formbook | bd653c9f26663d5ceb9c21dcbefb79f4a6c3d28e9c2363857a51d4daeab04a71

General

Target

SWIFT_5201660828948016.pdf.exe
Size

12KB
MD5

7735d8206f9275cf9d880695f5c51b1e
SHA1

df731f57a07985af8dc540d9cb828cbce2513a32
SHA256

bd653c9f26663d5ceb9c21dcbefb79f4a6c3d28e9c2363857a51d4daeab04a71
SHA512

855c0fa50de7679f8c05e5e13a1c53372ebac007a2169b9916214479e1031e31939a322057bc48ee9d3b105cbe2c46dda33b65986c6619e10615733f4ead7b13

Score

10^/10

formbook s4s9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s4s9

Decoy

qianyuandianshang.com

bernardklein.com

slhomeservices.com

findasaas.com

janellelancaster.xyz

umkpro.site

nr6949.online

mersquare.club

lanariproperties.com

3rdeyefocused.com

giftexpress8260.xyz

hilleleven.xyz

beajod.com

kosazs.online

ishare.team

mb314.com

xjjinxingda.com

ayekooprojectamazing.com

ballsybanter.com

todayshoppingbd.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1732-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1732-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1732-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3548-152-0x0000000000EB0000-0x0000000000EDF000-memory.dmp	formbook
behavioral2/memory/3548-155-0x0000000000EB0000-0x0000000000EDF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SWIFT_5201660828948016.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	SWIFT_5201660828948016.pdf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

SWIFT_5201660828948016.pdf.exeMSBuild.exeraserver.exe

description	pid	process	target process
PID 956 set thread context of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 1732 set thread context of 1012	1732	MSBuild.exe	Explorer.EXE
PID 1732 set thread context of 1012	1732	MSBuild.exe	Explorer.EXE
PID 3548 set thread context of 1012	3548	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

powershell.exeSWIFT_5201660828948016.pdf.exeMSBuild.exeraserver.exe

pid	process
3452	powershell.exe
3452	powershell.exe
956	SWIFT_5201660828948016.pdf.exe
956	SWIFT_5201660828948016.pdf.exe
1732	MSBuild.exe
1732	MSBuild.exe
1732	MSBuild.exe
1732	MSBuild.exe
1732	MSBuild.exe
1732	MSBuild.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe
3548	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1012 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSBuild.exeraserver.exe

pid process

1732 MSBuild.exe
1732 MSBuild.exe
1732 MSBuild.exe
1732 MSBuild.exe
3548 raserver.exe
3548 raserver.exe

pid	process
1012	Explorer.EXE

pid	process
1732	MSBuild.exe
1732	MSBuild.exe
1732	MSBuild.exe
1732	MSBuild.exe
3548	raserver.exe
3548	raserver.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SWIFT_5201660828948016.pdf.exepowershell.exeMSBuild.exeraserver.exe

description	pid	process
Token: SeDebugPrivilege	956	SWIFT_5201660828948016.pdf.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	1732	MSBuild.exe
Token: SeDebugPrivilege	3548	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SWIFT_5201660828948016.pdf.exeMSBuild.exeraserver.exe

description	pid	process	target process
PID 956 wrote to memory of 3452	956	SWIFT_5201660828948016.pdf.exe	powershell.exe
PID 956 wrote to memory of 3452	956	SWIFT_5201660828948016.pdf.exe	powershell.exe
PID 956 wrote to memory of 3452	956	SWIFT_5201660828948016.pdf.exe	powershell.exe
PID 956 wrote to memory of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 956 wrote to memory of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 956 wrote to memory of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 956 wrote to memory of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 956 wrote to memory of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 956 wrote to memory of 1732	956	SWIFT_5201660828948016.pdf.exe	MSBuild.exe
PID 1732 wrote to memory of 3548	1732	MSBuild.exe	raserver.exe
PID 1732 wrote to memory of 3548	1732	MSBuild.exe	raserver.exe
PID 1732 wrote to memory of 3548	1732	MSBuild.exe	raserver.exe
PID 3548 wrote to memory of 3688	3548	raserver.exe	cmd.exe
PID 3548 wrote to memory of 3688	3548	raserver.exe	cmd.exe
PID 3548 wrote to memory of 3688	3548	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1012

C:\Users\Admin\AppData\Local\Temp\SWIFT_5201660828948016.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT_5201660828948016.pdf.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:3688

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4544

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-130-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/956-131-0x0000000006620000-0x0000000006642000-memory.dmp

Filesize
136KB

Download
memory/1012-145-0x0000000003210000-0x0000000003373000-memory.dmp

Filesize
1.4MB

Download
memory/1012-157-0x0000000008610000-0x00000000086C8000-memory.dmp

Filesize
736KB

Download
memory/1012-148-0x0000000008410000-0x0000000008504000-memory.dmp

Filesize
976KB

Download
memory/1012-158-0x0000000008610000-0x00000000086C8000-memory.dmp

Filesize
736KB

Download
memory/1732-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-147-0x0000000001480000-0x0000000001494000-memory.dmp

Filesize
80KB

Download
memory/1732-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-144-0x0000000001410000-0x0000000001424000-memory.dmp

Filesize
80KB

Download
memory/1732-140-0x0000000000000000-mapping.dmp

Download
memory/1732-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-143-0x00000000014A0000-0x00000000017EA000-memory.dmp

Filesize
3.3MB

Download
memory/3452-137-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/3452-133-0x0000000003200000-0x0000000003236000-memory.dmp

Filesize
216KB

Download
memory/3452-138-0x0000000007E30000-0x00000000084AA000-memory.dmp

Filesize
6.5MB

Download
memory/3452-136-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/3452-135-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/3452-134-0x0000000005AD0000-0x00000000060F8000-memory.dmp

Filesize
6.2MB

Download
memory/3452-132-0x0000000000000000-mapping.dmp

Download
memory/3452-139-0x0000000006D00000-0x0000000006D1A000-memory.dmp

Filesize
104KB

Download
memory/3548-151-0x00000000008A0000-0x00000000008BF000-memory.dmp

Filesize
124KB

Download
memory/3548-154-0x0000000002D10000-0x000000000305A000-memory.dmp

Filesize
3.3MB

Download
memory/3548-155-0x0000000000EB0000-0x0000000000EDF000-memory.dmp

Filesize
188KB

Download
memory/3548-156-0x0000000002BC0000-0x0000000002C53000-memory.dmp

Filesize
588KB

Download
memory/3548-152-0x0000000000EB0000-0x0000000000EDF000-memory.dmp

Filesize
188KB

Download
memory/3548-150-0x0000000000000000-mapping.dmp

Download
memory/3688-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads