formbook | 1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa

General

Target

1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe
Size

213KB
MD5

1af681084e3d0b909e8ff56e4cee3c80
SHA1

fc8532c8feb0ce096e761020678744824dc1607c
SHA256

1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa
SHA512

b9d0d1cb4cf3ac31f0b5f772e8e7dcdd5c13b9410dc52d22dfa42c6d34f98b13582319688a52c3f85bc0d2f46782f621ded3cdd70be1401846b2fc2ee449e4bf

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

sh

Decoy

studiogoparty.com

furi-mold.com

cdicoun-tombola.info

elizabethlhall.com

nakayama-hanasai.com

9910pe.com

iraqbreakingnews.com

91fyy.com

intersafetyland.com

dddadditive.com

gewuan.net

ikwxanxb.click

shenghangdianzi.com

nuskinmemory.com

sonrel-julie.com

rapidlegalcenter.com

jcldsp.com

dibamoviez.net

sochuan66.com

platformoneclothing.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4092-142-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4092-148-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/1628-152-0x0000000000C70000-0x0000000000C9A000-memory.dmp	formbook
behavioral2/memory/1628-155-0x0000000000C70000-0x0000000000C9A000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exevbc.exehelp.exe

description	pid	process	target process
PID 4996 set thread context of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 4092 set thread context of 664	4092	vbc.exe	Explorer.EXE
PID 1628 set thread context of 664	1628	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exevbc.exehelp.exe

pid	process
4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe
4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe
4092	vbc.exe
4092	vbc.exe
4092	vbc.exe
4092	vbc.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

664 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exehelp.exe

pid process

4092 vbc.exe
4092 vbc.exe
4092 vbc.exe
1628 help.exe
1628 help.exe

pid	process
664	Explorer.EXE

pid	process
4092	vbc.exe
4092	vbc.exe
4092	vbc.exe
1628	help.exe
1628	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exevbc.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe
Token: SeDebugPrivilege	4092	vbc.exe
Token: SeDebugPrivilege	1628	help.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.execsc.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 4996 wrote to memory of 776	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	csc.exe
PID 4996 wrote to memory of 776	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	csc.exe
PID 4996 wrote to memory of 776	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	csc.exe
PID 776 wrote to memory of 2316	776	csc.exe	cvtres.exe
PID 776 wrote to memory of 2316	776	csc.exe	cvtres.exe
PID 776 wrote to memory of 2316	776	csc.exe	cvtres.exe
PID 4996 wrote to memory of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 4996 wrote to memory of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 4996 wrote to memory of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 4996 wrote to memory of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 4996 wrote to memory of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 4996 wrote to memory of 4092	4996	1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe	vbc.exe
PID 664 wrote to memory of 1628	664	Explorer.EXE	help.exe
PID 664 wrote to memory of 1628	664	Explorer.EXE	help.exe
PID 664 wrote to memory of 1628	664	Explorer.EXE	help.exe
PID 1628 wrote to memory of 4676	1628	help.exe	cmd.exe
PID 1628 wrote to memory of 4676	1628	help.exe	cmd.exe
PID 1628 wrote to memory of 4676	1628	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe
"C:\Users\Admin\AppData\Local\Temp\1deac5c42c5c12f811a14593da40c7589da9274b67086ac62174498923c893fa.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3inwfcfe\3inwfcfe.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB54B.tmp" "c:\Users\Admin\AppData\Local\Temp\3inwfcfe\CSCAF64E192331C41FE8A875CB7F4F25A2.TMP"
4⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3inwfcfe\3inwfcfe.dll

Filesize
6KB

MD5
f45cfeaf003c8f224ea4fd2305c5c4d4

SHA1
814477a94047497ed7c4e378470c420f2c5fa410

SHA256
438a0fb0c92bea6206f8d3bdfd389486f789aeca97469a3a397926f61e179bae

SHA512
b5f5ea544bd01683de58057f31c1b44c61f0542a0fb2b760c5b63b9ab55ac7340eb85f4d86503ed28c5b5ec7fd906c600be8cb49252a8f7748a5be8b85cf01c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3inwfcfe\3inwfcfe.pdb

Filesize
15KB

MD5
b9c46a0a0e9a19485577d30db86ef033

SHA1
f8f0b28ce9730983d1d0d0238919f3537505cc5a

SHA256
a8f6a9a0570b239c4aecb6b4139e1fff412dc63001bdeca87fa5b2f929464d75

SHA512
67075562eedde4627a1a08294f3ed92c7387bdc1690d0276863dad50c3796df86ea21ab7b3773fa1db811db00bea253fcee7bfcf7787998ea22ed3a92f2d221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB54B.tmp

Filesize
1KB

MD5
be3c1cb56e20eb3eea400d133933d966

SHA1
bfc474396068d358bd944fc8fd5d30d7d3a80d9a

SHA256
3956b51016d3eb681e70bdcd4461688ed9141e92841c02eb2cd11046e61dcf4e

SHA512
c83dfe1d63f29f656a979e2d60bc9e8b3f4d1a69ac0620c94b5dd93158ee5966a804c2f101b19a3b8d9f9a4c12e30cc888ad1f7eedfff11dc9c9754d94cc52d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3inwfcfe\3inwfcfe.0.cs

Filesize
2KB

MD5
4b7bccbd0e3c7ad0e35494793d17069b

SHA1
4f12101636084c28935313568518f1292caae7ff

SHA256
96cafa3320c3d870753c58b65fe3c05e2ffb343be959cfa316c4f6c34c4c60ea

SHA512
4409b49e687fcd14a0457e3b9b422a34efe5e4c04d807f7156cb8b4f215b4f07537d134d48a168b766fdffbff5106f41e09585fe1eab86dfa2e894a2bf477de2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3inwfcfe\3inwfcfe.cmdline

Filesize
248B

MD5
06fa3c98acd37eb9872a1a19e5c06163

SHA1
0167becf2d9f2c2e5ee52bb7e6df414e95bd4fff

SHA256
03f9d9026cc06be3881cb7bcab784ee991df16fcc134e0c7adf4aea4a9c83a48

SHA512
83abcc845810002dea3962dbc874b28591b05659eef42c7308c3cb821d24a9acdcb71e343aa8a44db9f7b90ddc60adcc319b44aa465154fdddc428a730e2e6dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3inwfcfe\CSCAF64E192331C41FE8A875CB7F4F25A2.TMP

Filesize
1KB

MD5
2b18c10ef5937626234902fcca253bfc

SHA1
c8adcf7d104347560986b10e7942a2429f623f7a

SHA256
8df337fd67f210528e1b35b66f5cf2c02b8c637492ebfb5abd365022e0cdc904

SHA512
71fc6bb0e943e2b4cf8431eecc9c7120f30f8f9183915f2c31106752fd040f21da2986ca370e482b1c9908b30d96a27fa4531e18411c6421844550c43f16fe44

Download Submit
memory/664-154-0x0000000007FF0000-0x00000000080D3000-memory.dmp

Filesize
908KB

Download
memory/664-156-0x0000000007FF0000-0x00000000080D3000-memory.dmp

Filesize
908KB

Download
memory/664-146-0x00000000030F0000-0x0000000003247000-memory.dmp

Filesize
1.3MB

Download
memory/776-131-0x0000000000000000-mapping.dmp

Download
memory/1628-155-0x0000000000C70000-0x0000000000C9A000-memory.dmp

Filesize
168KB

Download
memory/1628-153-0x0000000001340000-0x00000000013D3000-memory.dmp

Filesize
588KB

Download
memory/1628-150-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/1628-151-0x00000000013F0000-0x000000000173A000-memory.dmp

Filesize
3.3MB

Download
memory/1628-152-0x0000000000C70000-0x0000000000C9A000-memory.dmp

Filesize
168KB

Download
memory/1628-147-0x0000000000000000-mapping.dmp

Download
memory/2316-134-0x0000000000000000-mapping.dmp

Download
memory/4092-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4092-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4092-145-0x00000000005E0000-0x00000000005F4000-memory.dmp

Filesize
80KB

Download
memory/4092-143-0x0000000000AE0000-0x0000000000E2A000-memory.dmp

Filesize
3.3MB

Download
memory/4092-141-0x0000000000000000-mapping.dmp

Download
memory/4676-149-0x0000000000000000-mapping.dmp

Download
memory/4996-130-0x0000000000B80000-0x0000000000BBC000-memory.dmp

Filesize
240KB

Download
memory/4996-140-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

Filesize
624KB

Download
memory/4996-139-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads