formbook | a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88

General

Target

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe
Size

352KB
MD5

aed32e73954c2d390a835e4a9d142a59
SHA1

e0aa4527d20f23d3975914e271f17cddfc178b69
SHA256

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88
SHA512

306d6ee82a5906e575e2882a8ecb880532300499029296ef5e69b1fe1000e3b0a3b224d061fee2368ee2aa788ca92d627726df350a67262b9e0d54beedb5a688

Score

10^/10

formbook kvsz rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

hdlivesonlinetv24.com

illaheehillsseniorliving.com

wihong.com

christopher-cost.com

huayvipee.com

csdroped.xyz

relationsvivantes.com

xmcombohome.com

qingc2.com

sunsetcinemamusic.com

anotherheadache.com

connectlcv.com

unitermi.com

cugetarileunuisarman.com

agakegois.com

burnercouture.com

ambassador-holidays.com

schnarr-design.com

2013lang.com

httattoos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1120-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1120-65-0x000000000041ED10-mapping.dmp	formbook
behavioral1/memory/1552-74-0x0000000000090000-0x00000000000BE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exeRegSvcs.execmstp.exe

description	pid	process	target process
PID 1512 set thread context of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1120 set thread context of 1420	1120	RegSvcs.exe	Explorer.EXE
PID 1552 set thread context of 1420	1552	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

628 schtasks.exe

pid	process
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

RegSvcs.execmstp.exe

pid	process
1120	RegSvcs.exe
1120	RegSvcs.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe
1552	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmstp.exe

pid process

1120 RegSvcs.exe
1120 RegSvcs.exe
1120 RegSvcs.exe
1552 cmstp.exe
1552 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.execmstp.exe

description pid process

Token: SeDebugPrivilege 1120 RegSvcs.exe
Token: SeDebugPrivilege 1552 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1120	RegSvcs.exe
Token: SeDebugPrivilege	1552	cmstp.exe

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1512 wrote to memory of 628	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 1512 wrote to memory of 628	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 1512 wrote to memory of 628	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 1512 wrote to memory of 628	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1512 wrote to memory of 1120	1512	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1420 wrote to memory of 1552	1420	Explorer.EXE	cmstp.exe
PID 1552 wrote to memory of 804	1552	cmstp.exe	cmd.exe
PID 1552 wrote to memory of 804	1552	cmstp.exe	cmd.exe
PID 1552 wrote to memory of 804	1552	cmstp.exe	cmd.exe
PID 1552 wrote to memory of 804	1552	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe
"C:\Users\Admin\AppData\Local\Temp\a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWtPFU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFED.tmp"
3⤵
- Creates scheduled task(s)
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:588

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1132

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1496

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:320

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1312

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:560

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1384

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:688

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1060

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:828

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1204

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1572

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCFED.tmp
Filesize
1KB

MD5
d83ecc720da92ae4bb5a18c4cf79fcc9

SHA1
3f9ebf78c5656fc00364b831b461b3e299b3c2e4

SHA256
09ae69b771d8bfb84e74e964b079cbfd65f718b627eb0bff02e6b7ee7430085c

SHA512
ce6e8b8a6b5654ad72bc9d2fb14bd1b36c2e971c92b6ac0a12195ae0b87cb8aec577ce112b1883b123a6625662b8c0618f3de9f5d91ff657d0f96bf332bc8910

Download Submit
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/804-72-0x0000000000000000-mapping.dmp

Download
memory/1120-67-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/1120-68-0x0000000000470000-0x0000000000484000-memory.dmp

Filesize
80KB

Download
memory/1120-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1120-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1120-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1120-65-0x000000000041ED10-mapping.dmp

Download
memory/1420-77-0x0000000004A50000-0x0000000004B31000-memory.dmp

Filesize
900KB

Download
memory/1420-69-0x0000000007030000-0x000000000718B000-memory.dmp

Filesize
1.4MB

Download
memory/1512-56-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1512-58-0x0000000004C70000-0x0000000004CA6000-memory.dmp

Filesize
216KB

Download
memory/1512-55-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1512-54-0x00000000012D0000-0x000000000132E000-memory.dmp

Filesize
376KB

Download
memory/1512-57-0x0000000004C20000-0x0000000004C76000-memory.dmp

Filesize
344KB

Download
memory/1552-70-0x0000000000000000-mapping.dmp

Download
memory/1552-73-0x0000000000C50000-0x0000000000C68000-memory.dmp

Filesize
96KB

Download
memory/1552-74-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/1552-75-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/1552-76-0x0000000000920000-0x00000000009B3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads