formbook | 1f364b54ed1d03b1f87fe2bf0d7a376029298c3250611dab92dcba2d210afe1d

General

Target

HSBC_MT 103 COPY.pdf.exe
Size

857KB
MD5

3dfd937682599beaeb0ba57dcabe4638
SHA1

6e65a4de334ececb97add5e15ce6b55e1edf7ae9
SHA256

1f364b54ed1d03b1f87fe2bf0d7a376029298c3250611dab92dcba2d210afe1d
SHA512

9300f3bc9eeefc972a35189ffb85e6a28465f77d3a4ece17db5492f73dfca6b2f771f373b623e082d3b4b077ed9dfeec10ab50a0119d145984fccfbe3b35488d
SSDEEP

24576:ADCaT/0shbH1RT/0shb+M1X2S3plUdMW+1JhpuVerBG:al5x4GjsdMTn6eF

Score

10^/10

formbook ba17 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/332-68-0x000000000041F1E0-mapping.dmp	formbook
behavioral1/memory/332-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/332-70-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/332-80-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/280-84-0x00000000000B0000-0x00000000000DF000-memory.dmp	formbook
behavioral1/memory/280-88-0x00000000000B0000-0x00000000000DF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

664 cmd.exe

pid	process
664	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.execmstp.exe

description	pid	process	target process
PID 1648 set thread context of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 332 set thread context of 1344	332	HSBC_MT 103 COPY.pdf.exe	Explorer.EXE
PID 332 set thread context of 1344	332	HSBC_MT 103 COPY.pdf.exe	Explorer.EXE
PID 280 set thread context of 1344	280	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1152 schtasks.exe

pid	process
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exepowershell.exeHSBC_MT 103 COPY.pdf.execmstp.exe

pid	process
1648	HSBC_MT 103 COPY.pdf.exe
1648	HSBC_MT 103 COPY.pdf.exe
2040	powershell.exe
332	HSBC_MT 103 COPY.pdf.exe
332	HSBC_MT 103 COPY.pdf.exe
332	HSBC_MT 103 COPY.pdf.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe
280	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

HSBC_MT 103 COPY.pdf.execmstp.exe

pid process

332 HSBC_MT 103 COPY.pdf.exe
332 HSBC_MT 103 COPY.pdf.exe
332 HSBC_MT 103 COPY.pdf.exe
332 HSBC_MT 103 COPY.pdf.exe
280 cmstp.exe
280 cmstp.exe

pid	process
332	HSBC_MT 103 COPY.pdf.exe
332	HSBC_MT 103 COPY.pdf.exe
332	HSBC_MT 103 COPY.pdf.exe
332	HSBC_MT 103 COPY.pdf.exe
280	cmstp.exe
280	cmstp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exepowershell.exeHSBC_MT 103 COPY.pdf.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	1648	HSBC_MT 103 COPY.pdf.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	332	HSBC_MT 103 COPY.pdf.exe
Token: SeDebugPrivilege	280	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.execmstp.exe

description	pid	process	target process
PID 1648 wrote to memory of 2040	1648	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1648 wrote to memory of 2040	1648	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1648 wrote to memory of 2040	1648	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1648 wrote to memory of 2040	1648	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1648 wrote to memory of 1152	1648	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1648 wrote to memory of 1152	1648	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1648 wrote to memory of 1152	1648	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1648 wrote to memory of 1152	1648	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1648 wrote to memory of 332	1648	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 332 wrote to memory of 280	332	HSBC_MT 103 COPY.pdf.exe	cmstp.exe
PID 280 wrote to memory of 664	280	cmstp.exe	cmd.exe
PID 280 wrote to memory of 664	280	cmstp.exe	cmd.exe
PID 280 wrote to memory of 664	280	cmstp.exe	cmd.exe
PID 280 wrote to memory of 664	280	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1344

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fkjsDNq.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fkjsDNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED8B.tmp"
3⤵
- Creates scheduled task(s)
PID:1152

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
4⤵
PID:1476

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
5⤵
- Deletes itself
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED8B.tmp
Filesize
1KB

MD5
190ee732b691dc253eb3832e694199e5

SHA1
96844b1a36904d222b37fa76d7ba571821de4899

SHA256
7b6f2c9ad51be24366ab54d8b48ebd24d5bf5fb0b400ef5c5e26057d01bd332d

SHA512
5ba21dac06953b9fae34046ecddfb4c32f8914f814e33fd8ce962655ac16a1c96ec493f0c5e8f4b221e2cfc35c107a00056c44cdc1f9c3741d74ee042bc4f8c7

Download Submit
memory/280-79-0x0000000000000000-mapping.dmp

Download
memory/280-84-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/280-83-0x0000000000040000-0x0000000000058000-memory.dmp

Filesize
96KB

Download
memory/280-85-0x0000000001FF0000-0x00000000022F3000-memory.dmp

Filesize
3.0MB

Download
memory/280-88-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/280-86-0x0000000001E00000-0x0000000001E94000-memory.dmp

Filesize
592KB

Download
memory/332-72-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/332-77-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/332-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/332-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/332-68-0x000000000041F1E0-mapping.dmp

Download
memory/332-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/332-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/332-73-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download
memory/332-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-82-0x0000000000000000-mapping.dmp

Download
memory/1152-60-0x0000000000000000-mapping.dmp

Download
memory/1344-89-0x0000000004320000-0x0000000004475000-memory.dmp

Filesize
1.3MB

Download
memory/1344-87-0x0000000004320000-0x0000000004475000-memory.dmp

Filesize
1.3MB

Download
memory/1344-78-0x0000000006590000-0x00000000066F0000-memory.dmp

Filesize
1.4MB

Download
memory/1344-74-0x0000000006400000-0x000000000655F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-56-0x0000000000960000-0x000000000097A000-memory.dmp

Filesize
104KB

Download
memory/1648-54-0x0000000000300000-0x00000000003DC000-memory.dmp

Filesize
880KB

Download
memory/1648-63-0x0000000004FC0000-0x0000000004FF4000-memory.dmp

Filesize
208KB

Download
memory/1648-55-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download
memory/1648-57-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/1648-58-0x0000000007D20000-0x0000000007DA4000-memory.dmp

Filesize
528KB

Download
memory/2040-71-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-75-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads