formbook | 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca

General

Target

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
Size

260KB
MD5

d7f70f86875fb3aadfa0228690652fb3
SHA1

40745191f6897210d46c023259ac17084ebe0f12
SHA256

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca
SHA512

528a947c1219faeb14585ab9e5dbfd23cc2a8aaf1bbaa11fdff13699c904bdf5364c149de26fb91ba134d737d82d7208144d9036c0dc3f88ff56357fd8cb2701
SSDEEP

6144:QBn1/WI+GjGGWQ51zoG0cm9TsMhKULa2OEmQV2:g/nVGGZPoDceTXhxL2Pp

Score

10^/10

formbook tc10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tc10

Decoy

mwigyu.com

sepuluholx.com

nsdigitalagency.com

horrorkore.com

santaclaracoimbrakarate.com

myeternalsummer.com

laosmidnight-lotto.com

haremp.xyz

boyace.top

unusualwithdrawal.com

wildflowerkidsri.com

backlitvps.dev

topwellgas.com

k3nnsworld3.com

wanbang.xyz

cntvc.net

sjcamden.church

pussit24.com

claml.com

statisticsturkey.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3256-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3256-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5096-148-0x0000000000960000-0x000000000098F000-memory.dmp	formbook
behavioral2/memory/5096-153-0x0000000000960000-0x000000000098F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

leqls.exeleqls.exe

pid process

2228 leqls.exe
3256 leqls.exe

pid	process
2228	leqls.exe
3256	leqls.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

leqls.exeleqls.execolorcpl.exe

description	pid	process	target process
PID 2228 set thread context of 3256	2228	leqls.exe	leqls.exe
PID 3256 set thread context of 776	3256	leqls.exe	Explorer.EXE
PID 3256 set thread context of 776	3256	leqls.exe	Explorer.EXE
PID 5096 set thread context of 776	5096	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

leqls.execolorcpl.exe

pid	process
3256	leqls.exe
3256	leqls.exe
3256	leqls.exe
3256	leqls.exe
3256	leqls.exe
3256	leqls.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe
5096	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

776 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

leqls.exeleqls.execolorcpl.exe

pid process

2228 leqls.exe
3256 leqls.exe
3256 leqls.exe
3256 leqls.exe
3256 leqls.exe
5096 colorcpl.exe
5096 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

leqls.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 3256 leqls.exe
Token: SeDebugPrivilege 5096 colorcpl.exe

pid	process
776	Explorer.EXE

pid	process
2228	leqls.exe
3256	leqls.exe
3256	leqls.exe
3256	leqls.exe
3256	leqls.exe
5096	colorcpl.exe
5096	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	3256	leqls.exe
Token: SeDebugPrivilege	5096	colorcpl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exeleqls.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 2548 wrote to memory of 2228	2548	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe
PID 2548 wrote to memory of 2228	2548	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe
PID 2548 wrote to memory of 2228	2548	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe
PID 2228 wrote to memory of 3256	2228	leqls.exe	leqls.exe
PID 2228 wrote to memory of 3256	2228	leqls.exe	leqls.exe
PID 2228 wrote to memory of 3256	2228	leqls.exe	leqls.exe
PID 2228 wrote to memory of 3256	2228	leqls.exe	leqls.exe
PID 776 wrote to memory of 5096	776	Explorer.EXE	colorcpl.exe
PID 776 wrote to memory of 5096	776	Explorer.EXE	colorcpl.exe
PID 776 wrote to memory of 5096	776	Explorer.EXE	colorcpl.exe
PID 5096 wrote to memory of 404	5096	colorcpl.exe	cmd.exe
PID 5096 wrote to memory of 404	5096	colorcpl.exe	cmd.exe
PID 5096 wrote to memory of 404	5096	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
"C:\Users\Admin\AppData\Local\Temp\19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\leqls.exe
"C:\Users\Admin\AppData\Local\Temp\leqls.exe" C:\Users\Admin\AppData\Local\Temp\aqehglvbxjg.due
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\leqls.exe
"C:\Users\Admin\AppData\Local\Temp\leqls.exe" C:\Users\Admin\AppData\Local\Temp\aqehglvbxjg.due
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3544

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\leqls.exe"
3⤵
PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqehglvbxjg.due
Filesize
5KB

MD5
e7978f120b297bac5c86bf2acc9a40fd

SHA1
5c872d8a9584fe9db65d7dc038d0e878a76b4bd0

SHA256
90693effc205ef2aedacae6865b0ef704111c0182e1f257272bc969bf1f0bcf6

SHA512
70c31379db68a87fedd4f2ca1215e98b4875ca235564281f4c07aac79f512743373a2813d5b9e4cee3c81e901290a5b244ccdcaf1e7596bdcb735617e29dcc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwhkwmeamld.qux
Filesize
185KB

MD5
25080551c072fc1ad09d66c52a451aab

SHA1
bee02daf2cfcf46a2d257f002702e36400ca925d

SHA256
93a2477b4d94e39e3439a20558b40665589708b5c371802a72ae5ed84404190b

SHA512
f146a9de40d7244f74f4f7a05862d9dd4790c656135696a056c2438d0c177ad962b47cc382eb34aaff7e9e039e639b33a553d587b2b1f09bf59074b20384b715

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqls.exe
Filesize
122KB

MD5
60b966acbee7b9f4d8481c3b23cc8000

SHA1
eb5bce7f660dd412573b416ad83c204300db013c

SHA256
0721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0

SHA512
169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqls.exe
Filesize
122KB

MD5
60b966acbee7b9f4d8481c3b23cc8000

SHA1
eb5bce7f660dd412573b416ad83c204300db013c

SHA256
0721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0

SHA512
169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqls.exe
Filesize
122KB

MD5
60b966acbee7b9f4d8481c3b23cc8000

SHA1
eb5bce7f660dd412573b416ad83c204300db013c

SHA256
0721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0

SHA512
169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177

Download Submit
memory/404-149-0x0000000000000000-mapping.dmp

Download
memory/776-144-0x00000000083A0000-0x0000000008494000-memory.dmp

Filesize
976KB

Download
memory/776-154-0x0000000008870000-0x000000000896E000-memory.dmp

Filesize
1016KB

Download
memory/776-152-0x0000000008870000-0x000000000896E000-memory.dmp

Filesize
1016KB

Download
memory/776-142-0x0000000008230000-0x0000000008398000-memory.dmp

Filesize
1.4MB

Download
memory/2228-132-0x0000000000000000-mapping.dmp

Download
memory/3256-137-0x0000000000000000-mapping.dmp

Download
memory/3256-143-0x0000000000950000-0x0000000000964000-memory.dmp

Filesize
80KB

Download
memory/3256-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-141-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/3256-140-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download
memory/3256-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-145-0x0000000000000000-mapping.dmp

Download
memory/5096-148-0x0000000000960000-0x000000000098F000-memory.dmp

Filesize
188KB

Download
memory/5096-147-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/5096-150-0x0000000002B10000-0x0000000002E5A000-memory.dmp

Filesize
3.3MB

Download
memory/5096-151-0x0000000002950000-0x00000000029E3000-memory.dmp

Filesize
588KB

Download
memory/5096-153-0x0000000000960000-0x000000000098F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads