formbook | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673

General

Target

6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
Size

964KB
MD5

f817bc5a13f0f7ffe8652f86dc0ce55f
SHA1

0f2d30796f411da74a3af083966bad88f4a3a326
SHA256

6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673
SHA512

5d09e4adcdf7a2a73972433b89021e702e08882ada4a536fbdb92c8fa492193822fcd8655003a2dfdf38840ebdba065b9f12cb6a3df5deab5ca2dc6c9fa533c2
SSDEEP

12288:q+6L7SIHNcIPaYJPaSiMae7TT4JwH/CW4yaWJSt:qZXbtc8aYJySiiPkSfC+f

Score

10^/10

formbook kbc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kbc

Decoy

ross76.com

modabyboutique.com

zenabode.store

peakorgmush.net

superchargelab.com

mumaniu.net

18costleyst.com

moreroomy.com

creativecardsnappanee.com

jameshamiltonphoto.com

amimania.com

ahaihealing.com

thecopy.coach

caishen2587.com

bigdickquick.com

suojincn.com

2020rl.com

jointbah.com

teddingtonstudios.com

javre.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/912-64-0x000000000041EB80-mapping.dmp	formbook
behavioral1/memory/912-63-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

description	pid	process	target process
PID 1032 set thread context of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1204 schtasks.exe

pid	process
1204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

pid	process
1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
912	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

description pid process

Token: SeDebugPrivilege 1032 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

description	pid	process
Token: SeDebugPrivilege	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

description	pid	process	target process
PID 1032 wrote to memory of 1204	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	schtasks.exe
PID 1032 wrote to memory of 1204	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	schtasks.exe
PID 1032 wrote to memory of 1204	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	schtasks.exe
PID 1032 wrote to memory of 1204	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	schtasks.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
PID 1032 wrote to memory of 912	1032	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe	6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe

C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
"C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CcbnPmJmAZnQJq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp843E.tmp"
2⤵
- Creates scheduled task(s)
PID:1204

C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
"C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:912

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp843E.tmp
Filesize
1KB

MD5
8598f088c141869a1c39d5b6e09f80a9

SHA1
8e814fbf23f4c0bfaec386f5738f2e64f5f0c65d

SHA256
4dcb7319e69687a1a04f0cd5037c72ae0df522978985832f4c8deee6482ab1b7

SHA512
b9728f178a20aadcf806b431ac114a08ba8d78cdec6fae911a72ef4822ea7319bfc62c18990cd6fd0a0a9b623bf0418f36b520aab5c0126b0f03aa5cd3677543

Download Submit
memory/912-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-64-0x000000000041EB80-mapping.dmp

Download
memory/912-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-65-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1032-54-0x0000000000EE0000-0x0000000000FD8000-memory.dmp

Filesize
992KB

Download
memory/1032-55-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1032-56-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1032-57-0x0000000005340000-0x00000000053A2000-memory.dmp

Filesize
392KB

Download
memory/1204-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads