formbook | 99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a

General

Target

LENG EAV GROUP-pdf-scan-copy.exe
Size

518KB
MD5

c5356c7eec60fb77f7538a743cc82e61
SHA1

2fe7d2b6c0c0198e44c935675929e44a1085b5bf
SHA256

99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
SHA512

eb2010259e5172e6000c7ea316663d372c157b5d03c32bc69cf238f4252ef44bff3faa589b08064c7be64602eb7bc75d8226bd65420adc13ed561b38b6590778

Score

10^/10

formbook m17y rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17y

Decoy

dental-implants-us-prices.site

eolegends.online

drskinstudio.com

miamivideomapping.com

cqytwater.com

fesfe.net

dlautostore.com

wwwpledge.com

trynutiliti.com

551milesoak.com

jemmetalfab.com

teamtrinitysellsncarolina.com

injurypersonallawyer.com

r3qcf2.xyz

djellaba-boutique.com

t6fwagd.xyz

lm-upto100.com

shyashijz.com

classicbasilicata.com

exactias.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/656-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/656-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1932-78-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe

pid	process
1708	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exeLENG EAV GROUP-pdf-scan-copy.exehelp.exe

description	pid	process	target process
PID 1612 set thread context of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 656 set thread context of 1228	656	LENG EAV GROUP-pdf-scan-copy.exe	Explorer.EXE
PID 656 set thread context of 1228	656	LENG EAV GROUP-pdf-scan-copy.exe	Explorer.EXE
PID 1932 set thread context of 1228	1932	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe

pid	process
820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exepowershell.exehelp.exe

pid	process
656	LENG EAV GROUP-pdf-scan-copy.exe
656	LENG EAV GROUP-pdf-scan-copy.exe
1360	powershell.exe
656	LENG EAV GROUP-pdf-scan-copy.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe
1932	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exehelp.exe

pid	process
656	LENG EAV GROUP-pdf-scan-copy.exe
656	LENG EAV GROUP-pdf-scan-copy.exe
656	LENG EAV GROUP-pdf-scan-copy.exe
656	LENG EAV GROUP-pdf-scan-copy.exe
1932	help.exe
1932	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exepowershell.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	656	LENG EAV GROUP-pdf-scan-copy.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1932	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exeLENG EAV GROUP-pdf-scan-copy.exehelp.exe

description	pid	process	target process
PID 1612 wrote to memory of 1360	1612	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1612 wrote to memory of 1360	1612	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1612 wrote to memory of 1360	1612	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1612 wrote to memory of 1360	1612	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1612 wrote to memory of 820	1612	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1612 wrote to memory of 820	1612	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1612 wrote to memory of 820	1612	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1612 wrote to memory of 820	1612	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1612 wrote to memory of 656	1612	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 656 wrote to memory of 1932	656	LENG EAV GROUP-pdf-scan-copy.exe	help.exe
PID 656 wrote to memory of 1932	656	LENG EAV GROUP-pdf-scan-copy.exe	help.exe
PID 656 wrote to memory of 1932	656	LENG EAV GROUP-pdf-scan-copy.exe	help.exe
PID 656 wrote to memory of 1932	656	LENG EAV GROUP-pdf-scan-copy.exe	help.exe
PID 1932 wrote to memory of 1708	1932	help.exe	cmd.exe
PID 1932 wrote to memory of 1708	1932	help.exe	cmd.exe
PID 1932 wrote to memory of 1708	1932	help.exe	cmd.exe
PID 1932 wrote to memory of 1708	1932	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1228

C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVXkgTTYkF.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVXkgTTYkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF76.tmp"
3⤵
- Creates scheduled task(s)
PID:820

C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
5⤵
- Deletes itself
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDF76.tmp
MD5
2a9e82c558934b8344c6a51415a014c0

SHA1
83656bf420e9005e92dec4efa76cfd70ab7b1de0

SHA256
b31db8a2bf55f2151a8e7ce36ddb5e5efa1b5fb1cfccb0ba51b0e652a2dc5da0

SHA512
6401f2490c092eff02e36f4e3b7ad625f862d09c1c56d16d821a3e1ab0c762c5bcdd860bcd011f8a3ed17fbbdc5854d9117f4a8ab4067c7563d944ebbee5c93c

Download Submit
memory/656-67-0x0000000000370000-0x0000000000385000-memory.dmp

Filesize
84KB

Download
memory/656-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-75-0x00000000003B0000-0x00000000003C5000-memory.dmp

Filesize
84KB

Download
memory/656-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-66-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/656-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-76-0x0000000006420000-0x00000000064EC000-memory.dmp

Filesize
816KB

Download
memory/1228-68-0x0000000006190000-0x0000000006275000-memory.dmp

Filesize
916KB

Download
memory/1228-81-0x0000000006590000-0x00000000066B7000-memory.dmp

Filesize
1.2MB

Download
memory/1360-73-0x0000000002240000-0x0000000002500000-memory.dmp

Filesize
2.8MB

Download
memory/1360-71-0x0000000002240000-0x0000000002500000-memory.dmp

Filesize
2.8MB

Download
memory/1360-72-0x0000000002240000-0x0000000002500000-memory.dmp

Filesize
2.8MB

Download
memory/1612-59-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/1612-56-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1612-58-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/1612-57-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/1612-55-0x00000000008A0000-0x0000000000928000-memory.dmp

Filesize
544KB

Download
memory/1932-78-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1932-77-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/1932-79-0x00000000007D0000-0x0000000000AD3000-memory.dmp

Filesize
3.0MB

Download
memory/1932-80-0x0000000000540000-0x00000000007C1000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads