formbook | f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46

General

Target

SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
Size

259KB
MD5

197ab666b7242cd57be0af99c33c150e
SHA1

c67a8a7f437716bb324e2697412464fd165c6c90
SHA256

f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46
SHA512

a5babd41cc7dcc73710d4ca6d03121b3395601a398158f8375dacc391e7d0b5c6255f7faff0ede21db4351662f4c2d418f6fae2db17610c017272e3aa355863a
SSDEEP

6144:QBn1m1geH7jWuQ0IQWCPt2uKQ+Hm4PMuo:gmycnWuQ0hHoQ0Q

Score

10^/10

formbook pr28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/760-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/824-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/824-77-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

zcvza.exezcvza.exe

pid process

556 zcvza.exe
760 zcvza.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exezcvza.exe

pid process

756 SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
556 zcvza.exe

pid	process
556	zcvza.exe
760	zcvza.exe

pid	process
756	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
556	zcvza.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zcvza.exezcvza.exeNETSTAT.EXE

description	pid	process	target process
PID 556 set thread context of 760	556	zcvza.exe	zcvza.exe
PID 760 set thread context of 1276	760	zcvza.exe	Explorer.EXE
PID 824 set thread context of 1276	824	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

824 NETSTAT.EXE

pid	process
824	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

zcvza.exeNETSTAT.EXE

pid	process
760	zcvza.exe
760	zcvza.exe
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE
824	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

zcvza.exezcvza.exeNETSTAT.EXE

pid process

556 zcvza.exe
760 zcvza.exe
760 zcvza.exe
760 zcvza.exe
824 NETSTAT.EXE
824 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zcvza.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 760 zcvza.exe
Token: SeDebugPrivilege 824 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1276	Explorer.EXE

pid	process
556	zcvza.exe
760	zcvza.exe
760	zcvza.exe
760	zcvza.exe
824	NETSTAT.EXE
824	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	760	zcvza.exe
Token: SeDebugPrivilege	824	NETSTAT.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exezcvza.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 756 wrote to memory of 556	756	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 756 wrote to memory of 556	756	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 756 wrote to memory of 556	756	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 756 wrote to memory of 556	756	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 556 wrote to memory of 760	556	zcvza.exe	zcvza.exe
PID 556 wrote to memory of 760	556	zcvza.exe	zcvza.exe
PID 556 wrote to memory of 760	556	zcvza.exe	zcvza.exe
PID 556 wrote to memory of 760	556	zcvza.exe	zcvza.exe
PID 556 wrote to memory of 760	556	zcvza.exe	zcvza.exe
PID 1276 wrote to memory of 824	1276	Explorer.EXE	NETSTAT.EXE
PID 1276 wrote to memory of 824	1276	Explorer.EXE	NETSTAT.EXE
PID 1276 wrote to memory of 824	1276	Explorer.EXE	NETSTAT.EXE
PID 1276 wrote to memory of 824	1276	Explorer.EXE	NETSTAT.EXE
PID 824 wrote to memory of 584	824	NETSTAT.EXE	cmd.exe
PID 824 wrote to memory of 584	824	NETSTAT.EXE	cmd.exe
PID 824 wrote to memory of 584	824	NETSTAT.EXE	cmd.exe
PID 824 wrote to memory of 584	824	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\zcvza.exe
"C:\Users\Admin\AppData\Local\Temp\zcvza.exe" C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\zcvza.exe
"C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
3⤵
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dexbttgmct.yga
Filesize
185KB

MD5
ed232e70dae27a58281d330aa9591674

SHA1
cb9ded97fa32bafde70c30fd3ddd8bff8279686f

SHA256
ac394c29ac4dcb2c6dc5978ba284f033089b3c9389529a59030455dd2b40afdc

SHA512
bb94cc112a6c2d79b9732b35a8b8660c5b310c787a9a6ba92d216adab3b3093328959e0f1a7c367d718997294840d6c0a40d38d522211e1655c86869fa17742a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j
Filesize
5KB

MD5
e31b70467b0d7eeb29cae835ee993b5d

SHA1
155713f1e8a959f69cbf0a1c409d392a3782bc77

SHA256
1c671b3d5c74d675ed80d36b2e5d9429051e825bd11deecc9a69e13f5f31d00e

SHA512
cb17417d1b3811d711b905b6eafb15dc03f88f75686bf8dc45f666168c862547fa64b28a6cdf3936800b82c2731bd4df70d73ef02b33b6194fbe7440692432fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
memory/556-56-0x0000000000000000-mapping.dmp

Download
memory/584-72-0x0000000000000000-mapping.dmp

Download
memory/756-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/760-67-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/760-66-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/760-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-63-0x000000000041F120-mapping.dmp

Download
memory/824-69-0x0000000000000000-mapping.dmp

Download
memory/824-70-0x0000000000740000-0x0000000000749000-memory.dmp

Filesize
36KB

Download
memory/824-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/824-73-0x00000000022A0000-0x00000000025A3000-memory.dmp

Filesize
3.0MB

Download
memory/824-74-0x0000000002070000-0x0000000002103000-memory.dmp

Filesize
588KB

Download
memory/824-77-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1276-68-0x0000000007130000-0x0000000007238000-memory.dmp

Filesize
1.0MB

Download
memory/1276-75-0x0000000007240000-0x0000000007359000-memory.dmp

Filesize
1.1MB

Download
memory/1276-76-0x0000000007130000-0x0000000007238000-memory.dmp

Filesize
1.0MB

Download
memory/1276-78-0x0000000007240000-0x0000000007359000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads