formbook | 205f40228597bee4de6da0f386c14fde658b7dc6956fb2839a98504b48bd9377

General

Target

HSBC_MT 103 COPY.pdf.exe
Size

913KB
MD5

83f30904b0fb2c78fddeae79947701b5
SHA1

adecde754012010933b1f721025a470492a5842c
SHA256

205f40228597bee4de6da0f386c14fde658b7dc6956fb2839a98504b48bd9377
SHA512

ac011ebd3b4a1b1ffe6e6be52c8ec1847982cab91982b975ebf210cd175fb46be19f41c3f11c327f59b2bc305bfa3434f04e1b6c4ad3be9d314f25f8e71774a6
SSDEEP

24576:c5+rnaCWsDcWI+H3JOicO+PXG+/AG6K5:WUv/Dl3AK+n/AG6K5

Score

10^/10

formbook ba17 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1472-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1472-69-0x000000000041F1E0-mapping.dmp	formbook
behavioral1/memory/1472-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1236-82-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1236-86-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

916 cmd.exe

pid	process
916	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.exeexplorer.exe

description	pid	process	target process
PID 1652 set thread context of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1472 set thread context of 1276	1472	HSBC_MT 103 COPY.pdf.exe	Explorer.EXE
PID 1236 set thread context of 1276	1236	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1288 schtasks.exe

pid	process
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.exepowershell.exeexplorer.exe

pid	process
1652	HSBC_MT 103 COPY.pdf.exe
1652	HSBC_MT 103 COPY.pdf.exe
1652	HSBC_MT 103 COPY.pdf.exe
1472	HSBC_MT 103 COPY.pdf.exe
932	powershell.exe
1472	HSBC_MT 103 COPY.pdf.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeexplorer.exe

pid process

1472 HSBC_MT 103 COPY.pdf.exe
1472 HSBC_MT 103 COPY.pdf.exe
1472 HSBC_MT 103 COPY.pdf.exe
1236 explorer.exe
1236 explorer.exe

pid	process
1472	HSBC_MT 103 COPY.pdf.exe
1472	HSBC_MT 103 COPY.pdf.exe
1472	HSBC_MT 103 COPY.pdf.exe
1236	explorer.exe
1236	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeHSBC_MT 103 COPY.pdf.exepowershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1652	HSBC_MT 103 COPY.pdf.exe
Token: SeDebugPrivilege	1472	HSBC_MT 103 COPY.pdf.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1236	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

HSBC_MT 103 COPY.pdf.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1652 wrote to memory of 932	1652	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1652 wrote to memory of 932	1652	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1652 wrote to memory of 932	1652	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1652 wrote to memory of 932	1652	HSBC_MT 103 COPY.pdf.exe	powershell.exe
PID 1652 wrote to memory of 1288	1652	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1652 wrote to memory of 1288	1652	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1652 wrote to memory of 1288	1652	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1652 wrote to memory of 1288	1652	HSBC_MT 103 COPY.pdf.exe	schtasks.exe
PID 1652 wrote to memory of 920	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 920	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 920	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 920	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1652 wrote to memory of 1472	1652	HSBC_MT 103 COPY.pdf.exe	HSBC_MT 103 COPY.pdf.exe
PID 1276 wrote to memory of 1236	1276	Explorer.EXE	explorer.exe
PID 1276 wrote to memory of 1236	1276	Explorer.EXE	explorer.exe
PID 1276 wrote to memory of 1236	1276	Explorer.EXE	explorer.exe
PID 1276 wrote to memory of 1236	1276	Explorer.EXE	explorer.exe
PID 1236 wrote to memory of 916	1236	explorer.exe	cmd.exe
PID 1236 wrote to memory of 916	1236	explorer.exe	cmd.exe
PID 1236 wrote to memory of 916	1236	explorer.exe	cmd.exe
PID 1236 wrote to memory of 916	1236	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hjuQOAF.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hjuQOAF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC93.tmp"
3⤵
- Creates scheduled task(s)
PID:1288

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
3⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HSBC_MT 103 COPY.pdf.exe"
3⤵
- Deletes itself
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCC93.tmp
Filesize
1KB

MD5
f27b40a796fbd9c01ca9498d5558de2e

SHA1
6955ba8af9f25060e1a3898a5a2e8728516789f5

SHA256
fbcd2ff470b0081f7218cccc87de5fa7a3cc32bd4906c0bd466cf39dc8d0ed44

SHA512
72b8d49b8807be28dc7fececd72519a192d2aaf7ed1fc952cc25bcea2a0d59cc3b362d8114836b4dc782417b844737039ebec6755393d22bea786a719c4f9ff5

Download Submit
memory/916-80-0x0000000000000000-mapping.dmp

Download
memory/932-70-0x000000006E3B0000-0x000000006E95B000-memory.dmp

Filesize
5.7MB

Download
memory/932-59-0x0000000000000000-mapping.dmp

Download
memory/932-72-0x000000006E3B0000-0x000000006E95B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-79-0x0000000074601000-0x0000000074603000-memory.dmp

Filesize
8KB

Download
memory/1236-82-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1236-86-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1236-83-0x0000000002500000-0x0000000002803000-memory.dmp

Filesize
3.0MB

Download
memory/1236-81-0x0000000000E70000-0x00000000010F1000-memory.dmp

Filesize
2.5MB

Download
memory/1236-84-0x0000000000AE0000-0x0000000000B74000-memory.dmp

Filesize
592KB

Download
memory/1236-76-0x0000000000000000-mapping.dmp

Download
memory/1276-75-0x0000000006560000-0x00000000066EF000-memory.dmp

Filesize
1.6MB

Download
memory/1276-87-0x0000000005FB0000-0x00000000060B7000-memory.dmp

Filesize
1.0MB

Download
memory/1276-85-0x0000000005FB0000-0x00000000060B7000-memory.dmp

Filesize
1.0MB

Download
memory/1288-60-0x0000000000000000-mapping.dmp

Download
memory/1472-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-73-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/1472-69-0x000000000041F1E0-mapping.dmp

Download
memory/1472-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-74-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/1652-57-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1652-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1652-63-0x00000000023D0000-0x00000000023D6000-memory.dmp

Filesize
24KB

Download
memory/1652-56-0x0000000000510000-0x0000000000532000-memory.dmp

Filesize
136KB

Download
memory/1652-58-0x0000000005D80000-0x0000000005E10000-memory.dmp

Filesize
576KB

Download
memory/1652-54-0x0000000000BA0000-0x0000000000C8A000-memory.dmp

Filesize
936KB

Download
memory/1652-64-0x0000000004970000-0x00000000049B2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads