formbook | 388292015e4c2d075b935a8299d99335d957e3ad5134a33f28c4dc7f5e3687c5

General

Target

_BUSAN_HOCHIMINH_FEB.25.exe
Size

738KB
MD5

08b4042d2a89ebcff8537ba458295e48
SHA1

91e3fd4718786c523620c31465232113580ea477
SHA256

388292015e4c2d075b935a8299d99335d957e3ad5134a33f28c4dc7f5e3687c5
SHA512

5be0e94d68f8d0599c9323bb4c03635a0e000ff541b9924f6b83eba8adeda55c9528c818093f690249f51cd1976389c77d841e7f373fb1b5d362ba57ea36a222

Score

10^/10

formbook a04s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a04s

Decoy

lovelyveganfoods.com

wahidi.net

hwcstl.com

psnews.today

depress-elastic.com

r3mixlogistics.com

crimeawartoken.com

changethewayyouseegreen.com

mfa-azubi.com

maximizeprofit.store

alternativesclimat.net

turkcellsuperonline.xyz

extractword.com

radiotec-solutions.com

flawlesscity.com

schatzbenifits.com

gymzf.xyz

runpa.site

cryptocdes.biz

harryhoppe.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/820-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/820-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1072-82-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 820 set thread context of 1408	820	vbc.exe	22
PID 820 set thread context of 1408	820	vbc.exe	22
PID 1072 set thread context of 1408	1072	cmd.exe	22

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1724	_BUSAN_HOCHIMINH_FEB.25.exe
1724	_BUSAN_HOCHIMINH_FEB.25.exe
820	vbc.exe
820	vbc.exe
856	powershell.exe
820	vbc.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe
1072	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
820	vbc.exe
820	vbc.exe
820	vbc.exe
820	vbc.exe
1072	cmd.exe
1072	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	_BUSAN_HOCHIMINH_FEB.25.exe
Token: SeDebugPrivilege	820	vbc.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1072	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1408	Explorer.EXE
1408	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1408	Explorer.EXE
1408	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 856	1724	_BUSAN_HOCHIMINH_FEB.25.exe	27
PID 1724 wrote to memory of 856	1724	_BUSAN_HOCHIMINH_FEB.25.exe	27
PID 1724 wrote to memory of 856	1724	_BUSAN_HOCHIMINH_FEB.25.exe	27
PID 1724 wrote to memory of 856	1724	_BUSAN_HOCHIMINH_FEB.25.exe	27
PID 1724 wrote to memory of 1756	1724	_BUSAN_HOCHIMINH_FEB.25.exe	29
PID 1724 wrote to memory of 1756	1724	_BUSAN_HOCHIMINH_FEB.25.exe	29
PID 1724 wrote to memory of 1756	1724	_BUSAN_HOCHIMINH_FEB.25.exe	29
PID 1724 wrote to memory of 1756	1724	_BUSAN_HOCHIMINH_FEB.25.exe	29
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1724 wrote to memory of 820	1724	_BUSAN_HOCHIMINH_FEB.25.exe	31
PID 1408 wrote to memory of 1072	1408	Explorer.EXE	32
PID 1408 wrote to memory of 1072	1408	Explorer.EXE	32
PID 1408 wrote to memory of 1072	1408	Explorer.EXE	32
PID 1408 wrote to memory of 1072	1408	Explorer.EXE	32
PID 1072 wrote to memory of 1284	1072	cmd.exe	33
PID 1072 wrote to memory of 1284	1072	cmd.exe	33
PID 1072 wrote to memory of 1284	1072	cmd.exe	33
PID 1072 wrote to memory of 1284	1072	cmd.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\_BUSAN_HOCHIMINH_FEB.25.exe
  "C:\Users\Admin\AppData\Local\Temp\_BUSAN_HOCHIMINH_FEB.25.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YtGUemuxgzC.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YtGUemuxgzC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp583E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-74-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/820-72-0x0000000000CC0000-0x0000000000FC3000-memory.dmp

Filesize
3.0MB

Download
memory/820-75-0x0000000000280000-0x0000000000295000-memory.dmp

Filesize
84KB

Download
memory/820-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-78-0x00000000002D0000-0x00000000002E5000-memory.dmp

Filesize
84KB

Download
memory/820-77-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/820-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-67-0x000000006F151000-0x000000006F152000-memory.dmp

Filesize
4KB

Download
memory/856-73-0x0000000002332000-0x0000000002334000-memory.dmp

Filesize
8KB

Download
memory/856-68-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/856-71-0x0000000002331000-0x0000000002332000-memory.dmp

Filesize
4KB

Download
memory/856-70-0x000000006F152000-0x000000006F154000-memory.dmp

Filesize
8KB

Download
memory/1072-81-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/1072-80-0x000000004A1B0000-0x000000004A1FC000-memory.dmp

Filesize
304KB

Download
memory/1072-82-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1072-83-0x0000000001D20000-0x0000000001DB4000-memory.dmp

Filesize
592KB

Download
memory/1408-69-0x0000000006A40000-0x0000000006BBA000-memory.dmp

Filesize
1.5MB

Download
memory/1408-79-0x00000000065E0000-0x00000000066D8000-memory.dmp

Filesize
992KB

Download
memory/1408-84-0x00000000072C0000-0x00000000073F5000-memory.dmp

Filesize
1.2MB

Download
memory/1724-53-0x0000000001060000-0x000000000111E000-memory.dmp

Filesize
760KB

Download
memory/1724-61-0x0000000005760000-0x0000000005794000-memory.dmp

Filesize
208KB

Download
memory/1724-58-0x0000000005550000-0x0000000005604000-memory.dmp

Filesize
720KB

Download
memory/1724-57-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/1724-56-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1724-55-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/1724-54-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads