formbook | 608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3

General

Target

Ordem de Compra pdf xxQ4h.exe
Size

894KB
MD5

973a94d5f2fb8e7d4da718d074dfd9eb
SHA1

707f58e7972ed3493b0bd62480e4ed9538eba93f
SHA256

608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3
SHA512

9b5dac4e93ff472550e557b9ea6e3bc4ccdcefd861886403a4c3729b9070de30d507ce3d4dc341d671416b1f4bd6e1a7a3624e5f9cd0f9935b3c375b89595250
SSDEEP

24576:EHryn040Nznszfdf0DYkmybe7hxtcPuDdEPf:6mp0SZfsgyOT6vP

Score

10^/10

formbook cy28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cy28

Decoy

100049723423.review

lovehealthcare.online

immuniversity.info

ihproductions.net

originatorsu.mobi

shxwjn.top

fivemeters.com

planettiki.site

berantaspinjol.online

oregonusedtrucks.com

darkstarkoi.com

izmirhaberci.world

41014.top

georgiaspanishgoats.com

dealstopstartups.click

ravmodeling.center

unsundayjesus.world

initialslash.site

shubaola.top

caserevision.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1864-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1864-68-0x000000000041F140-mapping.dmp	formbook
behavioral1/memory/1864-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1864-80-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1448-83-0x0000000000120000-0x000000000014F000-memory.dmp	formbook
behavioral1/memory/1448-87-0x0000000000120000-0x000000000014F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Ordem de Compra pdf xxQ4h.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 1456 set thread context of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1864 set thread context of 1324	1864	RegSvcs.exe	Explorer.EXE
PID 1864 set thread context of 1324	1864	RegSvcs.exe	Explorer.EXE
PID 1448 set thread context of 1324	1448	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1448 NETSTAT.EXE

pid	process
268	schtasks.exe

pid	process
1448	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

RegSvcs.exepowershell.exeNETSTAT.EXE

pid	process
1864	RegSvcs.exe
1864	RegSvcs.exe
1888	powershell.exe
1864	RegSvcs.exe
1448	NETSTAT.EXE
1448	NETSTAT.EXE
1448	NETSTAT.EXE
1448	NETSTAT.EXE
1448	NETSTAT.EXE
1448	NETSTAT.EXE
1448	NETSTAT.EXE
1448	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

1864 RegSvcs.exe
1864 RegSvcs.exe
1864 RegSvcs.exe
1864 RegSvcs.exe
1448 NETSTAT.EXE
1448 NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegSvcs.exepowershell.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1864	RegSvcs.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1448	NETSTAT.EXE
Token: SeShutdownPrivilege	1324	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1324 Explorer.EXE
1324 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1324 Explorer.EXE
1324 Explorer.EXE

pid	process
1324	Explorer.EXE
1324	Explorer.EXE

pid	process
1324	Explorer.EXE
1324	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Ordem de Compra pdf xxQ4h.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1456 wrote to memory of 1888	1456	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 1456 wrote to memory of 1888	1456	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 1456 wrote to memory of 1888	1456	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 1456 wrote to memory of 1888	1456	Ordem de Compra pdf xxQ4h.exe	powershell.exe
PID 1456 wrote to memory of 268	1456	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 1456 wrote to memory of 268	1456	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 1456 wrote to memory of 268	1456	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 1456 wrote to memory of 268	1456	Ordem de Compra pdf xxQ4h.exe	schtasks.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1456 wrote to memory of 1864	1456	Ordem de Compra pdf xxQ4h.exe	RegSvcs.exe
PID 1324 wrote to memory of 1448	1324	Explorer.EXE	NETSTAT.EXE
PID 1324 wrote to memory of 1448	1324	Explorer.EXE	NETSTAT.EXE
PID 1324 wrote to memory of 1448	1324	Explorer.EXE	NETSTAT.EXE
PID 1324 wrote to memory of 1448	1324	Explorer.EXE	NETSTAT.EXE
PID 1448 wrote to memory of 1904	1448	NETSTAT.EXE	cmd.exe
PID 1448 wrote to memory of 1904	1448	NETSTAT.EXE	cmd.exe
PID 1448 wrote to memory of 1904	1448	NETSTAT.EXE	cmd.exe
PID 1448 wrote to memory of 1904	1448	NETSTAT.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf xxQ4h.exe
"C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf xxQ4h.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IAFLNzOdgRR.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IAFLNzOdgRR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE551.tmp"
2⤵
- Creates scheduled task(s)
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE551.tmp
Filesize
1KB

MD5
79241af61fa0259b8f2ec187581b629d

SHA1
d41f11a6d377c433dba6b59ecf31c4a98d3c8563

SHA256
4f3d825d9e4a4cba1a2ff639fb8c7210eec64d254b4db0b2950811ace518b2c6

SHA512
fb4640fe183c0b4387bc12be69d000c24d4fd09d3d4b3cf7c7df8d84d870ca6b1499a283c1b3e211d4cb965a7fdceb076ae5a003b6ae7d4e9ea96a31f2afb3fc

Download Submit
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/1324-74-0x00000000063A0000-0x0000000006491000-memory.dmp

Filesize
964KB

Download
memory/1324-78-0x0000000006AF0000-0x0000000006C68000-memory.dmp

Filesize
1.5MB

Download
memory/1324-88-0x0000000007320000-0x000000000744A000-memory.dmp

Filesize
1.2MB

Download
memory/1324-86-0x0000000007320000-0x000000000744A000-memory.dmp

Filesize
1.2MB

Download
memory/1448-84-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1448-79-0x0000000000000000-mapping.dmp

Download
memory/1448-82-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/1448-83-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/1448-87-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/1448-85-0x0000000001E20000-0x0000000001EB3000-memory.dmp

Filesize
588KB

Download
memory/1456-58-0x00000000022A0000-0x0000000002346000-memory.dmp

Filesize
664KB

Download
memory/1456-63-0x00000000054F0000-0x000000000555C000-memory.dmp

Filesize
432KB

Download
memory/1456-54-0x0000000000270000-0x0000000000356000-memory.dmp

Filesize
920KB

Download
memory/1456-57-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/1456-56-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/1456-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1864-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-77-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/1864-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-73-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/1864-72-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1864-68-0x000000000041F140-mapping.dmp

Download
memory/1864-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-75-0x000000006E590000-0x000000006EB3B000-memory.dmp

Filesize
5.7MB

Download
memory/1888-69-0x000000006E590000-0x000000006EB3B000-memory.dmp

Filesize
5.7MB

Download
memory/1888-59-0x0000000000000000-mapping.dmp

Download
memory/1904-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads