formbook | 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b

General

Target

20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
Size

426KB
MD5

cb783c9daff07c32ea86f1bbf2a32aa7
SHA1

67695f79d67dad3068b33216cdc1492b66d7602a
SHA256

20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b
SHA512

4c33ef083ea76477fc55873ff55f5d8fbcb0634d21787be6afcc024f8f69f96b201974a77ed88c6ccb5a2b8d70521b9da9bf25d402e26f3ada421e5253109346

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

sh

Decoy

studiogoparty.com

furi-mold.com

cdicoun-tombola.info

elizabethlhall.com

nakayama-hanasai.com

9910pe.com

iraqbreakingnews.com

91fyy.com

intersafetyland.com

dddadditive.com

gewuan.net

ikwxanxb.click

shenghangdianzi.com

nuskinmemory.com

sonrel-julie.com

rapidlegalcenter.com

jcldsp.com

dibamoviez.net

sochuan66.com

platformoneclothing.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/756-66-0x0000000001EA0000-0x0000000001ECA000-memory.dmp	formbook
behavioral1/memory/940-71-0x000000000041B5F0-mapping.dmp	formbook
behavioral1/memory/940-73-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1312-80-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/1312-84-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exevbc.exewininit.exe

description	pid	process	target process
PID 756 set thread context of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 940 set thread context of 1260	940	vbc.exe	Explorer.EXE
PID 1312 set thread context of 1260	1312	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exevbc.exewininit.exe

pid	process
756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
940	vbc.exe
940	vbc.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe
1312	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exewininit.exe

pid process

940 vbc.exe
940 vbc.exe
940 vbc.exe
1312 wininit.exe
1312 wininit.exe

pid	process
940	vbc.exe
940	vbc.exe
940	vbc.exe
1312	wininit.exe
1312	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exevbc.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
Token: SeDebugPrivilege	940	vbc.exe
Token: SeDebugPrivilege	1312	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.execsc.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 756 wrote to memory of 308	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	csc.exe
PID 756 wrote to memory of 308	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	csc.exe
PID 756 wrote to memory of 308	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	csc.exe
PID 756 wrote to memory of 308	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	csc.exe
PID 308 wrote to memory of 1204	308	csc.exe	cvtres.exe
PID 308 wrote to memory of 1204	308	csc.exe	cvtres.exe
PID 308 wrote to memory of 1204	308	csc.exe	cvtres.exe
PID 308 wrote to memory of 1204	308	csc.exe	cvtres.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 756 wrote to memory of 940	756	20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe	vbc.exe
PID 1260 wrote to memory of 1312	1260	Explorer.EXE	wininit.exe
PID 1260 wrote to memory of 1312	1260	Explorer.EXE	wininit.exe
PID 1260 wrote to memory of 1312	1260	Explorer.EXE	wininit.exe
PID 1260 wrote to memory of 1312	1260	Explorer.EXE	wininit.exe
PID 1312 wrote to memory of 320	1312	wininit.exe	cmd.exe
PID 1312 wrote to memory of 320	1312	wininit.exe	cmd.exe
PID 1312 wrote to memory of 320	1312	wininit.exe	cmd.exe
PID 1312 wrote to memory of 320	1312	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
"C:\Users\Admin\AppData\Local\Temp\20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dcedxf3m\dcedxf3m.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4693.tmp" "c:\Users\Admin\AppData\Local\Temp\dcedxf3m\CSC1AB8E082FE9F45398226604760BD9938.TMP"
4⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4693.tmp

Filesize
1KB

MD5
f01a872be442747df7f269fc2a4693b1

SHA1
7fd586097b3b5bf3b31a6b07b0a07c96fbb7d9d9

SHA256
e5dccb115ef40208d49d06f41c7e53979749e4048ba8492a4156a0601056854e

SHA512
e83128b5be6036e2d0fd1474975e44738708479ef425457247428d763696e287c537f560d7d8d422bd5cff031eae68e09591a4e12059db2f6068225501c3e214

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcedxf3m\dcedxf3m.dll

Filesize
20KB

MD5
a414b83ee639dcfcd1b7182b9d031cf4

SHA1
5bac1ceb9102e9ef33d0ef11b4651fd5a5de4b5d

SHA256
2876ad23129c9a601d344f8ce9b5c3bec24932fe48bb712b4d7e82afd0954664

SHA512
8ec44a3dd140cd55e856ebe64fd0d2ca2a884c61f4b43e8bf58892e6c48e2c69bee71009c85b1b0b11ba3309f24b750322938f8793a8e284e4ab67c1a098133e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcedxf3m\dcedxf3m.pdb

Filesize
65KB

MD5
926fabb4669f253ff4b89bd19b7381c7

SHA1
d09e904388f294cc5bf8e0af2658222f394042f0

SHA256
7a461352f160f18cd6f7a65e1276ac547ab7baeafc0c1b7a39c1d0463d38eb5d

SHA512
48bea26e2dcea9f95e53c22a2a0725042356efdc656a15e43ef7c6699c8a017ed8279eb3868a1206181ff14123735fb22f460496f9798a4c8f7acd6d597b30fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcedxf3m\CSC1AB8E082FE9F45398226604760BD9938.TMP

Filesize
1KB

MD5
cf8b1d63daa1dbc3a366dc60737b994d

SHA1
9f4643778b6126510348b15ff38db82cd24b9775

SHA256
4a987fee3cc4effe9f8b4e9d0b944cf0dfe39c2b3df9e7a5e037720efbb0854f

SHA512
2881454b23540272ad2ad15ed3288b4f1f94e1a08ef122a13cca2c7772f9da546281e0855b0bf5d0196765cca42b82a69c6993b38bf40680faa9ae3f643979d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcedxf3m\dcedxf3m.0.cs

Filesize
44KB

MD5
2830d7e4a34ee5547dfed648a8c2dd7d

SHA1
bf759b96e33a56de14b09d27c53dbdd5324b8df2

SHA256
b176995fbe69d28185a99632f7cbe9cced3aa2581738d81c977ff924d6e23b13

SHA512
6c67435b3dcb1ae67da1d7f34c21fdd73e2283b92780a214beb0a747dfdca28e1a37296fe2561a17fba59382f2ead599a7dabea8d7d474df0a22d65c720d3c16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcedxf3m\dcedxf3m.cmdline

Filesize
248B

MD5
5f08e55db0ac5ffc1e561283c3b63519

SHA1
81e3a04dc16d2fdeb6b33b2ee9c1728b081926d7

SHA256
094254c656361aab958c3b5dbc52f1ec2551a658c0ab9e70ab4e11e4cc88b230

SHA512
55dbb10f07d5e2103c43826a64991a9e740805b84bb8e270d432266dec31800e8d08d8d71409ecc047c23a70aa614240f4a8e474fa226b3bed69141e5219b717

Download Submit
memory/308-55-0x0000000000000000-mapping.dmp

Download
memory/320-78-0x0000000000000000-mapping.dmp

Download
memory/756-54-0x0000000000860000-0x00000000008D2000-memory.dmp

Filesize
456KB

Download
memory/756-63-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/756-64-0x0000000001F70000-0x0000000001FAA000-memory.dmp

Filesize
232KB

Download
memory/756-65-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/756-66-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/940-67-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/940-68-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/940-71-0x000000000041B5F0-mapping.dmp

Download
memory/940-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/940-74-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/940-75-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1204-58-0x0000000000000000-mapping.dmp

Download
memory/1260-76-0x0000000004AE0000-0x0000000004C12000-memory.dmp

Filesize
1.2MB

Download
memory/1260-83-0x0000000002AF0000-0x0000000002BC5000-memory.dmp

Filesize
852KB

Download
memory/1260-85-0x0000000002AF0000-0x0000000002BC5000-memory.dmp

Filesize
852KB

Download
memory/1312-77-0x0000000000000000-mapping.dmp

Download
memory/1312-79-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/1312-81-0x0000000001ED0000-0x00000000021D3000-memory.dmp

Filesize
3.0MB

Download
memory/1312-80-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1312-82-0x0000000000530000-0x00000000005C3000-memory.dmp

Filesize
588KB

Download
memory/1312-84-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads