formbook | 68ecb3a0784bbfd4ac9f3d1c76cfc09cff02b4298839e2e1b293e9ef8833b265

General

Target

SecuriteInfo.com.Win32.PWSX-gen.1463.exe
Size

1.1MB
MD5

0ce09a0d9e6f501f9b4839058a712ef6
SHA1

de969216ac3b44862c490f0d8e74911fe36915e0
SHA256

68ecb3a0784bbfd4ac9f3d1c76cfc09cff02b4298839e2e1b293e9ef8833b265
SHA512

b63d3616ece35dbe634558a79d7d6cacc1b5d237288b440aa1f9e0e78c73f9cc1875e590dfed4269cb0b1ae41f982e388d9da0563a752371d33da83ff5745843
SSDEEP

12288:2qDhBzE3BExvIGnv9friMBm2pIsVMspKeUlP4ysY/LC+kobWX6GeakXwM:lcREqGFfri63K1sY/LoqWX6F7f

Score

10^/10

formbook s92n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s92n

Decoy

granlogiasoberana.com

roblox-so.com

buycarsonline.fyi

thesaleworld.com

laterlifegroup.com

lov3stia.com

frdgg.cfd

businessllp.com

margaretsbeautifiedshop.com

123bet.store

sadalagran.com

psychedelicshippiez.com

bonitaspringskayakrentals.com

thorsbyinsurance.com

visionauto-int.com

k3cosmetic.skin

ilogtv.com

one-big-yes.com

houseofmorrow.com

pisigranjariogrande.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4228-148-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.PWSX-gen.1463.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3248 set thread context of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
3688	powershell.exe
3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
4228	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
4228	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
3688	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe
Token: SeDebugPrivilege	3688	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 3688	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	86
PID 3248 wrote to memory of 3688	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	86
PID 3248 wrote to memory of 3688	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	86
PID 3248 wrote to memory of 948	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	88
PID 3248 wrote to memory of 948	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	88
PID 3248 wrote to memory of 948	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	88
PID 3248 wrote to memory of 4532	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	90
PID 3248 wrote to memory of 4532	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	90
PID 3248 wrote to memory of 4532	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	90
PID 3248 wrote to memory of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91
PID 3248 wrote to memory of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91
PID 3248 wrote to memory of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91
PID 3248 wrote to memory of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91
PID 3248 wrote to memory of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91
PID 3248 wrote to memory of 4228	3248	SecuriteInfo.com.Win32.PWSX-gen.1463.exe	91

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.1463.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.1463.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XtxQKr.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XtxQKr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp735B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:948
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.1463.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.1463.exe"
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.1463.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.1463.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp735B.tmp

Filesize
1KB

MD5
bfbeac1894b46cd095afa1318c59fa5e

SHA1
a2943827f080ca4f18d046184320716abc623577

SHA256
62586e0c3f3b60595f528e59074fcca03bfa4163932e0293407e3919eeaddac5

SHA512
0d2ca994c805ee19786fc51c9484d223385c115921590662c2b63524dfb89b6ed3161e0794ffac52c66eb13a0ffa51111cd54dc955f0b62dae6c45e68405a204

Download Submit
memory/3248-136-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/3248-137-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/3248-138-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/3248-139-0x0000000009160000-0x00000000091FC000-memory.dmp

Filesize
624KB

Download
memory/3248-140-0x0000000009550000-0x00000000095B6000-memory.dmp

Filesize
408KB

Download
memory/3248-135-0x0000000000C70000-0x0000000000D9A000-memory.dmp

Filesize
1.2MB

Download
memory/3688-149-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/3688-156-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/3688-145-0x00000000058F0000-0x0000000005F18000-memory.dmp

Filesize
6.2MB

Download
memory/3688-162-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/3688-161-0x0000000007A60000-0x0000000007A7A000-memory.dmp

Filesize
104KB

Download
memory/3688-160-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/3688-150-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3688-159-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/3688-152-0x0000000005170000-0x000000000518E000-memory.dmp

Filesize
120KB

Download
memory/3688-153-0x00000000069F0000-0x0000000006A22000-memory.dmp

Filesize
200KB

Download
memory/3688-154-0x0000000075770000-0x00000000757BC000-memory.dmp

Filesize
304KB

Download
memory/3688-155-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/3688-143-0x0000000002B00000-0x0000000002B36000-memory.dmp

Filesize
216KB

Download
memory/3688-157-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/3688-158-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/4228-151-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/4228-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads