formbook | 62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634

General

Target

?????? ?? ???????.exe
Size

662KB
MD5

203f52c19d874bb4206677f8075c7677
SHA1

9f0b37d6aa3854442d0336a0a853593f9177ad85
SHA256

cdcf2838549fff5889e730c6acf553d1de2940575da7e75b8aeefb043dc13ac0
SHA512

d44325b203d93fd86bb75eb75e8ebcd7618d4f3997d6179d8103101a054eb5f9f40a5de53dcacb2f12d8c4adfaa7a115fbece2d4431b772cf3d22a9984343c25

Score

10^/10

formbook kvsz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4424-140-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4424-142-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/64-148-0x0000000000B50000-0x0000000000B7E000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

______ __ _______.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	______ __ _______.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

______ __ _______.exeRegSvcs.execolorcpl.exe

description	pid	process	target process
PID 4160 set thread context of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 4424 set thread context of 3048	4424	RegSvcs.exe	Explorer.EXE
PID 64 set thread context of 3048	64	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2856 schtasks.exe

pid	process
2856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

______ __ _______.exeRegSvcs.execolorcpl.exe

pid	process
4160	______ __ _______.exe
4160	______ __ _______.exe
4160	______ __ _______.exe
4424	RegSvcs.exe
4424	RegSvcs.exe
4424	RegSvcs.exe
4424	RegSvcs.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe
64	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execolorcpl.exe

pid process

4424 RegSvcs.exe
4424 RegSvcs.exe
4424 RegSvcs.exe
64 colorcpl.exe
64 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

______ __ _______.exeRegSvcs.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 4160 ______ __ _______.exe
Token: SeDebugPrivilege 4424 RegSvcs.exe
Token: SeDebugPrivilege 64 colorcpl.exe

pid	process
3048	Explorer.EXE

pid	process
4424	RegSvcs.exe
4424	RegSvcs.exe
4424	RegSvcs.exe
64	colorcpl.exe
64	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	4160	______ __ _______.exe
Token: SeDebugPrivilege	4424	RegSvcs.exe
Token: SeDebugPrivilege	64	colorcpl.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

______ __ _______.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 4160 wrote to memory of 2856	4160	______ __ _______.exe	schtasks.exe
PID 4160 wrote to memory of 2856	4160	______ __ _______.exe	schtasks.exe
PID 4160 wrote to memory of 2856	4160	______ __ _______.exe	schtasks.exe
PID 4160 wrote to memory of 4860	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4860	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4860	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 4160 wrote to memory of 4424	4160	______ __ _______.exe	RegSvcs.exe
PID 3048 wrote to memory of 64	3048	Explorer.EXE	colorcpl.exe
PID 3048 wrote to memory of 64	3048	Explorer.EXE	colorcpl.exe
PID 3048 wrote to memory of 64	3048	Explorer.EXE	colorcpl.exe
PID 64 wrote to memory of 1280	64	colorcpl.exe	cmd.exe
PID 64 wrote to memory of 1280	64	colorcpl.exe	cmd.exe
PID 64 wrote to memory of 1280	64	colorcpl.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\______ __ _______.exe
"C:\Users\Admin\AppData\Local\Temp\______ __ _______.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PvhWkENbJBxfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp736B.tmp"
2⤵
- Creates scheduled task(s)
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp736B.tmp
Filesize
1KB

MD5
2bd264bb9f94de5b63196a71fac3d05a

SHA1
3747f404c1d316d509b8bf4d9a41fff7a6c8ed3a

SHA256
6aa50bcb619f153f0cbdc007ab2df7d2d7c59e3231c6692eab1e0b2b46155fa1

SHA512
8d6d72bf0cd00741caa5200ba7426c483d75369a36b4cda6197884d4989a8344cab0869cd046ce55639b7444078e5fbcebbb9044a55797b38757945c14e32ec9

Download Submit
memory/64-151-0x0000000002B70000-0x0000000002C03000-memory.dmp

Filesize
588KB

Download
memory/64-150-0x0000000002DE0000-0x000000000312A000-memory.dmp

Filesize
3.3MB

Download
memory/64-147-0x0000000000DB0000-0x0000000000DC9000-memory.dmp

Filesize
100KB

Download
memory/64-148-0x0000000000B50000-0x0000000000B7E000-memory.dmp

Filesize
184KB

Download
memory/64-146-0x0000000000000000-mapping.dmp

Download
memory/1280-149-0x0000000000000000-mapping.dmp

Download
memory/2856-136-0x0000000000000000-mapping.dmp

Download
memory/3048-144-0x0000000007E20000-0x0000000007F4E000-memory.dmp

Filesize
1.2MB

Download
memory/3048-152-0x0000000008010000-0x0000000008114000-memory.dmp

Filesize
1.0MB

Download
memory/4160-135-0x0000000005CE0000-0x0000000005D36000-memory.dmp

Filesize
344KB

Download
memory/4160-130-0x0000000000FE0000-0x000000000108C000-memory.dmp

Filesize
688KB

Download
memory/4160-134-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/4160-133-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/4160-132-0x0000000006100000-0x00000000066A4000-memory.dmp

Filesize
5.6MB

Download
memory/4160-131-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/4424-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4424-143-0x0000000000EE0000-0x000000000122A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4424-145-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/4424-139-0x0000000000000000-mapping.dmp

Download
memory/4860-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads