formbook | 315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c

General

Target

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
Size

733KB
MD5

a2225e6ddb8ca51732c83c66f1af9f6f
SHA1

bb49ebe5e22ffb213d5f25f8c4dbafff6487ab66
SHA256

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c
SHA512

18414dff21d71926cc20148efae5f45b49b1a3550dedaad911f1f5f4dc8e91626f6b2610a9801fd3fca5285a6329277714cae52b9c7cba31a276f0f0fd3b3376

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

hdlivesonlinetv24.com

illaheehillsseniorliving.com

wihong.com

christopher-cost.com

huayvipee.com

csdroped.xyz

relationsvivantes.com

xmcombohome.com

qingc2.com

sunsetcinemamusic.com

anotherheadache.com

connectlcv.com

unitermi.com

cugetarileunuisarman.com

agakegois.com

burnercouture.com

ambassador-holidays.com

schnarr-design.com

2013lang.com

httattoos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2304-139-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/688-146-0x0000000000F60000-0x0000000000F8E000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 1496 set thread context of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 2304 set thread context of 3148	2304	RegSvcs.exe	Explorer.EXE
PID 688 set thread context of 3148	688	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3912 schtasks.exe

pid	process
3912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeRegSvcs.execmd.exe

pid	process
1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
2304	RegSvcs.exe
2304	RegSvcs.exe
2304	RegSvcs.exe
2304	RegSvcs.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmd.exe

pid process

2304 RegSvcs.exe
2304 RegSvcs.exe
2304 RegSvcs.exe
688 cmd.exe
688 cmd.exe

pid	process
3148	Explorer.EXE

pid	process
2304	RegSvcs.exe
2304	RegSvcs.exe
2304	RegSvcs.exe
688	cmd.exe
688	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeRegSvcs.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
Token: SeDebugPrivilege	2304	RegSvcs.exe
Token: SeDebugPrivilege	688	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1496 wrote to memory of 3912	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1496 wrote to memory of 3912	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1496 wrote to memory of 3912	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	schtasks.exe
PID 1496 wrote to memory of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1496 wrote to memory of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1496 wrote to memory of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1496 wrote to memory of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1496 wrote to memory of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 1496 wrote to memory of 2304	1496	315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe	RegSvcs.exe
PID 3148 wrote to memory of 688	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 688	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 688	3148	Explorer.EXE	cmd.exe
PID 688 wrote to memory of 1296	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 1296	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 1296	688	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\315e737738df8faaeeb36c8fb6c692a18179675dcd4648a1dc982678e46f8f7c.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TAmIZYH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F0A.tmp"
3⤵
- Creates scheduled task(s)
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4F0A.tmp
Filesize
1KB

MD5
1312483e21d545bbe82a0d1fa83fe023

SHA1
cc8f8317e52c32a0030163a5c94bbb7d56bac166

SHA256
add5279c3f85f7e9eff2d3925b69f112b43c628137ab065b6fe7aa1fb59c42bf

SHA512
cb8d312267d41bb06ffbdf675553502130de8840868e3aaf18a0666086c14ac54dccb465467beec3eaa11b30595f1a9ae94a9c9e37a6a8f4496549f0a003f200

Download Submit
memory/688-149-0x0000000001880000-0x0000000001913000-memory.dmp

Filesize
588KB

Download
memory/688-147-0x0000000001AE0000-0x0000000001E2A000-memory.dmp

Filesize
3.3MB

Download
memory/688-146-0x0000000000F60000-0x0000000000F8E000-memory.dmp

Filesize
184KB

Download
memory/688-145-0x0000000000010000-0x000000000006A000-memory.dmp

Filesize
360KB

Download
memory/688-144-0x0000000000000000-mapping.dmp

Download
memory/1296-148-0x0000000000000000-mapping.dmp

Download
memory/1496-135-0x00000000061C0000-0x0000000006216000-memory.dmp

Filesize
344KB

Download
memory/1496-130-0x0000000000FD0000-0x0000000001090000-memory.dmp

Filesize
768KB

Download
memory/1496-134-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

Filesize
40KB

Download
memory/1496-133-0x0000000006030000-0x00000000060C2000-memory.dmp

Filesize
584KB

Download
memory/1496-132-0x0000000006540000-0x0000000006AE4000-memory.dmp

Filesize
5.6MB

Download
memory/1496-131-0x0000000005EF0000-0x0000000005F8C000-memory.dmp

Filesize
624KB

Download
memory/2304-138-0x0000000000000000-mapping.dmp

Download
memory/2304-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2304-141-0x00000000018C0000-0x0000000001C0A000-memory.dmp

Filesize
3.3MB

Download
memory/2304-142-0x0000000001C40000-0x0000000001C54000-memory.dmp

Filesize
80KB

Download
memory/3148-143-0x0000000002720000-0x0000000002881000-memory.dmp

Filesize
1.4MB

Download
memory/3148-150-0x0000000002B70000-0x0000000002C0F000-memory.dmp

Filesize
636KB

Download
memory/3912-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads