formbook | 13daa4e080cdda1d0506ad74da6ac34e295684cfe7643a34b91264a1fe70646a

General

Target

Orden de Compra Urgente.exe
Size

757KB
MD5

96d65af8738de30dfa2283585f11e1e1
SHA1

fce536c32341baad02ba836a06688ab9f60193b9
SHA256

a69ee77f4eb102a3528594435748d3a1e2925022a6d986eac8d32feb068c1f36
SHA512

99364f2a86bb7a10e57642ad176195df04a746cb2e25d3b2562228f61192634ccec3668b008b141a3fb6864fb6f6608dff3721e96613eb31aaf65e5cb5b204ca

Score

10^/10

formbook de08 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de08

Decoy

retirecloudyyard.com

fabiyan.xyz

chrisarlyde.com

selapex.com

vivalosgales.com

specialty-medicine.com

contasesolucoes.com

satunusanews.net

allyibc.com

alameda1876.com

artofdala.com

yukoidusp.xyz

steeldrumbandnearme.com

stonewedgetechnology.com

kentonai.com

macquarie-private.com

ddgwy.com

megagreenhousekits.com

descomplicaomarketing.com

inclusiverealtor.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2044-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2044-68-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/2044-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2044-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1392-83-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1392-85-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Orden de Compra Urgente.exeRegSvcs.exewininit.exe

description	pid	process	target process
PID 1612 set thread context of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 2044 set thread context of 1244	2044	RegSvcs.exe	Explorer.EXE
PID 2044 set thread context of 1244	2044	RegSvcs.exe	Explorer.EXE
PID 1392 set thread context of 1244	1392	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1372 schtasks.exe

pid	process
1372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

RegSvcs.exepowershell.exewininit.exe

pid	process
2044	RegSvcs.exe
2044	RegSvcs.exe
824	powershell.exe
2044	RegSvcs.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe
1392	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exewininit.exe

pid process

2044 RegSvcs.exe
2044 RegSvcs.exe
2044 RegSvcs.exe
2044 RegSvcs.exe
1392 wininit.exe
1392 wininit.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegSvcs.exepowershell.exewininit.exe

description pid process

Token: SeDebugPrivilege 2044 RegSvcs.exe
Token: SeDebugPrivilege 824 powershell.exe
Token: SeDebugPrivilege 1392 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Orden de Compra Urgente.exe

pid process

1612 Orden de Compra Urgente.exe
1612 Orden de Compra Urgente.exe

description	pid	process
Token: SeDebugPrivilege	2044	RegSvcs.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1392	wininit.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1612	Orden de Compra Urgente.exe
1612	Orden de Compra Urgente.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Orden de Compra Urgente.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1612 wrote to memory of 824	1612	Orden de Compra Urgente.exe	powershell.exe
PID 1612 wrote to memory of 824	1612	Orden de Compra Urgente.exe	powershell.exe
PID 1612 wrote to memory of 824	1612	Orden de Compra Urgente.exe	powershell.exe
PID 1612 wrote to memory of 824	1612	Orden de Compra Urgente.exe	powershell.exe
PID 1612 wrote to memory of 1372	1612	Orden de Compra Urgente.exe	schtasks.exe
PID 1612 wrote to memory of 1372	1612	Orden de Compra Urgente.exe	schtasks.exe
PID 1612 wrote to memory of 1372	1612	Orden de Compra Urgente.exe	schtasks.exe
PID 1612 wrote to memory of 1372	1612	Orden de Compra Urgente.exe	schtasks.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1612 wrote to memory of 2044	1612	Orden de Compra Urgente.exe	RegSvcs.exe
PID 1244 wrote to memory of 1392	1244	Explorer.EXE	wininit.exe
PID 1244 wrote to memory of 1392	1244	Explorer.EXE	wininit.exe
PID 1244 wrote to memory of 1392	1244	Explorer.EXE	wininit.exe
PID 1244 wrote to memory of 1392	1244	Explorer.EXE	wininit.exe
PID 1392 wrote to memory of 1120	1392	wininit.exe	cmd.exe
PID 1392 wrote to memory of 1120	1392	wininit.exe	cmd.exe
PID 1392 wrote to memory of 1120	1392	wininit.exe	cmd.exe
PID 1392 wrote to memory of 1120	1392	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\Orden de Compra Urgente.exe
"C:\Users\Admin\AppData\Local\Temp\Orden de Compra Urgente.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qBdLBxat.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qBdLBxat" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31BB.tmp"
3⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp31BB.tmp
Filesize
1KB

MD5
10e814ed1ee88d7d5de211f410605e02

SHA1
26d585e1604e0b99e745825e23602ef0ab75e1ae

SHA256
357b3389410fdcab10ad9475a1d89030adb9ec0caba367f4ef0df08e1f1b7536

SHA512
96f15d737e8e6787143bd6ffa1d14e62030d2753e168fe96a6f87a700539fafdf7a48470175fa0d1e7cb6c49886768aa92f389be42b2e6956d1ce78d2a3f4f31

Download Submit
memory/824-59-0x0000000000000000-mapping.dmp

Download
memory/824-74-0x000000006F0B0000-0x000000006F65B000-memory.dmp

Filesize
5.7MB

Download
memory/824-70-0x000000006F0B0000-0x000000006F65B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-80-0x0000000000000000-mapping.dmp

Download
memory/1244-86-0x0000000004F00000-0x0000000004F99000-memory.dmp

Filesize
612KB

Download
memory/1244-73-0x0000000006B90000-0x0000000006CAC000-memory.dmp

Filesize
1.1MB

Download
memory/1244-77-0x0000000006CB0000-0x0000000006DE5000-memory.dmp

Filesize
1.2MB

Download
memory/1244-87-0x0000000004F00000-0x0000000004F99000-memory.dmp

Filesize
612KB

Download
memory/1372-61-0x0000000000000000-mapping.dmp

Download
memory/1392-82-0x0000000001EB0000-0x00000000021B3000-memory.dmp

Filesize
3.0MB

Download
memory/1392-85-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1392-84-0x0000000001D10000-0x0000000001DA3000-memory.dmp

Filesize
588KB

Download
memory/1392-83-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1392-78-0x0000000000000000-mapping.dmp

Download
memory/1392-81-0x00000000000C0000-0x00000000000DA000-memory.dmp

Filesize
104KB

Download
memory/1612-57-0x0000000004350000-0x000000000435A000-memory.dmp

Filesize
40KB

Download
memory/1612-54-0x0000000000040000-0x0000000000102000-memory.dmp

Filesize
776KB

Download
memory/1612-56-0x0000000001FC0000-0x0000000001FD6000-memory.dmp

Filesize
88KB

Download
memory/1612-63-0x0000000008240000-0x0000000008278000-memory.dmp

Filesize
224KB

Download
memory/1612-58-0x000000000A950000-0x000000000A9D6000-memory.dmp

Filesize
536KB

Download
memory/1612-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-71-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/2044-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-76-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/2044-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-72-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/2044-68-0x000000000041F120-mapping.dmp

Download
memory/2044-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads