formbook | f08bb3738306349fa7b9217837de2e959cba48fdceb4ada3d3b58533bb3527f2

General

Target

QUOTATION.exe
Size

761KB
MD5

b7cd2e625aa05005e2326e5e6158a560
SHA1

420a83cd1c1703fbf7aeb8b7e51c46c407e5d6b5
SHA256

f08bb3738306349fa7b9217837de2e959cba48fdceb4ada3d3b58533bb3527f2
SHA512

c53ea74a3da53f82bc12bbe0d10a8050d8747737b3cff118465357c278d05b7ddf185b4f53759e636cf7da6000a6036220f1d3df3faa15b00e13f6c33ba18b30

Score

10^/10

formbook e10p rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e10p

Decoy

pompland.com

hybikebbs.com

sacramentocommercial.net

dixietales.com

rakan-group.com

wanmeipp.com

brandonwestjacksonville.com

jschenjitong.com

sedarous.com

cheapflightsandhotels.net

effectivehomeloans.com

haru-kun.com

pure-heartfelt.com

tlbdsm72.com

avantcarmomento.com

flighthonestpaulvids.com

xn--ok0b350biyc97gvlg.com

3bmmxvn.life

force-win.info

shvecarskiy-stil.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3308-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/592-132-0x0000000004E00000-0x0000000004E2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

QUOTATION.exeQUOTATION.exechkdsk.exe

description	pid	process	target process
PID 2748 set thread context of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 3308 set thread context of 3036	3308	QUOTATION.exe	Explorer.EXE
PID 592 set thread context of 3036	592	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3248 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

pid	process
3248	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

QUOTATION.exechkdsk.exe

pid	process
3308	QUOTATION.exe
3308	QUOTATION.exe
3308	QUOTATION.exe
3308	QUOTATION.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe
592	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

QUOTATION.exechkdsk.exe

pid process

3308 QUOTATION.exe
3308 QUOTATION.exe
3308 QUOTATION.exe
592 chkdsk.exe
592 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QUOTATION.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 3308 QUOTATION.exe
Token: SeDebugPrivilege 592 chkdsk.exe

pid	process
3036	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3308	QUOTATION.exe
Token: SeDebugPrivilege	592	chkdsk.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

QUOTATION.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 2748 wrote to memory of 3248	2748	QUOTATION.exe	schtasks.exe
PID 2748 wrote to memory of 3248	2748	QUOTATION.exe	schtasks.exe
PID 2748 wrote to memory of 3248	2748	QUOTATION.exe	schtasks.exe
PID 2748 wrote to memory of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 2748 wrote to memory of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 2748 wrote to memory of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 2748 wrote to memory of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 2748 wrote to memory of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 2748 wrote to memory of 3308	2748	QUOTATION.exe	QUOTATION.exe
PID 3036 wrote to memory of 592	3036	Explorer.EXE	chkdsk.exe
PID 3036 wrote to memory of 592	3036	Explorer.EXE	chkdsk.exe
PID 3036 wrote to memory of 592	3036	Explorer.EXE	chkdsk.exe
PID 592 wrote to memory of 3876	592	chkdsk.exe	cmd.exe
PID 592 wrote to memory of 3876	592	chkdsk.exe	cmd.exe
PID 592 wrote to memory of 3876	592	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCgWUxCAvyuz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA75.tmp"
3⤵
- Creates scheduled task(s)
PID:3248

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA75.tmp
MD5
fbf90b7f8a588c09f683131ee29225c7

SHA1
6aeef68b2c9d2468e20e5c6f1d6e50f2586ab688

SHA256
b15b67c8dd752bc733918eea01993010f5bff3a856ad98a88f52b03b2b809476

SHA512
2b78e99fc2abf29619b6c2a1e844c08806ba30d7a391f27fdce0614fd2a76c9f047f8d687a88cdf499078701f9872f00bc835802ed2d8b96e54d918feef9ae0b

Download Submit
memory/592-132-0x0000000004E00000-0x0000000004E2F000-memory.dmp

Filesize
188KB

Download
memory/592-134-0x00000000052F0000-0x0000000005384000-memory.dmp

Filesize
592KB

Download
memory/592-131-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/592-133-0x0000000004E30000-0x0000000004F7A000-memory.dmp

Filesize
1.3MB

Download
memory/2748-123-0x00000000090D0000-0x0000000009184000-memory.dmp

Filesize
720KB

Download
memory/2748-121-0x0000000005750000-0x00000000057A6000-memory.dmp

Filesize
344KB

Download
memory/2748-122-0x0000000005B70000-0x0000000005B7A000-memory.dmp

Filesize
40KB

Download
memory/2748-115-0x0000000000D10000-0x0000000000DD4000-memory.dmp

Filesize
784KB

Download
memory/2748-118-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/2748-117-0x0000000005CD0000-0x00000000061CE000-memory.dmp

Filesize
5.0MB

Download
memory/2748-116-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/2748-120-0x0000000003190000-0x000000000319A000-memory.dmp

Filesize
40KB

Download
memory/2748-119-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2748-124-0x000000000B5D0000-0x000000000B632000-memory.dmp

Filesize
392KB

Download
memory/3036-135-0x0000000005810000-0x000000000596C000-memory.dmp

Filesize
1.4MB

Download
memory/3036-130-0x00000000056F0000-0x0000000005803000-memory.dmp

Filesize
1.1MB

Download
memory/3308-129-0x00000000016C0000-0x00000000016D5000-memory.dmp

Filesize
84KB

Download
memory/3308-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-128-0x0000000001280000-0x00000000015A0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads