formbook | 54d9e41dc860087321eb979b18858f109d7d45c73da540a19d343fc17cce8ccb

General

Target

yeni sipari?.exe
Size

648KB
MD5

9db7619bc23ec15cc6863948515acc4e
SHA1

90e5b2e78d2bcc1f6d78ff9bfd9e1ca16b94c605
SHA256

c2100ac52466885fcb64010897d0c7a4178a5c00c47e13261f66976b38f26aaf
SHA512

6676f9434bc4e2f2fe3e256a328554162020e156c576b63eaa7ec2f79f834ecf967610c1dace77f1931f0fd2110aafff656eabe20a76bda8b610e06cbe27cf62

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1284-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1284-65-0x000000000041ECA0-mapping.dmp	formbook
behavioral1/memory/1284-67-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1456-77-0x00000000000D0000-0x00000000000FE000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

yeni sipari_.exeRegSvcs.execmmon32.exe

description	pid	process	target process
PID 1000 set thread context of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1284 set thread context of 1364	1284	RegSvcs.exe	Explorer.EXE
PID 1284 set thread context of 1364	1284	RegSvcs.exe	Explorer.EXE
PID 1456 set thread context of 1364	1456	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1396 schtasks.exe

pid	process
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

yeni sipari_.exeRegSvcs.execmmon32.exe

pid	process
1000	yeni sipari_.exe
1000	yeni sipari_.exe
1000	yeni sipari_.exe
1000	yeni sipari_.exe
1000	yeni sipari_.exe
1284	RegSvcs.exe
1284	RegSvcs.exe
1284	RegSvcs.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe
1456	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execmmon32.exe

pid process

1284 RegSvcs.exe
1284 RegSvcs.exe
1284 RegSvcs.exe
1284 RegSvcs.exe
1456 cmmon32.exe
1456 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

yeni sipari_.exeRegSvcs.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1000 yeni sipari_.exe
Token: SeDebugPrivilege 1284 RegSvcs.exe
Token: SeDebugPrivilege 1456 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE

pid	process
1284	RegSvcs.exe
1284	RegSvcs.exe
1284	RegSvcs.exe
1284	RegSvcs.exe
1456	cmmon32.exe
1456	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1000	yeni sipari_.exe
Token: SeDebugPrivilege	1284	RegSvcs.exe
Token: SeDebugPrivilege	1456	cmmon32.exe

pid	process
1364	Explorer.EXE
1364	Explorer.EXE

pid	process
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

yeni sipari_.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1000 wrote to memory of 1396	1000	yeni sipari_.exe	schtasks.exe
PID 1000 wrote to memory of 1396	1000	yeni sipari_.exe	schtasks.exe
PID 1000 wrote to memory of 1396	1000	yeni sipari_.exe	schtasks.exe
PID 1000 wrote to memory of 1396	1000	yeni sipari_.exe	schtasks.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1000 wrote to memory of 1284	1000	yeni sipari_.exe	RegSvcs.exe
PID 1364 wrote to memory of 1456	1364	Explorer.EXE	cmmon32.exe
PID 1364 wrote to memory of 1456	1364	Explorer.EXE	cmmon32.exe
PID 1364 wrote to memory of 1456	1364	Explorer.EXE	cmmon32.exe
PID 1364 wrote to memory of 1456	1364	Explorer.EXE	cmmon32.exe
PID 1456 wrote to memory of 1656	1456	cmmon32.exe	cmd.exe
PID 1456 wrote to memory of 1656	1456	cmmon32.exe	cmd.exe
PID 1456 wrote to memory of 1656	1456	cmmon32.exe	cmd.exe
PID 1456 wrote to memory of 1656	1456	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\yeni sipari_.exe
"C:\Users\Admin\AppData\Local\Temp\yeni sipari_.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A98.tmp"
3⤵
- Creates scheduled task(s)
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4A98.tmp
Filesize
1KB

MD5
d9b3fb55144055bf53049ae44e24a2b4

SHA1
e01d7cbee7c35cac28b467f84e92b7a48d32d61e

SHA256
7b950a718804352c3350d97782b2db4cd0e4fa78d1fded8b7f56edfa9df4a437

SHA512
001c56ee85bf76eb22969026c4ddd0f784052c37144642d8124b4fe0db1893bba55b2f5c4739a5a8cb54cdab5b1ea37ad830b34c429fdac0b8f93a4d5acc052c

Download Submit
memory/1000-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1000-56-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1000-57-0x0000000004F30000-0x0000000004F98000-memory.dmp

Filesize
416KB

Download
memory/1000-58-0x0000000000AC0000-0x0000000000AFE000-memory.dmp

Filesize
248KB

Download
memory/1000-54-0x00000000010C0000-0x0000000001168000-memory.dmp

Filesize
672KB

Download
memory/1284-68-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1284-72-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/1284-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-65-0x000000000041ECA0-mapping.dmp

Download
memory/1284-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-69-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1364-70-0x0000000004CA0000-0x0000000004D67000-memory.dmp

Filesize
796KB

Download
memory/1364-73-0x0000000004F70000-0x0000000005045000-memory.dmp

Filesize
852KB

Download
memory/1364-80-0x0000000006B60000-0x0000000006CD7000-memory.dmp

Filesize
1.5MB

Download
memory/1396-59-0x0000000000000000-mapping.dmp

Download
memory/1456-74-0x0000000000000000-mapping.dmp

Download
memory/1456-76-0x0000000000980000-0x000000000098D000-memory.dmp

Filesize
52KB

Download
memory/1456-77-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/1456-78-0x0000000001F20000-0x0000000002223000-memory.dmp

Filesize
3.0MB

Download
memory/1456-79-0x0000000000860000-0x00000000008F3000-memory.dmp

Filesize
588KB

Download
memory/1656-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads