formbook | d13d078e3ca43adb581966a669f056116b1aaee681d1b6c026f0b6f4bb606324

General

Target

11-29-22.exe
Size

121KB
MD5

e906026bef372da3ac8618be9c0a1787
SHA1

d98429fcff9d667e116c8b99469070e7bdb0de59
SHA256

d13d078e3ca43adb581966a669f056116b1aaee681d1b6c026f0b6f4bb606324
SHA512

403de6adc801b3f460967f0b0d63003647265be67cc0336aeb60a1c31cdbed00199eb43c8bed489c777299db36f88f785b99e29bf15b4f3615bd907b3431f4cb
SSDEEP

3072:VEvf9OEud7hY72rOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/In/87gUHCzQgtn9x:u9OnGZwLf8

Score

10^/10

formbook fs44 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs44

Decoy

whneat.com

jljcw.net

pocodelivery.com

outofplacezine.com

yavuzcansigorta.com

xinhewood-cn.com

cartogogh.com

5avis.com

joyceyong.art

digitalsurf.community

blackcreekbarns.com

magazinedistribuidor.com

sportsgross.com

drevom.online

mayibeofservice.com

gareloi-digit.com

permitha.net

renaissanceestetica.com

facts-r-friends.com

dach-loc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3868-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3868-155-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4360-159-0x00000000003B0000-0x00000000003DF000-memory.dmp	formbook
behavioral2/memory/4360-161-0x00000000003B0000-0x00000000003DF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

11-29-22.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 11-29-22.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	11-29-22.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

11-29-22.exeMSBuild.exeWWAHost.exe

description	pid	process	target process
PID 400 set thread context of 3868	400	11-29-22.exe	MSBuild.exe
PID 3868 set thread context of 3044	3868	MSBuild.exe	Explorer.EXE
PID 4360 set thread context of 3044	4360	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exeMSBuild.exeWWAHost.exe

pid	process
3264	powershell.exe
3264	powershell.exe
4032	powershell.exe
4032	powershell.exe
3868	MSBuild.exe
3868	MSBuild.exe
3868	MSBuild.exe
3868	MSBuild.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe
4360	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.exeWWAHost.exe

pid process

3868 MSBuild.exe
3868 MSBuild.exe
3868 MSBuild.exe
4360 WWAHost.exe
4360 WWAHost.exe

pid	process
3044	Explorer.EXE

pid	process
3868	MSBuild.exe
3868	MSBuild.exe
3868	MSBuild.exe
4360	WWAHost.exe
4360	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe11-29-22.exepowershell.exeMSBuild.exeWWAHost.exe

description	pid	process
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	400	11-29-22.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3868	MSBuild.exe
Token: SeDebugPrivilege	4360	WWAHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

11-29-22.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 400 wrote to memory of 3264	400	11-29-22.exe	powershell.exe
PID 400 wrote to memory of 3264	400	11-29-22.exe	powershell.exe
PID 400 wrote to memory of 3264	400	11-29-22.exe	powershell.exe
PID 400 wrote to memory of 4032	400	11-29-22.exe	powershell.exe
PID 400 wrote to memory of 4032	400	11-29-22.exe	powershell.exe
PID 400 wrote to memory of 4032	400	11-29-22.exe	powershell.exe
PID 400 wrote to memory of 3868	400	11-29-22.exe	MSBuild.exe
PID 400 wrote to memory of 3868	400	11-29-22.exe	MSBuild.exe
PID 400 wrote to memory of 3868	400	11-29-22.exe	MSBuild.exe
PID 400 wrote to memory of 3868	400	11-29-22.exe	MSBuild.exe
PID 400 wrote to memory of 3868	400	11-29-22.exe	MSBuild.exe
PID 400 wrote to memory of 3868	400	11-29-22.exe	MSBuild.exe
PID 3044 wrote to memory of 4360	3044	Explorer.EXE	WWAHost.exe
PID 3044 wrote to memory of 4360	3044	Explorer.EXE	WWAHost.exe
PID 3044 wrote to memory of 4360	3044	Explorer.EXE	WWAHost.exe
PID 4360 wrote to memory of 868	4360	WWAHost.exe	cmd.exe
PID 4360 wrote to memory of 868	4360	WWAHost.exe	cmd.exe
PID 4360 wrote to memory of 868	4360	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\11-29-22.exe
  "C:\Users\Admin\AppData\Local\Temp\11-29-22.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-Date
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9befb8f6c6fcb990e6014c5b4aa8da88

SHA1
480221b1584f17c89e6b8ee41c1b5d0e041d3fc6

SHA256
d5ca9a675e7449c6405aca51a8f1b086d846f9ef53bd43cd57080aea589d9f4a

SHA512
d429a38d2288f0fdea92101d41000e30c85ef3d56c4f16a6c2afd2c2ab5f0183e11a12584dc3b328542e53e9b34f4effced1b46d0b208c975ebfce81c58b8c07

Download Submit
memory/400-133-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/400-137-0x0000000005C10000-0x0000000005CA2000-memory.dmp

Filesize
584KB

Download
memory/400-132-0x00000000004B0000-0x00000000004D4000-memory.dmp

Filesize
144KB

Download
memory/400-141-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/868-156-0x0000000000000000-mapping.dmp

Download
memory/3044-163-0x0000000008250000-0x000000000832E000-memory.dmp

Filesize
888KB

Download
memory/3044-162-0x0000000008250000-0x000000000832E000-memory.dmp

Filesize
888KB

Download
memory/3044-153-0x00000000080B0000-0x0000000008250000-memory.dmp

Filesize
1.6MB

Download
memory/3264-139-0x0000000004D40000-0x0000000004DA6000-memory.dmp

Filesize
408KB

Download
memory/3264-138-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/3264-144-0x0000000006160000-0x000000000617A000-memory.dmp

Filesize
104KB

Download
memory/3264-134-0x0000000000000000-mapping.dmp

Download
memory/3264-142-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/3264-140-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/3264-136-0x0000000004E50000-0x0000000005478000-memory.dmp

Filesize
6.2MB

Download
memory/3264-143-0x0000000007350000-0x00000000079CA000-memory.dmp

Filesize
6.5MB

Download
memory/3264-135-0x0000000002270000-0x00000000022A6000-memory.dmp

Filesize
216KB

Download
memory/3868-152-0x0000000001700000-0x0000000001714000-memory.dmp

Filesize
80KB

Download
memory/3868-151-0x0000000001740000-0x0000000001A8A000-memory.dmp

Filesize
3.3MB

Download
memory/3868-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-148-0x0000000000000000-mapping.dmp

Download
memory/4032-145-0x0000000000000000-mapping.dmp

Download
memory/4360-154-0x0000000000000000-mapping.dmp

Download
memory/4360-159-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/4360-160-0x0000000001240000-0x00000000012D3000-memory.dmp

Filesize
588KB

Download
memory/4360-161-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/4360-158-0x0000000001410000-0x000000000175A000-memory.dmp

Filesize
3.3MB

Download
memory/4360-157-0x0000000000960000-0x0000000000A3C000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads