formbook | f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46

General

Target

197ab666b7242cd57be0af99c33c150e.exe
Size

259KB
MD5

197ab666b7242cd57be0af99c33c150e
SHA1

c67a8a7f437716bb324e2697412464fd165c6c90
SHA256

f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46
SHA512

a5babd41cc7dcc73710d4ca6d03121b3395601a398158f8375dacc391e7d0b5c6255f7faff0ede21db4351662f4c2d418f6fae2db17610c017272e3aa355863a
SSDEEP

6144:QBn1m1geH7jWuQ0IQWCPt2uKQ+Hm4PMuo:gmycnWuQ0hHoQ0Q

Score

10^/10

formbook pr28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/780-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/780-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1548-75-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1548-80-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2036	zcvza.exe
780	zcvza.exe

Loads dropped DLL 2 IoCs

pid	Process
952	197ab666b7242cd57be0af99c33c150e.exe
2036	zcvza.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 780	2036	zcvza.exe	30
PID 780 set thread context of 1264	780	zcvza.exe	16
PID 780 set thread context of 1264	780	zcvza.exe	16
PID 1548 set thread context of 1264	1548	msiexec.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
780	zcvza.exe
780	zcvza.exe
780	zcvza.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2036	zcvza.exe
780	zcvza.exe
780	zcvza.exe
780	zcvza.exe
780	zcvza.exe
1548	msiexec.exe
1548	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	zcvza.exe
Token: SeDebugPrivilege	1548	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2036	952	197ab666b7242cd57be0af99c33c150e.exe	28
PID 952 wrote to memory of 2036	952	197ab666b7242cd57be0af99c33c150e.exe	28
PID 952 wrote to memory of 2036	952	197ab666b7242cd57be0af99c33c150e.exe	28
PID 952 wrote to memory of 2036	952	197ab666b7242cd57be0af99c33c150e.exe	28
PID 2036 wrote to memory of 780	2036	zcvza.exe	30
PID 2036 wrote to memory of 780	2036	zcvza.exe	30
PID 2036 wrote to memory of 780	2036	zcvza.exe	30
PID 2036 wrote to memory of 780	2036	zcvza.exe	30
PID 2036 wrote to memory of 780	2036	zcvza.exe	30
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 780 wrote to memory of 1548	780	zcvza.exe	39
PID 1548 wrote to memory of 892	1548	msiexec.exe	40
PID 1548 wrote to memory of 892	1548	msiexec.exe	40
PID 1548 wrote to memory of 892	1548	msiexec.exe	40
PID 1548 wrote to memory of 892	1548	msiexec.exe	40

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1264
- C:\Users\Admin\AppData\Local\Temp\197ab666b7242cd57be0af99c33c150e.exe
  "C:\Users\Admin\AppData\Local\Temp\197ab666b7242cd57be0af99c33c150e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\zcvza.exe
    "C:\Users\Admin\AppData\Local\Temp\zcvza.exe" C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\zcvza.exe
      "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\SysWOW64\msiexec.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
        6⤵
        
        PID:892
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1872
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1192
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:656
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:468
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:636
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1392
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dexbttgmct.yga

Filesize
185KB

MD5
ed232e70dae27a58281d330aa9591674

SHA1
cb9ded97fa32bafde70c30fd3ddd8bff8279686f

SHA256
ac394c29ac4dcb2c6dc5978ba284f033089b3c9389529a59030455dd2b40afdc

SHA512
bb94cc112a6c2d79b9732b35a8b8660c5b310c787a9a6ba92d216adab3b3093328959e0f1a7c367d718997294840d6c0a40d38d522211e1655c86869fa17742a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j

Filesize
5KB

MD5
e31b70467b0d7eeb29cae835ee993b5d

SHA1
155713f1e8a959f69cbf0a1c409d392a3782bc77

SHA256
1c671b3d5c74d675ed80d36b2e5d9429051e825bd11deecc9a69e13f5f31d00e

SHA512
cb17417d1b3811d711b905b6eafb15dc03f88f75686bf8dc45f666168c862547fa64b28a6cdf3936800b82c2731bd4df70d73ef02b33b6194fbe7440692432fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe

Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe

Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcvza.exe

Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
\Users\Admin\AppData\Local\Temp\zcvza.exe

Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
\Users\Admin\AppData\Local\Temp\zcvza.exe

Filesize
100KB

MD5
c457f7dc6091c5cd58fd181fcb116f0d

SHA1
43309913c0009fe78b17f0aba2409aa8043a759b

SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88

Download Submit
memory/780-69-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/780-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-66-0x0000000000D40000-0x0000000001043000-memory.dmp

Filesize
3.0MB

Download
memory/780-67-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/952-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1264-79-0x00000000064E0000-0x00000000065EC000-memory.dmp

Filesize
1.0MB

Download
memory/1264-70-0x0000000004DB0000-0x0000000004EBB000-memory.dmp

Filesize
1.0MB

Download
memory/1264-68-0x0000000007450000-0x00000000075D9000-memory.dmp

Filesize
1.5MB

Download
memory/1264-81-0x00000000064E0000-0x00000000065EC000-memory.dmp

Filesize
1.0MB

Download
memory/1264-82-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp

Filesize
1.3MB

Download
memory/1264-83-0x000007FF524F0000-0x000007FF524FA000-memory.dmp

Filesize
40KB

Download
memory/1548-74-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1548-75-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1548-77-0x0000000002220000-0x0000000002523000-memory.dmp

Filesize
3.0MB

Download
memory/1548-78-0x0000000000710000-0x00000000007A3000-memory.dmp

Filesize
588KB

Download
memory/1548-80-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing