formbook | 392d84c160a17dd93a78b8549f5298d43d1f2ead6d236a1780bc290cc864e615

General

Target

formbook5.exe
Size

718KB
MD5

39cffb366d87292f4b5efecf69c32774
SHA1

104fe2e617556e97af1a6f5082bba003a8e9ff3d
SHA256

37e9f15077e6491eade2a03b73b9f48b0037c6995a5fbecdae7a942710d1dde1
SHA512

d508a86dc49fc5737904b23ceab055329ebf47dc77b119297a8d1fb6c1f17217a24ec0a714787e8dcda215381549a04d77d8212f0fd83ddcf1de545453d4078f
SSDEEP

12288:3hUWMtLdsIJ4Il6RXTTpbe0RRnT7QLtAeSfN5r5pHM2as8i9Rr5o7We:xhMtBsy6R82RnTEmewN5rr8i98

Score

10^/10

formbook gs25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/108-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/108-65-0x000000000041F1B0-mapping.dmp	formbook
behavioral1/memory/108-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/108-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/988-79-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/988-82-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 108	956	formbook5.exe	29
PID 108 set thread context of 1396	108	RegSvcs.exe	15
PID 108 set thread context of 1396	108	RegSvcs.exe	15
PID 988 set thread context of 1396	988	svchost.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
956	formbook5.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1396	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
988	svchost.exe
988	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	formbook5.exe
Token: SeDebugPrivilege	108	RegSvcs.exe
Token: SeDebugPrivilege	988	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 812	956	formbook5.exe	27
PID 956 wrote to memory of 812	956	formbook5.exe	27
PID 956 wrote to memory of 812	956	formbook5.exe	27
PID 956 wrote to memory of 812	956	formbook5.exe	27
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 956 wrote to memory of 108	956	formbook5.exe	29
PID 108 wrote to memory of 988	108	RegSvcs.exe	30
PID 108 wrote to memory of 988	108	RegSvcs.exe	30
PID 108 wrote to memory of 988	108	RegSvcs.exe	30
PID 108 wrote to memory of 988	108	RegSvcs.exe	30
PID 988 wrote to memory of 556	988	svchost.exe	31
PID 988 wrote to memory of 556	988	svchost.exe	31
PID 988 wrote to memory of 556	988	svchost.exe	31
PID 988 wrote to memory of 556	988	svchost.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396
- C:\Users\Admin\AppData\Local\Temp\formbook5.exe
  "C:\Users\Admin\AppData\Local\Temp\formbook5.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YaFLXNhWEOOsy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91E4.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp91E4.tmp

Filesize
1KB

MD5
772e2f364e8e1c30bc82df49dadc53a3

SHA1
be356b93872a3a948cef94d9266a164ad2f2fa01

SHA256
210b25a08cadd6cd9c62dd19fc59b57abb0092f103a5a35efd14907a1144255f

SHA512
a939624853d6216c34a9b07a60c7ade3396ad1a29ed836f50884636b4303020f87a7563a9979db78923cb9db7760d979190ef594e4959dcf269f77312a51fe66

Download Submit
memory/108-68-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/108-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-72-0x0000000000370000-0x0000000000385000-memory.dmp

Filesize
84KB

Download
memory/108-69-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/108-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/956-54-0x0000000000F10000-0x0000000000FCA000-memory.dmp

Filesize
744KB

Download
memory/956-56-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/956-58-0x0000000000AC0000-0x0000000000AF4000-memory.dmp

Filesize
208KB

Download
memory/956-57-0x0000000005250000-0x00000000052D8000-memory.dmp

Filesize
544KB

Download
memory/988-80-0x0000000000550000-0x00000000005E4000-memory.dmp

Filesize
592KB

Download
memory/988-77-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/988-78-0x00000000009B0000-0x0000000000CB3000-memory.dmp

Filesize
3.0MB

Download
memory/988-79-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/988-82-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1396-73-0x0000000006910000-0x00000000069F5000-memory.dmp

Filesize
916KB

Download
memory/1396-70-0x0000000006C40000-0x0000000006DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1396-81-0x0000000006A90000-0x0000000006B83000-memory.dmp

Filesize
972KB

Download
memory/1396-83-0x0000000006A90000-0x0000000006B83000-memory.dmp

Filesize
972KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads