formbook | 99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a

General

Target

LENG EAV GROUP-pdf-scan-copy.exe
Size

518KB
MD5

c5356c7eec60fb77f7538a743cc82e61
SHA1

2fe7d2b6c0c0198e44c935675929e44a1085b5bf
SHA256

99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
SHA512

eb2010259e5172e6000c7ea316663d372c157b5d03c32bc69cf238f4252ef44bff3faa589b08064c7be64602eb7bc75d8226bd65420adc13ed561b38b6590778

Score

10^/10

formbook m17y rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17y

Decoy

dental-implants-us-prices.site

eolegends.online

drskinstudio.com

miamivideomapping.com

cqytwater.com

fesfe.net

dlautostore.com

wwwpledge.com

trynutiliti.com

551milesoak.com

jemmetalfab.com

teamtrinitysellsncarolina.com

injurypersonallawyer.com

r3qcf2.xyz

djellaba-boutique.com

t6fwagd.xyz

lm-upto100.com

shyashijz.com

classicbasilicata.com

exactias.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1844-127-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3216-145-0x0000000002310000-0x000000000233F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exeLENG EAV GROUP-pdf-scan-copy.execmmon32.exe

description	pid	process	target process
PID 1552 set thread context of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1844 set thread context of 2968	1844	LENG EAV GROUP-pdf-scan-copy.exe	Explorer.EXE
PID 3216 set thread context of 2968	3216	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

600 schtasks.exe

pid	process
600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exepowershell.execmmon32.exe

pid	process
1844	LENG EAV GROUP-pdf-scan-copy.exe
1844	LENG EAV GROUP-pdf-scan-copy.exe
1844	LENG EAV GROUP-pdf-scan-copy.exe
1844	LENG EAV GROUP-pdf-scan-copy.exe
960	powershell.exe
960	powershell.exe
3216	cmmon32.exe
3216	cmmon32.exe
960	powershell.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe
3216	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2968 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.execmmon32.exe

pid process

1844 LENG EAV GROUP-pdf-scan-copy.exe
1844 LENG EAV GROUP-pdf-scan-copy.exe
1844 LENG EAV GROUP-pdf-scan-copy.exe
3216 cmmon32.exe
3216 cmmon32.exe

pid	process
2968	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exepowershell.execmmon32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1844	LENG EAV GROUP-pdf-scan-copy.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	3216	cmmon32.exe
Token: SeShutdownPrivilege	2968	Explorer.EXE
Token: SeCreatePagefilePrivilege	2968	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1552 wrote to memory of 960	1552	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1552 wrote to memory of 960	1552	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1552 wrote to memory of 960	1552	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1552 wrote to memory of 600	1552	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1552 wrote to memory of 600	1552	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1552 wrote to memory of 600	1552	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1552 wrote to memory of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1552 wrote to memory of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1552 wrote to memory of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1552 wrote to memory of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1552 wrote to memory of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1552 wrote to memory of 1844	1552	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 2968 wrote to memory of 3216	2968	Explorer.EXE	cmmon32.exe
PID 2968 wrote to memory of 3216	2968	Explorer.EXE	cmmon32.exe
PID 2968 wrote to memory of 3216	2968	Explorer.EXE	cmmon32.exe
PID 3216 wrote to memory of 1616	3216	cmmon32.exe	cmd.exe
PID 3216 wrote to memory of 1616	3216	cmmon32.exe	cmd.exe
PID 3216 wrote to memory of 1616	3216	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVXkgTTYkF.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVXkgTTYkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9552.tmp"
3⤵
- Creates scheduled task(s)
PID:600

C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
3⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9552.tmp
MD5
f8f381b25237dbcc57a76232d70c69e3

SHA1
6aaeb9c66f8c6e69143a9d0aa72567d9cd03bb7c

SHA256
71a2839d504977c4c25f54e4c6c9a2b30686de78b238f6be773784f8e54d670e

SHA512
48435ae8bfb2ca35101a682778d6cf7b6fe8475f36684f69920c10d1ebf6476bceeb03a2c4483027af530cab905b5f31b5bc4cc582091f143ebd4254052a7a01

Download Submit
memory/960-136-0x0000000008220000-0x0000000008286000-memory.dmp

Filesize
408KB

Download
memory/960-138-0x0000000008370000-0x00000000086C0000-memory.dmp

Filesize
3.3MB

Download
memory/960-135-0x0000000008180000-0x00000000081A2000-memory.dmp

Filesize
136KB

Download
memory/960-153-0x0000000009D50000-0x0000000009D83000-memory.dmp

Filesize
204KB

Download
memory/960-159-0x0000000009E80000-0x0000000009F25000-memory.dmp

Filesize
660KB

Download
memory/960-160-0x000000007EC20000-0x000000007EC21000-memory.dmp

Filesize
4KB

Download
memory/960-161-0x000000000A010000-0x000000000A0A4000-memory.dmp

Filesize
592KB

Download
memory/960-141-0x0000000008C10000-0x0000000008C86000-memory.dmp

Filesize
472KB

Download
memory/960-126-0x0000000007420000-0x0000000007456000-memory.dmp

Filesize
216KB

Download
memory/960-137-0x0000000008300000-0x0000000008366000-memory.dmp

Filesize
408KB

Download
memory/960-128-0x0000000007B20000-0x0000000008148000-memory.dmp

Filesize
6.2MB

Download
memory/960-130-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/960-131-0x00000000074E2000-0x00000000074E3000-memory.dmp

Filesize
4KB

Download
memory/960-362-0x0000000009A40000-0x0000000009A48000-memory.dmp

Filesize
32KB

Download
memory/960-357-0x0000000009AA0000-0x0000000009ABA000-memory.dmp

Filesize
104KB

Download
memory/960-162-0x00000000074E3000-0x00000000074E4000-memory.dmp

Filesize
4KB

Download
memory/960-140-0x0000000008800000-0x000000000884B000-memory.dmp

Filesize
300KB

Download
memory/960-139-0x00000000082D0000-0x00000000082EC000-memory.dmp

Filesize
112KB

Download
memory/960-154-0x0000000008E90000-0x0000000008EAE000-memory.dmp

Filesize
120KB

Download
memory/1552-117-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/1552-119-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/1552-118-0x00000000051C0000-0x00000000056BE000-memory.dmp

Filesize
5.0MB

Download
memory/1552-116-0x00000000056C0000-0x0000000005BBE000-memory.dmp

Filesize
5.0MB

Download
memory/1552-122-0x0000000007950000-0x00000000079B6000-memory.dmp

Filesize
408KB

Download
memory/1552-121-0x0000000001200000-0x000000000129C000-memory.dmp

Filesize
624KB

Download
memory/1552-120-0x0000000005400000-0x0000000005414000-memory.dmp

Filesize
80KB

Download
memory/1552-115-0x0000000000900000-0x0000000000988000-memory.dmp

Filesize
544KB

Download
memory/1844-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-133-0x00000000018F0000-0x0000000001C10000-memory.dmp

Filesize
3.1MB

Download
memory/1844-132-0x0000000001300000-0x000000000144A000-memory.dmp

Filesize
1.3MB

Download
memory/2968-134-0x0000000006DB0000-0x0000000006EE6000-memory.dmp

Filesize
1.2MB

Download
memory/2968-230-0x0000000001450000-0x0000000001528000-memory.dmp

Filesize
864KB

Download
memory/3216-146-0x0000000004410000-0x0000000004730000-memory.dmp

Filesize
3.1MB

Download
memory/3216-145-0x0000000002310000-0x000000000233F000-memory.dmp

Filesize
188KB

Download
memory/3216-144-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/3216-199-0x0000000004270000-0x0000000004402000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads