formbook | b6af4d62365de0a1bd4af15eb2012438146996caba9eab8ac1a89e904c8eca30

General

Target

ORDEN DE COMPRA DE DICIEMBRE pdf.exe
Size

573KB
MD5

e5666f11a9f07f0b5754f6e24be28ee7
SHA1

df09902dda3e6917bed30d53505384b60dadfa0a
SHA256

dbbbb6acb1f5da76b3a7b03130d5e8235ac8fcb43f16fdb7e226bcc595fde196
SHA512

e14242f82ae798afdad460d99a70bc9977f8c566a7da6d19287b906b03b1e24425d7481fa5a4aa93cde9288bf6a7b3195f90147f28e7d6e76175fa4d4fb82caf
SSDEEP

12288:QqXGLLa1ptsstO8w0WRMCJO7BkFIqpwp:QqWvqhOsmIqpwp

Score

10^/10

formbook d0a7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1720-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1720-69-0x000000000041F040-mapping.dmp	formbook
behavioral1/memory/1720-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/552-79-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/552-83-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exeRegSvcs.exewscript.exe

description	pid	process	target process
PID 892 set thread context of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 1720 set thread context of 1212	1720	RegSvcs.exe	Explorer.EXE
PID 552 set thread context of 1212	552	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe

pid	process
1096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exeRegSvcs.exepowershell.exewscript.exe

pid	process
892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe
892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe
1720	RegSvcs.exe
1720	RegSvcs.exe
1508	powershell.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe
552	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewscript.exe

pid process

1720 RegSvcs.exe
1720 RegSvcs.exe
1720 RegSvcs.exe
552 wscript.exe
552 wscript.exe

pid	process
1212	Explorer.EXE

pid	process
1720	RegSvcs.exe
1720	RegSvcs.exe
1720	RegSvcs.exe
552	wscript.exe
552	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exeRegSvcs.exepowershell.exewscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe
Token: SeDebugPrivilege	1720	RegSvcs.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	552	wscript.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

ORDEN DE COMPRA DE DICIEMBRE pdf.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 892 wrote to memory of 1508	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 892 wrote to memory of 1508	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 892 wrote to memory of 1508	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 892 wrote to memory of 1508	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	powershell.exe
PID 892 wrote to memory of 1096	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 892 wrote to memory of 1096	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 892 wrote to memory of 1096	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 892 wrote to memory of 1096	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	schtasks.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1936	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 892 wrote to memory of 1720	892	ORDEN DE COMPRA DE DICIEMBRE pdf.exe	RegSvcs.exe
PID 1212 wrote to memory of 552	1212	Explorer.EXE	wscript.exe
PID 1212 wrote to memory of 552	1212	Explorer.EXE	wscript.exe
PID 1212 wrote to memory of 552	1212	Explorer.EXE	wscript.exe
PID 1212 wrote to memory of 552	1212	Explorer.EXE	wscript.exe
PID 552 wrote to memory of 1324	552	wscript.exe	cmd.exe
PID 552 wrote to memory of 1324	552	wscript.exe	cmd.exe
PID 552 wrote to memory of 1324	552	wscript.exe	cmd.exe
PID 552 wrote to memory of 1324	552	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA DE DICIEMBRE pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA DE DICIEMBRE pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KiaSYgZ.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KiaSYgZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp54D5.tmp"
3⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54D5.tmp
Filesize
1KB

MD5
6e18041ec1afcb2c7f3a36b77f0fbc9e

SHA1
de24fe8ba8d312111c50260c65415b9a7106d518

SHA256
8f658737dc60e0034586af8f444de1fccd8c49072d644ea6b623953ce9317a0a

SHA512
1a99527d4226fa860d35f39042d651629e16c501846ce6a7ac81e4005bd266fe500d24e8125f0137ca35c5de132cfaa6c270bec84e4ba7f4860aac81317ef20f

Download Submit
memory/552-78-0x0000000002220000-0x0000000002523000-memory.dmp

Filesize
3.0MB

Download
memory/552-83-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/552-81-0x00000000003C0000-0x0000000000454000-memory.dmp

Filesize
592KB

Download
memory/552-77-0x0000000000C60000-0x0000000000C86000-memory.dmp

Filesize
152KB

Download
memory/552-74-0x0000000000000000-mapping.dmp

Download
memory/552-79-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/892-56-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/892-58-0x0000000007DE0000-0x0000000007E50000-memory.dmp

Filesize
448KB

Download
memory/892-55-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/892-54-0x0000000000970000-0x0000000000A06000-memory.dmp

Filesize
600KB

Download
memory/892-64-0x0000000005AE0000-0x0000000005B14000-memory.dmp

Filesize
208KB

Download
memory/892-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1096-61-0x0000000000000000-mapping.dmp

Download
memory/1212-84-0x00000000042F0000-0x00000000043B5000-memory.dmp

Filesize
788KB

Download
memory/1212-73-0x0000000004DB0000-0x0000000004E88000-memory.dmp

Filesize
864KB

Download
memory/1212-82-0x00000000042F0000-0x00000000043B5000-memory.dmp

Filesize
788KB

Download
memory/1324-76-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1508-63-0x000000006E4F0000-0x000000006EA9B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-80-0x000000006E4F0000-0x000000006EA9B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-72-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/1720-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-69-0x000000000041F040-mapping.dmp

Download
memory/1720-71-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads