formbook | f466700a7f45a812f832c3d869bd6453aef3a292f3e2cccc39b18e20a3e05203

General

Target

yeni sipari?.exe
Size

719KB
MD5

2209b47aae001d2bd001bfdefc337f68
SHA1

bb4984f3c1f8780069ec094b93668e9c45d65187
SHA256

ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65
SHA512

d206f7aa864fce2e4592842fbd50b05ef937d756a1078884e6c19cf65adfe61e205b7e1a4f6350a503a323cda216036b7301919e7ec70aa6840edc2bed8b8ea0

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

krii8it.com

etroty.com

siliconetechsolutions.com

idoukang.net

jb5w3c.download

cmvtulancingo.com

duniageo.com

therisc.com

recruitwith-rr.com

liential.com

americavolcano.win

miyario.com

theballerinashoecompany.com

43u99.com

hananoame.com

wwwglowhaus.net

crowdcoins.biz

icograda.net

fujiansoles.com

bliss-okachimachi.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2004-64-0x000000000041E300-mapping.dmp	formbook
behavioral1/memory/1268-72-0x00000000000C0000-0x00000000000ED000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

yeni sipari_.exeRegSvcs.execmmon32.exe

description	pid	process	target process
PID 1660 set thread context of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 2004 set thread context of 1428	2004	RegSvcs.exe	Explorer.EXE
PID 1268 set thread context of 1428	1268	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1756 schtasks.exe

pid	process
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

RegSvcs.execmmon32.exe

pid	process
2004	RegSvcs.exe
2004	RegSvcs.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe
1268	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmmon32.exe

pid process

2004 RegSvcs.exe
2004 RegSvcs.exe
2004 RegSvcs.exe
1268 cmmon32.exe
1268 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.execmmon32.exe

description pid process

Token: SeDebugPrivilege 2004 RegSvcs.exe
Token: SeDebugPrivilege 1268 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2004	RegSvcs.exe
Token: SeDebugPrivilege	1268	cmmon32.exe

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

yeni sipari_.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1660 wrote to memory of 1756	1660	yeni sipari_.exe	schtasks.exe
PID 1660 wrote to memory of 1756	1660	yeni sipari_.exe	schtasks.exe
PID 1660 wrote to memory of 1756	1660	yeni sipari_.exe	schtasks.exe
PID 1660 wrote to memory of 1756	1660	yeni sipari_.exe	schtasks.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1660 wrote to memory of 2004	1660	yeni sipari_.exe	RegSvcs.exe
PID 1428 wrote to memory of 1268	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 1268	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 1268	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 1268	1428	Explorer.EXE	cmmon32.exe
PID 1268 wrote to memory of 672	1268	cmmon32.exe	cmd.exe
PID 1268 wrote to memory of 672	1268	cmmon32.exe	cmd.exe
PID 1268 wrote to memory of 672	1268	cmmon32.exe	cmd.exe
PID 1268 wrote to memory of 672	1268	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\yeni sipari_.exe
"C:\Users\Admin\AppData\Local\Temp\yeni sipari_.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxWnILgHDUGmOF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E14.tmp"
3⤵
- Creates scheduled task(s)
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9E14.tmp
Filesize
1KB

MD5
7e395a7ba2a978135b1d2055c65dcf69

SHA1
7c8a838388ea0c55cce9a377b9393022775e23c8

SHA256
e96092fa238c7faff5ffc2d280de4de23876ed661ba289e89de89bd1bf4ec0e6

SHA512
2f6cb7dc2e04753a3d423ef9ddea736eaad45b2731e2e1b8849120071b339510b9042c5d973f3534cae6dce33dd2dd4a3a767e8b5a8217378aeb8701d99af6a7

Download Submit
memory/672-70-0x0000000000000000-mapping.dmp

Download
memory/1268-71-0x0000000000AF0000-0x0000000000AFD000-memory.dmp

Filesize
52KB

Download
memory/1268-74-0x0000000000330000-0x00000000003C3000-memory.dmp

Filesize
588KB

Download
memory/1268-73-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1268-72-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1268-69-0x0000000000000000-mapping.dmp

Download
memory/1428-75-0x0000000004A50000-0x0000000004B30000-memory.dmp

Filesize
896KB

Download
memory/1428-68-0x00000000068C0000-0x0000000006A52000-memory.dmp

Filesize
1.6MB

Download
memory/1660-55-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1660-56-0x00000000043B0000-0x00000000043EA000-memory.dmp

Filesize
232KB

Download
memory/1660-57-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1660-54-0x0000000000970000-0x0000000000A2A000-memory.dmp

Filesize
744KB

Download
memory/1756-58-0x0000000000000000-mapping.dmp

Download
memory/2004-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-67-0x0000000000150000-0x0000000000164000-memory.dmp

Filesize
80KB

Download
memory/2004-66-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/2004-64-0x000000000041E300-mapping.dmp

Download
memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads