formbook | 259e5ef027d03917665224d147607bb75367f2089e66633d6fa7d7918b7a6706

General

Target

orden de compra.exe
Size

442KB
MD5

e9af9f387d78e1f4ee36f4f477bbdbad
SHA1

27dcc86366c3b154f68290ea5663de6e42522478
SHA256

9bd3202d7f71a48a80d612198106d7180c0e0350a79c970863ec0cd19cc6b47a
SHA512

68c94011095e67e6bbd695573895f5b7df262777b10f6eb7ae9b9bd867f56c30dcabb3c3aab340ce579c68feb958da1a495cfdd691f7188e001afaa2b3dcfc04

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1332-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1332-65-0x000000000041ECA0-mapping.dmp	formbook
behavioral1/memory/1332-70-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/584-76-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

orden de compra.exeRegSvcs.execontrol.exe

description	pid	process	target process
PID 1664 set thread context of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1332 set thread context of 1212	1332	RegSvcs.exe	Explorer.EXE
PID 1332 set thread context of 1212	1332	RegSvcs.exe	Explorer.EXE
PID 584 set thread context of 1212	584	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1320 schtasks.exe

pid	process
1320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

orden de compra.exeRegSvcs.execontrol.exe

pid	process
1664	orden de compra.exe
1664	orden de compra.exe
1664	orden de compra.exe
1664	orden de compra.exe
1332	RegSvcs.exe
1332	RegSvcs.exe
1332	RegSvcs.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execontrol.exe

pid process

1332 RegSvcs.exe
1332 RegSvcs.exe
1332 RegSvcs.exe
1332 RegSvcs.exe
584 control.exe
584 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

orden de compra.exeRegSvcs.execontrol.exe

description pid process

Token: SeDebugPrivilege 1664 orden de compra.exe
Token: SeDebugPrivilege 1332 RegSvcs.exe
Token: SeDebugPrivilege 584 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1332	RegSvcs.exe
1332	RegSvcs.exe
1332	RegSvcs.exe
1332	RegSvcs.exe
584	control.exe
584	control.exe

description	pid	process
Token: SeDebugPrivilege	1664	orden de compra.exe
Token: SeDebugPrivilege	1332	RegSvcs.exe
Token: SeDebugPrivilege	584	control.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

orden de compra.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1664 wrote to memory of 1320	1664	orden de compra.exe	schtasks.exe
PID 1664 wrote to memory of 1320	1664	orden de compra.exe	schtasks.exe
PID 1664 wrote to memory of 1320	1664	orden de compra.exe	schtasks.exe
PID 1664 wrote to memory of 1320	1664	orden de compra.exe	schtasks.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1236	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1664 wrote to memory of 1332	1664	orden de compra.exe	RegSvcs.exe
PID 1212 wrote to memory of 584	1212	Explorer.EXE	control.exe
PID 1212 wrote to memory of 584	1212	Explorer.EXE	control.exe
PID 1212 wrote to memory of 584	1212	Explorer.EXE	control.exe
PID 1212 wrote to memory of 584	1212	Explorer.EXE	control.exe
PID 584 wrote to memory of 1396	584	control.exe	cmd.exe
PID 584 wrote to memory of 1396	584	control.exe	cmd.exe
PID 584 wrote to memory of 1396	584	control.exe	cmd.exe
PID 584 wrote to memory of 1396	584	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\orden de compra.exe
"C:\Users\Admin\AppData\Local\Temp\orden de compra.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JzVjvzpP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC015.tmp"
3⤵
- Creates scheduled task(s)
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC015.tmp
Filesize
1KB

MD5
62577f8d61faed6d7397850441eaaebc

SHA1
58f963c8e7491518f83ebd6214796dbfc0bf764b

SHA256
b8a966e33bdaa37e21a394e3236125b1769ffe19e5b72d78ccf72fb3e4ac9e79

SHA512
334e51d4bd642aa03f051eb2d3deba8919b7f8e30666655bf041d9ea86ad03d8fc0f4deefefbb25b1ddb426d4c938570990b5877af3a91f0babb4e46463ba925

Download Submit
memory/584-75-0x0000000000E50000-0x0000000000E6F000-memory.dmp

Filesize
124KB

Download
memory/584-73-0x0000000000000000-mapping.dmp

Download
memory/584-79-0x00000000004B0000-0x0000000000543000-memory.dmp

Filesize
588KB

Download
memory/584-77-0x0000000002270000-0x0000000002573000-memory.dmp

Filesize
3.0MB

Download
memory/584-76-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1212-80-0x0000000004DD0000-0x0000000004E9E000-memory.dmp

Filesize
824KB

Download
memory/1212-69-0x0000000004AF0000-0x0000000004C53000-memory.dmp

Filesize
1.4MB

Download
memory/1212-72-0x0000000004C60000-0x0000000004DC4000-memory.dmp

Filesize
1.4MB

Download
memory/1320-59-0x0000000000000000-mapping.dmp

Download
memory/1332-71-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1332-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1332-68-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1332-65-0x000000000041ECA0-mapping.dmp

Download
memory/1332-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1332-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1332-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1332-66-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1396-78-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1664-58-0x0000000004200000-0x0000000004234000-memory.dmp

Filesize
208KB

Download
memory/1664-54-0x0000000000A30000-0x0000000000AA4000-memory.dmp

Filesize
464KB

Download
memory/1664-57-0x0000000000890000-0x00000000008E8000-memory.dmp

Filesize
352KB

Download
memory/1664-56-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads