formbook | 608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3

General

Target

Ordem de Compra pdf xxQ4h.exe
Size

894KB
MD5

973a94d5f2fb8e7d4da718d074dfd9eb
SHA1

707f58e7972ed3493b0bd62480e4ed9538eba93f
SHA256

608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3
SHA512

9b5dac4e93ff472550e557b9ea6e3bc4ccdcefd861886403a4c3729b9070de30d507ce3d4dc341d671416b1f4bd6e1a7a3624e5f9cd0f9935b3c375b89595250
SSDEEP

24576:EHryn040Nznszfdf0DYkmybe7hxtcPuDdEPf:6mp0SZfsgyOT6vP

Score

10^/10

formbook cy28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cy28

Decoy

100049723423.review

lovehealthcare.online

immuniversity.info

ihproductions.net

originatorsu.mobi

shxwjn.top

fivemeters.com

planettiki.site

berantaspinjol.online

oregonusedtrucks.com

darkstarkoi.com

izmirhaberci.world

41014.top

georgiaspanishgoats.com

dealstopstartups.click

ravmodeling.center

unsundayjesus.world

initialslash.site

shubaola.top

caserevision.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4232-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4232-154-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4744-157-0x0000000000850000-0x000000000087F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ordem de Compra pdf xxQ4h.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Ordem de Compra pdf xxQ4h.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Ordem de Compra pdf xxQ4h.exeRegSvcs.exe

description	pid	process	target process
PID 4740 set thread context of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 4232 set thread context of 2764	4232	RegSvcs.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3284 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

pid	process
3284	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

RegSvcs.exepowershell.exechkdsk.exe

pid	process
4232	RegSvcs.exe
4232	RegSvcs.exe
4232	RegSvcs.exe
4232	RegSvcs.exe
4836	powershell.exe
4836	powershell.exe
4744	chkdsk.exe
4744	chkdsk.exe
4744	chkdsk.exe
4744	chkdsk.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegSvcs.exechkdsk.exe

pid process

4232 RegSvcs.exe
4232 RegSvcs.exe
4232 RegSvcs.exe
4744 chkdsk.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeRegSvcs.exechkdsk.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4232	RegSvcs.exe
Token: SeDebugPrivilege	4744	chkdsk.exe
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Ordem de Compra pdf xxQ4h.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 4740 wrote to memory of 4836	4740	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 4740 wrote to memory of 4836	4740	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 4740 wrote to memory of 4836	4740	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 4740 wrote to memory of 3284	4740	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 4740 wrote to memory of 3284	4740	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 4740 wrote to memory of 3284	4740	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 4740 wrote to memory of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 4740 wrote to memory of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 4740 wrote to memory of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 4740 wrote to memory of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 4740 wrote to memory of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 4740 wrote to memory of 4232	4740	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 2764 wrote to memory of 4744	2764	Explorer.EXE	chkdsk.exe
PID 2764 wrote to memory of 4744	2764	Explorer.EXE	chkdsk.exe
PID 2764 wrote to memory of 4744	2764	Explorer.EXE	chkdsk.exe
PID 4744 wrote to memory of 3708	4744	chkdsk.exe	cmd.exe
PID 4744 wrote to memory of 3708	4744	chkdsk.exe	cmd.exe
PID 4744 wrote to memory of 3708	4744	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf xxQ4h.exe
"C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf xxQ4h.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IAFLNzOdgRR.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IAFLNzOdgRR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp40E7.tmp"
3⤵
- Creates scheduled task(s)
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp40E7.tmp
Filesize
1KB

MD5
34622c2e8ff965cd2bb6d5eb913a2581

SHA1
035bb77f09db0b2a5f5938e96311e4e9c0843dba

SHA256
eaa6286d5bcf93f71a1eaea1e975123d41514a09cc2c6267c8e6ae511a109a09

SHA512
15aff1fb702c54336d4d5648a173d2bbfe551c22e273d0a9b2f84a2520484605ed1a0ae3b757c319aac6c610b32b75cde277f125efe020d884d7c2b857a4f8a9

Download Submit
memory/2764-151-0x00000000082F0000-0x000000000845A000-memory.dmp

Filesize
1.4MB

Download
memory/2764-166-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/2764-167-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2764-169-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2764-168-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3284-139-0x0000000000000000-mapping.dmp

Download
memory/3708-155-0x0000000000000000-mapping.dmp

Download
memory/4232-143-0x0000000000000000-mapping.dmp

Download
memory/4232-149-0x00000000013A0000-0x00000000016EA000-memory.dmp

Filesize
3.3MB

Download
memory/4232-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-150-0x00000000012E0000-0x00000000012F4000-memory.dmp

Filesize
80KB

Download
memory/4740-137-0x00000000077F0000-0x000000000788C000-memory.dmp

Filesize
624KB

Download
memory/4740-136-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/4740-133-0x0000000000910000-0x00000000009F6000-memory.dmp

Filesize
920KB

Download
memory/4740-135-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4740-134-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/4744-158-0x0000000001020000-0x000000000136A000-memory.dmp

Filesize
3.3MB

Download
memory/4744-152-0x0000000000000000-mapping.dmp

Download
memory/4744-156-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/4744-157-0x0000000000850000-0x000000000087F000-memory.dmp

Filesize
188KB

Download
memory/4836-142-0x0000000005820000-0x0000000005E48000-memory.dmp

Filesize
6.2MB

Download
memory/4836-153-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/4836-148-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/4836-159-0x0000000006CF0000-0x0000000006D22000-memory.dmp

Filesize
200KB

Download
memory/4836-160-0x0000000070DD0000-0x0000000070E1C000-memory.dmp

Filesize
304KB

Download
memory/4836-161-0x0000000006CD0000-0x0000000006CEE000-memory.dmp

Filesize
120KB

Download
memory/4836-162-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/4836-163-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/4836-164-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/4836-165-0x0000000007CA0000-0x0000000007D36000-memory.dmp

Filesize
600KB

Download
memory/4836-147-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4836-145-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/4836-140-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/4836-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads