formbook | 236c1f89670b6e65ebe496d838b3e68cd6100570994de9dcd4ea32dd3eead793

General

Target

orden de compra.exe
Size

423KB
MD5

099eb059723bc3e0b11cd0483240e7a8
SHA1

d61b35ba4e797cb6568d798bbb59222120f8f33e
SHA256

aa4fad19caeb7d4d9abd68155eee268619442c6cfc8a69c2bc337dd4efdf4b4d
SHA512

581d078f2dcddb03859456864c716a6053c7af4f0ed06f378304def93fafa928f0deb1edb87206815f98330c8da563b3075c6f38fc5c6f563039296d4c7fbf2f

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1072-65-0x000000000041ECA0-mapping.dmp	formbook
behavioral1/memory/1072-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1696-78-0x00000000000B0000-0x00000000000DE000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

orden de compra.exeRegSvcs.exemsiexec.exe

description	pid	process	target process
PID 2008 set thread context of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 1072 set thread context of 1268	1072	RegSvcs.exe	Explorer.EXE
PID 1072 set thread context of 1268	1072	RegSvcs.exe	Explorer.EXE
PID 1696 set thread context of 1268	1696	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1372 schtasks.exe

pid	process
1372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

orden de compra.exeRegSvcs.exemsiexec.exe

pid	process
2008	orden de compra.exe
2008	orden de compra.exe
2008	orden de compra.exe
1072	RegSvcs.exe
1072	RegSvcs.exe
1072	RegSvcs.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe
1696	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exemsiexec.exe

pid process

1072 RegSvcs.exe
1072 RegSvcs.exe
1072 RegSvcs.exe
1072 RegSvcs.exe
1696 msiexec.exe
1696 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

orden de compra.exeRegSvcs.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 2008 orden de compra.exe
Token: SeDebugPrivilege 1072 RegSvcs.exe
Token: SeDebugPrivilege 1696 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1072	RegSvcs.exe
1072	RegSvcs.exe
1072	RegSvcs.exe
1072	RegSvcs.exe
1696	msiexec.exe
1696	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	2008	orden de compra.exe
Token: SeDebugPrivilege	1072	RegSvcs.exe
Token: SeDebugPrivilege	1696	msiexec.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

orden de compra.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 2008 wrote to memory of 1372	2008	orden de compra.exe	schtasks.exe
PID 2008 wrote to memory of 1372	2008	orden de compra.exe	schtasks.exe
PID 2008 wrote to memory of 1372	2008	orden de compra.exe	schtasks.exe
PID 2008 wrote to memory of 1372	2008	orden de compra.exe	schtasks.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 2008 wrote to memory of 1072	2008	orden de compra.exe	RegSvcs.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1696	1268	Explorer.EXE	msiexec.exe
PID 1696 wrote to memory of 908	1696	msiexec.exe	cmd.exe
PID 1696 wrote to memory of 908	1696	msiexec.exe	cmd.exe
PID 1696 wrote to memory of 908	1696	msiexec.exe	cmd.exe
PID 1696 wrote to memory of 908	1696	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\orden de compra.exe
"C:\Users\Admin\AppData\Local\Temp\orden de compra.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xconClO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB452.tmp"
3⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB452.tmp
Filesize
1KB

MD5
9c266a4b43ca4b33f544c90d2d591cbc

SHA1
575eeeca3f575a6e82c7b404f83155faf6ffa4de

SHA256
0c3646314df4664d5fa22958ec2848b549bc772faf04cb772a19311b9739946d

SHA512
9ad833719d387cb616de95d9b30549741232e9d7da2f3b77cf8f1dbcae74789b8e693c8c9fadac2693e06039adff39e3e5a65236057c72d3170986d8b94c5092

Download Submit
memory/908-76-0x0000000000000000-mapping.dmp

Download
memory/1072-69-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/1072-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1072-68-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1072-72-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1072-65-0x000000000041ECA0-mapping.dmp

Download
memory/1072-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1072-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1072-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1268-81-0x0000000006AF0000-0x0000000006C28000-memory.dmp

Filesize
1.2MB

Download
memory/1268-70-0x0000000004E40000-0x0000000004F1F000-memory.dmp

Filesize
892KB

Download
memory/1268-73-0x0000000006970000-0x0000000006AED000-memory.dmp

Filesize
1.5MB

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1696-74-0x0000000000000000-mapping.dmp

Download
memory/1696-77-0x0000000000040000-0x0000000000054000-memory.dmp

Filesize
80KB

Download
memory/1696-78-0x00000000000B0000-0x00000000000DE000-memory.dmp

Filesize
184KB

Download
memory/1696-79-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/1696-80-0x0000000001F80000-0x0000000002013000-memory.dmp

Filesize
588KB

Download
memory/2008-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2008-57-0x0000000004C30000-0x0000000004C8A000-memory.dmp

Filesize
360KB

Download
memory/2008-54-0x0000000001320000-0x0000000001390000-memory.dmp

Filesize
448KB

Download
memory/2008-58-0x00000000006E0000-0x0000000000714000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads