formbook | bde0129799ae332ca620e04afb99a7292548d4486c1b07b26254f781c2777b67

General

Target

LENG EAV GROUP-pdf-scan-copy.exe
Size

518KB
MD5

c5356c7eec60fb77f7538a743cc82e61
SHA1

2fe7d2b6c0c0198e44c935675929e44a1085b5bf
SHA256

99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
SHA512

eb2010259e5172e6000c7ea316663d372c157b5d03c32bc69cf238f4252ef44bff3faa589b08064c7be64602eb7bc75d8226bd65420adc13ed561b38b6590778

Score

10^/10

formbook m17y rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17y

Decoy

dental-implants-us-prices.site

eolegends.online

drskinstudio.com

miamivideomapping.com

cqytwater.com

fesfe.net

dlautostore.com

wwwpledge.com

trynutiliti.com

551milesoak.com

jemmetalfab.com

teamtrinitysellsncarolina.com

injurypersonallawyer.com

r3qcf2.xyz

djellaba-boutique.com

t6fwagd.xyz

lm-upto100.com

shyashijz.com

classicbasilicata.com

exactias.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/864-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1200-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1596 cmd.exe

pid	process
1596	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exeLENG EAV GROUP-pdf-scan-copy.execmmon32.exe

description	pid	process	target process
PID 1204 set thread context of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 864 set thread context of 1208	864	LENG EAV GROUP-pdf-scan-copy.exe	Explorer.EXE
PID 1200 set thread context of 1208	1200	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1740 schtasks.exe

pid	process
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exepowershell.execmmon32.exe

pid	process
864	LENG EAV GROUP-pdf-scan-copy.exe
864	LENG EAV GROUP-pdf-scan-copy.exe
1624	powershell.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe
1200	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.execmmon32.exe

pid process

864 LENG EAV GROUP-pdf-scan-copy.exe
864 LENG EAV GROUP-pdf-scan-copy.exe
864 LENG EAV GROUP-pdf-scan-copy.exe
1200 cmmon32.exe
1200 cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exepowershell.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	864	LENG EAV GROUP-pdf-scan-copy.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1200	cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

LENG EAV GROUP-pdf-scan-copy.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1204 wrote to memory of 1624	1204	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1204 wrote to memory of 1624	1204	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1204 wrote to memory of 1624	1204	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1204 wrote to memory of 1624	1204	LENG EAV GROUP-pdf-scan-copy.exe	powershell.exe
PID 1204 wrote to memory of 1740	1204	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1204 wrote to memory of 1740	1204	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1204 wrote to memory of 1740	1204	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1204 wrote to memory of 1740	1204	LENG EAV GROUP-pdf-scan-copy.exe	schtasks.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1204 wrote to memory of 864	1204	LENG EAV GROUP-pdf-scan-copy.exe	LENG EAV GROUP-pdf-scan-copy.exe
PID 1208 wrote to memory of 1200	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 1200	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 1200	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 1200	1208	Explorer.EXE	cmmon32.exe
PID 1200 wrote to memory of 1596	1200	cmmon32.exe	cmd.exe
PID 1200 wrote to memory of 1596	1200	cmmon32.exe	cmd.exe
PID 1200 wrote to memory of 1596	1200	cmmon32.exe	cmd.exe
PID 1200 wrote to memory of 1596	1200	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVXkgTTYkF.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVXkgTTYkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"
3⤵
- Creates scheduled task(s)
PID:1740

C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1372

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1136

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1788

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1360

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
3⤵
- Deletes itself
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp
MD5
ec31fed5e8749e9d8073472ccb0c7eb7

SHA1
e8cdc75bb30909399f822911a78abd7a6342a728

SHA256
ad02cd2e10a36aaf7be698aba35678805684f3df88c97965a77378de635232cd

SHA512
acf88270c8fcc2d0f2c28e54a0c1b474b126cc17ea936dc1638d693eb0020f23b8012e421f35eda6b1175d656c54b402c6804014a8cdc5f4262bb726c9a7200a

Download Submit
memory/864-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-67-0x00000000007F0000-0x0000000000DB3000-memory.dmp

Filesize
5.8MB

Download
memory/864-68-0x0000000000180000-0x0000000000195000-memory.dmp

Filesize
84KB

Download
memory/864-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-70-0x00000000008A0000-0x00000000008AD000-memory.dmp

Filesize
52KB

Download
memory/1200-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1200-73-0x0000000001DD0000-0x0000000001E64000-memory.dmp

Filesize
592KB

Download
memory/1200-72-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1204-55-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1204-57-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/1204-53-0x0000000000A20000-0x0000000000AA8000-memory.dmp

Filesize
544KB

Download
memory/1204-56-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/1208-69-0x0000000003FC0000-0x0000000004075000-memory.dmp

Filesize
724KB

Download
memory/1208-74-0x0000000004290000-0x0000000004386000-memory.dmp

Filesize
984KB

Download
memory/1624-66-0x0000000002290000-0x0000000002EDA000-memory.dmp

Filesize
12.3MB

Download
memory/1624-65-0x0000000002290000-0x0000000002EDA000-memory.dmp

Filesize
12.3MB

Download
memory/1624-64-0x0000000002290000-0x0000000002EDA000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads