formbook | 843c93a950a42ce6ccdd4debb3b505ee31a696637c523aa3cde37876a940d1d1

General

Target

980c09040af5ab467b0e902c8097cb83.exe
Size

420KB
MD5

980c09040af5ab467b0e902c8097cb83
SHA1

efbd7fcfc5bac7aee07b2715c492ff71df54ce48
SHA256

843c93a950a42ce6ccdd4debb3b505ee31a696637c523aa3cde37876a940d1d1
SHA512

d1524131c82bac5e4fc6232963694d5c2944fd1ad52d7c394fac449c44f498f474d130217ec94a84514897cba02060207b564c640e056c85536356896f1e14c8
SSDEEP

6144:oYa6eYODUglfIPtpIGAmRCXODtbOy0FD5GHfE7pV5gK8noo:oYdpIGAmMe5SyYtGHiuK81

Score

10^/10

formbook vr84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr84

Decoy

intouchenergy.co.uk

lalumalkaliram.com

hillgreenholidays.co.uk

fluentliteracy.com

buildingworkerpower.com

by23577.com

gate-ch375019.online

jayess-decor.com

larkslife.com

swsnacks.co.uk

bigturtletiny.com

egggge.xyz

olastore.africa

lightshowsnewengland.com

daily-lox.com

empireoba.com

91302events.com

lawrencecountyfirechiefs.com

abrahamslibrary.com

cleaner365.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1100-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1100-78-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2040	filpx.exe
1176	filpx.exe

Loads dropped DLL 3 IoCs

pid	Process
940	980c09040af5ab467b0e902c8097cb83.exe
940	980c09040af5ab467b0e902c8097cb83.exe
2040	filpx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1176	2040	filpx.exe	30
PID 1176 set thread context of 1376	1176	filpx.exe	14
PID 1100 set thread context of 1376	1100	colorcpl.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1176	filpx.exe
1176	filpx.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe
1100	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2040	filpx.exe
1176	filpx.exe
1176	filpx.exe
1176	filpx.exe
1100	colorcpl.exe
1100	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	filpx.exe
Token: SeDebugPrivilege	1100	colorcpl.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1376	Explorer.EXE
1376	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1376	Explorer.EXE
1376	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 2040	940	980c09040af5ab467b0e902c8097cb83.exe	28
PID 940 wrote to memory of 2040	940	980c09040af5ab467b0e902c8097cb83.exe	28
PID 940 wrote to memory of 2040	940	980c09040af5ab467b0e902c8097cb83.exe	28
PID 940 wrote to memory of 2040	940	980c09040af5ab467b0e902c8097cb83.exe	28
PID 2040 wrote to memory of 1176	2040	filpx.exe	30
PID 2040 wrote to memory of 1176	2040	filpx.exe	30
PID 2040 wrote to memory of 1176	2040	filpx.exe	30
PID 2040 wrote to memory of 1176	2040	filpx.exe	30
PID 2040 wrote to memory of 1176	2040	filpx.exe	30
PID 1376 wrote to memory of 1100	1376	Explorer.EXE	31
PID 1376 wrote to memory of 1100	1376	Explorer.EXE	31
PID 1376 wrote to memory of 1100	1376	Explorer.EXE	31
PID 1376 wrote to memory of 1100	1376	Explorer.EXE	31
PID 1100 wrote to memory of 664	1100	colorcpl.exe	32
PID 1100 wrote to memory of 664	1100	colorcpl.exe	32
PID 1100 wrote to memory of 664	1100	colorcpl.exe	32
PID 1100 wrote to memory of 664	1100	colorcpl.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\980c09040af5ab467b0e902c8097cb83.exe
  "C:\Users\Admin\AppData\Local\Temp\980c09040af5ab467b0e902c8097cb83.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\filpx.exe
    "C:\Users\Admin\AppData\Local\Temp\filpx.exe" C:\Users\Admin\AppData\Local\Temp\xtvjfgswix.j
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\filpx.exe
      "C:\Users\Admin\AppData\Local\Temp\filpx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\filpx.exe"
    3⤵
    PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
C:\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
C:\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfsyom.m

Filesize
205KB

MD5
6e778839ad9b8e35c2ee219f6084749c

SHA1
0b2d15d794006e31c458875c3f452e25b687da83

SHA256
ce74cea5493334d94ee41b2f33c08daf5e7969f02c0f705e32bb5e47019114e3

SHA512
9e49e69389e5dc4a6d3ebb845396672ba897c207dbe4d7e4b75204f0c0a8d82788860082ad534605750da0faf89c74b6773336579f7c1a7572edd599c67df723

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtvjfgswix.j

Filesize
5KB

MD5
feb3241fec4320789d09238ee0a3806e

SHA1
8dade6e5708610a6959f1dd50d59d23c6341a9e3

SHA256
49ce3a686a989745ef53e27db48058376120918159d8c1855e9295d260da7f3d

SHA512
4c3cf4b9822f4785722e641525f00467d46dda78258b743844bfbe03c056ba5fd48d1418928417068742a0725d4b83e80f4f9ba9d4d36a3524437b3dd6a4b85b

Download Submit
\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
memory/940-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1100-76-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/1100-78-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1100-72-0x0000000000E50000-0x0000000000E68000-memory.dmp

Filesize
96KB

Download
memory/1100-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1100-75-0x0000000002270000-0x0000000002573000-memory.dmp

Filesize
3.0MB

Download
memory/1176-67-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/1176-68-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download
memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-69-0x00000000061A0000-0x000000000626A000-memory.dmp

Filesize
808KB

Download
memory/1376-77-0x0000000007170000-0x0000000007285000-memory.dmp

Filesize
1.1MB

Download
memory/1376-79-0x0000000007170000-0x0000000007285000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing