formbook | 2997d580c97d0e4cfbeebdbd6ae11e9a13343778cdab2f0ac3720500d0fbf3be

General

Target

ScanPMT.exe
Size

753KB
MD5

07635d52fc102dc84f5922736c158677
SHA1

8f120df33ef24f6917d9eeecb85e96a49049ecab
SHA256

8288e9e21f28be24c2d3839e26c3c726dc90e9955a8506816fb498044f9846b6
SHA512

f5f34d62be8ad42435c554391d9406713ced9c19b73a1d9de33f3e6bbc150b5b0b165313e152408893b08900d367532ff4961b3fbb4729ef82792a8ced6e7c8d

Score

10^/10

formbook vcd persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vcd

Decoy

lacittauniversitaria.com

godsdigger.info

stxfwj.com

sing-uk.com

crazyedu.com

sunchermical.com

cocaparis2024.com

ahazm.com

li021.com

bizzspire.com

jb-o8y.com

ssconlineadmitcard.com

merkled.net

nesaraconstruction.com

viba.ltd

rasshoferconsulting.com

slingersdlbrbhjs.download

higgins-plastering.com

prostickusa.com

szryyl.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2560-137-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/2916-145-0x0000000000330000-0x000000000035D000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MRXXHBMXCNY = "C:\\Program Files (x86)\\Ejzd09bmx\\qxqxgzixzz5p4tbp.exe"	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

ScanPMT.exeScanPMT.exesvchost.exe

description	pid	process	target process
PID 3184 set thread context of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 2560 set thread context of 2604	2560	ScanPMT.exe	Explorer.EXE
PID 2916 set thread context of 2604	2916	svchost.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ejzd09bmx\qxqxgzixzz5p4tbp.exe svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ejzd09bmx\qxqxgzixzz5p4tbp.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ScanPMT.exesvchost.exe

pid	process
2560	ScanPMT.exe
2560	ScanPMT.exe
2560	ScanPMT.exe
2560	ScanPMT.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2604 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ScanPMT.exesvchost.exe

pid process

2560 ScanPMT.exe
2560 ScanPMT.exe
2560 ScanPMT.exe
2916 svchost.exe
2916 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ScanPMT.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2560 ScanPMT.exe
Token: SeDebugPrivilege 2916 svchost.exe

pid	process
2604	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2560	ScanPMT.exe
Token: SeDebugPrivilege	2916	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ScanPMT.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3184 wrote to memory of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 3184 wrote to memory of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 3184 wrote to memory of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 3184 wrote to memory of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 3184 wrote to memory of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 3184 wrote to memory of 2560	3184	ScanPMT.exe	ScanPMT.exe
PID 2604 wrote to memory of 2916	2604	Explorer.EXE	svchost.exe
PID 2604 wrote to memory of 2916	2604	Explorer.EXE	svchost.exe
PID 2604 wrote to memory of 2916	2604	Explorer.EXE	svchost.exe
PID 2916 wrote to memory of 3840	2916	svchost.exe	cmd.exe
PID 2916 wrote to memory of 3840	2916	svchost.exe	cmd.exe
PID 2916 wrote to memory of 3840	2916	svchost.exe	cmd.exe
PID 2916 wrote to memory of 216	2916	svchost.exe	cmd.exe
PID 2916 wrote to memory of 216	2916	svchost.exe	cmd.exe
PID 2916 wrote to memory of 216	2916	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe
"C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe
"C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
3⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-149-0x0000000000000000-mapping.dmp

Download
memory/2560-136-0x0000000000000000-mapping.dmp

Download
memory/2560-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2560-139-0x00000000015A0000-0x00000000018EA000-memory.dmp

Filesize
3.3MB

Download
memory/2560-140-0x0000000001030000-0x0000000001044000-memory.dmp

Filesize
80KB

Download
memory/2604-148-0x0000000002EB0000-0x0000000003030000-memory.dmp

Filesize
1.5MB

Download
memory/2604-141-0x0000000002D60000-0x0000000002E27000-memory.dmp

Filesize
796KB

Download
memory/2916-145-0x0000000000330000-0x000000000035D000-memory.dmp

Filesize
180KB

Download
memory/2916-147-0x0000000001200000-0x0000000001293000-memory.dmp

Filesize
588KB

Download
memory/2916-146-0x0000000000B50000-0x0000000000E9A000-memory.dmp

Filesize
3.3MB

Download
memory/2916-144-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/2916-142-0x0000000000000000-mapping.dmp

Download
memory/3184-134-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/3184-135-0x0000000007BF0000-0x0000000007C46000-memory.dmp

Filesize
344KB

Download
memory/3184-130-0x0000000000960000-0x0000000000A22000-memory.dmp

Filesize
776KB

Download
memory/3184-133-0x0000000007980000-0x0000000007A12000-memory.dmp

Filesize
584KB

Download
memory/3184-132-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/3184-131-0x00000000078E0000-0x000000000797C000-memory.dmp

Filesize
624KB

Download
memory/3840-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads