formbook | be212619b97ee6954f65301efb5027961cebf3ac7ce8edd71dda5872442cea0c

General

Target

Payment Slip.exe
Size

305KB
MD5

959cc1d1577952988bee9d96237dc04f
SHA1

11942e192b6f5f4bba6947653fb070385f42998a
SHA256

9e5404dae4cf7c22028a3d09e99fa532a1f14e0636aa8112d177933a8b066b6c
SHA512

30e5e5f62239042b905a01c7d51f52f7be5668dbe23d4ec63b3a0c8e50f9ccb2f770fce1efbcd3914e842f0762838f8eb0ed9db1eb1fb670c890caaeece8fb70

Score

10^/10

formbook i032 coreentity rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

i032

Decoy

threecraftybitchhs.com

vmbitcoin.com

theeverydayrootsbook.com

perksatwrok.com

oilspilladjustersettlement.com

actiilifecoaching.com

kbv627xlp9o.biz

masterfitnessusa.com

bit-coin-b2b.com

crossfitpoway.com

van-life.info

start.supply

wonobi.com

volunteerfife.com

steamlish.com

fortituderunclub.com

10sweetmasageparlour.com

2espiritus.com

free-part-manuals.net

gocier.com

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1504-56-0x0000000000240000-0x0000000000248000-memory.dmp	coreentity

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1504-54-0x0000000001120000-0x0000000001172000-memory.dmp	coreccc

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2008-63-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2008-64-0x000000000041E330-mapping.dmp	formbook
behavioral1/memory/2008-66-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1724-75-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1504-57-0x0000000000CE0000-0x0000000000D1A000-memory.dmp	rezer0

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe

pid	process
1988	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Payment Slip.exePayment Slip.execmd.exe

description	pid	process	target process
PID 1504 set thread context of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 2008 set thread context of 1344	2008	Payment Slip.exe	Explorer.EXE
PID 2008 set thread context of 1344	2008	Payment Slip.exe	Explorer.EXE
PID 1724 set thread context of 1344	1724	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2040 schtasks.exe

pid	process
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Payment Slip.exePayment Slip.execmd.exe

pid	process
1504	Payment Slip.exe
2008	Payment Slip.exe
2008	Payment Slip.exe
2008	Payment Slip.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe
1724	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Payment Slip.execmd.exe

pid process

2008 Payment Slip.exe
2008 Payment Slip.exe
2008 Payment Slip.exe
2008 Payment Slip.exe
1724 cmd.exe
1724 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment Slip.exePayment Slip.execmd.exe

description pid process

Token: SeDebugPrivilege 1504 Payment Slip.exe
Token: SeDebugPrivilege 2008 Payment Slip.exe
Token: SeDebugPrivilege 1724 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE

pid	process
2008	Payment Slip.exe
2008	Payment Slip.exe
2008	Payment Slip.exe
2008	Payment Slip.exe
1724	cmd.exe
1724	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1504	Payment Slip.exe
Token: SeDebugPrivilege	2008	Payment Slip.exe
Token: SeDebugPrivilege	1724	cmd.exe

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Payment Slip.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 2040	1504	Payment Slip.exe	schtasks.exe
PID 1504 wrote to memory of 2040	1504	Payment Slip.exe	schtasks.exe
PID 1504 wrote to memory of 2040	1504	Payment Slip.exe	schtasks.exe
PID 1504 wrote to memory of 2040	1504	Payment Slip.exe	schtasks.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1504 wrote to memory of 2008	1504	Payment Slip.exe	Payment Slip.exe
PID 1344 wrote to memory of 1724	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 1724	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 1724	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 1724	1344	Explorer.EXE	cmd.exe
PID 1724 wrote to memory of 1988	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UjCdGbhg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1288.tmp"
3⤵
- Creates scheduled task(s)
PID:2040

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
3⤵
- Deletes itself
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1288.tmp
Filesize
1KB

MD5
06eaf3d704b56a8f918101aef8f11e0f

SHA1
092eded4a308fb5704e3b353abcc91ac3d414266

SHA256
af06168c6c8ea4569b3db8163207a28bd57580b615c65e9e9cd8efd02aaff991

SHA512
633bdd67bde9217b29b6433865031d5213984a1e7372c29746a19475f8640375423c99797a3d0556c3ba085b0f845a03780a063f54ff8f268dc658149a9b8f44

Download Submit
memory/1344-72-0x0000000007140000-0x0000000007275000-memory.dmp

Filesize
1.2MB

Download
memory/1344-69-0x0000000007000000-0x000000000713E000-memory.dmp

Filesize
1.2MB

Download
memory/1344-79-0x0000000004250000-0x0000000004345000-memory.dmp

Filesize
980KB

Download
memory/1504-56-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1504-54-0x0000000001120000-0x0000000001172000-memory.dmp

Filesize
328KB

Download
memory/1504-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1504-57-0x0000000000CE0000-0x0000000000D1A000-memory.dmp

Filesize
232KB

Download
memory/1724-74-0x000000004A150000-0x000000004A19C000-memory.dmp

Filesize
304KB

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1724-78-0x00000000003E0000-0x0000000000473000-memory.dmp

Filesize
588KB

Download
memory/1724-77-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/1724-75-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1988-76-0x0000000000000000-mapping.dmp

Download
memory/2008-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2008-71-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/2008-68-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/2008-64-0x000000000041E330-mapping.dmp

Download
memory/2008-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2008-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2008-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2008-67-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads