formbook | f5cd237bed69b3fd27584548ca0f4ea6244a16174b51ab2b62be2a6c2a7159e7

General

Target

ORDER__9.EXE.exe
Size

259KB
MD5

227e97fd58338811c7c831524ba17f0d
SHA1

9ddb00c67fa1a5eaa1687fcf478d04d7e37c5514
SHA256

f5cd237bed69b3fd27584548ca0f4ea6244a16174b51ab2b62be2a6c2a7159e7
SHA512

efff3e3bce3a313992354d18e589b44180c091514d19d9ffb0ebca8e30afa694d4b7ccf297e4e804e14dd04356ac34b5e763f0cd0add3f97db808eff0580672e
SSDEEP

6144:QBn1U6sxaTc7gU2KF+TW+V86v53P2jT+YI:gUPaTRYXm95f2LI

Score

10^/10

formbook pr28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5064-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2288-147-0x0000000000D80000-0x0000000000DAF000-memory.dmp	formbook
behavioral2/memory/2288-148-0x0000000000D80000-0x0000000000DAF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

yqtmj.exeyqtmj.exe

pid process

3068 yqtmj.exe
5064 yqtmj.exe

pid	process
3068	yqtmj.exe
5064	yqtmj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

yqtmj.exeyqtmj.exechkdsk.exe

description	pid	process	target process
PID 3068 set thread context of 5064	3068	yqtmj.exe	yqtmj.exe
PID 5064 set thread context of 1076	5064	yqtmj.exe	Explorer.EXE
PID 2288 set thread context of 1076	2288	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

yqtmj.exechkdsk.exe

pid	process
5064	yqtmj.exe
5064	yqtmj.exe
5064	yqtmj.exe
5064	yqtmj.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe
2288	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1076 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

yqtmj.exeyqtmj.exechkdsk.exe

pid process

3068 yqtmj.exe
5064 yqtmj.exe
5064 yqtmj.exe
5064 yqtmj.exe
2288 chkdsk.exe
2288 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

yqtmj.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 5064 yqtmj.exe
Token: SeDebugPrivilege 2288 chkdsk.exe

pid	process
1076	Explorer.EXE

pid	process
3068	yqtmj.exe
5064	yqtmj.exe
5064	yqtmj.exe
5064	yqtmj.exe
2288	chkdsk.exe
2288	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	5064	yqtmj.exe
Token: SeDebugPrivilege	2288	chkdsk.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ORDER__9.EXE.exeyqtmj.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1628 wrote to memory of 3068	1628	ORDER__9.EXE.exe	yqtmj.exe
PID 1628 wrote to memory of 3068	1628	ORDER__9.EXE.exe	yqtmj.exe
PID 1628 wrote to memory of 3068	1628	ORDER__9.EXE.exe	yqtmj.exe
PID 3068 wrote to memory of 5064	3068	yqtmj.exe	yqtmj.exe
PID 3068 wrote to memory of 5064	3068	yqtmj.exe	yqtmj.exe
PID 3068 wrote to memory of 5064	3068	yqtmj.exe	yqtmj.exe
PID 3068 wrote to memory of 5064	3068	yqtmj.exe	yqtmj.exe
PID 1076 wrote to memory of 2288	1076	Explorer.EXE	chkdsk.exe
PID 1076 wrote to memory of 2288	1076	Explorer.EXE	chkdsk.exe
PID 1076 wrote to memory of 2288	1076	Explorer.EXE	chkdsk.exe
PID 2288 wrote to memory of 4800	2288	chkdsk.exe	cmd.exe
PID 2288 wrote to memory of 4800	2288	chkdsk.exe	cmd.exe
PID 2288 wrote to memory of 4800	2288	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\ORDER__9.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER__9.EXE.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
"C:\Users\Admin\AppData\Local\Temp\yqtmj.exe" C:\Users\Admin\AppData\Local\Temp\forzva.whj
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
"C:\Users\Admin\AppData\Local\Temp\yqtmj.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\yqtmj.exe"
3⤵
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forzva.whj
Filesize
5KB

MD5
52d0f6a84019b64b1367f9a85e9b49f9

SHA1
ddb47861c8aad95af9e33fbf1ebe4556b7744e8d

SHA256
cdc649db185a51e5ee61942c135a003340d425bf7fccfe62172907485c5451f4

SHA512
4effcdc878837e5713b036213a1f20de3c705056b0998b0b9384e2bc577b6d97ec3a67717aaacd65401a0543c116fc254ebc29458d95d251c1dad85aaccd3da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxlyl.gtg
Filesize
185KB

MD5
6dc84948d15eb3e4e0ffa150721cb56d

SHA1
744375f6063be96c219ac2a77b7a83b950abf7d2

SHA256
25619bf05012a64e668f6e4193560f05a2fc7544dfdbfd1cb4b8bd7210dd48f2

SHA512
5fdb1ebcd025b2f6f9778f81988e7a34085d7f333697a7d5f02879c689a9d1c6f88d7fef895d71b68ffbd18db837359e8cc72af0c28d491fad1e88cd26761a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqtmj.exe
Filesize
100KB

MD5
db6e8d7728ac0cb43fd68837b3893cfd

SHA1
e380628a5f49bee69b6d4a7add4a5e3098a53c61

SHA256
d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6

SHA512
3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221

Download Submit
memory/1076-142-0x00000000087B0000-0x000000000891A000-memory.dmp

Filesize
1.4MB

Download
memory/1076-151-0x00000000085D0000-0x00000000086C8000-memory.dmp

Filesize
992KB

Download
memory/1076-150-0x00000000085D0000-0x00000000086C8000-memory.dmp

Filesize
992KB

Download
memory/2288-147-0x0000000000D80000-0x0000000000DAF000-memory.dmp

Filesize
188KB

Download
memory/2288-143-0x0000000000000000-mapping.dmp

Download
memory/2288-145-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/2288-146-0x00000000017C0000-0x0000000001B0A000-memory.dmp

Filesize
3.3MB

Download
memory/2288-148-0x0000000000D80000-0x0000000000DAF000-memory.dmp

Filesize
188KB

Download
memory/2288-149-0x0000000001610000-0x00000000016A3000-memory.dmp

Filesize
588KB

Download
memory/3068-132-0x0000000000000000-mapping.dmp

Download
memory/4800-144-0x0000000000000000-mapping.dmp

Download
memory/5064-141-0x00000000011D0000-0x00000000011E4000-memory.dmp

Filesize
80KB

Download
memory/5064-140-0x0000000001240000-0x000000000158A000-memory.dmp

Filesize
3.3MB

Download
memory/5064-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads