formbook | 0c3cf51bad9939b49a0a84465261c4bb1b218e9896a63b7d9b4a1fdd3e4e5d9b

General

Target

extracted_at_0x0.exe
Size

19KB
MD5

48e8120fe2553410035e7686bbadf6be
SHA1

ab8ccba71e5c0a8d0f0429da2991f7fb583f9feb
SHA256

0c3cf51bad9939b49a0a84465261c4bb1b218e9896a63b7d9b4a1fdd3e4e5d9b
SHA512

2420f967cd0cbab93476c898d17e83811e2653edbbdc04db8c7e289f3d5e0d3c409f138c7fdae3a7d354250a2d885ca04d527f77bb22ad3e581668883e7d6825
SSDEEP

192:6rtynt64526Ez3VVk80pf8stYcFmVc03KY:6rkt6452Fr2pfptYcFmVc03K

Score

10^/10

formbook mi24 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi24

Decoy

iberostargrandelmirador.info

emaginemru.com

clubeurowin.com

calspasjohnston.com

chasforg.me.uk

birslot.online

doyouthrive.com

collagenukr.shop

especiallyszhienough.com

g2-inc.online

bty0to.com

bodao.online

found-alerts.live

hcsilicon.com

19562.site

injurylawyersconsultants.com

annvandersteel.store

agenturplatzhirsch.store

descontosenergy.com

casesyanstarted.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/916-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

extracted_at_0x0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	extracted_at_0x0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

extracted_at_0x0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aphovzensb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uuullqqqbe\\Aphovzensb.exe\""	extracted_at_0x0.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

extracted_at_0x0.exeextracted_at_0x0.exe

description	pid	process	target process
PID 4728 set thread context of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 916 set thread context of 2976	916	extracted_at_0x0.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeextracted_at_0x0.exeextracted_at_0x0.exe

pid	process
3884	powershell.exe
3884	powershell.exe
4728	extracted_at_0x0.exe
4728	extracted_at_0x0.exe
916	extracted_at_0x0.exe
916	extracted_at_0x0.exe
916	extracted_at_0x0.exe
916	extracted_at_0x0.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

extracted_at_0x0.exe

pid process

916 extracted_at_0x0.exe

pid	process
916	extracted_at_0x0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

extracted_at_0x0.exepowershell.exeextracted_at_0x0.exe

description	pid	process
Token: SeDebugPrivilege	4728	extracted_at_0x0.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	916	extracted_at_0x0.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

extracted_at_0x0.exeExplorer.EXE

description	pid	process	target process
PID 4728 wrote to memory of 3884	4728	extracted_at_0x0.exe	powershell.exe
PID 4728 wrote to memory of 3884	4728	extracted_at_0x0.exe	powershell.exe
PID 4728 wrote to memory of 3884	4728	extracted_at_0x0.exe	powershell.exe
PID 4728 wrote to memory of 4692	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 4692	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 4692	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 4728 wrote to memory of 916	4728	extracted_at_0x0.exe	extracted_at_0x0.exe
PID 2976 wrote to memory of 1820	2976	Explorer.EXE	help.exe
PID 2976 wrote to memory of 1820	2976	Explorer.EXE	help.exe
PID 2976 wrote to memory of 1820	2976	Explorer.EXE	help.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
"C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
3⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-145-0x0000000000000000-mapping.dmp

Download
memory/916-149-0x0000000000C20000-0x0000000000C35000-memory.dmp

Filesize
84KB

Download
memory/916-148-0x00000000010E0000-0x000000000142A000-memory.dmp

Filesize
3.3MB

Download
memory/916-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-150-0x0000000006CE0000-0x0000000006DA0000-memory.dmp

Filesize
768KB

Download
memory/3884-140-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/3884-138-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/3884-139-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/3884-141-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/3884-142-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/3884-143-0x0000000006630000-0x000000000664A000-memory.dmp

Filesize
104KB

Download
memory/3884-137-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/3884-136-0x0000000000000000-mapping.dmp

Download
memory/4692-144-0x0000000000000000-mapping.dmp

Download
memory/4728-132-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/4728-135-0x00000000066F0000-0x0000000006712000-memory.dmp

Filesize
136KB

Download
memory/4728-134-0x0000000006740000-0x00000000067D2000-memory.dmp

Filesize
584KB

Download
memory/4728-133-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads