formbook | 315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c

General

Target

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
Size

733KB
MD5

a2225e6ddb8ca51732c83c66f1af9f6f
SHA1

bb49ebe5e22ffb213d5f25f8c4dbafff6487ab66
SHA256

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c
SHA512

18414dff21d71926cc20148efae5f45b49b1a3550dedaad911f1f5f4dc8e91626f6b2610a9801fd3fca5285a6329277714cae52b9c7cba31a276f0f0fd3b3376

Score

10^/10

formbook kvsz rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

hdlivesonlinetv24.com

illaheehillsseniorliving.com

wihong.com

christopher-cost.com

huayvipee.com

csdroped.xyz

relationsvivantes.com

xmcombohome.com

qingc2.com

sunsetcinemamusic.com

anotherheadache.com

connectlcv.com

unitermi.com

cugetarileunuisarman.com

agakegois.com

burnercouture.com

ambassador-holidays.com

schnarr-design.com

2013lang.com

httattoos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1696-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1696-65-0x000000000041ED10-mapping.dmp	formbook
behavioral1/memory/1696-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1284-74-0x0000000000110000-0x000000000013E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeRegSvcs.execontrol.exe

description	pid	process	target process
PID 1196 set thread context of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1696 set thread context of 1200	1696	RegSvcs.exe	Explorer.EXE
PID 1284 set thread context of 1200	1284	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1568 schtasks.exe

pid	process
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeRegSvcs.execontrol.exe

pid	process
1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1696	RegSvcs.exe
1696	RegSvcs.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe
1284	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execontrol.exe

pid process

1696 RegSvcs.exe
1696 RegSvcs.exe
1696 RegSvcs.exe
1284 control.exe
1284 control.exe

pid	process
1696	RegSvcs.exe
1696	RegSvcs.exe
1696	RegSvcs.exe
1284	control.exe
1284	control.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeRegSvcs.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
Token: SeDebugPrivilege	1696	RegSvcs.exe
Token: SeDebugPrivilege	1284	control.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1196 wrote to memory of 1568	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1196 wrote to memory of 1568	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1196 wrote to memory of 1568	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1196 wrote to memory of 1568	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1196 wrote to memory of 1696	1196	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1200 wrote to memory of 1284	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 1284	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 1284	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 1284	1200	Explorer.EXE	control.exe
PID 1284 wrote to memory of 820	1284	control.exe	cmd.exe
PID 1284 wrote to memory of 820	1284	control.exe	cmd.exe
PID 1284 wrote to memory of 820	1284	control.exe	cmd.exe
PID 1284 wrote to memory of 820	1284	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TAmIZYH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6079.tmp"
3⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6079.tmp
Filesize
1KB

MD5
d6ee9a884dea5ae51c5697c8d0c3da33

SHA1
cbf5f5b1e461a1fb1786b5a81b573436002eed17

SHA256
eefdc4ec8100ef4a73d7e3ecf0ded0405ca0e5b4f4f1af92715b24fc8e2b7a6c

SHA512
1459ec6aa40d7ad592558047fc8797b23cbc39c5fed8cd75bbad9abe4ccee666c13e573acabf0cf5557d01d0e42e9d1d2a65f2e0a0bc0890bdad6d655567f1f9

Download Submit
memory/820-75-0x0000000000000000-mapping.dmp

Download
memory/1196-57-0x0000000004BC0000-0x0000000004C16000-memory.dmp

Filesize
344KB

Download
memory/1196-58-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/1196-54-0x0000000000A60000-0x0000000000B20000-memory.dmp

Filesize
768KB

Download
memory/1196-56-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1196-55-0x00000000009F0000-0x0000000000A46000-memory.dmp

Filesize
344KB

Download
memory/1200-78-0x0000000006030000-0x0000000006130000-memory.dmp

Filesize
1024KB

Download
memory/1200-70-0x0000000004210000-0x00000000042E8000-memory.dmp

Filesize
864KB

Download
memory/1284-71-0x0000000000000000-mapping.dmp

Download
memory/1284-77-0x0000000001CA0000-0x0000000001D33000-memory.dmp

Filesize
588KB

Download
memory/1284-76-0x0000000001DD0000-0x00000000020D3000-memory.dmp

Filesize
3.0MB

Download
memory/1284-74-0x0000000000110000-0x000000000013E000-memory.dmp

Filesize
184KB

Download
memory/1284-73-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/1284-72-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1568-59-0x0000000000000000-mapping.dmp

Download
memory/1696-69-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1696-68-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1696-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-65-0x000000000041ED10-mapping.dmp

Download
memory/1696-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads