formbook | 01622d3e6d14184769fc2b052e32588b7bbd86f5a61e511f395db4695d7018a9

General

Target

LVpromo.exe
Size

769KB
MD5

77e85ad8891096baba68e44b43f2f820
SHA1

11517a0e9f4c5f39170f8083436ff6156b5ecf7b
SHA256

01622d3e6d14184769fc2b052e32588b7bbd86f5a61e511f395db4695d7018a9
SHA512

7c6727fe6a9a2092e576d75cb4ad2cf22f9b2fcba394049430e236590a38d9a90590f52ea89ea96a82e8226e61a70b6e41ab89a7fc6fca9fed13ddcabf4c6a7a

Score

10^/10

formbook oh75 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/324-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1552-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1904 cmd.exe

pid	process
1904	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

LVpromo.exeLVpromo.exesvchost.exe

description	pid	process	target process
PID 948 set thread context of 324	948	LVpromo.exe	LVpromo.exe
PID 324 set thread context of 1224	324	LVpromo.exe	Explorer.EXE
PID 1552 set thread context of 1224	1552	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1484 schtasks.exe

pid	process
1484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

LVpromo.exepowershell.exesvchost.exe

pid	process
324	LVpromo.exe
324	LVpromo.exe
268	powershell.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LVpromo.exesvchost.exe

pid process

324 LVpromo.exe
324 LVpromo.exe
324 LVpromo.exe
1552 svchost.exe
1552 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LVpromo.exepowershell.exesvchost.exe

description pid process

Token: SeDebugPrivilege 324 LVpromo.exe
Token: SeDebugPrivilege 268 powershell.exe
Token: SeDebugPrivilege 1552 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	324	LVpromo.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1552	svchost.exe

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

LVpromo.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 948 wrote to memory of 268	948	LVpromo.exe	powershell.exe
PID 948 wrote to memory of 268	948	LVpromo.exe	powershell.exe
PID 948 wrote to memory of 268	948	LVpromo.exe	powershell.exe
PID 948 wrote to memory of 268	948	LVpromo.exe	powershell.exe
PID 948 wrote to memory of 1484	948	LVpromo.exe	schtasks.exe
PID 948 wrote to memory of 1484	948	LVpromo.exe	schtasks.exe
PID 948 wrote to memory of 1484	948	LVpromo.exe	schtasks.exe
PID 948 wrote to memory of 1484	948	LVpromo.exe	schtasks.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 948 wrote to memory of 324	948	LVpromo.exe	LVpromo.exe
PID 1224 wrote to memory of 1552	1224	Explorer.EXE	svchost.exe
PID 1224 wrote to memory of 1552	1224	Explorer.EXE	svchost.exe
PID 1224 wrote to memory of 1552	1224	Explorer.EXE	svchost.exe
PID 1224 wrote to memory of 1552	1224	Explorer.EXE	svchost.exe
PID 1552 wrote to memory of 1904	1552	svchost.exe	cmd.exe
PID 1552 wrote to memory of 1904	1552	svchost.exe	cmd.exe
PID 1552 wrote to memory of 1904	1552	svchost.exe	cmd.exe
PID 1552 wrote to memory of 1904	1552	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
"C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DhcJUDDVFUzIJt.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DhcJUDDVFUzIJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8546.tmp"
3⤵
- Creates scheduled task(s)
PID:1484

C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
"C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
3⤵
- Deletes itself
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8546.tmp
MD5
8290267e7e2dfdc7a01faa4a03239613

SHA1
0e1f22fceaa08214f6dba6bd64cbc3edd6f10782

SHA256
0271879747dceb19137314852885db952b69b49584749ed09e46db4ccfddfe40

SHA512
29c7800389c0fc5b303f93151eaf30f03eb2164f706b5c337cd505b5e53646de3f9c73bf66df7b31c8d6ea7c5b48cacc0a2921cd92923b0f68ae068240c3d38c

Download Submit
memory/268-71-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/324-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-68-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/324-69-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/324-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-57-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/948-55-0x0000000001350000-0x0000000001416000-memory.dmp

Filesize
792KB

Download
memory/948-58-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/948-59-0x0000000005250000-0x00000000052BA000-memory.dmp

Filesize
424KB

Download
memory/948-56-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download
memory/1224-70-0x0000000006710000-0x0000000006897000-memory.dmp

Filesize
1.5MB

Download
memory/1224-76-0x0000000004200000-0x00000000042C9000-memory.dmp

Filesize
804KB

Download
memory/1552-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1552-72-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/1552-74-0x0000000000760000-0x0000000000A63000-memory.dmp

Filesize
3.0MB

Download
memory/1552-75-0x0000000000560000-0x00000000005F3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads