formbook | 1668071dae27e79c5de1abc1d04e278ce9ffe980fd36fa194e9d32ab00ac6831

General

Target

Scan0186460022.exe
Size

28KB
MD5

4fcb4c25f8c90512688e83cdc8daf8b3
SHA1

256bb873dcfa16fade3e911cb348b217df8b389f
SHA256

1668071dae27e79c5de1abc1d04e278ce9ffe980fd36fa194e9d32ab00ac6831
SHA512

f6544e3212c721d93d631dc9b9d367080383bc9b036cf1fd7a4cccf5c53b6c6118d922607aee109f28a4c3342bc0763791c968f4b721a2774c7ba800b68fc70e

Score

10^/10

formbook oh75 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/560-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/560-76-0x000000000041F0F0-mapping.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

Ywpmbqmfovrour.exe

pid process

1044 Ywpmbqmfovrour.exe
Loads dropped DLL 1 IoCs

Processes:

Scan0186460022.exe

pid process

964 Scan0186460022.exe

pid	process
1044	Ywpmbqmfovrour.exe

pid	process
964	Scan0186460022.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ywpmbqmfovrour.exeScan0186460022.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsof = "\"C:\\Users\\Admin\\AppData\\Roaming\\offie\\microsof.exe\""	Ywpmbqmfovrour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsof = "\"C:\\Users\\Admin\\AppData\\Roaming\\offie\\microsof.exe\""	Scan0186460022.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Scan0186460022.exeYwpmbqmfovrour.exe

description	pid	process	target process
PID 964 set thread context of 560	964	Scan0186460022.exe	RegAsm.exe
PID 1044 set thread context of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1556 560 WerFault.exe RegAsm.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1876 timeout.exe
1112 timeout.exe
1312 timeout.exe
1508 timeout.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1884 PING.EXE
1224 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RegAsm.exe

pid process

1728 RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Scan0186460022.exeYwpmbqmfovrour.exe

pid process

964 Scan0186460022.exe
964 Scan0186460022.exe
1044 Ywpmbqmfovrour.exe
1044 Ywpmbqmfovrour.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Scan0186460022.exeYwpmbqmfovrour.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 964 Scan0186460022.exe
Token: SeDebugPrivilege 1044 Ywpmbqmfovrour.exe
Token: SeDebugPrivilege 1728 RegAsm.exe

pid	pid_target	process	target process
1556	560	WerFault.exe	RegAsm.exe

pid	process
1876	timeout.exe
1112	timeout.exe
1312	timeout.exe
1508	timeout.exe

pid	process
1884	PING.EXE
1224	PING.EXE

pid	process
1728	RegAsm.exe

pid	process
964	Scan0186460022.exe
964	Scan0186460022.exe
1044	Ywpmbqmfovrour.exe
1044	Ywpmbqmfovrour.exe

description	pid	process
Token: SeDebugPrivilege	964	Scan0186460022.exe
Token: SeDebugPrivilege	1044	Ywpmbqmfovrour.exe
Token: SeDebugPrivilege	1728	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Scan0186460022.execmd.execmd.exeYwpmbqmfovrour.execmd.exeRegAsm.execmd.exe

description	pid	process	target process
PID 964 wrote to memory of 2032	964	Scan0186460022.exe	cmd.exe
PID 964 wrote to memory of 2032	964	Scan0186460022.exe	cmd.exe
PID 964 wrote to memory of 2032	964	Scan0186460022.exe	cmd.exe
PID 964 wrote to memory of 2032	964	Scan0186460022.exe	cmd.exe
PID 2032 wrote to memory of 1876	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 1876	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 1876	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 1876	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 1884	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1884	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1884	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1884	2032	cmd.exe	PING.EXE
PID 964 wrote to memory of 1996	964	Scan0186460022.exe	cmd.exe
PID 964 wrote to memory of 1996	964	Scan0186460022.exe	cmd.exe
PID 964 wrote to memory of 1996	964	Scan0186460022.exe	cmd.exe
PID 964 wrote to memory of 1996	964	Scan0186460022.exe	cmd.exe
PID 1996 wrote to memory of 1112	1996	cmd.exe	timeout.exe
PID 1996 wrote to memory of 1112	1996	cmd.exe	timeout.exe
PID 1996 wrote to memory of 1112	1996	cmd.exe	timeout.exe
PID 1996 wrote to memory of 1112	1996	cmd.exe	timeout.exe
PID 964 wrote to memory of 1044	964	Scan0186460022.exe	Ywpmbqmfovrour.exe
PID 964 wrote to memory of 1044	964	Scan0186460022.exe	Ywpmbqmfovrour.exe
PID 964 wrote to memory of 1044	964	Scan0186460022.exe	Ywpmbqmfovrour.exe
PID 964 wrote to memory of 1044	964	Scan0186460022.exe	Ywpmbqmfovrour.exe
PID 1044 wrote to memory of 1060	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1044 wrote to memory of 1060	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1044 wrote to memory of 1060	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1044 wrote to memory of 1060	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1060 wrote to memory of 1312	1060	cmd.exe	timeout.exe
PID 1060 wrote to memory of 1312	1060	cmd.exe	timeout.exe
PID 1060 wrote to memory of 1312	1060	cmd.exe	timeout.exe
PID 1060 wrote to memory of 1312	1060	cmd.exe	timeout.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 964 wrote to memory of 560	964	Scan0186460022.exe	RegAsm.exe
PID 560 wrote to memory of 1556	560	RegAsm.exe	WerFault.exe
PID 560 wrote to memory of 1556	560	RegAsm.exe	WerFault.exe
PID 560 wrote to memory of 1556	560	RegAsm.exe	WerFault.exe
PID 560 wrote to memory of 1556	560	RegAsm.exe	WerFault.exe
PID 1060 wrote to memory of 1224	1060	cmd.exe	PING.EXE
PID 1060 wrote to memory of 1224	1060	cmd.exe	PING.EXE
PID 1060 wrote to memory of 1224	1060	cmd.exe	PING.EXE
PID 1060 wrote to memory of 1224	1060	cmd.exe	PING.EXE
PID 1044 wrote to memory of 772	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1044 wrote to memory of 772	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1044 wrote to memory of 772	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 1044 wrote to memory of 772	1044	Ywpmbqmfovrour.exe	cmd.exe
PID 772 wrote to memory of 1508	772	cmd.exe	timeout.exe
PID 772 wrote to memory of 1508	772	cmd.exe	timeout.exe
PID 772 wrote to memory of 1508	772	cmd.exe	timeout.exe
PID 772 wrote to memory of 1508	772	cmd.exe	timeout.exe
PID 1044 wrote to memory of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe
PID 1044 wrote to memory of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe
PID 1044 wrote to memory of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe
PID 1044 wrote to memory of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe
PID 1044 wrote to memory of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe
PID 1044 wrote to memory of 1728	1044	Ywpmbqmfovrour.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Scan0186460022.exe
"C:\Users\Admin\AppData\Local\Temp\Scan0186460022.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 15 -nobreak && ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\timeout.exe
timeout -t 15 -nobreak
3⤵
- Delays execution with timeout.exe
PID:1876

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 20
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\timeout.exe
timeout 20
3⤵
- Delays execution with timeout.exe
PID:1112

C:\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe
"C:\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 15 -nobreak && ping google.com
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout -t 15 -nobreak
4⤵
- Delays execution with timeout.exe
PID:1312

C:\Windows\SysWOW64\PING.EXE
ping google.com
4⤵
- Runs ping.exe
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 20
3⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\timeout.exe
timeout 20
4⤵
- Delays execution with timeout.exe
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 256
3⤵
- Program crash
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe
MD5
adb9244b4ce54305892fc9032f2d90f6

SHA1
363d6ee825adc1aeb0e003e0664c46cd29f926b8

SHA256
e3f1991e87e0f03dd5b33b7a79c7caf5d34bd3a71bcad66ddbdf0d6b0844cec2

SHA512
62a5e2a5cfb173aade5a859892eaebf93470c1696b6c1daaf64a8497e8222e6d744360aa0558fe716b3854b9f07c813d5df6c6da01cb0f2af509b43dac7fdf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe
MD5
adb9244b4ce54305892fc9032f2d90f6

SHA1
363d6ee825adc1aeb0e003e0664c46cd29f926b8

SHA256
e3f1991e87e0f03dd5b33b7a79c7caf5d34bd3a71bcad66ddbdf0d6b0844cec2

SHA512
62a5e2a5cfb173aade5a859892eaebf93470c1696b6c1daaf64a8497e8222e6d744360aa0558fe716b3854b9f07c813d5df6c6da01cb0f2af509b43dac7fdf0c

Download Submit
C:\Users\Admin\AppData\Roaming\offie\microsof.exe
MD5
adb9244b4ce54305892fc9032f2d90f6

SHA1
363d6ee825adc1aeb0e003e0664c46cd29f926b8

SHA256
e3f1991e87e0f03dd5b33b7a79c7caf5d34bd3a71bcad66ddbdf0d6b0844cec2

SHA512
62a5e2a5cfb173aade5a859892eaebf93470c1696b6c1daaf64a8497e8222e6d744360aa0558fe716b3854b9f07c813d5df6c6da01cb0f2af509b43dac7fdf0c

Download Submit
\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe
MD5
adb9244b4ce54305892fc9032f2d90f6

SHA1
363d6ee825adc1aeb0e003e0664c46cd29f926b8

SHA256
e3f1991e87e0f03dd5b33b7a79c7caf5d34bd3a71bcad66ddbdf0d6b0844cec2

SHA512
62a5e2a5cfb173aade5a859892eaebf93470c1696b6c1daaf64a8497e8222e6d744360aa0558fe716b3854b9f07c813d5df6c6da01cb0f2af509b43dac7fdf0c

Download Submit
memory/560-76-0x000000000041F0F0-mapping.dmp

Download
memory/560-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-83-0x0000000000000000-mapping.dmp

Download
memory/964-54-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/964-62-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/964-61-0x0000000004CD0000-0x0000000004D1E000-memory.dmp

Filesize
312KB

Download
memory/964-60-0x0000000000D60000-0x0000000000DB0000-memory.dmp

Filesize
320KB

Download
memory/964-59-0x00000000055D0000-0x0000000005678000-memory.dmp

Filesize
672KB

Download
memory/964-55-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/1044-81-0x0000000004790000-0x00000000047D8000-memory.dmp

Filesize
288KB

Download
memory/1044-66-0x0000000000000000-mapping.dmp

Download
memory/1044-69-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/1044-80-0x00000000054E0000-0x000000000557E000-memory.dmp

Filesize
632KB

Download
memory/1044-82-0x0000000004900000-0x0000000004944000-memory.dmp

Filesize
272KB

Download
memory/1060-70-0x0000000000000000-mapping.dmp

Download
memory/1112-64-0x0000000000000000-mapping.dmp

Download
memory/1224-79-0x0000000000000000-mapping.dmp

Download
memory/1312-71-0x0000000000000000-mapping.dmp

Download
memory/1508-84-0x0000000000000000-mapping.dmp

Download
memory/1556-78-0x0000000000000000-mapping.dmp

Download
memory/1728-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-101-0x0000000004E05000-0x0000000004E16000-memory.dmp

Filesize
68KB

Download
memory/1728-100-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1728-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-99-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/1728-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-93-0x0000000000419B6E-mapping.dmp

Download
memory/1728-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1876-57-0x0000000000000000-mapping.dmp

Download
memory/1884-58-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads