formbook | 0c3cf51bad9939b49a0a84465261c4bb1b218e9896a63b7d9b4a1fdd3e4e5d9b

General

Target

extracted_at_0x0.exe
Size

19KB
MD5

48e8120fe2553410035e7686bbadf6be
SHA1

ab8ccba71e5c0a8d0f0429da2991f7fb583f9feb
SHA256

0c3cf51bad9939b49a0a84465261c4bb1b218e9896a63b7d9b4a1fdd3e4e5d9b
SHA512

2420f967cd0cbab93476c898d17e83811e2653edbbdc04db8c7e289f3d5e0d3c409f138c7fdae3a7d354250a2d885ca04d527f77bb22ad3e581668883e7d6825
SSDEEP

192:6rtynt64526Ez3VVk80pf8stYcFmVc03KY:6rkt6452Fr2pfptYcFmVc03K

Score

10^/10

formbook mi24 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi24

Decoy

iberostargrandelmirador.info

emaginemru.com

clubeurowin.com

calspasjohnston.com

chasforg.me.uk

birslot.online

doyouthrive.com

collagenukr.shop

especiallyszhienough.com

g2-inc.online

bty0to.com

bodao.online

found-alerts.live

hcsilicon.com

19562.site

injurylawyersconsultants.com

annvandersteel.store

agenturplatzhirsch.store

descontosenergy.com

casesyanstarted.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/736-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/736-66-0x000000000041F0A0-mapping.dmp	formbook
behavioral1/memory/736-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/736-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1652-79-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe

pid	process
624	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

extracted_at_0x0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aphovzensb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uuullqqqbe\\Aphovzensb.exe\""	extracted_at_0x0.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

extracted_at_0x0.exeextracted_at_0x0.exeNAPSTAT.EXE

description	pid	process	target process
PID 1352 set thread context of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 736 set thread context of 1284	736	extracted_at_0x0.exe	Explorer.EXE
PID 736 set thread context of 1284	736	extracted_at_0x0.exe	Explorer.EXE
PID 1652 set thread context of 1284	1652	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

extracted_at_0x0.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	extracted_at_0x0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	extracted_at_0x0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	extracted_at_0x0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	extracted_at_0x0.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeextracted_at_0x0.exeNAPSTAT.EXE

pid	process
808	powershell.exe
736	extracted_at_0x0.exe
736	extracted_at_0x0.exe
736	extracted_at_0x0.exe
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

extracted_at_0x0.exeNAPSTAT.EXE

pid process

736 extracted_at_0x0.exe
736 extracted_at_0x0.exe
736 extracted_at_0x0.exe
736 extracted_at_0x0.exe
1652 NAPSTAT.EXE
1652 NAPSTAT.EXE

pid	process
1284	Explorer.EXE

pid	process
736	extracted_at_0x0.exe
736	extracted_at_0x0.exe
736	extracted_at_0x0.exe
736	extracted_at_0x0.exe
1652	NAPSTAT.EXE
1652	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

extracted_at_0x0.exepowershell.exeextracted_at_0x0.exeNAPSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1352	extracted_at_0x0.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	736	extracted_at_0x0.exe
Token: SeDebugPrivilege	1652	NAPSTAT.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

extracted_at_0x0.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1352 wrote to memory of 808	1352	extracted_at_0x0.exe	powershell.exe
PID 1352 wrote to memory of 808	1352	extracted_at_0x0.exe	powershell.exe
PID 1352 wrote to memory of 808	1352	extracted_at_0x0.exe	powershell.exe
PID 1352 wrote to memory of 808	1352	extracted_at_0x0.exe	powershell.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1352 wrote to memory of 736	1352	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 1284 wrote to memory of 1652	1284	Explorer.EXE	NAPSTAT.EXE
PID 1284 wrote to memory of 1652	1284	Explorer.EXE	NAPSTAT.EXE
PID 1284 wrote to memory of 1652	1284	Explorer.EXE	NAPSTAT.EXE
PID 1284 wrote to memory of 1652	1284	Explorer.EXE	NAPSTAT.EXE
PID 1652 wrote to memory of 624	1652	NAPSTAT.EXE	cmd.exe
PID 1652 wrote to memory of 624	1652	NAPSTAT.EXE	cmd.exe
PID 1652 wrote to memory of 624	1652	NAPSTAT.EXE	cmd.exe
PID 1652 wrote to memory of 624	1652	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
"C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1644

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe"
3⤵
- Deletes itself
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-76-0x0000000000000000-mapping.dmp

Download
memory/736-66-0x000000000041F0A0-mapping.dmp

Download
memory/736-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-72-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/736-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-69-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/736-68-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/736-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/808-61-0x000000006E830000-0x000000006EDDB000-memory.dmp

Filesize
5.7MB

Download
memory/808-60-0x000000006E830000-0x000000006EDDB000-memory.dmp

Filesize
5.7MB

Download
memory/808-59-0x000000006E830000-0x000000006EDDB000-memory.dmp

Filesize
5.7MB

Download
memory/808-57-0x0000000000000000-mapping.dmp

Download
memory/1284-81-0x0000000003AF0000-0x0000000003B87000-memory.dmp

Filesize
604KB

Download
memory/1284-70-0x00000000070C0000-0x00000000071C8000-memory.dmp

Filesize
1.0MB

Download
memory/1284-73-0x0000000007800000-0x000000000798A000-memory.dmp

Filesize
1.5MB

Download
memory/1284-82-0x0000000003AF0000-0x0000000003B87000-memory.dmp

Filesize
604KB

Download
memory/1352-56-0x0000000006010000-0x0000000006242000-memory.dmp

Filesize
2.2MB

Download
memory/1352-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1352-54-0x0000000001090000-0x000000000109A000-memory.dmp

Filesize
40KB

Download
memory/1652-77-0x0000000000A70000-0x0000000000AB6000-memory.dmp

Filesize
280KB

Download
memory/1652-78-0x0000000001EC0000-0x00000000021C3000-memory.dmp

Filesize
3.0MB

Download
memory/1652-79-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1652-80-0x00000000008E0000-0x0000000000974000-memory.dmp

Filesize
592KB

Download
memory/1652-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads