formbook | e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a

General

Target

tmp.exe
Size

854KB
MD5

cc3b22bd3d92f8209de3a45f1b49b05d
SHA1

46f5d875d74b9dc5f4519b6aff1efdf62df70c73
SHA256

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a
SHA512

81eef9b07333b31a8016986f15a6ad519e77643bab1f2c557a5bea4014e1626702854c5c180c883c517ecaebd8a1a823da63d2533e7f9f73c0b8a1d7fd4612cf

Score

10^/10

formbook ba17 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4732-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4732-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4732-148-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5104-150-0x0000000000570000-0x000000000059F000-memory.dmp	formbook
behavioral2/memory/5104-156-0x0000000000570000-0x000000000059F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

42 5104 cmd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation tmp.exe

flow	pid	process
42	5104	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	tmp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 1992 set thread context of 4732	1992	tmp.exe	RegSvcs.exe
PID 4732 set thread context of 3232	4732	RegSvcs.exe	Explorer.EXE
PID 4732 set thread context of 3232	4732	RegSvcs.exe	Explorer.EXE
PID 5104 set thread context of 3232	5104	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4904 schtasks.exe

pid	process
4904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

tmp.exeRegSvcs.execmd.exe

pid	process
1992	tmp.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe
5104	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3232 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execmd.exe

pid process

4732 RegSvcs.exe
4732 RegSvcs.exe
4732 RegSvcs.exe
4732 RegSvcs.exe
5104 cmd.exe
5104 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exeRegSvcs.execmd.exe

description pid process

Token: SeDebugPrivilege 1992 tmp.exe
Token: SeDebugPrivilege 4732 RegSvcs.exe
Token: SeDebugPrivilege 5104 cmd.exe

pid	process
3232	Explorer.EXE

pid	process
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
5104	cmd.exe
5104	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1992	tmp.exe
Token: SeDebugPrivilege	4732	RegSvcs.exe
Token: SeDebugPrivilege	5104	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 4904	1992	tmp.exe	schtasks.exe
PID 1992 wrote to memory of 4904	1992	tmp.exe	schtasks.exe
PID 1992 wrote to memory of 4904	1992	tmp.exe	schtasks.exe
PID 1992 wrote to memory of 4732	1992	tmp.exe	RegSvcs.exe
PID 1992 wrote to memory of 4732	1992	tmp.exe	RegSvcs.exe
PID 1992 wrote to memory of 4732	1992	tmp.exe	RegSvcs.exe
PID 1992 wrote to memory of 4732	1992	tmp.exe	RegSvcs.exe
PID 1992 wrote to memory of 4732	1992	tmp.exe	RegSvcs.exe
PID 1992 wrote to memory of 4732	1992	tmp.exe	RegSvcs.exe
PID 3232 wrote to memory of 5104	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 5104	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 5104	3232	Explorer.EXE	cmd.exe
PID 5104 wrote to memory of 3224	5104	cmd.exe	cmd.exe
PID 5104 wrote to memory of 3224	5104	cmd.exe	cmd.exe
PID 5104 wrote to memory of 3224	5104	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OHyOwWfiz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE256.tmp"
3⤵
- Creates scheduled task(s)
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE256.tmp
Filesize
1KB

MD5
50bf5952a492bb385296f4bfe8f3ee5f

SHA1
62ebe56ef336fdb95f90f151df7bf4735c95cbb6

SHA256
fa00bd11edf104d5a98eacce7ef6c5ae701f5c4873aacfde3dedbba5504dfa79

SHA512
39fa1144814fae061d10c79ff1f7bf954568ede2a9bbe91626547d376f59c5bcf291fd442a6e6dfb2ff843469baca69adb2ac2e9247ef1fe151f5a2ccf109cfa

Download Submit
memory/1992-130-0x0000000000CD0000-0x0000000000DAC000-memory.dmp

Filesize
880KB

Download
memory/1992-131-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/1992-132-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1992-133-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/1992-134-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/3224-151-0x0000000000000000-mapping.dmp

Download
memory/3232-157-0x0000000007FE0000-0x0000000008171000-memory.dmp

Filesize
1.6MB

Download
memory/3232-155-0x0000000007FE0000-0x0000000008171000-memory.dmp

Filesize
1.6MB

Download
memory/3232-153-0x0000000007E30000-0x0000000007F85000-memory.dmp

Filesize
1.3MB

Download
memory/3232-146-0x0000000007E30000-0x0000000007F85000-memory.dmp

Filesize
1.3MB

Download
memory/3232-143-0x0000000007C70000-0x0000000007DB5000-memory.dmp

Filesize
1.3MB

Download
memory/4732-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-141-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download
memory/4732-142-0x0000000000B40000-0x0000000000B55000-memory.dmp

Filesize
84KB

Download
memory/4732-137-0x0000000000000000-mapping.dmp

Download
memory/4732-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-145-0x0000000000FA0000-0x0000000000FB5000-memory.dmp

Filesize
84KB

Download
memory/4904-135-0x0000000000000000-mapping.dmp

Download
memory/5104-149-0x00000000003D0000-0x000000000042A000-memory.dmp

Filesize
360KB

Download
memory/5104-152-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/5104-150-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/5104-154-0x0000000000E40000-0x0000000000ED4000-memory.dmp

Filesize
592KB

Download
memory/5104-147-0x0000000000000000-mapping.dmp

Download
memory/5104-156-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads