formbook | 93a60b00b3933b1d036aa791e81efe05249c5563384f2ddd04492b6be6563583

General

Target

Payment-Advice.exe
Size

2.6MB
MD5

3e416710f120b91849b1878d07ecacd0
SHA1

71eb6640520773803b0201cf4466ff57cb3ac81f
SHA256

a56fd898ced9c080955b0ee12f4d652bd1b74ddde43470e94033a288e2b97dfc
SHA512

3dd24bbff081711efb22f9c4b056e820fbbb45722ef911c7b9bf68b91ed436b2f16af95d2970b29c1d77858f922b4e91b8f2d61856d06d31731de983a796b451
SSDEEP

49152:l0LiB3F6szZwltsrSKYsbCNICNfoAgQflqB:l3F62ZwDqSsbODNfoAgqK

Score

10^/10

formbook purecrypter gune downloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gune

Decoy

artentarn.net

allstarpurchaslng.com

lendhave.quest

3yza.com

qpyikn.shop

play-fortuna-win-15.top

jaspergirl.store

naranjacanelaymiel.online

hiddenvalley-farms.com

gas-grills-66023.com

fp-wp.com

livepix.ltda

liholagroup.com

erlinjobs.com

doctorhooper.net

sggwmdkk.shop

ujuyzw.shop

gameclubzeed.com

myhomewish.com

ontopageone.com

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1700-55-0x0000000004A30000-0x0000000004CB6000-memory.dmp	family_purecrypter

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1888-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1888-67-0x000000000041F0F0-mapping.dmp	formbook
behavioral1/memory/1888-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1628-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1628-80-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 1888	1700	Payment-Advice.exe	30
PID 1888 set thread context of 1216	1888	MSBuild.exe	19
PID 1628 set thread context of 1216	1628	svchost.exe	19

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
320	powershell.exe
1888	MSBuild.exe
1888	MSBuild.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe
1628	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1216	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1888	MSBuild.exe
1888	MSBuild.exe
1888	MSBuild.exe
1628	svchost.exe
1628	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	Payment-Advice.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1888	MSBuild.exe
Token: SeDebugPrivilege	1628	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 320	1700	Payment-Advice.exe	28
PID 1700 wrote to memory of 320	1700	Payment-Advice.exe	28
PID 1700 wrote to memory of 320	1700	Payment-Advice.exe	28
PID 1700 wrote to memory of 320	1700	Payment-Advice.exe	28
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1700 wrote to memory of 1888	1700	Payment-Advice.exe	30
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	31
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	31
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	31
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	31
PID 1628 wrote to memory of 864	1628	svchost.exe	32
PID 1628 wrote to memory of 864	1628	svchost.exe	32
PID 1628 wrote to memory of 864	1628	svchost.exe	32
PID 1628 wrote to memory of 864	1628	svchost.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\Payment-Advice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment-Advice.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-59-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/320-60-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/320-61-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/1216-72-0x0000000006900000-0x0000000006A2E000-memory.dmp

Filesize
1.2MB

Download
memory/1216-81-0x0000000006BF0000-0x0000000006D34000-memory.dmp

Filesize
1.3MB

Download
memory/1216-79-0x0000000006BF0000-0x0000000006D34000-memory.dmp

Filesize
1.3MB

Download
memory/1628-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1628-78-0x00000000004B0000-0x0000000000543000-memory.dmp

Filesize
588KB

Download
memory/1628-80-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1628-77-0x00000000006C0000-0x00000000009C3000-memory.dmp

Filesize
3.0MB

Download
memory/1628-74-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/1700-54-0x0000000001260000-0x0000000001504000-memory.dmp

Filesize
2.6MB

Download
memory/1700-62-0x0000000004FA0000-0x0000000005002000-memory.dmp

Filesize
392KB

Download
memory/1700-56-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/1700-55-0x0000000004A30000-0x0000000004CB6000-memory.dmp

Filesize
2.5MB

Download
memory/1888-71-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1888-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-70-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1888-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing