formbook | f5cd237bed69b3fd27584548ca0f4ea6244a16174b51ab2b62be2a6c2a7159e7

General

Target

ORDER__9.EXE.exe
Size

259KB
MD5

227e97fd58338811c7c831524ba17f0d
SHA1

9ddb00c67fa1a5eaa1687fcf478d04d7e37c5514
SHA256

f5cd237bed69b3fd27584548ca0f4ea6244a16174b51ab2b62be2a6c2a7159e7
SHA512

efff3e3bce3a313992354d18e589b44180c091514d19d9ffb0ebca8e30afa694d4b7ccf297e4e804e14dd04356ac34b5e763f0cd0add3f97db808eff0580672e
SSDEEP

6144:QBn1U6sxaTc7gU2KF+TW+V86v53P2jT+YI:gUPaTRYXm95f2LI

Score

10^/10

formbook pr28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/560-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/764-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/764-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

yqtmj.exeyqtmj.exe

pid process

840 yqtmj.exe
560 yqtmj.exe
Loads dropped DLL 2 IoCs

Processes:

ORDER__9.EXE.exeyqtmj.exe

pid process

1308 ORDER__9.EXE.exe
840 yqtmj.exe

pid	process
840	yqtmj.exe
560	yqtmj.exe

pid	process
1308	ORDER__9.EXE.exe
840	yqtmj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

yqtmj.exeyqtmj.exechkdsk.exe

description	pid	process	target process
PID 840 set thread context of 560	840	yqtmj.exe	yqtmj.exe
PID 560 set thread context of 1212	560	yqtmj.exe	Explorer.EXE
PID 764 set thread context of 1212	764	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

yqtmj.exechkdsk.exe

pid	process
560	yqtmj.exe
560	yqtmj.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe
764	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

yqtmj.exeyqtmj.exechkdsk.exe

pid process

840 yqtmj.exe
560 yqtmj.exe
560 yqtmj.exe
560 yqtmj.exe
764 chkdsk.exe
764 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

yqtmj.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 560 yqtmj.exe
Token: SeDebugPrivilege 764 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE

pid	process
840	yqtmj.exe
560	yqtmj.exe
560	yqtmj.exe
560	yqtmj.exe
764	chkdsk.exe
764	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	560	yqtmj.exe
Token: SeDebugPrivilege	764	chkdsk.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ORDER__9.EXE.exeyqtmj.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1308 wrote to memory of 840	1308	ORDER__9.EXE.exe	yqtmj.exe
PID 1308 wrote to memory of 840	1308	ORDER__9.EXE.exe	yqtmj.exe
PID 1308 wrote to memory of 840	1308	ORDER__9.EXE.exe	yqtmj.exe
PID 1308 wrote to memory of 840	1308	ORDER__9.EXE.exe	yqtmj.exe
PID 840 wrote to memory of 560	840	yqtmj.exe	yqtmj.exe
PID 840 wrote to memory of 560	840	yqtmj.exe	yqtmj.exe
PID 840 wrote to memory of 560	840	yqtmj.exe	yqtmj.exe
PID 840 wrote to memory of 560	840	yqtmj.exe	yqtmj.exe
PID 840 wrote to memory of 560	840	yqtmj.exe	yqtmj.exe
PID 1212 wrote to memory of 764	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 764	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 764	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 764	1212	Explorer.EXE	chkdsk.exe
PID 764 wrote to memory of 1764	764	chkdsk.exe	cmd.exe
PID 764 wrote to memory of 1764	764	chkdsk.exe	cmd.exe
PID 764 wrote to memory of 1764	764	chkdsk.exe	cmd.exe
PID 764 wrote to memory of 1764	764	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\ORDER__9.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER__9.EXE.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
"C:\Users\Admin\AppData\Local\Temp\yqtmj.exe" C:\Users\Admin\AppData\Local\Temp\forzva.whj
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
"C:\Users\Admin\AppData\Local\Temp\yqtmj.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\yqtmj.exe"
3⤵
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forzva.whj
Filesize
5KB

MD5
52d0f6a84019b64b1367f9a85e9b49f9

SHA1
ddb47861c8aad95af9e33fbf1ebe4556b7744e8d

SHA256
cdc649db185a51e5ee61942c135a003340d425bf7fccfe62172907485c5451f4

SHA512
4effcdc878837e5713b036213a1f20de3c705056b0998b0b9384e2bc577b6d97ec3a67717aaacd65401a0543c116fc254ebc29458d95d251c1dad85aaccd3da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxlyl.gtg
Filesize
185KB

MD5
6dc84948d15eb3e4e0ffa150721cb56d

SHA1
744375f6063be96c219ac2a77b7a83b950abf7d2

SHA256
25619bf05012a64e668f6e4193560f05a2fc7544dfdbfd1cb4b8bd7210dd48f2

SHA512
5fdb1ebcd025b2f6f9778f81988e7a34085d7f333697a7d5f02879c689a9d1c6f88d7fef895d71b68ffbd18db837359e8cc72af0c28d491fad1e88cd26761a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
memory/560-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-66-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/560-63-0x000000000041F120-mapping.dmp

Download
memory/560-67-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/764-69-0x0000000000000000-mapping.dmp

Download
memory/764-70-0x00000000008B0000-0x00000000008B7000-memory.dmp

Filesize
28KB

Download
memory/764-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/764-73-0x0000000002120000-0x0000000002423000-memory.dmp

Filesize
3.0MB

Download
memory/764-74-0x0000000001E50000-0x0000000001EE3000-memory.dmp

Filesize
588KB

Download
memory/764-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/840-56-0x0000000000000000-mapping.dmp

Download
memory/1212-68-0x00000000049E0000-0x0000000004AE8000-memory.dmp

Filesize
1.0MB

Download
memory/1212-75-0x0000000004AF0000-0x0000000004C18000-memory.dmp

Filesize
1.2MB

Download
memory/1212-77-0x0000000004AF0000-0x0000000004C18000-memory.dmp

Filesize
1.2MB

Download
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1764-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads