formbook | e1b5157b0929486351722245f7bf2cee1b8b9e05fca294fe3a0cf676e9a7ad57

General

Target

tmp.exe
Size

247KB
MD5

6d5af3c3cbd850fd982a9b243e2857a7
SHA1

a070566b72fca1e39f52599da8d2f80a0a11fb5f
SHA256

e1b5157b0929486351722245f7bf2cee1b8b9e05fca294fe3a0cf676e9a7ad57
SHA512

dccba4090f0aef7e59f35d4be64406b7ce7733f59f7ab940e296c5d8b5da852dce11b53d317f71bcf53304088c1c361fc24f8e466915c6d9a1e8dfee17fb4bc1

Score

10^/10

formbook g14s rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g14s

Decoy

highnessmagazine.com

mokeyshop.com

remotedesktop.xyz

bicielettrica.xyz

addoncarzspa.com

ironesteem.com

asset-management-int.com

newportnewsaccounting.com

seriesyonkis2.com

hhivac.com

shrmgattlnow.com

yangzhenyu1.xyz

prettylittlenail.com

phyform.com

fggloballlc.com

gamecentertx.com

apriltoken.com

agalign.com

jointventurecoop.club

pengqianyue.tech

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4164-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4164-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4164-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2468-148-0x0000000000AB0000-0x0000000000ADF000-memory.dmp	formbook
behavioral2/memory/2468-155-0x0000000000AB0000-0x0000000000ADF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

xlarfvuad.exexlarfvuad.exe

pid process

756 xlarfvuad.exe
4164 xlarfvuad.exe

pid	process
756	xlarfvuad.exe
4164	xlarfvuad.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

xlarfvuad.exexlarfvuad.exemsdt.exe

description	pid	process	target process
PID 756 set thread context of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 4164 set thread context of 664	4164	xlarfvuad.exe	Explorer.EXE
PID 4164 set thread context of 664	4164	xlarfvuad.exe	Explorer.EXE
PID 2468 set thread context of 664	2468	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

xlarfvuad.exemsdt.exe

pid	process
4164	xlarfvuad.exe
4164	xlarfvuad.exe
4164	xlarfvuad.exe
4164	xlarfvuad.exe
4164	xlarfvuad.exe
4164	xlarfvuad.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe
2468	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

664 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

xlarfvuad.exemsdt.exe

pid process

4164 xlarfvuad.exe
4164 xlarfvuad.exe
4164 xlarfvuad.exe
4164 xlarfvuad.exe
2468 msdt.exe
2468 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xlarfvuad.exemsdt.exe

description pid process

Token: SeDebugPrivilege 4164 xlarfvuad.exe
Token: SeDebugPrivilege 2468 msdt.exe

pid	process
664	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4164	xlarfvuad.exe
Token: SeDebugPrivilege	2468	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exexlarfvuad.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1540 wrote to memory of 756	1540	tmp.exe	xlarfvuad.exe
PID 1540 wrote to memory of 756	1540	tmp.exe	xlarfvuad.exe
PID 1540 wrote to memory of 756	1540	tmp.exe	xlarfvuad.exe
PID 756 wrote to memory of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 756 wrote to memory of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 756 wrote to memory of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 756 wrote to memory of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 756 wrote to memory of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 756 wrote to memory of 4164	756	xlarfvuad.exe	xlarfvuad.exe
PID 664 wrote to memory of 2468	664	Explorer.EXE	msdt.exe
PID 664 wrote to memory of 2468	664	Explorer.EXE	msdt.exe
PID 664 wrote to memory of 2468	664	Explorer.EXE	msdt.exe
PID 2468 wrote to memory of 1852	2468	msdt.exe	cmd.exe
PID 2468 wrote to memory of 1852	2468	msdt.exe	cmd.exe
PID 2468 wrote to memory of 1852	2468	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe"
3⤵
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14bjwnh70000oktef97
Filesize
184KB

MD5
39caefe2282d6b8c0eef7d657db7c154

SHA1
cc6604f9985ae1a05f034f799dd6ee550be1d7e8

SHA256
47fc6884f3dee9dfd8def2b3b5f0c38856c0eef9f0c005fd02fef0c1344592f2

SHA512
930bb809904ff5f27420b1ae1a0005ee73b9383e21a41dbd93dbd18f4048c1bfcebbff1b6a189eb63444cd876e95b11c8c346bfa7166f4ddd172fcadbbf73cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lafzmxlg
Filesize
5KB

MD5
bce94db7c34663df2cbd9246ff73a348

SHA1
7ae61ec3e2de7736c42059f798e33950b558e6b4

SHA256
39220e3264b8bd27e6980a0edee02315c1a42e88181b8dc107122cd5d1590b29

SHA512
f9d3fd89a54648cebfacfe1f2f12310b438fb53e8f1eb65fab70ac56ea94da8c72eb239e50da8160a4217f723f0727aa44434b65ebe6c3356a11194d328690e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
memory/664-152-0x0000000007FF0000-0x0000000008151000-memory.dmp

Filesize
1.4MB

Download
memory/664-150-0x00000000030F0000-0x00000000031CD000-memory.dmp

Filesize
884KB

Download
memory/664-156-0x00000000031D0000-0x00000000032EA000-memory.dmp

Filesize
1.1MB

Download
memory/664-144-0x0000000007FF0000-0x0000000008151000-memory.dmp

Filesize
1.4MB

Download
memory/664-141-0x00000000030F0000-0x00000000031CD000-memory.dmp

Filesize
884KB

Download
memory/664-154-0x00000000031D0000-0x00000000032EA000-memory.dmp

Filesize
1.1MB

Download
memory/756-130-0x0000000000000000-mapping.dmp

Download
memory/1852-149-0x0000000000000000-mapping.dmp

Download
memory/2468-153-0x0000000002930000-0x00000000029C3000-memory.dmp

Filesize
588KB

Download
memory/2468-151-0x0000000002D40000-0x000000000308A000-memory.dmp

Filesize
3.3MB

Download
memory/2468-155-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

Filesize
188KB

Download
memory/2468-145-0x0000000000000000-mapping.dmp

Download
memory/2468-147-0x0000000000520000-0x0000000000577000-memory.dmp

Filesize
348KB

Download
memory/2468-148-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

Filesize
188KB

Download
memory/4164-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-143-0x00000000018C0000-0x00000000018D4000-memory.dmp

Filesize
80KB

Download
memory/4164-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-140-0x0000000001460000-0x0000000001474000-memory.dmp

Filesize
80KB

Download
memory/4164-138-0x00000000018E0000-0x0000000001C2A000-memory.dmp

Filesize
3.3MB

Download
memory/4164-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads