formbook | 27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84

General

Target

27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
Size

7KB
MD5

af5bbd736013f8528a3bd005472d32e4
SHA1

0a3445d75d92ee7b1b9e76d22ac72f775f2481f9
SHA256

27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84
SHA512

ce2e34520912ce40285598776adb55fd34c3882903ce3722728556070036144d492599147b84dac03267501a4d919219260fc16026da0cc6503859234c071320
SSDEEP

96:YICxjg4TvWzBuUPhsMYJCMuH7q+rDPfkHHJkZjTA3GnUODL:YfUuUPhhdbqASHa5Av0

Score

10^/10

formbook dv22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1960-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

description	pid	process	target process
PID 3960 set thread context of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

pid	process
3024	powershell.exe
3024	powershell.exe
3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
1960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
1960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
"C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
  C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
  2⤵
  PID:4140
- C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
  C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
  2⤵
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
  C:\Users\Admin\AppData\Local\Temp\27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-145-0x0000000000000000-mapping.dmp

Download
memory/1960-147-0x0000000000FB0000-0x00000000012FA000-memory.dmp

Filesize
3.3MB

Download
memory/1960-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-140-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3024-136-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/3024-138-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/3024-139-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/3024-141-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/3024-142-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/3024-135-0x0000000000000000-mapping.dmp

Download
memory/3204-144-0x0000000000000000-mapping.dmp

Download
memory/3960-137-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/3960-132-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/3960-134-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/3960-133-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/4140-143-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3960 wrote to memory of 3024	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	powershell.exe
PID 3960 wrote to memory of 3024	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	powershell.exe
PID 3960 wrote to memory of 3024	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	powershell.exe
PID 3960 wrote to memory of 4140	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 4140	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 4140	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 3204	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 3204	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 3204	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe
PID 3960 wrote to memory of 1960	3960	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe	27d5822dd4cdeafc49c43ccbb21ce23d954880fe396902ce9e5b5dac81a6cf84.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads