formbook | 11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42

General

Target

SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
Size

660KB
MD5

4456d023908ebca5034b01ae809d6e62
SHA1

99272ab4f217276228ab68eaae72abfc4242a746
SHA256

11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42
SHA512

ecde1fb31000b7ef0cf02e995106d236c3aa23e6821da106f69f9bd22744184a53fa1b5671770a5bfb1e2137d4bb0d7581ad664685dde0b8ead994c168dc40ad
SSDEEP

12288:6PuYd+V6b1momPZefeKrsUTkx8S0VP+P1ATnVsgIu3fV6Tx0TBf+v0PuYd+V6b:6PuYd+V6bIomxieMwx8ZBT2/0cxWBf+y

Score

10^/10

formbook f9r5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f9r5

Decoy

teknotimur.com

zuliboo.com

remmingtoncampbell.com

vehicletitleloansphoenix.com

sen-computer.com

98731.biz

shelikesblu.com

canis-totem.com

metaversemedianetwork.com

adsdu.com

vanishmediasystems.com

astewaykebede.com

wszhongxue.com

gacha-animator-free.com

papatyadekorasyon.com

mqc168.top

simplebrilliantsolutions.com

jubileehawkesprairie.com

ridflab.com

conboysfilm.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/584-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/584-69-0x000000000041F150-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

description	pid	process	target process
PID 780 set thread context of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1544 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeSecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

pid process

1648 powershell.exe
584 SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1648 powershell.exe

pid	process
1544	schtasks.exe

pid	process
1648	powershell.exe
584	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

description	pid	process
Token: SeDebugPrivilege	1648	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

description	pid	process	target process
PID 780 wrote to memory of 1648	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	powershell.exe
PID 780 wrote to memory of 1648	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	powershell.exe
PID 780 wrote to memory of 1648	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	powershell.exe
PID 780 wrote to memory of 1648	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	powershell.exe
PID 780 wrote to memory of 1544	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	schtasks.exe
PID 780 wrote to memory of 1544	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	schtasks.exe
PID 780 wrote to memory of 1544	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	schtasks.exe
PID 780 wrote to memory of 1544	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	schtasks.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
PID 780 wrote to memory of 584	780	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe	SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sWoaYFhAZd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWoaYFhAZd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD144.tmp"
2⤵
- Creates scheduled task(s)
PID:1544

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD144.tmp
Filesize
1KB

MD5
83e44613c5d1f3771158fb710595b68c

SHA1
75074ea322ee1c1022da6a0926149971cc0d64d0

SHA256
284b4d78c29cc74743326ed1a873745d9f1ed882aa112a1ca5e951526ded9f3d

SHA512
e1de3735155a688d9662c9919bf7eb75e671dbaf1fabc615234be93b20df95c3976d63edde67b993e9108832181ca131b1f566dfbc06a1e0a31e62820074bfba

Download Submit
memory/584-70-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/584-69-0x000000000041F150-mapping.dmp

Download
memory/584-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-58-0x0000000005100000-0x0000000005170000-memory.dmp

Filesize
448KB

Download
memory/780-64-0x0000000004360000-0x0000000004394000-memory.dmp

Filesize
208KB

Download
memory/780-54-0x0000000000D40000-0x0000000000DEA000-memory.dmp

Filesize
680KB

Download
memory/780-57-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/780-56-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/780-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1544-60-0x0000000000000000-mapping.dmp

Download
memory/1648-63-0x000000006EB90000-0x000000006F13B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-59-0x0000000000000000-mapping.dmp

Download
memory/1648-71-0x000000006EB90000-0x000000006F13B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads