formbook | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133

General

Target

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
Size

58KB
MD5

f2b6d04e02cd293d0743c419211ce6b7
SHA1

6f0120d0f57162680a5951741c9befbe21ee7e6f
SHA256

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133
SHA512

bdbda94f442557de6752fe4806ec5ea9157e895006b6986817a6b1ca1c08d5c465290ee6eac90cb58c087afee973bf201ac4062fb22a13eaa8bdb15144b0f37c

Score

10^/10

formbook wieh persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wieh

Decoy

rosevillepress.com

diegodeoviedo.com

karanganbungabandungcimahi.com

skeletonnation.net

tihudez.xyz

idaz2.xyz

highcaliberperformance.com

serfoe.com

envisioneyecare.net

bj-htjy360.com

turkiyeekonomiyikonusuyor.com

nationsassociation.online

matesmeltingpot.com

7haof.com

burkhardhomes.com

candyhunks.com

internationalafrican.school

harsors.com

themarketstore.xyz

yulmarket.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4088-132-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

description	pid	process	target process
PID 2064 set thread context of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1220 timeout.exe

pid	process
1220	timeout.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exed44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

pid	process
2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
4088	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
4088	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

description pid process

Token: SeDebugPrivilege 2064 d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

description	pid	process
Token: SeDebugPrivilege	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 2904	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	cmd.exe
PID 2064 wrote to memory of 2904	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	cmd.exe
PID 2064 wrote to memory of 2904	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	cmd.exe
PID 2904 wrote to memory of 1220	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 1220	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 1220	2904	cmd.exe	timeout.exe
PID 2064 wrote to memory of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
PID 2064 wrote to memory of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
PID 2064 wrote to memory of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
PID 2064 wrote to memory of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
PID 2064 wrote to memory of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
PID 2064 wrote to memory of 4088	2064	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe	d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
"C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 19
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\timeout.exe
timeout 19
3⤵
- Delays execution with timeout.exe
PID:1220

C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d07311c9ef5f3fe251e8bfc4e6bcc8fd 2URH+vHQFkGkbEY8QnWCgQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-130-0x0000000000C00000-0x0000000000C14000-memory.dmp

Filesize
80KB

Download
memory/2064-131-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4088-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads