formbook | 152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2

General

Target

SecuriteInfo.com.Win32.PWSX-gen.8337.exe
Size

1.0MB
MD5

d895b9c76dd01f74ed7ac569214bd908
SHA1

c4b0c3e114a9d31d7957f873ee0a87731fd16148
SHA256

152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
SHA512

1a22d896206d1aa1dd40784ba7f2751687c0b1f148620f76b2484e1c105f831d290803cfe28554890ba1055da1eb7e6390cb684c031711cb5d065f0d63d35347
SSDEEP

24576:FSfCp6q+gk0huWQks+28p9NpH6tvqrTlzqepF:FjJc9dks+2O9eVqV

Score

10^/10

formbook ci07 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ci07

Decoy

lain-co.com

weixingshe2777.live

cwin67.com

cabiss.com

absolutehvh.xyz

mycrystallampshop.com

ovalwriters.com

concarneau.net

ciexol.xyz

adulty.net

techartinternational.com

conleyconfection.com

xn--nadinebyond-hbb.world

elevatezed.net

apdodge.xyz

ql456654.vip

amtqu.com

ymvip484.com

00ssolow.kred

fpvmalaysia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1536-68-0x000000000041F080-mapping.dmp	formbook
behavioral1/memory/1536-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.8337.exe

description	pid	process	target process
PID 1724 set thread context of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeSecuriteInfo.com.Win32.PWSX-gen.8337.exe

pid process

860 powershell.exe
1536 SecuriteInfo.com.Win32.PWSX-gen.8337.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 860 powershell.exe

pid	process
1496	schtasks.exe

pid	process
860	powershell.exe
1536	SecuriteInfo.com.Win32.PWSX-gen.8337.exe

description	pid	process
Token: SeDebugPrivilege	860	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.8337.exe

description	pid	process	target process
PID 1724 wrote to memory of 860	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	powershell.exe
PID 1724 wrote to memory of 860	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	powershell.exe
PID 1724 wrote to memory of 860	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	powershell.exe
PID 1724 wrote to memory of 860	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	powershell.exe
PID 1724 wrote to memory of 1496	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	schtasks.exe
PID 1724 wrote to memory of 1496	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	schtasks.exe
PID 1724 wrote to memory of 1496	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	schtasks.exe
PID 1724 wrote to memory of 1496	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	schtasks.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe
PID 1724 wrote to memory of 1536	1724	SecuriteInfo.com.Win32.PWSX-gen.8337.exe	SecuriteInfo.com.Win32.PWSX-gen.8337.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.8337.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.8337.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IgppHjCOS.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IgppHjCOS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5A3.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.8337.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.8337.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA5A3.tmp

Filesize
1KB

MD5
22c068304ed48b1594b4163efe4a04a9

SHA1
e9a15edd9e0ae7b6a127175a68091868834c30b8

SHA256
b0dd241b1dff5962901a9fd2dcd11098e76e51265d23cd9c7b8f5d97f4f437a9

SHA512
c5fd4f887abadfa819b8e909ee1a6337245466c1d30469f7053ab172587424ac563e79dcb6bd6e7680def2ee347ebb6ab19b202c1a6d290f99c0cb30ff116cfb

Download Submit
memory/860-59-0x0000000000000000-mapping.dmp

Download
memory/860-70-0x000000006E5F0000-0x000000006EB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1536-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-68-0x000000000041F080-mapping.dmp

Download
memory/1536-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-69-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1724-58-0x0000000007D80000-0x0000000007E36000-memory.dmp

Filesize
728KB

Download
memory/1724-57-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/1724-56-0x0000000000540000-0x000000000055A000-memory.dmp

Filesize
104KB

Download
memory/1724-63-0x0000000005AD0000-0x0000000005B4C000-memory.dmp

Filesize
496KB

Download
memory/1724-54-0x00000000001C0000-0x00000000002C8000-memory.dmp

Filesize
1.0MB

Download
memory/1724-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads