formbook | a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88

General

Target

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe
Size

352KB
MD5

aed32e73954c2d390a835e4a9d142a59
SHA1

e0aa4527d20f23d3975914e271f17cddfc178b69
SHA256

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88
SHA512

306d6ee82a5906e575e2882a8ecb880532300499029296ef5e69b1fe1000e3b0a3b224d061fee2368ee2aa788ca92d627726df350a67262b9e0d54beedb5a688

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

hdlivesonlinetv24.com

illaheehillsseniorliving.com

wihong.com

christopher-cost.com

huayvipee.com

csdroped.xyz

relationsvivantes.com

xmcombohome.com

qingc2.com

sunsetcinemamusic.com

anotherheadache.com

connectlcv.com

unitermi.com

cugetarileunuisarman.com

agakegois.com

burnercouture.com

ambassador-holidays.com

schnarr-design.com

2013lang.com

httattoos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4812-139-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/5104-146-0x0000000000C00000-0x0000000000C2E000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exeRegSvcs.exeipconfig.exe

description	pid	process	target process
PID 3540 set thread context of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 4812 set thread context of 3128	4812	RegSvcs.exe	Explorer.EXE
PID 5104 set thread context of 3128	5104	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1728 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

5104 ipconfig.exe

pid	process
1728	schtasks.exe

pid	process
5104	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exeRegSvcs.exeipconfig.exe

pid	process
3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe
4812	RegSvcs.exe
4812	RegSvcs.exe
4812	RegSvcs.exe
4812	RegSvcs.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe
5104	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeipconfig.exe

pid process

4812 RegSvcs.exe
4812 RegSvcs.exe
4812 RegSvcs.exe
5104 ipconfig.exe
5104 ipconfig.exe

pid	process
3128	Explorer.EXE

pid	process
4812	RegSvcs.exe
4812	RegSvcs.exe
4812	RegSvcs.exe
5104	ipconfig.exe
5104	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exeRegSvcs.exeipconfig.exe

description	pid	process
Token: SeDebugPrivilege	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe
Token: SeDebugPrivilege	4812	RegSvcs.exe
Token: SeDebugPrivilege	5104	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 3540 wrote to memory of 1728	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 3540 wrote to memory of 1728	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 3540 wrote to memory of 1728	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	schtasks.exe
PID 3540 wrote to memory of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 3540 wrote to memory of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 3540 wrote to memory of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 3540 wrote to memory of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 3540 wrote to memory of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 3540 wrote to memory of 4812	3540	a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe	RegSvcs.exe
PID 3128 wrote to memory of 5104	3128	Explorer.EXE	ipconfig.exe
PID 3128 wrote to memory of 5104	3128	Explorer.EXE	ipconfig.exe
PID 3128 wrote to memory of 5104	3128	Explorer.EXE	ipconfig.exe
PID 5104 wrote to memory of 660	5104	ipconfig.exe	cmd.exe
PID 5104 wrote to memory of 660	5104	ipconfig.exe	cmd.exe
PID 5104 wrote to memory of 660	5104	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe
"C:\Users\Admin\AppData\Local\Temp\a17edecac2d18b23265bb37f240b5a8cd9eedc00ed6154f384f8ddd7e538ca88.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWtPFU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C0C.tmp"
3⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2C0C.tmp
Filesize
1KB

MD5
414303dbc6152564e91e066c3cac18cb

SHA1
a827509741b56ac9b93b55675432c150b87561a7

SHA256
8eaf40cf1f8b6c93237fd387503ebc0ee34e7e96c8020403db81556f11b66669

SHA512
a7041bb23d896e25b85c941abed18bd9ee631583e2e593f9dda605d4790dd37f8187e75f1be30047a1205c633a9faee8903b9ac6bc6560972a79ec2a638bd13a

Download Submit
memory/660-148-0x0000000000000000-mapping.dmp

Download
memory/1728-136-0x0000000000000000-mapping.dmp

Download
memory/3128-143-0x0000000003420000-0x0000000003510000-memory.dmp

Filesize
960KB

Download
memory/3128-150-0x0000000003700000-0x00000000037BE000-memory.dmp

Filesize
760KB

Download
memory/3540-131-0x00000000049C0000-0x0000000004A5C000-memory.dmp

Filesize
624KB

Download
memory/3540-132-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/3540-133-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/3540-134-0x0000000004950000-0x000000000495A000-memory.dmp

Filesize
40KB

Download
memory/3540-135-0x0000000004CA0000-0x0000000004CF6000-memory.dmp

Filesize
344KB

Download
memory/3540-130-0x00000000000A0000-0x00000000000FE000-memory.dmp

Filesize
376KB

Download
memory/4812-141-0x0000000001580000-0x00000000018CA000-memory.dmp

Filesize
3.3MB

Download
memory/4812-142-0x0000000001380000-0x0000000001394000-memory.dmp

Filesize
80KB

Download
memory/4812-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4812-138-0x0000000000000000-mapping.dmp

Download
memory/5104-144-0x0000000000000000-mapping.dmp

Download
memory/5104-145-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/5104-146-0x0000000000C00000-0x0000000000C2E000-memory.dmp

Filesize
184KB

Download
memory/5104-147-0x0000000001480000-0x00000000017CA000-memory.dmp

Filesize
3.3MB

Download
memory/5104-149-0x00000000012B0000-0x0000000001343000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads