formbook | 090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80

General

Target

RFQ _#CIF FOR Hyderabad.exe
Size

893KB
MD5

38e553f81a142579ea9a4e61a5c02c14
SHA1

44cb7f3254aa1991bd49039f9cfaec4ac3cf87b2
SHA256

090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80
SHA512

3bc489194086f1abc40e077657d50835d6a71fe94314592aa47c806340ae3d5dd4f53bb8bc969c7d22cd2403fd395a8283a4573abb1475709dd7543c72b65203
SSDEEP

12288:roQgKZ/nXt7virmWhlGLaQYIV7m2HUOZE2SqvXD0LLc7VrfOJvFTkfDtd9201ZRk:DBHEdqf0KOJvFTkf5L2GRahex3zLu

Score

10^/10

formbook d94i phishing rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

Detected phishing page
phishing
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3492-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3492-156-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5024-162-0x0000000000320000-0x000000000034F000-memory.dmp	formbook
behavioral2/memory/5024-170-0x0000000000320000-0x000000000034F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ _#CIF FOR Hyderabad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RFQ _#CIF FOR Hyderabad.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exeMSBuild.exerundll32.exe

description	pid	process	target process
PID 2484 set thread context of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 3492 set thread context of 3060	3492	MSBuild.exe	Explorer.EXE
PID 5024 set thread context of 3060	5024	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4676 schtasks.exe

pid	process
4676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exepowershell.exeMSBuild.exerundll32.exe

pid	process
2484	RFQ _#CIF FOR Hyderabad.exe
2484	RFQ _#CIF FOR Hyderabad.exe
1228	powershell.exe
3492	MSBuild.exe
3492	MSBuild.exe
3492	MSBuild.exe
3492	MSBuild.exe
1228	powershell.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.exerundll32.exe

pid process

3492 MSBuild.exe
3492 MSBuild.exe
3492 MSBuild.exe
5024 rundll32.exe
5024 rundll32.exe

pid	process
3060	Explorer.EXE

pid	process
3492	MSBuild.exe
3492	MSBuild.exe
3492	MSBuild.exe
5024	rundll32.exe
5024	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exepowershell.exeMSBuild.exerundll32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2484	RFQ _#CIF FOR Hyderabad.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	3492	MSBuild.exe
Token: SeDebugPrivilege	5024	rundll32.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RFQ _#CIF FOR Hyderabad.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2484 wrote to memory of 1228	2484	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 2484 wrote to memory of 1228	2484	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 2484 wrote to memory of 1228	2484	RFQ _#CIF FOR Hyderabad.exe	powershell.exe
PID 2484 wrote to memory of 4676	2484	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 2484 wrote to memory of 4676	2484	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 2484 wrote to memory of 4676	2484	RFQ _#CIF FOR Hyderabad.exe	schtasks.exe
PID 2484 wrote to memory of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 2484 wrote to memory of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 2484 wrote to memory of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 2484 wrote to memory of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 2484 wrote to memory of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 2484 wrote to memory of 3492	2484	RFQ _#CIF FOR Hyderabad.exe	MSBuild.exe
PID 3060 wrote to memory of 5024	3060	Explorer.EXE	rundll32.exe
PID 3060 wrote to memory of 5024	3060	Explorer.EXE	rundll32.exe
PID 3060 wrote to memory of 5024	3060	Explorer.EXE	rundll32.exe
PID 5024 wrote to memory of 3992	5024	rundll32.exe	cmd.exe
PID 5024 wrote to memory of 3992	5024	rundll32.exe	cmd.exe
PID 5024 wrote to memory of 3992	5024	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\RFQ _#CIF FOR Hyderabad.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ _#CIF FOR Hyderabad.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbpIuJYQjTRdxr.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbpIuJYQjTRdxr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA25A.tmp"
3⤵
- Creates scheduled task(s)
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA25A.tmp
Filesize
1KB

MD5
f140dcf9325d4175d735706607333131

SHA1
1c75c8599fc08fb0bf6f5d3dbf91c03d6aa52280

SHA256
33d22370881a3b60ebeb1a076cd32f7724a4d366755e5524aa70aca412d05710

SHA512
0c2586cbd5c569284d80bb85d2bd3f8c79310b4e1d13d7a1760b432ec5c7d4e71434adbeef629f1bb8ef79dfb3faca88d7dd4bc2b0bc1139d25419aa8058c46f

Download Submit
memory/1228-151-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/1228-164-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/1228-158-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/1228-157-0x0000000007D90000-0x000000000840A000-memory.dmp

Filesize
6.5MB

Download
memory/1228-137-0x0000000000000000-mapping.dmp

Download
memory/1228-165-0x0000000007980000-0x000000000798E000-memory.dmp

Filesize
56KB

Download
memory/1228-139-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/1228-154-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/1228-152-0x0000000006A10000-0x0000000006A42000-memory.dmp

Filesize
200KB

Download
memory/1228-141-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/1228-167-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/1228-144-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/1228-145-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/1228-146-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/1228-160-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download
memory/1228-166-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/1228-153-0x0000000071070000-0x00000000710BC000-memory.dmp

Filesize
304KB

Download
memory/2484-133-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/2484-132-0x0000000000330000-0x0000000000416000-memory.dmp

Filesize
920KB

Download
memory/2484-134-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/2484-136-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/2484-135-0x0000000004DB0000-0x0000000004DBA000-memory.dmp

Filesize
40KB

Download
memory/3060-150-0x0000000008900000-0x0000000008AAE000-memory.dmp

Filesize
1.7MB

Download
memory/3060-171-0x00000000031B0000-0x000000000325F000-memory.dmp

Filesize
700KB

Download
memory/3060-169-0x00000000031B0000-0x000000000325F000-memory.dmp

Filesize
700KB

Download
memory/3492-149-0x0000000001420000-0x0000000001434000-memory.dmp

Filesize
80KB

Download
memory/3492-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-148-0x0000000000F00000-0x000000000124A000-memory.dmp

Filesize
3.3MB

Download
memory/3492-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-142-0x0000000000000000-mapping.dmp

Download
memory/3992-159-0x0000000000000000-mapping.dmp

Download
memory/4676-138-0x0000000000000000-mapping.dmp

Download
memory/5024-170-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/5024-163-0x0000000002520000-0x000000000286A000-memory.dmp

Filesize
3.3MB

Download
memory/5024-168-0x0000000002290000-0x0000000002323000-memory.dmp

Filesize
588KB

Download
memory/5024-162-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/5024-161-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download
memory/5024-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads