formbook | ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd

General

Target

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
Size

740KB
MD5

a33d9b8d1cf40a7d3bd2601917276ed4
SHA1

4fcf9b739705cdc9dd1643c152df2a1db4ae2e48
SHA256

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd
SHA512

0d8870bfcee2d68eff506ae507f9e20b25dc9ec4eb54d8212dc8743a8e443b26cded51e9e845777d2f124d86ca26495694553e05872a6668fdd2dff634cd4892
SSDEEP

12288:kwl+momPZefiPtqvyu1JtnN8t2iZX65arc2+dTbt1NbXBFHWf0Tg90/G:romxiiQF1fN88iZX65S+t1NzBRWeaoG

Score

10^/10

formbook oi05 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oi05

Decoy

fluidavail.online

blchain.tech

kyocera.website

sangmine.xyz

thepolicyjacket.info

ssvhelpman.net

y-t-design.com

eminentabroad.com

codingcamp.store

bester.capital

tanjiya23.site

bheniamyn.dev

top5monitor.com

bit-prim.trade

airstreamsocialclub.com

darkwarspod.com

zazisalesdistribution.com

vivolentlo.online

daftburo.net

elemangelsin.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2496-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

description	pid	process	target process
PID 1400 set thread context of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4308 schtasks.exe

pid	process
4308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exepowershell.exeddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

pid	process
1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
4148	powershell.exe
2496	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
2496	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
4148	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
Token: SeDebugPrivilege	4148	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

C:\Users\Admin\AppData\Local\Temp\ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
"C:\Users\Admin\AppData\Local\Temp\ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Nbhdpo.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Nbhdpo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF491.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
  "C:\Users\Admin\AppData\Local\Temp\ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe"
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
  "C:\Users\Admin\AppData\Local\Temp\ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF491.tmp

Filesize
1KB

MD5
721bf8847c291dca76120e03704cf1fc

SHA1
2ade54435acafed4946c4061c7c26fa87f2b8dc0

SHA256
ee52b6fff191a2b24fdec6e4b0188e8d7f09cf894adf6694f2383024819d8ebe

SHA512
bc018ebfbbbffa6b3984cef3f470711272553500ee12650b46b472b942ff8ccb32bf0e184b0090c0cc12ddb5066cb328e77eb79f464fa831bd61044d505fd84c

Download Submit
memory/1400-133-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/1400-134-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/1400-135-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/1400-136-0x000000000B6D0000-0x000000000B76C000-memory.dmp

Filesize
624KB

Download
memory/1400-132-0x0000000000FD0000-0x000000000108E000-memory.dmp

Filesize
760KB

Download
memory/2496-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-148-0x0000000001940000-0x0000000001C8A000-memory.dmp

Filesize
3.3MB

Download
memory/2496-143-0x0000000000000000-mapping.dmp

Download
memory/4148-146-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/4148-154-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/4148-159-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

Filesize
32KB

Download
memory/4148-140-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

Filesize
216KB

Download
memory/4148-145-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/4148-158-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

Filesize
104KB

Download
memory/4148-147-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4148-137-0x0000000000000000-mapping.dmp

Download
memory/4148-149-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/4148-150-0x0000000006E50000-0x0000000006E82000-memory.dmp

Filesize
200KB

Download
memory/4148-151-0x0000000071610000-0x000000007165C000-memory.dmp

Filesize
304KB

Download
memory/4148-152-0x0000000006E30000-0x0000000006E4E000-memory.dmp

Filesize
120KB

Download
memory/4148-153-0x0000000008210000-0x000000000888A000-memory.dmp

Filesize
6.5MB

Download
memory/4148-142-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/4148-155-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/4148-156-0x0000000007E00000-0x0000000007E96000-memory.dmp

Filesize
600KB

Download
memory/4148-157-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

Filesize
56KB

Download
memory/4308-138-0x0000000000000000-mapping.dmp

Download
memory/4432-141-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1400 wrote to memory of 4148	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	powershell.exe
PID 1400 wrote to memory of 4148	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	powershell.exe
PID 1400 wrote to memory of 4148	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	powershell.exe
PID 1400 wrote to memory of 4308	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	schtasks.exe
PID 1400 wrote to memory of 4308	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	schtasks.exe
PID 1400 wrote to memory of 4308	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	schtasks.exe
PID 1400 wrote to memory of 4432	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 4432	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 4432	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe
PID 1400 wrote to memory of 2496	1400	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe	ddec6968806b89640eed8ad10d3f33e1cdf0c5a9f596e128d9f3fbcecfad5fbd.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads