formbook | 090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80

General

Target

RFQ _#CIF FOR Hyderabad.exe
Size

893KB
MD5

38e553f81a142579ea9a4e61a5c02c14
SHA1

44cb7f3254aa1991bd49039f9cfaec4ac3cf87b2
SHA256

090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80
SHA512

3bc489194086f1abc40e077657d50835d6a71fe94314592aa47c806340ae3d5dd4f53bb8bc969c7d22cd2403fd395a8283a4573abb1475709dd7543c72b65203
SSDEEP

12288:roQgKZ/nXt7virmWhlGLaQYIV7m2HUOZE2SqvXD0LLc7VrfOJvFTkfDtd9201ZRk:DBHEdqf0KOJvFTkf5L2GRahex3zLu

Score

10^/10

formbook d94i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1096-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1096-69-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/1096-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1096-80-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/924-83-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/924-88-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exeMSBuild.exesystray.exe

description	pid	process	target process
PID 1652 set thread context of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1096 set thread context of 1248	1096	MSBuild.exe	Explorer.EXE
PID 1096 set thread context of 1248	1096	MSBuild.exe	Explorer.EXE
PID 924 set thread context of 1248	924	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1176 schtasks.exe

pid	process
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exeMSBuild.exepowershell.exesystray.exe

pid	process
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1652	RFQ _#CIF FOR Hyderabad.exe
1096	MSBuild.exe
1096	MSBuild.exe
652	powershell.exe
1096	MSBuild.exe
924	systray.exe
924	systray.exe
924	systray.exe
924	systray.exe
924	systray.exe
924	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSBuild.exesystray.exe

pid process

1096 MSBuild.exe
1096 MSBuild.exe
1096 MSBuild.exe
1096 MSBuild.exe
924 systray.exe
924 systray.exe

pid	process
1096	MSBuild.exe
1096	MSBuild.exe
1096	MSBuild.exe
1096	MSBuild.exe
924	systray.exe
924	systray.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exepowershell.exeMSBuild.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1652	RFQ _#CIF FOR Hyderabad.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1096	MSBuild.exe
Token: SeDebugPrivilege	924	systray.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1652 wrote to memory of 652	1652	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 1652 wrote to memory of 652	1652	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 1652 wrote to memory of 652	1652	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 1652 wrote to memory of 652	1652	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 1652 wrote to memory of 1176	1652	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 1652 wrote to memory of 1176	1652	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 1652 wrote to memory of 1176	1652	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 1652 wrote to memory of 1176	1652	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1652 wrote to memory of 1096	1652	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 1248 wrote to memory of 924	1248	Explorer.EXE	systray.exe
PID 1248 wrote to memory of 924	1248	Explorer.EXE	systray.exe
PID 1248 wrote to memory of 924	1248	Explorer.EXE	systray.exe
PID 1248 wrote to memory of 924	1248	Explorer.EXE	systray.exe
PID 924 wrote to memory of 308	924	systray.exe	cmd.exe
PID 924 wrote to memory of 308	924	systray.exe	cmd.exe
PID 924 wrote to memory of 308	924	systray.exe	cmd.exe
PID 924 wrote to memory of 308	924	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\RFQ _#CIF FOR Hyderabad.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ _#CIF FOR Hyderabad.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbpIuJYQjTRdxr.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbpIuJYQjTRdxr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D54.tmp"
3⤵
- Creates scheduled task(s)
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D54.tmp
Filesize
1KB

MD5
ccbc60d7c7304c35cee982de78007d26

SHA1
aabfb848bfd288fc2113c56550594b62fc94bdf9

SHA256
1115b295da3aae8bd3670e31398a045025323a66da025d674ac89a49a51d04ad

SHA512
5e7c2840b6be239f230329f64172d2ed37a751fd15595c0033b7b54d8811b5e06f23c915fec94633b3779cb9ef2fe4dce4ee78a97403120c29179418328d211b

Download Submit
memory/308-84-0x0000000000000000-mapping.dmp

Download
memory/652-75-0x000000006E890000-0x000000006EE3B000-memory.dmp

Filesize
5.7MB

Download
memory/652-59-0x0000000000000000-mapping.dmp

Download
memory/652-64-0x000000006E890000-0x000000006EE3B000-memory.dmp

Filesize
5.7MB

Download
memory/924-88-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/924-85-0x0000000000830000-0x00000000008C3000-memory.dmp

Filesize
588KB

Download
memory/924-83-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/924-82-0x0000000001F30000-0x0000000002233000-memory.dmp

Filesize
3.0MB

Download
memory/924-81-0x0000000000B20000-0x0000000000B25000-memory.dmp

Filesize
20KB

Download
memory/924-79-0x0000000000000000-mapping.dmp

Download
memory/1096-73-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1096-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-69-0x000000000041F160-mapping.dmp

Download
memory/1096-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-72-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1096-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-77-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1096-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-60-0x0000000000000000-mapping.dmp

Download
memory/1248-74-0x0000000006C80000-0x0000000006DA6000-memory.dmp

Filesize
1.1MB

Download
memory/1248-78-0x0000000007510000-0x00000000076A8000-memory.dmp

Filesize
1.6MB

Download
memory/1248-86-0x0000000008080000-0x00000000081EA000-memory.dmp

Filesize
1.4MB

Download
memory/1248-87-0x0000000007510000-0x00000000076A8000-memory.dmp

Filesize
1.6MB

Download
memory/1248-89-0x0000000008080000-0x00000000081EA000-memory.dmp

Filesize
1.4MB

Download
memory/1652-63-0x0000000005D80000-0x0000000005DE0000-memory.dmp

Filesize
384KB

Download
memory/1652-54-0x0000000000030000-0x0000000000116000-memory.dmp

Filesize
920KB

Download
memory/1652-58-0x0000000005EE0000-0x0000000005F78000-memory.dmp

Filesize
608KB

Download
memory/1652-57-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1652-56-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/1652-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads