formbook | cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f

General

Target

SWIFT SKM_4_5767189090436911808.js.exe
Size

946KB
MD5

d40709798e6695b0f5cbe45e73dfd677
SHA1

cc27ce3d9199b1ab3dbfa6fea943ea5fc1f4d7d6
SHA256

cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f
SHA512

92ebaee7aa16797cf4fdbed3a25d736610ff01d5a6208aa4463973f7596dc7129363b36b67f82b81f86a0212e248984c58200878030440e576fc0b5724efa625
SSDEEP

12288:D2OfFiAGPtdUAXpY+ZmBjHUk+qNng/lxupZMbDF1Uh76xksye1wHe7YnK3o37YU7:yEiPl95hZmBHklxVF1UrsyuwGj0

Score

10^/10

formbook a19i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a19i

Decoy

onelovefungi.com

paperlesspoop.com

perfectsalaries.com

tutor-dashboard.com

canucksshine.com

brl-mo6.online

fathistudio.com

iptv-3.com

hbombmedia.com

ifizidi.com

dahuaguinee.com

jyrbz.com

aawwuk.com

aina.health

socialbod.com

27mk.top

gnomeswhognow.net

unrivaledpurpose.com

randy.cloud

referralcodesmarket.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/572-68-0x000000000041F090-mapping.dmp	formbook
behavioral1/memory/572-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/572-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/572-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/596-82-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/596-86-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

SWIFT SKM_4_5767189090436911808.js.exeRegSvcs.exewininit.exe

description	pid	process	target process
PID 1696 set thread context of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 572 set thread context of 1368	572	RegSvcs.exe	Explorer.EXE
PID 572 set thread context of 1368	572	RegSvcs.exe	Explorer.EXE
PID 596 set thread context of 1368	596	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1720 schtasks.exe

pid	process
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

SWIFT SKM_4_5767189090436911808.js.exepowershell.exeRegSvcs.exewininit.exe

pid	process
1696	SWIFT SKM_4_5767189090436911808.js.exe
1696	SWIFT SKM_4_5767189090436911808.js.exe
2028	powershell.exe
572	RegSvcs.exe
572	RegSvcs.exe
572	RegSvcs.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe
596	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exewininit.exe

pid process

572 RegSvcs.exe
572 RegSvcs.exe
572 RegSvcs.exe
572 RegSvcs.exe
596 wininit.exe
596 wininit.exe

pid	process
1368	Explorer.EXE

pid	process
572	RegSvcs.exe
572	RegSvcs.exe
572	RegSvcs.exe
572	RegSvcs.exe
596	wininit.exe
596	wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SWIFT SKM_4_5767189090436911808.js.exepowershell.exeRegSvcs.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1696	SWIFT SKM_4_5767189090436911808.js.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	572	RegSvcs.exe
Token: SeDebugPrivilege	596	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
1368 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
1368 Explorer.EXE

pid	process
1368	Explorer.EXE
1368	Explorer.EXE

pid	process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

SWIFT SKM_4_5767189090436911808.js.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1696 wrote to memory of 2028	1696	SWIFT SKM_4_5767189090436911808.js.exe	powershell.exe
PID 1696 wrote to memory of 2028	1696	SWIFT SKM_4_5767189090436911808.js.exe	powershell.exe
PID 1696 wrote to memory of 2028	1696	SWIFT SKM_4_5767189090436911808.js.exe	powershell.exe
PID 1696 wrote to memory of 2028	1696	SWIFT SKM_4_5767189090436911808.js.exe	powershell.exe
PID 1696 wrote to memory of 1720	1696	SWIFT SKM_4_5767189090436911808.js.exe	schtasks.exe
PID 1696 wrote to memory of 1720	1696	SWIFT SKM_4_5767189090436911808.js.exe	schtasks.exe
PID 1696 wrote to memory of 1720	1696	SWIFT SKM_4_5767189090436911808.js.exe	schtasks.exe
PID 1696 wrote to memory of 1720	1696	SWIFT SKM_4_5767189090436911808.js.exe	schtasks.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1696 wrote to memory of 572	1696	SWIFT SKM_4_5767189090436911808.js.exe	RegSvcs.exe
PID 1368 wrote to memory of 596	1368	Explorer.EXE	wininit.exe
PID 1368 wrote to memory of 596	1368	Explorer.EXE	wininit.exe
PID 1368 wrote to memory of 596	1368	Explorer.EXE	wininit.exe
PID 1368 wrote to memory of 596	1368	Explorer.EXE	wininit.exe
PID 596 wrote to memory of 964	596	wininit.exe	cmd.exe
PID 596 wrote to memory of 964	596	wininit.exe	cmd.exe
PID 596 wrote to memory of 964	596	wininit.exe	cmd.exe
PID 596 wrote to memory of 964	596	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\SWIFT SKM_4_5767189090436911808.js.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT SKM_4_5767189090436911808.js.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PJmIIJITyUiN.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PJmIIJITyUiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA68D.tmp"
3⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA68D.tmp
Filesize
1KB

MD5
da847b0c9d9ff65e081b82f3512df9fd

SHA1
5d39ca791a4400bdbf2b293e59d58b49ce6d6789

SHA256
ce65d00b21099ca7c2b09303fc735d25e7438fb242b38f1557d07d83c001e9c2

SHA512
cf3f7d16046c9889409a4137105d3010a0c4a79a84fe95ec1eba3e8071adb31b1d0776ac7fc52483db41d43444ab661b681ce35e7cd22947df6467c7623bc12b

Download Submit
memory/572-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-76-0x00000000003A0000-0x00000000003B5000-memory.dmp

Filesize
84KB

Download
memory/572-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-72-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/572-73-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/572-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-68-0x000000000041F090-mapping.dmp

Download
memory/572-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-81-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/596-83-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/596-86-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/596-84-0x00000000003D0000-0x0000000000464000-memory.dmp

Filesize
592KB

Download
memory/596-82-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/596-78-0x0000000000000000-mapping.dmp

Download
memory/964-80-0x0000000000000000-mapping.dmp

Download
memory/1368-85-0x0000000007130000-0x00000000072B6000-memory.dmp

Filesize
1.5MB

Download
memory/1368-87-0x000007FEFB570000-0x000007FEFB6B3000-memory.dmp

Filesize
1.3MB

Download
memory/1368-77-0x0000000006600000-0x0000000006713000-memory.dmp

Filesize
1.1MB

Download
memory/1368-74-0x0000000006FA0000-0x0000000007128000-memory.dmp

Filesize
1.5MB

Download
memory/1368-89-0x0000000007130000-0x00000000072B6000-memory.dmp

Filesize
1.5MB

Download
memory/1368-88-0x000007FE829C0000-0x000007FE829CA000-memory.dmp

Filesize
40KB

Download
memory/1696-56-0x0000000000560000-0x0000000000582000-memory.dmp

Filesize
136KB

Download
memory/1696-54-0x0000000000010000-0x0000000000102000-memory.dmp

Filesize
968KB

Download
memory/1696-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-57-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1696-63-0x0000000004E60000-0x0000000004E94000-memory.dmp

Filesize
208KB

Download
memory/1696-58-0x0000000004DF0000-0x0000000004E60000-memory.dmp

Filesize
448KB

Download
memory/1720-60-0x0000000000000000-mapping.dmp

Download
memory/2028-71-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-69-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads