formbook | 1f364b54ed1d03b1f87fe2bf0d7a376029298c3250611dab92dcba2d210afe1d

General

Target

HSBC_MT 103 COPY.pdf.exe
Size

857KB
MD5

3dfd937682599beaeb0ba57dcabe4638
SHA1

6e65a4de334ececb97add5e15ce6b55e1edf7ae9
SHA256

1f364b54ed1d03b1f87fe2bf0d7a376029298c3250611dab92dcba2d210afe1d
SHA512

9300f3bc9eeefc972a35189ffb85e6a28465f77d3a4ece17db5492f73dfca6b2f771f373b623e082d3b4b077ed9dfeec10ab50a0119d145984fccfbe3b35488d
SSDEEP

24576:ADCaT/0shbH1RT/0shb+M1X2S3plUdMW+1JhpuVerBG:al5x4GjsdMTn6eF

Score

10^/10

formbook ba17 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2616-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2616-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/8-154-0x0000000000FC0000-0x0000000000FEF000-memory.dmp	formbook
behavioral2/memory/8-161-0x0000000000FC0000-0x0000000000FEF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HSBC_MT 103 COPY.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HSBC_MT 103 COPY.pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.exeWWAHost.exe

description	pid	process	target process
PID 1824 set thread context of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 2616 set thread context of 2520	2616	HSBC_MT 103 COPY.pdf.exe	Explorer.EXE
PID 8 set thread context of 2520	8	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4600 schtasks.exe

pid	process
4600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.exepowershell.exeWWAHost.exe

pid	process
1824	HSBC_MT 103 COPY.pdf.exe
1824	HSBC_MT 103 COPY.pdf.exe
1824	HSBC_MT 103 COPY.pdf.exe
1824	HSBC_MT 103 COPY.pdf.exe
1824	HSBC_MT 103 COPY.pdf.exe
1824	HSBC_MT 103 COPY.pdf.exe
2616	HSBC_MT 103 COPY.pdf.exe
2616	HSBC_MT 103 COPY.pdf.exe
2616	HSBC_MT 103 COPY.pdf.exe
2616	HSBC_MT 103 COPY.pdf.exe
4556	powershell.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
4556	powershell.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe
8	WWAHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeWWAHost.exe

pid process

2616 HSBC_MT 103 COPY.pdf.exe
2616 HSBC_MT 103 COPY.pdf.exe
2616 HSBC_MT 103 COPY.pdf.exe
8 WWAHost.exe
8 WWAHost.exe

pid	process
2616	HSBC_MT 103 COPY.pdf.exe
2616	HSBC_MT 103 COPY.pdf.exe
2616	HSBC_MT 103 COPY.pdf.exe
8	WWAHost.exe
8	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exepowershell.exeHSBC_MT 103 COPY.pdf.exeWWAHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1824	HSBC_MT 103 COPY.pdf.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2616	HSBC_MT 103 COPY.pdf.exe
Token: SeDebugPrivilege	8	WWAHost.exe
Token: SeShutdownPrivilege	2520	Explorer.EXE
Token: SeCreatePagefilePrivilege	2520	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1824 wrote to memory of 4556	1824	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1824 wrote to memory of 4556	1824	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1824 wrote to memory of 4556	1824	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1824 wrote to memory of 4600	1824	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1824 wrote to memory of 4600	1824	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1824 wrote to memory of 4600	1824	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1824 wrote to memory of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1824 wrote to memory of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1824 wrote to memory of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1824 wrote to memory of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1824 wrote to memory of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1824 wrote to memory of 2616	1824	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 2520 wrote to memory of 8	2520	Explorer.EXE	WWAHost.exe
PID 2520 wrote to memory of 8	2520	Explorer.EXE	WWAHost.exe
PID 2520 wrote to memory of 8	2520	Explorer.EXE	WWAHost.exe
PID 8 wrote to memory of 1728	8	WWAHost.exe	cmd.exe
PID 8 wrote to memory of 1728	8	WWAHost.exe	cmd.exe
PID 8 wrote to memory of 1728	8	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fkjsDNq.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fkjsDNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAFE.tmp"
3⤵
- Creates scheduled task(s)
PID:4600

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
3⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBAFE.tmp
Filesize
1KB

MD5
061445caa6e02ba42c9c264ec62dd3e5

SHA1
f2c72f6fe6bce7cb46cf294530f3d0019d35215a

SHA256
59227a09210c468d82203bbadf36bb154d8ce00202925132b6a10f6f05e7772b

SHA512
ab45e98bc0287fc44e600852c8f1e36422614a42a0bfbc6df100927705cdf30cc6f55c790e82e633481c2373241e0fc7504cf31e19ebbe46971022ef5d142f38

Download Submit
memory/8-156-0x0000000001E20000-0x000000000216A000-memory.dmp

Filesize
3.3MB

Download
memory/8-161-0x0000000000FC0000-0x0000000000FEF000-memory.dmp

Filesize
188KB

Download
memory/8-159-0x0000000002170000-0x0000000002204000-memory.dmp

Filesize
592KB

Download
memory/8-152-0x0000000000000000-mapping.dmp

Download
memory/8-153-0x0000000000260000-0x000000000033C000-memory.dmp

Filesize
880KB

Download
memory/8-154-0x0000000000FC0000-0x0000000000FEF000-memory.dmp

Filesize
188KB

Download
memory/1728-155-0x0000000000000000-mapping.dmp

Download
memory/1824-135-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/1824-136-0x0000000001710000-0x00000000017AC000-memory.dmp

Filesize
624KB

Download
memory/1824-133-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/1824-134-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/1824-132-0x0000000000CF0000-0x0000000000DCC000-memory.dmp

Filesize
880KB

Download
memory/2520-160-0x0000000008810000-0x0000000008927000-memory.dmp

Filesize
1.1MB

Download
memory/2520-149-0x00000000082D0000-0x0000000008415000-memory.dmp

Filesize
1.3MB

Download
memory/2520-158-0x00000000082D0000-0x0000000008415000-memory.dmp

Filesize
1.3MB

Download
memory/2520-168-0x0000000008810000-0x0000000008927000-memory.dmp

Filesize
1.1MB

Download
memory/2616-142-0x0000000000000000-mapping.dmp

Download
memory/2616-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-148-0x00000000010C0000-0x00000000010D5000-memory.dmp

Filesize
84KB

Download
memory/2616-147-0x0000000001590000-0x00000000018DA000-memory.dmp

Filesize
3.3MB

Download
memory/4556-166-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

Filesize
104KB

Download
memory/4556-164-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

Filesize
120KB

Download
memory/4556-157-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/4556-150-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/4556-141-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/4556-139-0x0000000003040000-0x0000000003076000-memory.dmp

Filesize
216KB

Download
memory/4556-172-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

Filesize
32KB

Download
memory/4556-162-0x0000000006F10000-0x0000000006F42000-memory.dmp

Filesize
200KB

Download
memory/4556-163-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/4556-145-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/4556-165-0x00000000082F0000-0x000000000896A000-memory.dmp

Filesize
6.5MB

Download
memory/4556-151-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/4556-167-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

Filesize
40KB

Download
memory/4556-137-0x0000000000000000-mapping.dmp

Download
memory/4556-169-0x0000000007EF0000-0x0000000007F86000-memory.dmp

Filesize
600KB

Download
memory/4556-170-0x0000000006F90000-0x0000000006F9E000-memory.dmp

Filesize
56KB

Download
memory/4556-171-0x0000000007F90000-0x0000000007FAA000-memory.dmp

Filesize
104KB

Download
memory/4600-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads