formbook | 01622d3e6d14184769fc2b052e32588b7bbd86f5a61e511f395db4695d7018a9

General

Target

LVpromo.exe
Size

769KB
MD5

77e85ad8891096baba68e44b43f2f820
SHA1

11517a0e9f4c5f39170f8083436ff6156b5ecf7b
SHA256

01622d3e6d14184769fc2b052e32588b7bbd86f5a61e511f395db4695d7018a9
SHA512

7c6727fe6a9a2092e576d75cb4ad2cf22f9b2fcba394049430e236590a38d9a90590f52ea89ea96a82e8226e61a70b6e41ab89a7fc6fca9fed13ddcabf4c6a7a

Score

10^/10

formbook oh75 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/676-127-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/676-139-0x0000000001310000-0x00000000014A0000-memory.dmp	formbook
behavioral2/memory/1296-177-0x0000000000B50000-0x0000000000B7F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

LVpromo.exeLVpromo.execmstp.exe

description	pid	process	target process
PID 2564 set thread context of 676	2564	LVpromo.exe	LVpromo.exe
PID 676 set thread context of 3040	676	LVpromo.exe	Explorer.EXE
PID 1296 set thread context of 3040	1296	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

512 schtasks.exe

pid	process
512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

powershell.exeLVpromo.execmstp.exe

pid	process
2920	powershell.exe
2920	powershell.exe
676	LVpromo.exe
676	LVpromo.exe
676	LVpromo.exe
676	LVpromo.exe
2920	powershell.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe
1296	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LVpromo.execmstp.exe

pid process

676 LVpromo.exe
676 LVpromo.exe
676 LVpromo.exe
1296 cmstp.exe
1296 cmstp.exe

pid	process
3040	Explorer.EXE

pid	process
676	LVpromo.exe
676	LVpromo.exe
676	LVpromo.exe
1296	cmstp.exe
1296	cmstp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeLVpromo.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	676	LVpromo.exe
Token: SeDebugPrivilege	1296	cmstp.exe
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LVpromo.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2564 wrote to memory of 2920	2564	LVpromo.exe	powershell.exe
PID 2564 wrote to memory of 2920	2564	LVpromo.exe	powershell.exe
PID 2564 wrote to memory of 2920	2564	LVpromo.exe	powershell.exe
PID 2564 wrote to memory of 512	2564	LVpromo.exe	schtasks.exe
PID 2564 wrote to memory of 512	2564	LVpromo.exe	schtasks.exe
PID 2564 wrote to memory of 512	2564	LVpromo.exe	schtasks.exe
PID 2564 wrote to memory of 676	2564	LVpromo.exe	LVpromo.exe
PID 2564 wrote to memory of 676	2564	LVpromo.exe	LVpromo.exe
PID 2564 wrote to memory of 676	2564	LVpromo.exe	LVpromo.exe
PID 2564 wrote to memory of 676	2564	LVpromo.exe	LVpromo.exe
PID 2564 wrote to memory of 676	2564	LVpromo.exe	LVpromo.exe
PID 2564 wrote to memory of 676	2564	LVpromo.exe	LVpromo.exe
PID 3040 wrote to memory of 1296	3040	Explorer.EXE	cmstp.exe
PID 3040 wrote to memory of 1296	3040	Explorer.EXE	cmstp.exe
PID 3040 wrote to memory of 1296	3040	Explorer.EXE	cmstp.exe
PID 1296 wrote to memory of 3624	1296	cmstp.exe	cmd.exe
PID 1296 wrote to memory of 3624	1296	cmstp.exe	cmd.exe
PID 1296 wrote to memory of 3624	1296	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
"C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DhcJUDDVFUzIJt.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DhcJUDDVFUzIJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp291F.tmp"
3⤵
- Creates scheduled task(s)
PID:512

C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
"C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
3⤵
PID:3624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp291F.tmp
MD5
2ff7c9a9163a88d3251fd3f11743abf2

SHA1
9fb6f5f3f1e36a2c149e3098edfee24c74e6500f

SHA256
be7bfd5a8795babdc878d5d5a2258bf7e9e04781d7c2ff362fc610f14f808b80

SHA512
a8fcea1da920432341d860262fc9c19d0fcaca2047cfe33aee93b8c98970ad22b76e2f5a32d3cfe702c587ef1cf68d1ed71ca447cbd9030bf4cbe996e7910341

Download Submit
memory/676-138-0x00000000014A0000-0x00000000017C0000-memory.dmp

Filesize
3.1MB

Download
memory/676-139-0x0000000001310000-0x00000000014A0000-memory.dmp

Filesize
1.6MB

Download
memory/676-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-180-0x0000000004D80000-0x00000000050A0000-memory.dmp

Filesize
3.1MB

Download
memory/1296-374-0x0000000004BE0000-0x0000000004D7C000-memory.dmp

Filesize
1.6MB

Download
memory/1296-175-0x00000000010B0000-0x00000000010C6000-memory.dmp

Filesize
88KB

Download
memory/1296-177-0x0000000000B50000-0x0000000000B7F000-memory.dmp

Filesize
188KB

Download
memory/2564-120-0x0000000006A70000-0x0000000006A7C000-memory.dmp

Filesize
48KB

Download
memory/2564-121-0x0000000007400000-0x000000000749C000-memory.dmp

Filesize
624KB

Download
memory/2564-122-0x0000000007360000-0x00000000073CA000-memory.dmp

Filesize
424KB

Download
memory/2564-119-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/2564-118-0x0000000004E00000-0x00000000052FE000-memory.dmp

Filesize
5.0MB

Download
memory/2564-115-0x00000000004D0000-0x0000000000596000-memory.dmp

Filesize
792KB

Download
memory/2564-117-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/2564-116-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/2920-136-0x0000000004780000-0x000000000479C000-memory.dmp

Filesize
112KB

Download
memory/2920-157-0x0000000008E10000-0x0000000008EB5000-memory.dmp

Filesize
660KB

Download
memory/2920-133-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/2920-137-0x0000000006D50000-0x0000000006D9B000-memory.dmp

Filesize
300KB

Download
memory/2920-131-0x0000000006862000-0x0000000006863000-memory.dmp

Filesize
4KB

Download
memory/2920-130-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/2920-141-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/2920-126-0x00000000068B0000-0x00000000068E6000-memory.dmp

Filesize
216KB

Download
memory/2920-150-0x000000007EC30000-0x000000007EC31000-memory.dmp

Filesize
4KB

Download
memory/2920-151-0x0000000008CE0000-0x0000000008D13000-memory.dmp

Filesize
204KB

Download
memory/2920-152-0x0000000008CA0000-0x0000000008CBE000-memory.dmp

Filesize
120KB

Download
memory/2920-134-0x0000000007650000-0x00000000079A0000-memory.dmp

Filesize
3.3MB

Download
memory/2920-158-0x0000000009010000-0x00000000090A4000-memory.dmp

Filesize
592KB

Download
memory/2920-174-0x0000000006863000-0x0000000006864000-memory.dmp

Filesize
4KB

Download
memory/2920-132-0x0000000006C20000-0x0000000006C86000-memory.dmp

Filesize
408KB

Download
memory/2920-129-0x0000000006830000-0x0000000006852000-memory.dmp

Filesize
136KB

Download
memory/2920-128-0x0000000006F20000-0x0000000007548000-memory.dmp

Filesize
6.2MB

Download
memory/2920-355-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/2920-360-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/3040-140-0x0000000005F10000-0x000000000606D000-memory.dmp

Filesize
1.4MB

Download
memory/3040-375-0x00000000060B0000-0x00000000061EB000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads