formbook | f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46

General

Target

SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
Size

259KB
MD5

197ab666b7242cd57be0af99c33c150e
SHA1

c67a8a7f437716bb324e2697412464fd165c6c90
SHA256

f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46
SHA512

a5babd41cc7dcc73710d4ca6d03121b3395601a398158f8375dacc391e7d0b5c6255f7faff0ede21db4351662f4c2d418f6fae2db17610c017272e3aa355863a
SSDEEP

6144:QBn1m1geH7jWuQ0IQWCPt2uKQ+Hm4PMuo:gmycnWuQ0hHoQ0Q

Score

10^/10

formbook pr28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4816-144-0x0000000001200000-0x000000000122F000-memory.dmp	formbook
behavioral2/memory/4816-148-0x0000000001200000-0x000000000122F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

zcvza.exezcvza.exe

pid process

1376 zcvza.exe
4216 zcvza.exe

pid	process
1376	zcvza.exe
4216	zcvza.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zcvza.exezcvza.execmd.exe

description	pid	process	target process
PID 1376 set thread context of 4216	1376	zcvza.exe	zcvza.exe
PID 4216 set thread context of 3044	4216	zcvza.exe	Explorer.EXE
PID 4816 set thread context of 3044	4816	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

zcvza.execmd.exe

pid	process
4216	zcvza.exe
4216	zcvza.exe
4216	zcvza.exe
4216	zcvza.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe
4816	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

zcvza.exezcvza.execmd.exe

pid process

1376 zcvza.exe
1376 zcvza.exe
4216 zcvza.exe
4216 zcvza.exe
4216 zcvza.exe
4816 cmd.exe
4816 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zcvza.execmd.exe

description pid process

Token: SeDebugPrivilege 4216 zcvza.exe
Token: SeDebugPrivilege 4816 cmd.exe

pid	process
3044	Explorer.EXE

pid	process
1376	zcvza.exe
1376	zcvza.exe
4216	zcvza.exe
4216	zcvza.exe
4216	zcvza.exe
4816	cmd.exe
4816	cmd.exe

description	pid	process
Token: SeDebugPrivilege	4216	zcvza.exe
Token: SeDebugPrivilege	4816	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exezcvza.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 520 wrote to memory of 1376	520	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 520 wrote to memory of 1376	520	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 520 wrote to memory of 1376	520	SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe	zcvza.exe
PID 1376 wrote to memory of 4216	1376	zcvza.exe	zcvza.exe
PID 1376 wrote to memory of 4216	1376	zcvza.exe	zcvza.exe
PID 1376 wrote to memory of 4216	1376	zcvza.exe	zcvza.exe
PID 1376 wrote to memory of 4216	1376	zcvza.exe	zcvza.exe
PID 3044 wrote to memory of 4816	3044	Explorer.EXE	cmd.exe
PID 3044 wrote to memory of 4816	3044	Explorer.EXE	cmd.exe
PID 3044 wrote to memory of 4816	3044	Explorer.EXE	cmd.exe
PID 4816 wrote to memory of 644	4816	cmd.exe	cmd.exe
PID 4816 wrote to memory of 644	4816	cmd.exe	cmd.exe
PID 4816 wrote to memory of 644	4816	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\zcvza.exe
"C:\Users\Admin\AppData\Local\Temp\zcvza.exe" C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\zcvza.exe
"C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
3⤵
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dexbttgmct.yga
Filesize
185KB

MD5
ed232e70dae27a58281d330aa9591674

SHA1
cb9ded97fa32bafde70c30fd3ddd8bff8279686f

SHA256
ac394c29ac4dcb2c6dc5978ba284f033089b3c9389529a59030455dd2b40afdc

SHA512
bb94cc112a6c2d79b9732b35a8b8660c5b310c787a9a6ba92d216adab3b3093328959e0f1a7c367d718997294840d6c0a40d38d522211e1655c86869fa17742a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j
Filesize
5KB

MD5
e31b70467b0d7eeb29cae835ee993b5d

SHA1
155713f1e8a959f69cbf0a1c409d392a3782bc77

SHA256
1c671b3d5c74d675ed80d36b2e5d9429051e825bd11deecc9a69e13f5f31d00e

SHA512
cb17417d1b3811d711b905b6eafb15dc03f88f75686bf8dc45f666168c862547fa64b28a6cdf3936800b82c2731bd4df70d73ef02b33b6194fbe7440692432fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe
Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
memory/644-145-0x0000000000000000-mapping.dmp

Download
memory/1376-132-0x0000000000000000-mapping.dmp

Download
memory/3044-150-0x0000000008170000-0x00000000082DE000-memory.dmp

Filesize
1.4MB

Download
memory/3044-149-0x0000000008170000-0x00000000082DE000-memory.dmp

Filesize
1.4MB

Download
memory/3044-141-0x00000000080B0000-0x000000000816C000-memory.dmp

Filesize
752KB

Download
memory/4216-140-0x0000000000A20000-0x0000000000A34000-memory.dmp

Filesize
80KB

Download
memory/4216-139-0x0000000000AF0000-0x0000000000E3A000-memory.dmp

Filesize
3.3MB

Download
memory/4216-137-0x0000000000000000-mapping.dmp

Download
memory/4816-143-0x00000000003D0000-0x000000000042A000-memory.dmp

Filesize
360KB

Download
memory/4816-144-0x0000000001200000-0x000000000122F000-memory.dmp

Filesize
188KB

Download
memory/4816-142-0x0000000000000000-mapping.dmp

Download
memory/4816-146-0x0000000001A80000-0x0000000001DCA000-memory.dmp

Filesize
3.3MB

Download
memory/4816-147-0x00000000018F0000-0x0000000001983000-memory.dmp

Filesize
588KB

Download
memory/4816-148-0x0000000001200000-0x000000000122F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads