formbook | 67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901

General

Target

INVOICEKOMB20220001-03-10-22.pdf.exe
Size

1.2MB
MD5

cbe324036a077d5b84d4c22788ff0027
SHA1

5526abc6eb697c083d3071bd5b6cf8fb67f617af
SHA256

67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
SHA512

dd81a4fb9c160d96c9443e0e310c203f79573a71c54d404a0ada191d2d6224f440c899482df8d06a1ea871a98ae3e9c3e40d606b127be33478ed1d8afb955896
SSDEEP

24576:0AOcZ2i7W4sb3Vm6XYbh1GIoQHXehUcztVqEubl83o9Zkbg5:iv5EKhQOKWfqEUU2ZkM

Score

10^/10

formbook mh76 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/980-70-0x000000000041F1A0-mapping.dmp	formbook
behavioral1/memory/980-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/980-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/560-78-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/560-83-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

kvkpltj.exe

pid process

1788 kvkpltj.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

1564 WScript.exe

pid	process
1788	kvkpltj.exe

pid	process
1564	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kvkpltj.exeRegSvcs.exewuapp.exe

description	pid	process	target process
PID 1788 set thread context of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 980 set thread context of 1284	980	RegSvcs.exe	Explorer.EXE
PID 560 set thread context of 1284	560	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

RegSvcs.exewuapp.exe

pid	process
980	RegSvcs.exe
980	RegSvcs.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe
560	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewuapp.exe

pid process

980 RegSvcs.exe
980 RegSvcs.exe
980 RegSvcs.exe
560 wuapp.exe
560 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exewuapp.exe

description pid process

Token: SeDebugPrivilege 980 RegSvcs.exe
Token: SeDebugPrivilege 560 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	980	RegSvcs.exe
Token: SeDebugPrivilege	560	wuapp.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

INVOICEKOMB20220001-03-10-22.pdf.exeWScript.exekvkpltj.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1948 wrote to memory of 1564	1948	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 1948 wrote to memory of 1564	1948	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 1948 wrote to memory of 1564	1948	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 1948 wrote to memory of 1564	1948	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1564 wrote to memory of 1788	1564	WScript.exe	kvkpltj.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 956	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1788 wrote to memory of 980	1788	kvkpltj.exe	RegSvcs.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 1284 wrote to memory of 560	1284	Explorer.EXE	wuapp.exe
PID 560 wrote to memory of 1832	560	wuapp.exe	cmd.exe
PID 560 wrote to memory of 1832	560	wuapp.exe	cmd.exe
PID 560 wrote to memory of 1832	560	wuapp.exe	cmd.exe
PID 560 wrote to memory of 1832	560	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
"C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe" rncmatmqvf.src
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\muqal.hko
Filesize
371KB

MD5
01089645fc52b19921f23b83030e8d3d

SHA1
a5218ba5f4f551b100bb8344eba21a05f2e59ca1

SHA256
ab19240660f7105fd6b10c78a0e680bd62c7a7e27044fe768222050c3a46239d

SHA512
8639a003f916c68a841d23fff3d26a0fecd43fb74b61a816e0aef236a9c9348d6a9625a4e0c19db8f9f8b3d342ac981535479152194a11c13144c5260851eee1

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\rncmatmqvf.src
Filesize
199.4MB

MD5
b08d93f474f93437234952ee10d683a1

SHA1
495c4b4e35397d05fcc5794a4212d88813122f47

SHA256
b2f3178a3244c0a3212a36af3bfb4064e0b83271a1f5c95ac9213a2ae527ef74

SHA512
75740ee71896b50d33388b5a0da0aa3b374266f60c3542f71d6ca7d9fcf6ab8610d555a7c07ce7e5f6419575d2310b6a02d8aa9b1db3a4799242a4a94c19c6a2

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe
Filesize
29KB

MD5
227aa95434fd067fb526d1d5fe99bd13

SHA1
64b5f54a1166e976b855df86eec3326b57f0bbfd

SHA256
4d6709916c6c310172df66122d6c3373cded99c46b6beae078bf0b7f36072d40

SHA512
20b1db0192958fdd8d451faf23159771fe5db4abfdb6fbdad1c3a9fd1277879c4ffec3c84037fe2b987c8c0b89a2b57b2914aaa99097f896a129b7938ed9228f

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\vdawpc.xml
Filesize
48KB

MD5
6578e73332fcb06109246e684f411292

SHA1
eeb7a9df0ee6bbc82b20886574fc5af0f4130ef0

SHA256
c8ceba6692fec5da092951ebb7aad343178a8213cd9f730ba12ffb5f0f9aeb33

SHA512
33418dd335730759fd1b6b861453eb7a9673ab7abafa2908d8c441f9ed6ac7a2f92a85aeb42f6146aee672fea53598899f625c8f87e3407b42d13f5a147bc6e8

Download Submit
\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
memory/560-76-0x0000000000000000-mapping.dmp

Download
memory/560-77-0x00000000011F0000-0x00000000011FB000-memory.dmp

Filesize
44KB

Download
memory/560-83-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/560-81-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/560-80-0x0000000000BE0000-0x0000000000EE3000-memory.dmp

Filesize
3.0MB

Download
memory/560-78-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/980-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/980-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/980-73-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/980-74-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/980-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/980-70-0x000000000041F1A0-mapping.dmp

Download
memory/980-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-75-0x00000000041C0000-0x0000000004289000-memory.dmp

Filesize
804KB

Download
memory/1284-82-0x0000000006B70000-0x0000000006CBB000-memory.dmp

Filesize
1.3MB

Download
memory/1284-84-0x0000000006B70000-0x0000000006CBB000-memory.dmp

Filesize
1.3MB

Download
memory/1564-55-0x0000000000000000-mapping.dmp

Download
memory/1788-60-0x0000000000000000-mapping.dmp

Download
memory/1832-79-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads