00000-0x0000000002A2F000-memory.dmp

Filesize
188KB

Download
memory/1028-231-0x0000000002BB0000-0x0000000002D4C000-memory.dmp

Filesize
1.6MB

Download
memory/2164-137-0x0000000002660000-0x0000000002739000-memory.dmp

Filesize
868KB

Download
memory/2164-234-0x0000000005B90000-0x0000000005C96000-memory.dmp

Filesize
1.0MB

Download
memory/2660-136-0x0000000000D80000-0x0000000001530000-memory.dmp

Filesize
7.7MB

Download
memory/2660-131-0x00000000011C0000-0x00000000014E0000-memory.dmp

Filesize
3.1MB

Download
memory/2660-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-121-0x00000000074A0000-0x000000000753C000-memory.dmp

Filesize
624KB

Download
memory/3436-116-0x0000000005010000-0x000000000550E000-memory.dmp

Filesize
5.0MB

Download
memory/3436-120-0x0000000004FE0000-0x0000000004FEC000-memory.dmp

Filesize
48KB

Download
memory/3436-118-0x0000000004B70000-0x0000000004B7A000-memory.dmp

Filesize
40KB

Download
memory/3436-122-0x0000000007540000-0x00000000075AA000-memory.dmp

Filesize
424KB

Download
memory/3436-117-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/3436-119-0x0000000004B10000-0x000000000500E000-memory.dmp

Filesize
5.0MB

Download
memory/3436-115-0x0000000000110000-0x00000000001EA000-memory.dmp

Filesize
872KB

Download
memory/4084-126-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4084-153-0x0000000009590000-0x00000000095C3000-memory.dmp

Filesize
204KB

Download
memory/4084-138-0x0000000007FE0000-0x0000000008330000-memory.dmp

Filesize
3.3MB

Download
memory/4084-139-0x0000000007E00000-0x0000000007E1C000-memory.dmp

Filesize
112KB

Download
memory/4084-140-0x0000000007E20000-0x0000000007E6B000-memory.dmp

Filesize
300KB

Download
memory/4084-141-0x00000000086C0000-0x0000000008736000-memory.dmp

Filesize
472KB

Download
memory/4084-134-0x0000000007D20000-0x0000000007D86000-memory.dmp

Filesize
408KB

Download
memory/4084-132-0x0000000007520000-0x0000000007542000-memory.dmp

Filesize
136KB

Download
memory/4084-129-0x0000000007640000-0x0000000007C68000-memory.dmp

Filesize
6.2MB

Download
memory/4084-135-0x0000000007F70000-0x0000000007FD6000-memory.dmp

Filesize
408KB

Download
memory/4084-154-0x00000000088A0000-0x00000000088BE000-memory.dmp

Filesize
120KB

Download
memory/4084-159-0x00000000096C0000-0x0000000009765000-memory.dmp

Filesize
660KB

Download
memory/4084-160-0x000000007E500000-0x000000007E501000-memory.dmp

Filesize
4KB

Download
memory/4084-161-0x0000000009AE0000-0x0000000009B74000-memory.dmp

Filesize
592KB

Download
memory/4084-198-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/4084-128-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/4084-127-0x0000000004BD0000-0x0000000004C06000-memory.dmp

Filesize
216KB

Download
memory/4084-357-0x00000000094E0000-0x00000000094FA000-memory.dmp

Filesize
104KB

Download
memory/4084-362-0x00000000094D0000-0x00000000094D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads