formbook | 6fe094ec30939499261cd11a9f01973454719bf53617b1692b1089ac6607a79a

General

Target

11-29-22.exe
Size

121KB
MD5

e906026bef372da3ac8618be9c0a1787
SHA1

d98429fcff9d667e116c8b99469070e7bdb0de59
SHA256

d13d078e3ca43adb581966a669f056116b1aaee681d1b6c026f0b6f4bb606324
SHA512

403de6adc801b3f460967f0b0d63003647265be67cc0336aeb60a1c31cdbed00199eb43c8bed489c777299db36f88f785b99e29bf15b4f3615bd907b3431f4cb
SSDEEP

3072:VEvf9OEud7hY72rOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/In/87gUHCzQgtn9x:u9OnGZwLf8

Score

10^/10

formbook fs44 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs44

Decoy

whneat.com

jljcw.net

pocodelivery.com

outofplacezine.com

yavuzcansigorta.com

xinhewood-cn.com

cartogogh.com

5avis.com

joyceyong.art

digitalsurf.community

blackcreekbarns.com

magazinedistribuidor.com

sportsgross.com

drevom.online

mayibeofservice.com

gareloi-digit.com

permitha.net

renaissanceestetica.com

facts-r-friends.com

dach-loc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/208-150-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/208-152-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/208-160-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2208-162-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook
behavioral2/memory/2208-167-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11-29-22.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	11-29-22.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

11-29-22.exeMSBuild.exesystray.exe

description	pid	process	target process
PID 1192 set thread context of 208	1192	11-29-22.exe	MSBuild.exe
PID 208 set thread context of 2152	208	MSBuild.exe	Explorer.EXE
PID 208 set thread context of 2152	208	MSBuild.exe	Explorer.EXE
PID 2208 set thread context of 2152	2208	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exeMSBuild.exesystray.exe

pid	process
3792	powershell.exe
3792	powershell.exe
1756	powershell.exe
1756	powershell.exe
208	MSBuild.exe
208	MSBuild.exe
208	MSBuild.exe
208	MSBuild.exe
208	MSBuild.exe
208	MSBuild.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe
2208	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2152 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSBuild.exesystray.exe

pid process

208 MSBuild.exe
208 MSBuild.exe
208 MSBuild.exe
208 MSBuild.exe
2208 systray.exe
2208 systray.exe

pid	process
2152	Explorer.EXE

pid	process
208	MSBuild.exe
208	MSBuild.exe
208	MSBuild.exe
208	MSBuild.exe
2208	systray.exe
2208	systray.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe11-29-22.exepowershell.exeMSBuild.exesystray.exe

description	pid	process
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	1192	11-29-22.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	208	MSBuild.exe
Token: SeDebugPrivilege	2208	systray.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

11-29-22.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1192 wrote to memory of 3792	1192	11-29-22.exe	powershell.exe
PID 1192 wrote to memory of 3792	1192	11-29-22.exe	powershell.exe
PID 1192 wrote to memory of 3792	1192	11-29-22.exe	powershell.exe
PID 1192 wrote to memory of 1756	1192	11-29-22.exe	powershell.exe
PID 1192 wrote to memory of 1756	1192	11-29-22.exe	powershell.exe
PID 1192 wrote to memory of 1756	1192	11-29-22.exe	powershell.exe
PID 1192 wrote to memory of 208	1192	11-29-22.exe	MSBuild.exe
PID 1192 wrote to memory of 208	1192	11-29-22.exe	MSBuild.exe
PID 1192 wrote to memory of 208	1192	11-29-22.exe	MSBuild.exe
PID 1192 wrote to memory of 208	1192	11-29-22.exe	MSBuild.exe
PID 1192 wrote to memory of 208	1192	11-29-22.exe	MSBuild.exe
PID 1192 wrote to memory of 208	1192	11-29-22.exe	MSBuild.exe
PID 2152 wrote to memory of 2208	2152	Explorer.EXE	systray.exe
PID 2152 wrote to memory of 2208	2152	Explorer.EXE	systray.exe
PID 2152 wrote to memory of 2208	2152	Explorer.EXE	systray.exe
PID 2208 wrote to memory of 3572	2208	systray.exe	cmd.exe
PID 2208 wrote to memory of 3572	2208	systray.exe	cmd.exe
PID 2208 wrote to memory of 3572	2208	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\11-29-22.exe
  "C:\Users\Admin\AppData\Local\Temp\11-29-22.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-Date
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
ee31f317c95f1a42f4ae55380f0d3efd

SHA1
6fd95bbf869e659f68953d423218c7995621660b

SHA256
93aaeb46a0871f238b2274e6c8a319e4b722c4f25a727e56a821606c6f1a462d

SHA512
8bf5a4c408c940f3af362bf8e1590eb73f6f1cea87656d48dc1a53b72adf5f39618a069bb2e98765d3580518af03f9445a3bd14527f899aec16ada6adbd186a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
8e3a01fcdd7e305ba78d4bb8b5971b4a

SHA1
0ec86fae5100dcb794dbc3537146d0436dddd76d

SHA256
c56f9db9694265f36ae92aa2f3512093f56494344fc6d05e5ab31efc46f16219

SHA512
eddfb957e38cc73ad01cec7b97b97ae6cd9a5eb4b53908e315fe1e2c3e24ca53d1ee9c91b54475e3e44d3b3f2f2fbe3a032bd34d5c1ff4507c470ccee7529d26

Download Submit
memory/208-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-154-0x0000000000CA0000-0x0000000000CB4000-memory.dmp

Filesize
80KB

Download
memory/208-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-149-0x0000000000000000-mapping.dmp

Download
memory/208-157-0x0000000001110000-0x0000000001124000-memory.dmp

Filesize
80KB

Download
memory/208-153-0x0000000001170000-0x00000000014BA000-memory.dmp

Filesize
3.3MB

Download
memory/1192-135-0x0000000006250000-0x00000000062E2000-memory.dmp

Filesize
584KB

Download
memory/1192-139-0x0000000006230000-0x000000000623A000-memory.dmp

Filesize
40KB

Download
memory/1192-132-0x0000000000B50000-0x0000000000B74000-memory.dmp

Filesize
144KB

Download
memory/1192-133-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/1756-145-0x0000000000000000-mapping.dmp

Download
memory/2152-166-0x0000000008330000-0x00000000084B7000-memory.dmp

Filesize
1.5MB

Download
memory/2152-155-0x0000000008060000-0x00000000081F6000-memory.dmp

Filesize
1.6MB

Download
memory/2152-158-0x0000000008330000-0x00000000084B7000-memory.dmp

Filesize
1.5MB

Download
memory/2152-164-0x0000000008060000-0x00000000081F6000-memory.dmp

Filesize
1.6MB

Download
memory/2152-169-0x0000000007B30000-0x0000000007C17000-memory.dmp

Filesize
924KB

Download
memory/2152-170-0x0000000007B30000-0x0000000007C17000-memory.dmp

Filesize
924KB

Download
memory/2208-162-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/2208-161-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2208-168-0x0000000002700000-0x0000000002793000-memory.dmp

Filesize
588KB

Download
memory/2208-167-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/2208-159-0x0000000000000000-mapping.dmp

Download
memory/2208-165-0x0000000002890000-0x0000000002BDA000-memory.dmp

Filesize
3.3MB

Download
memory/3572-163-0x0000000000000000-mapping.dmp

Download
memory/3792-140-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3792-144-0x0000000006B50000-0x0000000006B6A000-memory.dmp

Filesize
104KB

Download
memory/3792-138-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/3792-141-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/3792-137-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/3792-142-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/3792-143-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/3792-136-0x0000000002D80000-0x0000000002DB6000-memory.dmp

Filesize
216KB

Download
memory/3792-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads