formbook | 58bbda497419849bd851ed97dfde285b9c995a4421af98475776d6879e21309d

General

Target

Me jpg jpg jpg jpg.exe
Size

550KB
MD5

b341988d42a31ad31f64902f802be8cb
SHA1

dcb84aa283342301808bb227d0f768036cccc89a
SHA256

f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099
SHA512

97a260e43f2f77c57d46765d837df1bfa7bbbd27d4e3b8d17a63d68872429301b1be7fa5a735f0a37d7750a63ec98b242a93e7bb6be8ca9a7c9c289fd7b80c32

Score

10^/10

formbook hha rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hha

Decoy

atarairdive.com

binanca.com

krepostta-sofia.com

chiangmaipartys.com

bestglobalseo.com

rdsri.com

immaginaeventi.com

lushrox.com

kenderia.com

goldenbrownacademy.com

kiddyquest.com

cs-support.online

magicovino.com

banderasacuadros.com

originalducatispareparts.com

tfpfleet.com

wickedmaple.com

fasypeoplesearch.com

zggwpmwdcp.com

boav11.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/1452-137-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral4/memory/1452-142-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral4/memory/2312-148-0x0000000000EA0000-0x0000000000ECD000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Me jpg jpg jpg jpg.exeMSBuild.exechkdsk.exe

description	pid	process	target process
PID 2124 set thread context of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 1452 set thread context of 2604	1452	MSBuild.exe	Explorer.EXE
PID 1452 set thread context of 2604	1452	MSBuild.exe	Explorer.EXE
PID 2312 set thread context of 2604	2312	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

MSBuild.exechkdsk.exe

pid	process
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe
2312	chkdsk.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSBuild.exechkdsk.exe

pid process

1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
2312 chkdsk.exe
2312 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSBuild.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1452 MSBuild.exe
Token: SeDebugPrivilege 2312 chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	1452	MSBuild.exe
Token: SeDebugPrivilege	2312	chkdsk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Me jpg jpg jpg jpg.exeMSBuild.exechkdsk.exe

description	pid	process	target process
PID 2124 wrote to memory of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 2124 wrote to memory of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 2124 wrote to memory of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 2124 wrote to memory of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 2124 wrote to memory of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 2124 wrote to memory of 1452	2124	Me jpg jpg jpg jpg.exe	MSBuild.exe
PID 1452 wrote to memory of 2312	1452	MSBuild.exe	chkdsk.exe
PID 1452 wrote to memory of 2312	1452	MSBuild.exe	chkdsk.exe
PID 1452 wrote to memory of 2312	1452	MSBuild.exe	chkdsk.exe
PID 2312 wrote to memory of 756	2312	chkdsk.exe	cmd.exe
PID 2312 wrote to memory of 756	2312	chkdsk.exe	cmd.exe
PID 2312 wrote to memory of 756	2312	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg.exe
  "C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      4⤵
      Suspicious use of SetThreadContext
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-146-0x0000000000000000-mapping.dmp

Download
memory/1452-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1452-143-0x00000000018C0000-0x00000000018D4000-memory.dmp

Filesize
80KB

Download
memory/1452-142-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1452-140-0x0000000001370000-0x0000000001384000-memory.dmp

Filesize
80KB

Download
memory/1452-138-0x00000000013C0000-0x000000000170A000-memory.dmp

Filesize
3.3MB

Download
memory/1452-136-0x0000000000000000-mapping.dmp

Download
memory/2124-135-0x0000000005760000-0x00000000057B6000-memory.dmp

Filesize
344KB

Download
memory/2124-130-0x00000000007C0000-0x0000000000852000-memory.dmp

Filesize
584KB

Download
memory/2124-134-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2124-131-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/2124-133-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/2124-132-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/2312-145-0x0000000000000000-mapping.dmp

Download
memory/2312-148-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/2312-147-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/2312-149-0x0000000001710000-0x0000000001A5A000-memory.dmp

Filesize
3.3MB

Download
memory/2312-150-0x0000000001480000-0x0000000001513000-memory.dmp

Filesize
588KB

Download
memory/2604-144-0x0000000008260000-0x00000000083A7000-memory.dmp

Filesize
1.3MB

Download
memory/2604-141-0x0000000002D60000-0x0000000002EE3000-memory.dmp

Filesize
1.5MB

Download
memory/2604-151-0x00000000087D0000-0x0000000008932000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads