formbook | 5ab8f32d7ca605e9a8dac9336056c16a557eef273998ca1ec70e1ccc6eb80319

General

Target

19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe
Size

696KB
MD5

0a3090e1388dd1d864c61ce2da00e9ad
SHA1

0d5c2bc5f9dee93582c0f44284b7de83d2fb7724
SHA256

19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417
SHA512

0711a80fd227cff79ea5cdf783c7c2f6a18ac15d7d326a058724d247ef2ff9bd9fb72d2bc1174acb6e1f9f58093baec0b00b0602ade4d792de77e5e362fca023
SSDEEP

12288:H/Hvgh/PsZ1DX/VDJGBtNvY3jvhnAXO8kL/BRVSIXt1yffSyB30:Hfvgh/P9Z+jpnQOD/TzPWfSyy

Score

10^/10

formbook d0a7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4256-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4256-158-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2400-161-0x0000000000E50000-0x0000000000E7F000-memory.dmp	formbook
behavioral2/memory/2400-168-0x0000000000E50000-0x0000000000E7F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 4256 set thread context of 2640	4256	RegSvcs.exe	55
PID 2400 set thread context of 2640	2400	chkdsk.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2092	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3300	powershell.exe
4256	RegSvcs.exe
4256	RegSvcs.exe
4256	RegSvcs.exe
4256	RegSvcs.exe
3300	powershell.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe
2400	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4256	RegSvcs.exe
4256	RegSvcs.exe
4256	RegSvcs.exe
2400	chkdsk.exe
2400	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	4256	RegSvcs.exe
Token: SeDebugPrivilege	2400	chkdsk.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 3300	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	84
PID 1428 wrote to memory of 3300	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	84
PID 1428 wrote to memory of 3300	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	84
PID 1428 wrote to memory of 2092	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	86
PID 1428 wrote to memory of 2092	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	86
PID 1428 wrote to memory of 2092	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	86
PID 1428 wrote to memory of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 1428 wrote to memory of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 1428 wrote to memory of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 1428 wrote to memory of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 1428 wrote to memory of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 1428 wrote to memory of 4256	1428	19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe	88
PID 2640 wrote to memory of 2400	2640	Explorer.EXE	89
PID 2640 wrote to memory of 2400	2640	Explorer.EXE	89
PID 2640 wrote to memory of 2400	2640	Explorer.EXE	89
PID 2400 wrote to memory of 2720	2400	chkdsk.exe	90
PID 2400 wrote to memory of 2720	2400	chkdsk.exe	90
PID 2400 wrote to memory of 2720	2400	chkdsk.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe
  "C:\Users\Admin\AppData\Local\Temp\19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KgnrSbbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgnrSbbc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB083.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB083.tmp

Filesize
1KB

MD5
625f8780d1e8c53f047c3b7dd0fee098

SHA1
06fb6c97f9adc0f28134d2688257758b7e300d35

SHA256
e39645ff50b470b23957826d9d8db34ae266250e54c545728b0c560aa040ccae

SHA512
82605e2417b86d9a0c14ca20cbad8086d86e856ffb7db87dd100fd24ddb16f8b71799f72a947c4bb4b4117520ca59e595c6c689002f0dae3277df78a7b15e034

Download Submit
memory/1428-136-0x0000000007A60000-0x0000000007AFC000-memory.dmp

Filesize
624KB

Download
memory/1428-134-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/1428-135-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/1428-132-0x0000000000650000-0x0000000000704000-memory.dmp

Filesize
720KB

Download
memory/1428-133-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/2400-164-0x00000000015D0000-0x000000000191A000-memory.dmp

Filesize
3.3MB

Download
memory/2400-168-0x0000000000E50000-0x0000000000E7F000-memory.dmp

Filesize
188KB

Download
memory/2400-169-0x0000000001410000-0x00000000014A4000-memory.dmp

Filesize
592KB

Download
memory/2400-161-0x0000000000E50000-0x0000000000E7F000-memory.dmp

Filesize
188KB

Download
memory/2400-160-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/2640-171-0x0000000008720000-0x00000000088A7000-memory.dmp

Filesize
1.5MB

Download
memory/2640-170-0x0000000008720000-0x00000000088A7000-memory.dmp

Filesize
1.5MB

Download
memory/2640-150-0x0000000002BF0000-0x0000000002D33000-memory.dmp

Filesize
1.3MB

Download
memory/3300-151-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/3300-145-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/3300-152-0x0000000006940000-0x0000000006972000-memory.dmp

Filesize
200KB

Download
memory/3300-153-0x0000000070D30000-0x0000000070D7C000-memory.dmp

Filesize
304KB

Download
memory/3300-154-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/3300-155-0x0000000007CD0000-0x000000000834A000-memory.dmp

Filesize
6.5MB

Download
memory/3300-156-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/3300-139-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/3300-159-0x0000000007700000-0x000000000770A000-memory.dmp

Filesize
40KB

Download
memory/3300-147-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3300-142-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/3300-162-0x0000000007900000-0x0000000007996000-memory.dmp

Filesize
600KB

Download
memory/3300-144-0x0000000005C10000-0x0000000005C32000-memory.dmp

Filesize
136KB

Download
memory/3300-167-0x00000000079A0000-0x00000000079A8000-memory.dmp

Filesize
32KB

Download
memory/3300-165-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/3300-166-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/4256-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-149-0x0000000000E60000-0x0000000000E75000-memory.dmp

Filesize
84KB

Download
memory/4256-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-148-0x0000000000EF0000-0x000000000123A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads