formbook | 87491dc3e7e7bee41367da139e5110ca1a9b7bb1ea2c92dd20a8a96c8775fd98

General

Target

TEKLIF 2707.exe
Size

463KB
MD5

ee91a329dcc24caa6f613725339032f0
SHA1

13caf2c984420f49d456ee8f5d255d12b1e2994b
SHA256

87491dc3e7e7bee41367da139e5110ca1a9b7bb1ea2c92dd20a8a96c8775fd98
SHA512

73028d287bdf0761890be9d35c00868a57faa2782d59752c9cd678cd4ee991ff9ea6ac96a7b5febcc1fb57bfd1963bec89be51f651a696554d7b48cf7600c226

Score

10^/10

formbook kn30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kn30

Decoy

edeniabenz.com

laurenjsettles.com

schwyzerland.com

hdrslh.com

talleresmasabrazos.com

wesdop.xyz

xn--abcj-doab.net

visioresearch.net

vostextes.com

santoriniconciergethira.com

seektrainings.com

dogsocats.com

munjanichemical.com

sapnemekyadekha.online

hiartwork.com

remarquehomebuilders.com

huilege.com

pjslot.net

greatsolutionwebsite.xyz

graciousclothingstore.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5052-135-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5052-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4764-144-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook
behavioral2/memory/4764-147-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

TEKLIF 2707.exeInstallUtil.exechkdsk.exe

description	pid	process	target process
PID 4608 set thread context of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 5052 set thread context of 2748	5052	InstallUtil.exe	Explorer.EXE
PID 4764 set thread context of 2748	4764	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TEKLIF 2707.exeInstallUtil.exechkdsk.exe

pid	process
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
4608	TEKLIF 2707.exe
5052	InstallUtil.exe
5052	InstallUtil.exe
5052	InstallUtil.exe
5052	InstallUtil.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe
4764	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2748 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

InstallUtil.exechkdsk.exe

pid process

5052 InstallUtil.exe
5052 InstallUtil.exe
5052 InstallUtil.exe
4764 chkdsk.exe
4764 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TEKLIF 2707.exeInstallUtil.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 4608 TEKLIF 2707.exe
Token: SeDebugPrivilege 5052 InstallUtil.exe
Token: SeDebugPrivilege 4764 chkdsk.exe

pid	process
2748	Explorer.EXE

pid	process
5052	InstallUtil.exe
5052	InstallUtil.exe
5052	InstallUtil.exe
4764	chkdsk.exe
4764	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	4608	TEKLIF 2707.exe
Token: SeDebugPrivilege	5052	InstallUtil.exe
Token: SeDebugPrivilege	4764	chkdsk.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

TEKLIF 2707.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 4608 wrote to memory of 4892	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 4892	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 4892	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 1104	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 1104	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 1104	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 4608 wrote to memory of 5052	4608	TEKLIF 2707.exe	InstallUtil.exe
PID 2748 wrote to memory of 4764	2748	Explorer.EXE	chkdsk.exe
PID 2748 wrote to memory of 4764	2748	Explorer.EXE	chkdsk.exe
PID 2748 wrote to memory of 4764	2748	Explorer.EXE	chkdsk.exe
PID 4764 wrote to memory of 1304	4764	chkdsk.exe	cmd.exe
PID 4764 wrote to memory of 1304	4764	chkdsk.exe	cmd.exe
PID 4764 wrote to memory of 1304	4764	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\TEKLIF 2707.exe
"C:\Users\Admin\AppData\Local\Temp\TEKLIF 2707.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-133-0x0000000000000000-mapping.dmp

Download
memory/1304-142-0x0000000000000000-mapping.dmp

Download
memory/2748-139-0x00000000030E0000-0x000000000319C000-memory.dmp

Filesize
752KB

Download
memory/2748-149-0x00000000088E0000-0x0000000008A43000-memory.dmp

Filesize
1.4MB

Download
memory/2748-148-0x00000000088E0000-0x0000000008A43000-memory.dmp

Filesize
1.4MB

Download
memory/4608-131-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/4608-130-0x0000000000470000-0x00000000004EA000-memory.dmp

Filesize
488KB

Download
memory/4764-143-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/4764-140-0x0000000000000000-mapping.dmp

Download
memory/4764-145-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download
memory/4764-144-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4764-146-0x0000000001050000-0x00000000010E4000-memory.dmp

Filesize
592KB

Download
memory/4764-147-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4892-132-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000000E10000-0x0000000000E25000-memory.dmp

Filesize
84KB

Download
memory/5052-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-137-0x0000000001360000-0x00000000016AA000-memory.dmp

Filesize
3.3MB

Download
memory/5052-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads