formbook | 80b80845ee4a8518871ba71bba822baf33341129eb94c1f512684c613133c3bf

General

Target

INQ_7654323.exe
Size

852KB
MD5

ca9bd64aa59c0c99e6be3f8fc78b2fa8
SHA1

832400c4d1e54231c9ef43c24576bc0ea35388ce
SHA256

80b80845ee4a8518871ba71bba822baf33341129eb94c1f512684c613133c3bf
SHA512

fdeacd8bbeb522f0e8b911a35a800b8d749b0a47cdea1dedc1469c584b9ee6cc6e9a616b8d70343cfeff49fe2d336625a104d678b73bc238c196127a0b0b799a
SSDEEP

12288:gdMX2iNjuR28n5Cj7MWnh9e5rW89I1bbLbV96x2cHss/S+P:gWX1Vu88no7Ad9EDbVIx2cHs6Sq

Score

10^/10

formbook oi05 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oi05

Decoy

fluidavail.online

blchain.tech

kyocera.website

sangmine.xyz

thepolicyjacket.info

ssvhelpman.net

y-t-design.com

eminentabroad.com

codingcamp.store

bester.capital

tanjiya23.site

bheniamyn.dev

top5monitor.com

bit-prim.trade

airstreamsocialclub.com

darkwarspod.com

zazisalesdistribution.com

vivolentlo.online

daftburo.net

elemangelsin.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/644-68-0x000000000041F100-mapping.dmp	formbook
behavioral1/memory/644-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/644-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/644-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1620-81-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1620-86-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1652	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 644	1424	INQ_7654323.exe	33
PID 644 set thread context of 1236	644	INQ_7654323.exe	16
PID 644 set thread context of 1236	644	INQ_7654323.exe	16
PID 1620 set thread context of 1236	1620	netsh.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1424	INQ_7654323.exe
1424	INQ_7654323.exe
1904	powershell.exe
644	INQ_7654323.exe
644	INQ_7654323.exe
644	INQ_7654323.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe
1620	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
644	INQ_7654323.exe
644	INQ_7654323.exe
644	INQ_7654323.exe
644	INQ_7654323.exe
1620	netsh.exe
1620	netsh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	INQ_7654323.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	644	INQ_7654323.exe
Token: SeDebugPrivilege	1620	netsh.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1904	1424	INQ_7654323.exe	28
PID 1424 wrote to memory of 1904	1424	INQ_7654323.exe	28
PID 1424 wrote to memory of 1904	1424	INQ_7654323.exe	28
PID 1424 wrote to memory of 1904	1424	INQ_7654323.exe	28
PID 1424 wrote to memory of 1696	1424	INQ_7654323.exe	30
PID 1424 wrote to memory of 1696	1424	INQ_7654323.exe	30
PID 1424 wrote to memory of 1696	1424	INQ_7654323.exe	30
PID 1424 wrote to memory of 1696	1424	INQ_7654323.exe	30
PID 1424 wrote to memory of 748	1424	INQ_7654323.exe	32
PID 1424 wrote to memory of 748	1424	INQ_7654323.exe	32
PID 1424 wrote to memory of 748	1424	INQ_7654323.exe	32
PID 1424 wrote to memory of 748	1424	INQ_7654323.exe	32
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1424 wrote to memory of 644	1424	INQ_7654323.exe	33
PID 1236 wrote to memory of 1620	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1620	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1620	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1620	1236	Explorer.EXE	42
PID 1620 wrote to memory of 1652	1620	netsh.exe	43
PID 1620 wrote to memory of 1652	1620	netsh.exe	43
PID 1620 wrote to memory of 1652	1620	netsh.exe	43
PID 1620 wrote to memory of 1652	1620	netsh.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe
  "C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AfSEmpqyeaOiU.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AfSEmpqyeaOiU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94E1.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe
    "C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe"
    3⤵
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe
    "C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1020
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1604
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:632
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1476
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\INQ_7654323.exe"
    3⤵
    - Deletes itself
    PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp94E1.tmp

Filesize
1KB

MD5
400c180ff0a9b13ac1f81252d61ddf1e

SHA1
a6a34babba48176fc40c6d4015cda8ef8afd22be

SHA256
bf9bbaee283b0ad9cebbc7d5c495a9fc73089017dcab839c5cad73daf0a0f717

SHA512
23825274eb9cde2b15dc19949bfae1da17ae2687de412f50068c5d7e24da1b6fd853c28ca47a3f2948c7554eaf71290389b687664c54208cdda1ee8a4e487a88

Download Submit
memory/644-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-76-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/644-72-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/644-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-73-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/644-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-85-0x0000000007540000-0x0000000007667000-memory.dmp

Filesize
1.2MB

Download
memory/1236-87-0x0000000007540000-0x0000000007667000-memory.dmp

Filesize
1.2MB

Download
memory/1236-74-0x0000000004B90000-0x0000000004D12000-memory.dmp

Filesize
1.5MB

Download
memory/1236-77-0x0000000007290000-0x000000000740A000-memory.dmp

Filesize
1.5MB

Download
memory/1424-63-0x0000000002270000-0x00000000022A4000-memory.dmp

Filesize
208KB

Download
memory/1424-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1424-54-0x0000000000C10000-0x0000000000CEC000-memory.dmp

Filesize
880KB

Download
memory/1424-56-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/1424-58-0x0000000005030000-0x00000000050A0000-memory.dmp

Filesize
448KB

Download
memory/1424-57-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1620-80-0x0000000001650000-0x000000000166B000-memory.dmp

Filesize
108KB

Download
memory/1620-81-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1620-83-0x0000000000B70000-0x0000000000E73000-memory.dmp

Filesize
3.0MB

Download
memory/1620-84-0x0000000000AA0000-0x0000000000B33000-memory.dmp

Filesize
588KB

Download
memory/1620-86-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1904-70-0x000000006E5E0000-0x000000006EB8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads