formbook | 63ec01839919b7f832954e17b9259a74fe90e0217f178dbd5f7661454af4c91f

General

Target

b561c766f16984cad7bd9303131d69da7cae866a.exe
Size

445KB
MD5

7f86f5c4f81ec48b4b6bfc92b29ec751
SHA1

b561c766f16984cad7bd9303131d69da7cae866a
SHA256

63ec01839919b7f832954e17b9259a74fe90e0217f178dbd5f7661454af4c91f
SHA512

d040eb130075902d49536dca8b1abe4bc49ff6421884a793da73f956bf614806949b89ce602168bdc5a55af111871ee4120654f136914e4e63d2170557806cb3
SSDEEP

12288:3Y7shrtvJ4uNMIL/TJF/DaYVgl5NVx1fFHD02SJZ:3Yu1KA1I/FXngPZ

Score

10^/10

formbook vr84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr84

Decoy

intouchenergy.co.uk

lalumalkaliram.com

hillgreenholidays.co.uk

fluentliteracy.com

buildingworkerpower.com

by23577.com

gate-ch375019.online

jayess-decor.com

larkslife.com

swsnacks.co.uk

bigturtletiny.com

egggge.xyz

olastore.africa

lightshowsnewengland.com

daily-lox.com

empireoba.com

91302events.com

lawrencecountyfirechiefs.com

abrahamslibrary.com

cleaner365.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/972-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1720-72-0x00000000001D0000-0x00000000001FF000-memory.dmp	formbook
behavioral1/memory/1720-76-0x00000000001D0000-0x00000000001FF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1176	tbelmde.exe
972	tbelmde.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	b561c766f16984cad7bd9303131d69da7cae866a.exe
1176	tbelmde.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 972	1176	tbelmde.exe	28
PID 972 set thread context of 1412	972	tbelmde.exe	11
PID 1720 set thread context of 1412	1720	cscript.exe	11

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
972	tbelmde.exe
972	tbelmde.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1176	tbelmde.exe
972	tbelmde.exe
972	tbelmde.exe
972	tbelmde.exe
1720	cscript.exe
1720	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	tbelmde.exe
Token: SeDebugPrivilege	1720	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1176	1612	b561c766f16984cad7bd9303131d69da7cae866a.exe	27
PID 1612 wrote to memory of 1176	1612	b561c766f16984cad7bd9303131d69da7cae866a.exe	27
PID 1612 wrote to memory of 1176	1612	b561c766f16984cad7bd9303131d69da7cae866a.exe	27
PID 1612 wrote to memory of 1176	1612	b561c766f16984cad7bd9303131d69da7cae866a.exe	27
PID 1176 wrote to memory of 972	1176	tbelmde.exe	28
PID 1176 wrote to memory of 972	1176	tbelmde.exe	28
PID 1176 wrote to memory of 972	1176	tbelmde.exe	28
PID 1176 wrote to memory of 972	1176	tbelmde.exe	28
PID 1176 wrote to memory of 972	1176	tbelmde.exe	28
PID 1412 wrote to memory of 1720	1412	Explorer.EXE	36
PID 1412 wrote to memory of 1720	1412	Explorer.EXE	36
PID 1412 wrote to memory of 1720	1412	Explorer.EXE	36
PID 1412 wrote to memory of 1720	1412	Explorer.EXE	36
PID 1720 wrote to memory of 1824	1720	cscript.exe	37
PID 1720 wrote to memory of 1824	1720	cscript.exe	37
PID 1720 wrote to memory of 1824	1720	cscript.exe	37
PID 1720 wrote to memory of 1824	1720	cscript.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\b561c766f16984cad7bd9303131d69da7cae866a.exe
  "C:\Users\Admin\AppData\Local\Temp\b561c766f16984cad7bd9303131d69da7cae866a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\tbelmde.exe
    "C:\Users\Admin\AppData\Local\Temp\tbelmde.exe" C:\Users\Admin\AppData\Local\Temp\lxirk.jhb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\tbelmde.exe
      "C:\Users\Admin\AppData\Local\Temp\tbelmde.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:972
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1964
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2016
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tbelmde.exe"
    3⤵
    PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\blqttgnqqaq.qo

Filesize
205KB

MD5
7e6daa507120f5d554a44c601bbfba58

SHA1
4018d5a2de62d2013a6c898828f8a74e814d5c1d

SHA256
ca29d66f49018a38a180092513e189a53577092219ff4c8d119b30055913cbe1

SHA512
896aaa9adaa33227e0abbac98aa43f4ae2c66d8efc41ba50d452ceea170508f6a049af6621e452eec3b215895cdb0e719c3c9afd34e257b77ff133e591aab1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxirk.jhb

Filesize
5KB

MD5
7611d59c10c085fe2b6f33cb8bc797b9

SHA1
8e6a6c47f32c48d1892b664b734c324cd70e0fb0

SHA256
1391af011ebe5d6d3bbfd08ad339779d49b65f28260aef59bb4fb490b77c03ab

SHA512
2f59ffdc86c719e780b7f07102dd1f3ee53d20f9f1f5464c0ac94495a8da25ddefe94e97499ab7c0da1a5d6bcd71d549da2bfef3d4d85e5d132c6a38534dcf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbelmde.exe

Filesize
12KB

MD5
2a653d1ff961008fca702200878c9bf1

SHA1
676dbca890fedf5e3fec6e8df688dbf0ef8436f2

SHA256
e1fc47c2cbfda644718c2e519fcc103b8cb43b11b878183648be966082485bba

SHA512
15b136b5561d3922113855a9caebe7b4b0813a4b7b28cc7cababa1f546bcb37217155273a7aa4d8ee0e4b54cf480383c4cd002dddf8f416de2e2a4b74ac697d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbelmde.exe

Filesize
12KB

MD5
2a653d1ff961008fca702200878c9bf1

SHA1
676dbca890fedf5e3fec6e8df688dbf0ef8436f2

SHA256
e1fc47c2cbfda644718c2e519fcc103b8cb43b11b878183648be966082485bba

SHA512
15b136b5561d3922113855a9caebe7b4b0813a4b7b28cc7cababa1f546bcb37217155273a7aa4d8ee0e4b54cf480383c4cd002dddf8f416de2e2a4b74ac697d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbelmde.exe

Filesize
12KB

MD5
2a653d1ff961008fca702200878c9bf1

SHA1
676dbca890fedf5e3fec6e8df688dbf0ef8436f2

SHA256
e1fc47c2cbfda644718c2e519fcc103b8cb43b11b878183648be966082485bba

SHA512
15b136b5561d3922113855a9caebe7b4b0813a4b7b28cc7cababa1f546bcb37217155273a7aa4d8ee0e4b54cf480383c4cd002dddf8f416de2e2a4b74ac697d8

Download Submit
\Users\Admin\AppData\Local\Temp\tbelmde.exe

Filesize
12KB

MD5
2a653d1ff961008fca702200878c9bf1

SHA1
676dbca890fedf5e3fec6e8df688dbf0ef8436f2

SHA256
e1fc47c2cbfda644718c2e519fcc103b8cb43b11b878183648be966082485bba

SHA512
15b136b5561d3922113855a9caebe7b4b0813a4b7b28cc7cababa1f546bcb37217155273a7aa4d8ee0e4b54cf480383c4cd002dddf8f416de2e2a4b74ac697d8

Download Submit
\Users\Admin\AppData\Local\Temp\tbelmde.exe

Filesize
12KB

MD5
2a653d1ff961008fca702200878c9bf1

SHA1
676dbca890fedf5e3fec6e8df688dbf0ef8436f2

SHA256
e1fc47c2cbfda644718c2e519fcc103b8cb43b11b878183648be966082485bba

SHA512
15b136b5561d3922113855a9caebe7b4b0813a4b7b28cc7cababa1f546bcb37217155273a7aa4d8ee0e4b54cf480383c4cd002dddf8f416de2e2a4b74ac697d8

Download Submit
memory/972-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-66-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/972-67-0x0000000000280000-0x0000000000295000-memory.dmp

Filesize
84KB

Download
memory/1412-75-0x0000000006830000-0x000000000691D000-memory.dmp

Filesize
948KB

Download
memory/1412-68-0x0000000006E30000-0x0000000006FB9000-memory.dmp

Filesize
1.5MB

Download
memory/1412-77-0x0000000006830000-0x000000000691D000-memory.dmp

Filesize
948KB

Download
memory/1612-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1720-72-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/1720-73-0x0000000001E90000-0x0000000002193000-memory.dmp

Filesize
3.0MB

Download
memory/1720-74-0x0000000002240000-0x00000000022D4000-memory.dmp

Filesize
592KB

Download
memory/1720-71-0x0000000000280000-0x00000000002A2000-memory.dmp

Filesize
136KB

Download
memory/1720-76-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing